Forum Discussion
Can't find correct RBAC permissions to approve AIR actions
Hi RSKadish,
In this example indeed you need the Entra Security Administrator role.
Full Action Center permissions below:
https://learn.microsoft.com/en-us/defender-xdr/m365d-action-center#required-permissions-for-action-center-tasks
I recommend using PIM so operators only elevate their permissions when needed:
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started
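To check whether operators really are relying on PIM elevation rather than a standing Security Administrator assignment, the following added example (not code from the thread or from Microsoft) queries Microsoft Graph for a user's permanent directory role assignments and compares them with their PIM-eligible ones. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller has the RoleManagement.Read.Directory and User.Read.All scopes, and that the role name to audit is passed as a parameter; the UPN used in the usage line at the bottom is a constructed placeholder.

```powershell
# Added example: audit whether a user holds a privileged Entra role permanently
# (standing assignment) or only as a PIM-eligible assignment.
# Assumes: Microsoft.Graph SDK modules are installed and the signed-in account
# can read directory role management data.

function Get-RoleAssignmentPosture {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $RoleDisplayName = 'Security Administrator'
    )

    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Role '$RoleDisplayName' not found in this tenant." }

    $principalFilter = "principalId eq '$($user.Id)'"

    # Permanent (non-PIM) assignments: present in roleAssignments regardless of PIM state.
    $permanent = Get-MgRoleManagementDirectoryRoleAssignment -Filter $principalFilter |
        Where-Object { $_.RoleDefinitionId -eq $role.Id }

    # PIM-eligible assignments: the user must activate before the role takes effect.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $principalFilter |
        Where-Object { $_.RoleDefinitionId -eq $role.Id }

    # Currently active assignments (includes PIM activations that are live right now).
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $principalFilter |
        Where-Object { $_.RoleDefinitionId -eq $role.Id }

    [pscustomobject]@{
        User            = $user.UserPrincipalName
        Role            = $RoleDisplayName
        PermanentCount  = @($permanent).Count
        EligibleCount   = @($eligible).Count
        ActiveNowCount  = @($active).Count
        # A standing assignment defeats the point of PIM; flag it for review.
        Finding         = if (@($permanent).Count -gt 0) { 'Standing assignment: convert to PIM-eligible' }
                          elseif (@($eligible).Count -gt 0) { 'PIM-eligible only: OK' }
                          else { 'No assignment of this role' }
    }
}

# Usage (constructed placeholder UPN):
Get-RoleAssignmentPosture -UserPrincipalName 'operator@contoso.example' |
    Format-List
```

Run it once per operator (or pipe a list of UPNs into it) after a permission change; anyone reported as "Standing assignment" still has the role active at all times, which is exactly what moving to PIM is meant to avoid.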
- RSKadish, Jul 17, 2024, Brass Contributor
Hi Youri,
Thank you. We already use PIM, but I'm trying to get people away from using Security Administrator for things like releasing emails.
In the article you cited, I'm referring to THIS section:
Microsoft Defender XDR Unified role based access control (RBAC)
- Microsoft Defender for Endpoint remediation: Security operations \ Security data \ Response (manage).
- Microsoft Defender for Office 365 remediation (Office content and email, if Email & collaboration > Defender for Office 365 permissions is
- Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
- Remediate malicious email: Security operations/Security data/Email & collaboration advanced actions (manage).
I already have a custom role configured with these permissions, but that role can't approve/reject pending actions.
Best regards,
- Steve
- Youri, Jul 18, 2024, Copper Contributor
I understand you on this one. Maybe somebody from Microsoft is able to respond to this.
- MicrosoftIsBuggy, Aug 08, 2024, Copper Contributor
Hi Steve,
I was just looking at this for someone and found it can get quite complex when you move to XDR permissions.
Option 1: XDR Permissions
From what I've seen you have to "hijack" the permissions in XDR from MDO before AIR approvals will work (specifically the soft-delete action). Which is fine, but requires a bit of planning as the built-in roles no longer function as expected.
Enable the MDO workload here: https://security.microsoft.com/securitysettings/defender/mtp_roles
Option 2: Traditional RBAC permissions
Otherwise the least privileged option out-of-the-box appears to be Global Reader + the Data Investigator (MDO) role.
MDO Permissions here: https://security.microsoft.com/emailandcollabpermissions
Permissions for AIR capabilities are described by Microsoft here:
https://learn.microsoft.com/en-us/defender-office-365/air-about#required-permissions-to-use-air-capabilities
- RSKadish, Aug 09, 2024, Brass Contributor
Hi MicrosoftIsBuggy,
I agree that it takes some planning to transition from the old RBAC scheme to the new, but activating the workloads is well-documented. The problem I was having seemed to be related to an advisory Microsoft has been updating for over a year, Issue ID DZ584153. Sometimes we could approve the actions, sometimes not. The problem is supposedly fixed now, and I look forward to testing it.