Forum Discussion

Copper Contributor

Aug 23, 2022

Defender for Identity - Required permissions

Hi, in the Microsoft docs for DFI https://docs.microsoft.com/en-us/defender-for-identity/role-groups#required-permissions-for-the-microsoft-365-defender-experience it calls out the following for perm...

Martin_Schvartzman

Microsoft

Aug 28, 2022

Chris Waterworth

Thank you for your feedback.

We've updated the documentation to better describe the permissions needed:

https://docs.microsoft.com/en-us/defender-for-identity/role-groups#required-permissions-for-the-microsoft-365-defender-experience

aexlz

Brass Contributor

Aug 28, 2022

Hi Martin_Schvartzman

Security Administrator is not sufficient for creating the MDI Workspace.

Since there are three groups created in the background when creating the MDI Workspace, you must be either Global Administrator or Security Administrator AND Group Administrator.

I had opened a ticket at MS because of this issue.

Or has anything changed here?

Martin_Schvartzman
Microsoft
Aug 29, 2022
aexlz

Security Administrator should be enough. The groups are created by the 1st party 'Azure Advanced Threat Protection' application that gets registered in your tenant.
- aexlz
  Brass Contributor
  Aug 30, 2022
  Then have you have to have the permission to register this application?
  However: Security Admin was not sufficient 2 months ago. But maybe something has changed in the meantime.