Forum Discussion

SKadish
Brass Contributor
Feb 13, 2024

Defender XDR Unified RBAC - Cannot manage incidents

I've been configuring the new Defender XDR Unified RBAC roles, and two things that I cannot find permissions for are managing incidents and alerts. No matter what I configure, those buttons stay greyed out. This is despite configuring a role that has all Security Operations and Security Posture read and manage permissions.

Other functions are working, for instance being able to block users via the TABL, or Search & Purge permissions.

Can I please get some help?


  • Thank you Steve for this update.
    Defender for Cloud Apps is not yet supported by Unified RBAC. As you can see when creating a new role, the list of available data sources in the assignment stage does not include Defender for Cloud Apps as an option. You can continue granting access to Defender for Cloud Apps data and experiences using the individual workload RBAC (in parallel to using Unified RBAC with the rest of the workloads).

  • Thank you for contacting us with your inquiry.
    May I ask whether you have activated Unified RBAC with any of the workloads? If so, which ones?
    Can you also share which data sources you have included in the role assignment?
    As for the Email & compliance functions you've mentioned that are working properly: note that if you haven't activated Unified RBAC for Email & compliance (both toggles), access to these functions is managed via roles defined in Admin Center.
    • SKadish
      Brass Contributor
      Hello Gadi,

      I have activated the following workloads:
      - Endpoints & Vulnerability Management
      - Email & Collaboration (both Defender for Office 365 & Exchange Online permissions)
      - Secure Store

      Identity is greyed out. We do not have on-premises AD.

      I enabled all data sources in the assignment (MDE, MDO, MDI, MDC, and Secure Store).

      Thank you,
      - Steve

      • SKadish
        Brass Contributor
        Hello Gadi,

        I just realized that I CAN manage incidents where the detection source is MDO. I CANNOT manage incidents where the detection source is Microsoft Defender for Cloud Apps. Is this not possible currently with the Unified RBAC?
