Layne123
Copper Contributor
Oct 11, 2024

MS 365 Defender - What permissions are needed to move and delete emails in Explorer?

I need a tech with limited permissions to be able to https://learn.microsoft.com/en-us/defender-office-365/remediate-malicious-email-delivered-office-365

These are the options I have in Admin.

I tried a bunch of recommended actions, yet I don't seem to have the correct Admin portals as shown https://learn.microsoft.com/en-us/defender-xdr/manage-rbac.

For example, I don't have MS 365 Defender Permissions Group shown in the video:

 

4 Replies

  • Hi Layne123,

    I think both resources might need some refreshing. Have you tried to create a custom role? Under System, choose Permissions > Create a custom role > Create a custom role > Add your role name and description > In Choose permissions choose Security operations > Select custom permissions and then make sure you choose Email & collaboration advanced actions (manage).

     

     

    Make sure you also allow Read-only to Alerts and any other permissions you might need.

     

    Email & collaboration advanced actions permissions should be enough to soft and hard delete messages.

     

    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like

    • Layne123
      Copper Contributor

      cyb3rmik3 

      Under System > Permissions, it takes me to the page in my screenshot.

      Which item do I choose to create the role?

      • Defender XDR
      • Entra ID
      • Email & Collab
      • Cloud Apps

      I tried to create it in Defender XDR yet at the end it gives me the option to Activate Workloads > Activate unified role-based access control:

       

      I'm not sure how "Enforcing Exchange Online permissions will impact the Email & Collab capabilities that were previously configured in the Exchange admin center" or "Enabling this setting will also enforce these permissions on the Microsoft Defender for Identity portal" will affect my tenant.

      Thanks for any further assistance!

      • cyb3rmik3
        MVP

        Layne123 hello,

         

        The following documentation includes all information you need to know about the Unified RBAC model in Defender XDR: Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR | Microsoft Learn.

         

        Long story short, by allowing access to Exchange Online Permissions and MDI as in the screenshot you provided, you allow taking actions like the one you requested in the first place.

        You should go ahead and follow my first message to cover your requirement about Remediate malicious email delivered.

         

        If I have answered your question, please mark your post as Solved

        If you like my response, please consider giving it a like
