Forum Discussion
StuartH .
Jul 24, 2023 Copper Contributor
MDI Roles/Permissions - where art thou now ?
It used to be simple. In ATP (now MDI), there used to be 3 groups used for administration/viewing (Azure ATP [workspace] Admin, Azure ATP [workspace] Users and Azure ATP [workspace] Viewers). Having...
Jul 24, 2023
StuartH . From the new permissions blade in Defender, under M365 Defender, click on Roles,
then click on custom role to create your MDI custom role.
StuartH .
Jul 24, 2023 Copper Contributor
elieelkarkafi mmm, that might be an issue, as I don't even see Microsoft 365 Defender as an item under Permissions. Is this valid for an Enterprise customer - RBAC not available for Defender for Business and hence why it is not showing? I have looked in two of our tenants, as a Global Admin, and it is not in either.
As an aside... can you tell me whether those "old" permissions groups are no longer used? I just don't see that documented anywhere, and I would have thought that there would have been something documented if there was some expectation on customers to migrate from the old way to the new way. Now we are seemingly in a position whereby our admins can't seem to manage MDI alerts. As a global admin, of course, I can still manage the backend MDI settings/sensors etc.
- Jul 24, 2023
The ATP groups can be found in Azure AD under Groups.
- StuartH . Jul 24, 2023 Copper Contributor
Yes, and these are unchanged in our Azure AD... they have been there for 6+ years!! My point is... it does not seem that (in your example) Azure ATP newampio Users is being honoured. Users in this group can no longer manage alerts... which they used to be able to do. Bug?
- Jul 24, 2023
StuartH . Try to access it in a different way: go to Settings -- M365 Defender -- Permissions and Roles and then click on Go to permissions and roles.
Did you enable that feature circled in yellow?
- StuartH . Jul 24, 2023 Copper Contributor
elieelkarkafi - I am using Global Admin to view the Defender portal - so one would hope I could see it! That's what makes me think that something is awry here. If not available [yet], then it just enforces my other question, as to whether the "old" Admin/User/Viewer roles are still valid?
- Jul 24, 2023
Yes, they are still valid, but the option to create a custom role for MDI should appear for you.