Defender XDR - how to grant "undo action" Permissions on File Quarantine?
Hi doedoedoe,
In Microsoft Defender XDR, the Undo option for completed File Quarantine actions in the Action Center (History tab) is not available through custom Unified RBAC roles.
Even with full Response (manage) permissions and device group scoping, this action is explicitly restricted to users who have the Security Administrator role (or higher) in Microsoft Entra ID. This limitation is by design and documented by Microsoft.
Your custom role works correctly for quarantining files and all other scoped operations, but Undo requires the broader Entra role. There is currently no granular permission to enable this.
Recommended approach: Let location admins request undos via ticket/channel, and handle them centrally with a small Security Administrator team. This keeps least privilege intact.
If needed, assign Security Administrator (via PIM) only to selected leads.
I hope that I can help you with that.
Best regards, Maurice