Can't find correct RBAC permissions to approve AIR actions

Question

I've been configuring custom RBAC roles, and even though the "Response (manage)" permission in the Security Operations permissions group includes "approve or dismiss pending remediation actions," it doesn't work. I've tried it with pending "soft delete emails" actions in the Action Center, and I get an error. The only way we can approve or reject these actions is with the Entra Security Administrator role checked out.

Does anyone know which RBAC permission is supposed to grant the rights to approve these remediation actions?

youri · Answer

Hi RSKadish,In this example indeed you need the Entra Security Administrator role.Full Action Center permissions below:https://learn.microsoft.com/en-us/defender-xdr/m365d-action-center#required-permissions-for-action-center-tasks&nbsp;I recommend to use PIM so operators only elevate their permissions when needed:https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started&nbsp;

rskadish · Answer

Hi&nbsp;Youri,&nbsp;Thank you. We already use PIM, but I'm trying to get people away from using Security Administrator for things like releasing emails.&nbsp;In the article you cited, I'm referring to THIS section:https://learn.microsoft.com/en-us/defender-xdr/manage-rbacMicrosoft Defender for Endpoint remediation:&nbsp;Security operations \ Security data \ Response (manage).Microsoft Defender for Office 365 remediation&nbsp;(Office content and email, if&nbsp;Email &amp; collaboration&nbsp;&gt;&nbsp;Defender for Office 365&nbsp;permissions is&nbsp;&nbsp;&nbsp;&nbsp;Active. Affects the Defender portal only, not PowerShell):Read access for email and Teams message headers:&nbsp;Security operations/Raw data (email &amp; collaboration)/Email &amp; collaboration metadata (read).Remediate malicious email:&nbsp;Security operations/Security data/Email &amp; collaboration advanced actions (manage).I already have a custom role configured with these permissions, but that role can't approve/reject pending actions.&nbsp;&nbsp;&nbsp;Best regards,- Steve

youri · Answer

I understand you on this one. Maybe somebody from Microsoft is able to respond on this.

microsoftisbuggy · Answer

Hi Steve,I was just looking at this for someone and found it can get quite complex when you move to XDR permissions.Option 1: XDR PermissionsFrom what I've seen you have to "hijack" the permissions in XDR from MDO before AIR approvals will work (specifically the soft-delete action). Which is fine, but requires a bit of planning as the built-in roles no longer function as expected.Enable the MDO workload here: https://security.microsoft.com/securitysettings/defender/mtp_roles&nbsp;&nbsp;Option 2: Traditional RBAC permissionsOtherwise the least privileged option out-of-the-box appears to be Global Reader + the Data Investigator (MDO) role.&nbsp;MDO Permissions here: https://security.microsoft.com/emailandcollabpermissionsPermissions for AIR capabilities are described by Microsoft here:https://learn.microsoft.com/en-us/defender-office-365/air-about#required-permissions-to-use-air-capabilities

rskadish · Answer

Hi MicrosoftIsBuggy,&nbsp;I agree that it takes some planning to transition from the old RBAC scheme to the new, but activating the workloads is well-documented.&nbsp; The problem I was having seemed to be related to an advisory Microsoft has been updating for over a year,&nbsp;Issue ID&nbsp;DZ584153.&nbsp; Sometimes we could approve the actions, sometimes not.&nbsp; The problem is supposedly fixed now, and I look forward to testing it.&nbsp;

Forum Discussion

Can't find correct RBAC permissions to approve AIR actions

5 Replies

Resources