Forum Discussion
Can't find correct RBAC permissions to approve AIR actions
I've been configuring custom RBAC roles, and even though the "Response (manage)" permission in the Security Operations permissions group includes "approve or dismiss pending remediation actions," it ...
Hi Youri,
Thank you. We already use PIM, but I'm trying to get people away from using Security Administrator for things like releasing emails.
In the article you cited, I'm referring to THIS section:
Microsoft Defender XDR Unified role based access control (RBAC)
- Microsoft Defender for Endpoint remediation: Security operations \ Security data \ Response (manage).
- Microsoft Defender for Office 365 remediation (Office content and email, if Email & collaboration > Defender for Office 365 permissions is
Active. Affects the Defender portal only, not PowerShell):- Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
- Remediate malicious email: Security operations/Security data/Email & collaboration advanced actions (manage).
I already have a custom role configured with these permissions, but that role can't approve/reject pending actions.
Best regards,
- Steve
I understand you on this one. Maybe somebody from Microsoft is able to respond on this.
