Chris Waterworth, Aug 23, 2022 (Copper Contributor)
Defender for Identity - Required permissions
Hi, in the Microsoft docs for DFI https://docs.microsoft.com/en-us/defender-for-identity/role-groups#required-permissions-for-the-microsoft-365-defender-experience it calls out the following for permissions with DFI.
For Defender for Identity settings in Microsoft 365 Defender, ensure that you have the sufficient Azure Active Directory roles or you're a member of the Azure ATP (instance name) Administrators or the Azure ATP (instance name) Users Azure AD groups.
I am trying to determine what roles are required for the installation and operation of the DFI service with M365 Defender.
Do we need to have the security reader role in M365D and user added to the Azure ATP Viewer group to access functionality, or are we able to do this with Azure AD roles like the Security Reader? Just looking for clarity as the above paragraph called out "Azure directory role or you're a member of Azure ATP...", but I cannot find a definition of the required AD roles supported.
I did see another post around unifying this with RBAC, but not sure if that is there currently.
Thanks
- Martin_Schvartzman (Microsoft)
Thank you for your feedback.
We've updated the documentation to better describe the permissions needed:
- aexlz (Brass Contributor)
Security Administrator is not sufficient for creating the MDI Workspace.
Since there are three groups created in the background when creating the MDI Workspace, you must be either Global Administrator or Security Administrator AND Group Administrator.
I had opened a ticket at MS because of this issue.
Or has anything changed here?
- Martin_Schvartzman (Microsoft)
Security Administrator should be enough. The groups are created by the 1st party 'Azure Advanced Threat Protection' application that gets registered in your tenant.
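An added audit script (not part of the thread and not Microsoft's code) that checks the two things the thread turns on: who holds the directory roles named above, and who is in the Azure ATP (instance name) groups plus whether the first-party 'Azure Advanced Threat Protection' service principal exists. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can read directory roles, groups and service principals, and that the MDI groups keep the documented 'Azure ATP' name prefix.

```powershell
# Added example: audit the permissions discussed in the thread via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; the caller may read roles, groups and apps.
Connect-MgGraph -Scopes 'Directory.Read.All', 'Group.Read.All', 'Application.Read.All' -NoWelcome

function Show-Members {
    # Prints the UPN (users) or display name (groups, service principals) of each directory object.
    param([object[]]$Members)
    foreach ($m in $Members) {
        $name = $m.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $m.AdditionalProperties['displayName'] }
        Write-Host "    $name"
    }
}

# Roles the thread mentions. 'Groups Administrator' is the Azure AD display name of the
# role the reply calls "Group Administrator".
$rolesOfInterest = @('Global Administrator', 'Security Administrator', 'Groups Administrator', 'Security Reader')

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$activeRoles = Get-MgDirectoryRole -All
foreach ($roleName in $rolesOfInterest) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) { Write-Host "$roleName : not activated in this tenant"; continue }
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    Write-Host "$roleName ($($members.Count) members)"
    Show-Members -Members $members
}

# The workspace groups (Administrators, Users and the Viewers group named in the question)
# are all prefixed 'Azure ATP <instance name>'.
$atpGroups = @(Get-MgGroup -Filter "startswith(displayName,'Azure ATP')" -All)
if ($atpGroups.Count -eq 0) { Write-Host 'No Azure ATP groups found: the MDI workspace may not exist yet' }
foreach ($g in $atpGroups) {
    $members = @(Get-MgGroupMember -GroupId $g.Id -All)
    Write-Host "$($g.DisplayName) ($($members.Count) members)"
    Show-Members -Members $members
}

# Per the Microsoft reply, the groups are created by the first-party
# 'Azure Advanced Threat Protection' application registered in the tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Azure Advanced Threat Protection'"
if ($sp) {
    Write-Host "Service principal present: $($sp.DisplayName) (AppId $($sp.AppId))"
} else {
    Write-Host "'Azure Advanced Threat Protection' service principal not found in this tenant"
}
```

Run it before and after creating the workspace: the role listing shows whether the account doing the setup holds Security Administrator or Global Administrator, and the group and service-principal sections show what the workspace creation actually provisioned.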