Forum Discussion

doedoedoe's avatar
doedoedoe
Copper Contributor
Nov 20, 2024

Defender XDR - how to grant "undo action" Permissions on File Quarantine?

Dear Defender XDR Community

I have a question regarding the permissions to "undo action" on a file quarantine action in the action center.

We have six locations, each location manages their own devices. We have created six device groups so that Accounts from Location 1 can only manage/see devices from Location 1 as well.

Then we created a custom "Microsoft Defender XDR" Role with the following permissions. This way the admins from location 1 can manage all Defender for Endpoint Devices / incidents / recommendations etc. without touching devices they aren't managing. Very cool actually!

BUT - if a file gets quarantined, it might need to be released again because of a false positive, etc. I can do that as a global admin, but not as an admin with granularly assigned rights - the option just isn't there.

I don't want to give those admins a more privileged role because of - you know - least privilege. But I don't have the option to allow "undo action" on file quarantine events, besides that being a critical feature for them to manage their own devices and not me having to de-quarantine files I don't care about.

Any thoughts on how to give users this permission?

1 Reply

  • Hi doedoedoe,

    In Microsoft Defender XDR, the Undo option for completed File Quarantine actions in the Action Center (History tab) is not available through custom Unified RBAC roles.

    Even with full Response (manage) permissions and device group scoping, this action is explicitly restricted to users who have the Security Administrator role (or higher) in Microsoft Entra ID. This limitation is by design and documented by Microsoft.

    Your custom role works correctly for quarantining files and all other scoped operations, but Undo requires the broader Entra role. There is currently no granular permission to enable this.

    Recommended approach: Let location admins request undos via ticket/channel, and handle them centrally with a small Security Administrator team. This keeps least privilege intact.

    If needed, assign Security Administrator (via PIM) only to selected leads.

    I hope that I can help you with that.

    Best regards, Maurice
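An added example of the last suggestion in the reply (making selected leads PIM-eligible for Security Administrator rather than permanently assigning it); this is not code from Maurice's reply or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and uses `$LeadsGroupId` as a placeholder for the object ID of a role-assignable group containing the leads.

```powershell
# Added example (not from the original thread): make the selected leads *eligible* for
# Security Administrator through PIM instead of assigning it permanently. They activate
# the role (subject to the tenant's PIM policy, e.g. MFA and justification) only when a
# quarantine undo is actually needed, which keeps standing privilege low.
# Assumptions: Microsoft Graph PowerShell SDK installed; $LeadsGroupId is a placeholder
# for the object ID of a role-assignable security group that contains the leads.

Import-Module Microsoft.Graph.Identity.Governance

# Creating PIM eligibility requests needs the RoleManagement.ReadWrite.Directory scope.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$LeadsGroupId = "<OBJECT-ID-OF-ROLE-ASSIGNABLE-GROUP>"   # placeholder, replace before running

# Resolve the Security Administrator role definition by display name rather than hard-coding its ID.
$secAdminRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
if (-not $secAdminRole) { throw "Security Administrator role definition not found." }

# Eligible (not active) assignment at tenant scope, expiring after one year so it must be re-reviewed.
$request = @{
    Action           = "adminAssign"
    Justification    = "Central team for undoing false-positive file quarantines in Defender XDR"
    RoleDefinitionId = $secAdminRole.Id
    DirectoryScopeId = "/"
    PrincipalId      = $LeadsGroupId
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "afterDuration"
            Duration = "P365D"
        }
    }
}

$result = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
$result | Select-Object Id, Status, Action

# Review step: list every principal currently eligible for Security Administrator,
# so the set of people who can undo quarantines stays small and known.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($secAdminRole.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId, Status
```

The location admins still keep only their scoped custom role; the eligible assignment lives on the leads' group, and the final query is what you would re-run periodically to confirm nobody else has been made eligible.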