Microsoft Defender for Office 365 Blog

Granular email content access with unified RBAC – now the default for new Defender tenants

VipulPandey
Apr 29, 2026

Email investigations are a key part of detecting and responding to phishing and malware. As security workflows continue to evolve, there is an increasing need to align email content visibility more closely with specific roles and scenarios, such as Tier‑1 analysis or specialized workflows like user‑reported phishing triage.

Today we’re announcing additional “read-only” controls for more granular email access in Microsoft Defender. Starting on May 30th, 2026, unified RBAC will also become the default permission model for new tenants.

Unified RBAC in Microsoft Defender: a single, consistent permissions model

Microsoft Defender unified role-based access control (RBAC) provides a centralized way to manage permissions across the Defender security portfolio, replacing the need to configure and audit access separately for each solution, including endpoint, identity, SaaS, Cloud, and more. Instead of stitching together service‑specific role models, unified RBAC gives security teams one consistent authorization framework to control what users can see and do across the Microsoft Defender portal.

Unified RBAC is designed to support modern security operations by aligning access with real‑world roles, such as analysts, investigators, and administrators, while reducing the risk that comes from over‑permissioned accounts. Challenges for security teams include:

  • Enforcing least‑privilege access consistently
  • Understanding who has access to sensitive data across services
  • Performing clean access reviews and audits
  • Scaling permissions safely in tiered SOC or partner‑managed environments

Unified RBAC addresses these challenges by converging permissions into a single model and separating read-only (data access) and manage (action‑taking) permissions by design, making access intent explicit and reducing accidental overexposure of sensitive security data.

More granular email permissions within unified RBAC

Unified RBAC now supports additional read‑only permissions for specific email content scenarios—so access can be matched precisely to investigation and review workflows.

1. New permission: Email & collaboration content: Emails associated with alerts

The new Emails associated with alerts permission allows analysts to preview or download emails only when they are directly associated with a security alert, without granting access to all email content. Initially, this permission applies to alerts of type Email reported by user as malware or phish and Email reported by user as junk, which are among the most common investigation entry points for security teams. Only emails tied to those alert types can be previewed or downloaded. Support for additional alert types will expand in future updates.

Why this matters: Tier‑1 analysts and triage teams can investigate user‑reported threats quickly and effectively, without being granted visibility into unrelated emails.

2. New permission: Email and Collaboration content: Quarantine Emails

This new permission allows previewing and downloading only emails that are in admin quarantine, supporting roles responsible for reviewing or validating quarantined messages – without broader email access.

Important: After this update, Email & collaboration quarantine and Security data basics will no longer provide email content preview or download by themselves. To allow content visibility for quarantined messages, you must explicitly assign Emails in Quarantine. This change clarifies role boundaries and simplifies audits by making content access intentional and explicit.

Why this matters: Quarantine review teams can access exactly what they need—no more, no less—supporting least-privilege access by design.

These permissions extend the Unified RBAC model for email & collaboration by separating visibility from action. They allow security teams to grant targeted access to email content only where it’s required, while preserving full content access for senior investigators and incident response teams.

Full email content access remains available through existing permissions—such as Email & collaboration content: All emails—for senior investigators and incident response teams who require unrestricted visibility.
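The content-access rules described in this section can be modeled for access reviews. The following is an added example, not Microsoft code or a Defender API: the permission names come from the post, while the `Email` class, function names, and sample roles are constructed for illustration.

```python
# Added illustration: permission names come from the post; the data model and
# function names are assumptions, not a Microsoft API.
from dataclasses import dataclass
from typing import Optional

ALL_EMAILS = "Email & collaboration content: All emails"
ALERT_EMAILS = "Email & collaboration content: Emails associated with alerts"
QUARANTINE_EMAILS = "Emails in Quarantine"  # the heading calls it "Quarantine Emails"
QUARANTINE = "Email & collaboration quarantine"
DATA_BASICS = "Security data basics"

# Alert types the post lists as covered initially.
COVERED_ALERT_TYPES = {
    "Email reported by user as malware or phish",
    "Email reported by user as junk",
}

@dataclass
class Email:
    alert_type: Optional[str] = None   # alert the message is tied to, if any
    in_admin_quarantine: bool = False

def can_view_content(perms: set, email: Email) -> bool:
    """True if the role may preview or download this message's content."""
    if ALL_EMAILS in perms:
        return True
    if ALERT_EMAILS in perms and email.alert_type in COVERED_ALERT_TYPES:
        return True
    # QUARANTINE and DATA_BASICS by themselves no longer grant content access.
    return QUARANTINE_EMAILS in perms and email.in_admin_quarantine

def roles_without_quarantine_content(roles: dict) -> list:
    """Roles holding quarantine/basics permissions but no content permission."""
    return sorted(
        name for name, perms in roles.items()
        if perms & {QUARANTINE, DATA_BASICS}
        and not perms & {ALL_EMAILS, QUARANTINE_EMAILS}
    )

# Constructed sample roles for the example.
ROLES = {
    "tier1-triage": {DATA_BASICS, ALERT_EMAILS},
    "quarantine-review": {QUARANTINE, DATA_BASICS},
    "quarantine-review-fixed": {QUARANTINE, DATA_BASICS, QUARANTINE_EMAILS},
    "incident-response": {DATA_BASICS, ALL_EMAILS},
}

if __name__ == "__main__":
    print(roles_without_quarantine_content(ROLES))
```

Roles returned by `roles_without_quarantine_content` are the ones to review before the change: assign Emails in Quarantine only where quarantined-message content is actually part of the role's workflow.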

Unified RBAC becomes the default for new Microsoft Defender tenants

Starting May 30th, 2026, Unified RBAC will be enabled by default for new Microsoft Defender for Office 365 Plan 2 tenants, making it the primary permissions model and providing a single, unified authorization model across the Defender suite. Permissions are managed through Defender unified RBAC roles, alongside Microsoft Entra roles where applicable (e.g. for Attack Simulation Training). Making Unified RBAC the default for new tenants is a key step toward simplifying permissions management and embedding least-privilege access by design.

Learn more

  1. Microsoft Defender Unified role-based access control (RBAC)
  2. Create custom roles with Microsoft Defender Unified role-based access control (RBAC)
  3. Manage quarantined messages and files as an admin
  4. The Email entity page in Defender for Office 365
Updated Apr 28, 2026
Version 1.0