Forum Discussion
Can't find correct RBAC permissions to approve AIR actions
Hi Youri,
Thank you. We already use PIM, but I'm trying to get people away from using Security Administrator for things like releasing emails.
In the article you cited, I'm referring to THIS section:
https://learn.microsoft.com/en-us/defender-xdr/manage-rbac
- Microsoft Defender for Endpoint remediation: Security operations \ Security data \ Response (manage).
- Microsoft Defender for Office 365 remediation (Office content and email, if Email & collaboration > Defender for Office 365 permissions is
- Read access for email and Teams message headers: Security operations/Raw data (email & collaboration)/Email & collaboration metadata (read).
- Remediate malicious email: Security operations/Security data/Email & collaboration advanced actions (manage).
I already have a custom role configured with these permissions, but that role can't approve/reject pending actions.
Best regards,
- Steve
Hi Steve,
I was just looking at this for someone and found it can get quite complex when you move to XDR permissions.
Option 1: XDR Permissions
From what I've seen you have to "hijack" the permissions in XDR from MDO before AIR approvals will work (specifically the soft-delete action), which is fine, but it requires a bit of planning as the built-in roles no longer function as expected.
Enable the MDO workload here: https://security.microsoft.com/securitysettings/defender/mtp_roles
Option 2: Traditional RBAC permissions
Otherwise the least privileged option out-of-the-box appears to be Global Reader + the Data Investigator (MDO) role.
MDO Permissions here: https://security.microsoft.com/emailandcollabpermissions
Permissions for AIR capabilities are described by Microsoft here:
https://learn.microsoft.com/en-us/defender-office-365/air-about#required-permissions-to-use-air-capabilities
- RSKadish, Aug 09, 2024, Brass Contributor
Hi MicrosoftIsBuggy,
I agree that it takes some planning to transition from the old RBAC scheme to the new, but activating the workloads is well-documented. The problem I was having seemed to be related to an advisory Microsoft has been updating for over a year, Issue ID DZ584153. Sometimes we could approve the actions, sometimes not. The problem is supposedly fixed now, and I look forward to testing it.