Forum Discussion
Defender MDO permissions broken (again)
Hi SKadish
You are probably hitting another permissions regression between Defender XDR / MDO portal actions and role evaluation.
What you described is not how it should normally work. Tasks like approving pending AIR actions, moving emails, deleting emails, and handling remediation are usually expected to work with Security Administrator, Security Operator, or correctly scoped custom RBAC roles. Requiring Global Administrator for daily security operations is generally not the intended model.
I have seen similar cases where the assigned role looks correct, but the backend permission check for specific actions temporarily becomes stricter after service updates.
Possible reasons:
Portal or backend permission bug
A hidden dependency on Exchange Online or another workload permission for email actions
PIM activation token not refreshing correctly
Temporary issue in unified RBAC mapping
Good tests to perform:
Open a private browser session and sign in again
After activating roles in PIM, fully sign out and back in
Test with Security Admin only
Test whether the issue happens in both the Defender portal and the Exchange admin center
Check audit logs / activity logs for denied actions
The strongest indicator in your case is that everything worked only with Global Admin. That usually suggests a Microsoft-side permission mapping issue rather than tenant configuration.
My recommendation would be to open a support case and provide:
Time of failure
Exact action that failed
Roles assigned
Confirmation that Global Admin works immediately
Any correlation ID from the error message
Also worth highlighting that Global Admin should not be necessary for routine remediation tasks.
You are definitely not the first person to report this kind of behavior lately.
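Added example, not code from SKadish's thread or from the reply above: a PowerShell helper that gathers two of the items the reply recommends collecting before opening a support case, namely the roles actually in effect for the analyst (including whether Security Administrator is a PIM activation and when it expires) and the failed operations recorded in the unified audit log around the time of failure. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module for the live queries; the sample audit records, the analyst@contoso.com UPN, and the operation names inside them are constructed so the filtering can be exercised offline.

```powershell
# Added example (not from the thread). Collects evidence for the "works only as
# Global Admin" symptom: effective directory roles incl. PIM activation expiry, and
# non-successful audit records near the failure time.
# Assumes: Microsoft.Graph (Users, Identity.Governance) and ExchangeOnlineManagement
# modules for the live path. The sample records at the bottom are constructed.

function Get-EffectiveDirectoryRoles {
    # Requires: Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    # Schedule instances cover permanent assignments and PIM activations alike;
    # AssignmentType tells them apart and EndDateTime is the activation expiry.
    $instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($user.Id)'"
    foreach ($inst in $instances) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $inst.RoleDefinitionId
        [pscustomobject]@{
            Role           = $def.DisplayName
            AssignmentType = $inst.AssignmentType   # 'Assigned' (permanent) or 'Activated' (PIM)
            Scope          = $inst.DirectoryScopeId # '/' is tenant-wide
            ExpiresUtc     = $inst.EndDateTime      # $null for permanent assignments
        }
    }
}

function Get-FailedAuditActions {
    # $Records: output of Search-UnifiedAuditLog (each item carries an AuditData JSON
    # string) or constructed objects of the same shape. Keeps only records whose
    # ResultStatus is not 'Succeeded' within +/- $WindowMinutes of $Around (UTC).
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][datetime]$Around,
        [int]$WindowMinutes = 30
    )
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal
    foreach ($rec in $Records) {
        $d = $rec.AuditData | ConvertFrom-Json
        # CreationTime in the audit log is UTC without an offset; parse it as such.
        $t = [datetimeoffset]::Parse($d.CreationTime, [cultureinfo]::InvariantCulture, $styles).UtcDateTime
        if ([math]::Abs(($t - $Around).TotalMinutes) -gt $WindowMinutes) { continue }
        if ($d.ResultStatus -eq 'Succeeded') { continue }
        [pscustomobject]@{
            TimeUtc   = $t
            User      = $d.UserId
            Workload  = $d.Workload
            Operation = $d.Operation
            Result    = $d.ResultStatus
            Target    = $d.ObjectId
            RecordId  = $d.Id   # quote next to the portal correlation ID in the case
        }
    }
}

# Constructed sample records (not real tenant data; operation names are placeholders)
# in the unified audit log shape, so the filter can be run without a tenant.
$sample = @(
    [pscustomobject]@{ AuditData = '{"Id":"a1","CreationTime":"2024-05-14T09:12:33","Operation":"ApprovePendingAction","Workload":"SecurityComplianceCenter","ResultStatus":"Failed","UserId":"analyst@contoso.com","ObjectId":"investigation-42"}' },
    [pscustomobject]@{ AuditData = '{"Id":"a2","CreationTime":"2024-05-14T09:14:02","Operation":"SoftDelete","Workload":"Exchange","ResultStatus":"Succeeded","UserId":"ga@contoso.com","ObjectId":"mailbox-item-7"}' },
    [pscustomobject]@{ AuditData = '{"Id":"a3","CreationTime":"2024-05-13T17:00:00","Operation":"ApprovePendingAction","Workload":"SecurityComplianceCenter","ResultStatus":"Failed","UserId":"analyst@contoso.com","ObjectId":"investigation-41"}' }
)
$failureTime = [datetime]::new(2024, 5, 14, 9, 15, 0, [System.DateTimeKind]::Utc)
Get-FailedAuditActions -Records $sample -Around $failureTime | Format-Table -AutoSize
# Only a1 is reported: a2 succeeded and a3 falls outside the 30-minute window.

# Live path (after Connect-ExchangeOnline and Connect-MgGraph):
# $live = Search-UnifiedAuditLog -StartDate $failureTime.AddHours(-2) -EndDate $failureTime.AddHours(2) -UserIds 'analyst@contoso.com' -ResultSize 1000
# Get-FailedAuditActions -Records $live -Around $failureTime
# Get-EffectiveDirectoryRoles -UserPrincipalName 'analyst@contoso.com'
```

When reading the role output, compare the Security Administrator row's ExpiresUtc with the failure time: an activation that lapsed or was refreshed shortly before the failed action supports the PIM token hypothesis from the reply, while a permanent 'Assigned' row with a still-failing action points at the service-side mapping issue instead.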