Microsoft Defender for Office 365 Blog

Permissions Management: Defender XDR's RBAC Walkthrough for Microsoft Defender for Office 365

Marina_Kidron
Mar 05, 2024

We are very excited that Microsoft Defender XDR unified role-based access control (RBAC) reached general availability (GA) in December 2023. It is also available in GCC, GCC-High, and DoD environments.

Microsoft Defender XDR unified RBAC is the new permissions model across the Defender workloads, and it is a critical step toward the least-privilege principle for Microsoft Defender for Office 365.

Instead of managing permissions for Defender for Office 365 in three different portals (Microsoft Entra ID, the Defender portal, and the Exchange Admin Center), Defender XDR RBAC lets Security Operations Center (SOC) admins manage Defender for Office 365 permissions in a single place, alongside the other Defender workloads. The new permission model lets you step away from the Global Administrator and Security Administrator roles in Entra ID, which grant access to many other experiences and products.

If you are a Defender for Office 365 security admin and are new to Defender XDR RBAC, let's explore the new permissions model to understand its benefits.


Unified Permissions Model across Defender XDR 

To demonstrate the benefits of using one permissions model across the different Defender XDR workloads, two things are worth highlighting: permissions become simpler to manage, and they behave predictably across both the common SOC experiences and the Defender for Office 365-specific ones.

Here are four examples that highlight the benefits:

1. Access to Defender for Office 365 alerts and incidents is consistent with access to alerts and incidents of other Defender workloads.

- With Defender XDR RBAC, you can assign the Security operations / Security data / Security data basics (read) or Alerts (manage) permissions to your Tier 1 SOC, for Defender for Office 365 only, or combined with Defender for Endpoint, Defender for Identity, and other workloads.

- In the previous RBAC model, your Tier 1 SOC either required a global Entra ID role or had to be assigned to each workload on a different permissions page.

2. Access to Defender for Office 365 hunting capabilities in Explorer is separated from the alerts read/manage permissions and can be granted only to a higher SOC tier.

- With Defender XDR RBAC, you can assign the Security operations / Raw data / Email message headers (read) permission to your Tier 2 SOC, granting access to email headers and Teams messages, while keeping the Tier 1 SOC limited to reading and managing alerts.

- In the previous RBAC model, access to the email headers of malicious emails (alerts) also granted access to all message headers in Explorer, which include both malicious and legitimate email and Teams messages.

3. Access to security, compliance, and mail flow scenarios can be split across different teams.

- In Defender XDR RBAC, you can separate access to Defender for Office 365 data from the Compliance portal and from the Exchange management teams.

- In the previous RBAC model, the EOP permissions were shared between Defender for Office 365 and Compliance, and the EXO permissions were shared between Defender for Office 365 and Exchange. There was no clear separation of duties.

4. Access to all Defender for Office 365 SecOps actions can be granted in the same model.

- In Defender XDR RBAC, you can assign your higher SOC tier some or all of the sensitive permissions: take email remediation actions (move and delete emails), preview and download email content, manage quarantine, and manage the Tenant Allow/Block List.

- In the previous RBAC model, some of these permissions were granted in the Defender portal under Email & collaboration permissions, and some in the Exchange Admin Center.

Least Privilege Permission Model to Manage Microsoft Defender for Office 365 

To manage access to Defender for Office 365 data and experiences, admins no longer need Entra ID-level roles (such as Global Reader or Security Administrator), because custom roles in Defender XDR RBAC provide full access to all of these data and experiences. This is a true least-privilege permission model: access to Defender for Office 365 can be separated from access to other products. Entra ID roles grant access to many security products at once, which security teams commonly perceive as over-permissioning.

For more details on custom roles for Microsoft Defender for Office 365, see Custom roles for role-based access control | Microsoft Learn.
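
As an added example (not code from the original post), the following Microsoft Graph PowerShell script inventories who still holds the broad Entra ID roles that grant access to Defender for Office 365 data, both permanently active and PIM-eligible, so those holders can be moved to scoped Defender XDR custom roles. The role list is the standard set of Entra global roles that Defender XDR honours; the output file name is an assumption.

```powershell
# Added example, not from the original post: inventory who still holds the broad
# Entra ID roles that grant access to Defender for Office 365 data regardless of
# Defender XDR RBAC, so those holders can be moved to scoped custom roles.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "RoleEligibilitySchedule.Read.Directory"

# Entra ID roles with built-in access to Defender for Office 365 experiences.
# Extend the list if your tenant relies on other broad roles.
$broadRoles = @(
    "Global Administrator",
    "Security Administrator",
    "Security Operator",
    "Security Reader",
    "Global Reader"
)

function Get-PrincipalLabel($directoryObject) {
    # Members come back as generic directoryObjects; the useful fields sit in AdditionalProperties.
    $p = $directoryObject.AdditionalProperties
    if ($p['userPrincipalName']) { return $p['userPrincipalName'] }
    if ($p['displayName'])       { return $p['displayName'] }
    return $directoryObject.Id
}

$findings = @()

# 1) Permanent (active) assignments. Get-MgDirectoryRole returns only roles that have
#    been activated in the tenant, which is exactly the set that can have members.
$activeRoles = Get-MgDirectoryRole -All | Where-Object { $broadRoles -contains $_.DisplayName }
foreach ($role in $activeRoles) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $findings += [pscustomobject]@{
            Role        = $role.DisplayName
            Assignment  = "Active"
            ObjectType  = ($member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Principal   = Get-PrincipalLabel $member
            PrincipalId = $member.Id
        }
    }
}

# 2) PIM-eligible assignments are not visible through directoryRoles; they live in
#    roleEligibilitySchedules. An eligible group appears as the group object, so
#    review that group's membership separately.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty "roleDefinition", "principal"
foreach ($e in $eligible | Where-Object { $broadRoles -contains $_.RoleDefinition.DisplayName }) {
    $findings += [pscustomobject]@{
        Role        = $e.RoleDefinition.DisplayName
        Assignment  = "Eligible (PIM)"
        ObjectType  = ($e.Principal.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Principal   = Get-PrincipalLabel $e.Principal
        PrincipalId = $e.PrincipalId
    }
}

$findings | Sort-Object Role, Assignment, Principal | Format-Table -AutoSize
# Assumed file name; feed it into the migration tracker.
$findings | Export-Csv -Path .\broad-entra-roles.csv -NoTypeInformation
```

Activating Defender XDR RBAC for a workload replaces that workload's own roles, but the Entra global roles in the list above keep their access, so every row this script prints is an access path that bypasses your custom roles. Exchange Online role groups are a separate path and are inventoried with Exchange Online PowerShell (Get-RoleGroup and Get-RoleGroupMember), not Microsoft Graph.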


All-Inclusive Security: Defender XDR RBAC covers all Microsoft Defender for Office 365 functionality with PIM support

Defender XDR RBAC now supports Privileged Identity Management (PIM) across all permissions, natively covering all Defender for Office 365 functionality. To use it, assign the Defender XDR role to a Microsoft Entra security group and use PIM for Groups to make a user's membership in that group eligible rather than permanent; the user then activates membership just in time and holds the role only for the activation window.

For additional details on PIM support for Defender for Office 365, see Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools | Microsoft Learn.
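
The group-plus-PIM pattern described above, as an added example with Microsoft Graph PowerShell (not code from the original post): the script creates a role-assignable security group, caps PIM activation for the group at 8 hours with a required justification, makes an analyst eligible for membership instead of a permanent member, and verifies the result. The Defender XDR role itself is assigned to the group in the Defender portal, as the post describes. The group name, mail nickname, analyst UPN and durations are placeholders chosen for this example.

```powershell
# Added example, not from the original post: gate a Defender XDR RBAC role behind
# PIM for Groups. The Defender XDR role is assigned to the group in the Defender
# portal (Settings > Microsoft Defender XDR > Permissions and roles); this script
# creates the group, caps activation at 8 hours with a required justification, and
# makes an analyst eligible for membership instead of a permanent member.
# $groupName, the mail nickname and $analystUpn are placeholders for this example.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All",
                        "RoleManagementPolicy.ReadWrite.AzureADGroup",
                        "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"

$groupName  = "Defender XDR - Tier 2 SOC (email hunting)"   # placeholder
$analystUpn = "tier2.analyst@contoso.com"                  # placeholder

# 1) Role-assignable security group. Only Privileged Role Administrators and group
#    owners can change its membership, so teams that own other Entra or Exchange
#    roles cannot add themselves. IsAssignableToRole can only be set at creation.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailNickname "dxdr-tier2-soc" `
        -SecurityEnabled:$true -MailEnabled:$false -IsAssignableToRole:$true `
        -Description "Holds a Defender XDR RBAC role; membership is granted via PIM only"
}

# 2) PIM policy for the group's 'member' role. Reading the policy assignment onboards
#    the group to PIM for Groups if it is not onboarded yet.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '$($group.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$policyId = $policyAssignment.PolicyId

# Activation expires after at most 8 hours ...
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT8H"
    }
# ... and requires a justification, which is recorded in the PIM audit log.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("Justification")
    }

# 3) Make the analyst eligible for membership for 180 days. Until they activate in
#    PIM they are not a member and therefore do not hold the Defender XDR role.
$analyst = Get-MgUser -UserId $analystUpn
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId      = "member"
    principalId   = $analyst.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "Tier 2 SOC email hunting; just-in-time access via PIM"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
} | Out-Null

# 4) Verify: the eligibility exists and nobody is a permanent member.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, Status
$permanent = @(Get-MgGroupMember -GroupId $group.Id -All)
"Permanent members of '$groupName': $($permanent.Count) (expected 0)"
```

The eligibility is what makes the pattern least-privilege: a permanent member of the group would hold the Defender XDR role around the clock, while an eligible member holds it only during an activation, with a justification and the activation itself in the PIM audit log. Re-run step 4 periodically, or alert on direct membership changes to the group, because a direct add bypasses PIM.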


Seamless Transition to the New RBAC Model 

Defender XDR RBAC is available in opt-in mode, so you can make a smooth transition whenever your team is ready to flip the switch.

Security administrators typically first create new roles in Defender XDR RBAC for the SecOps experiences: reading and managing alerts, hunting, and taking email remediation actions. For maximum flexibility you can either import your existing roles into the new model or define the permissions from scratch, and then activate Defender XDR RBAC for the Email & collaboration tools.

Next, security teams typically create the security admin roles and activate Defender XDR RBAC for the Email & collaboration / EXO (Exchange Online) roles, to manage access to Defender for Office 365 policies, Quarantine, and Tenant Allow/Block List (TABL) actions.

Call-to-Action 

To make the most of the Defender XDR RBAC model and learn about the new additions, see Microsoft Defender XDR Unified role-based access control (RBAC) | Microsoft Learn.


Updated Mar 05, 2024
Version 4.0
  • AndrePKI

    Now, what we really need is to be able to deny access to Entra ID global roles (Global and Security Reader/Admin) and to Exchange Online role groups. These are roles managed by other teams, and should never have access to security data in Defender XDR. In the current situation we are not in control over who can read security data, because other teams can grant access via the Entra ID and Exchange roles (groups).

  • tipper1510

    Getting the following message when trying to activate the workloads:

    You can't activate workloads that haven't been turned on or deployed. To find out which services still need to be turned on, see Workload settings.

    What do we need to do? Usually they just toggle to active.