Forum Discussion

terruahmad (Microsoft)
Dec 15, 2025

Entra Risky Users Custom Role

My customer implemented unified RBAC (Defender Portal) and removed the Entra Security Operator role. They lost the ability to manage Risky Users in Entra. Two options explored by the customer: the Protected Identity Administrator role (licensing unclear), or creating a custom role with microsoft.directory/identityProtection/riskyUsers/update, which they couldn't find under custom roles. Do you know if there are other options to manage Risky Users without using the Security Operator role?

4 Replies

  • terruahmad We’ve seen this too and unfortunately this looks to be by design.
    Entra ID Protection (risky users, confirm/dismiss risk, unblock) is documented as being operated by Global Administrator and Security Administrator/security roles, not by granular custom roles. In the Entra built-in role permissions reference, the Identity Protection/risky-user actions are not exposed as custom-role assignable, so you can’t build a minimal “Risky Users custom role” today.

    So the supported solution right now is:
    Assign a built‑in security role that can manage risky users (typically Security Operator or Security Administrator) and map it back into Defender XDR unified RBAC. Then reduce blast radius with role‑assignable groups + PIM + JIT activation rather than trying to solve it purely with a custom role that the platform doesn’t support yet.
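    One way to verify, in a tenant, which role definitions actually cover the action the customer looked for, as an added example that is not from this thread: it reads role definitions in the shape Microsoft Graph returns from /roleManagement/directory/roleDefinitions and matches the action string, including the allProperties/allTasks wildcard segments. The SAMPLE list is constructed and is not a copy of the real built-in role definitions; `fetch_role_definitions` assumes you supply a Graph bearer token.

```python
import json
import urllib.request

# Entra actions read namespace/entity/property/action; the allProperties / allTasks
# segments act as wildcards for their position in built-in role definitions.
WILDCARDS = {"allEntities", "allProperties", "allTasks"}
WANTED = "microsoft.directory/identityProtection/riskyUsers/update"  # action the customer looked for

def action_covers(granted: str, wanted: str) -> bool:
    """True if `granted` equals `wanted` or covers it through wildcard segments."""
    g, w = granted.split("/"), wanted.split("/")
    return len(g) == len(w) and all(a == b or a in WILDCARDS for a, b in zip(g, w))

def roles_granting(role_defs: list, wanted: str) -> list:
    """(displayName, isBuiltIn) for every role whose permissions cover `wanted`."""
    hits = []
    for rd in role_defs:
        for perm in rd.get("rolePermissions", []):
            if any(action_covers(e, wanted) for e in perm.get("excludedResourceActions") or []):
                continue  # this permission set explicitly excludes the action
            if any(action_covers(a, wanted) for a in perm.get("allowedResourceActions", [])):
                hits.append((rd["displayName"], bool(rd.get("isBuiltIn"))))
                break
    return hits

def fetch_role_definitions(token: str) -> list:
    """Page through Graph v1.0 roleDefinitions with a bearer token (RoleManagement.Read.Directory)."""
    url = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions"
    out = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # Graph pages large result sets
    return out

# Constructed sample in Graph's unifiedRoleDefinition shape; not the real built-in definitions.
SAMPLE = [
    {"displayName": "Security Operator", "isBuiltIn": True, "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/identityProtection/allProperties/allTasks"]}]},
    {"displayName": "Security Reader", "isBuiltIn": True, "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/identityProtection/allProperties/read"]}]},
    {"displayName": "Helpdesk Custom (constructed)", "isBuiltIn": False, "rolePermissions": [
        {"allowedResourceActions": ["microsoft.directory/users/basic/update"]}]},
]

if __name__ == "__main__":  # swap SAMPLE for fetch_role_definitions(token) to audit a real tenant
    for name, built_in in roles_granting(SAMPLE, WANTED):
        print(f"{name} ({'built-in' if built_in else 'custom'}) covers {WANTED}")
```

    Running it against the real tenant shows which existing roles (built-in or custom) already cover the action before you decide on a role-assignable group plus PIM activation.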

  • Thanks Vasil.

    The customer currently uses the built-in Security Operator role but plans to transition to Unified RBAC. However, the Security Operator role is required for managing Risky Users, and there is no dedicated built-in role for this specific function.

    Do you know if there is an alternative approach to manage Risky Users, without using the Security Operator Role, Security Administrator, etc.?

  • Not every operation is supported for custom RBAC roles; you have to work with the built-in ones.
