Forum Discussion

RSKadish's avatar
RSKadish
Brass Contributor
Jul 16, 2024

Can't find correct RBAC permissions to approve AIR actions

I've been configuring custom RBAC roles, and even though the "Response (manage)" permission in the Security Operations permissions group includes "approve or dismiss pending remediation actions," it ...
incident management
investigation
remediation
RSKadish's avatar
RSKadish
Brass Contributor
Jul 17, 2024

Hi Youri,

 

Thank you. We already use PIM, but I'm trying to get people away from using Security Administrator for things like releasing emails.

 

In the article you cited, I'm referring to THIS section:

https://learn.microsoft.com/en-us/defender-xdr/manage-rbac

  • Microsoft Defender for Endpoint remediation: Security operations \ Security data \ Response (manage).
  • Microsoft Defender for Office 365 remediation (Office content and email, if Email & collaboration > Defender for Office 365 permissions is 
     

     

     Active. Affects the Defender portal only, not PowerShell):
    • Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
    • Remediate malicious email: Security operations/Security data/Email & collaboration advanced actions (manage).

I already have a custom role configured with these permissions, but that role can't approve/reject pending actions.  

 

Best regards,

- Steve

Resources