Forum Discussion
slaimer
Mar 03, 2023 | Copper Contributor
Least privileged role for the "Suspend user in AAD" action
Hello,
We are trying to find the least privileged role for our SOC members so that the "Suspend user in AAD" and "Require user to sign in again" actions are available on the user page of Microsoft 365 Defender.
For now we've seen it available only to Global Administrators.
We are using the new Defender RBAC for all three products (Endpoints, Email and Collaboration, Identity).
The permissions and roles in the Microsoft 365 Defender RBAC are configured like this for our SOC group:
Security operations -> All read and manage permissions -> All Scopes
So far we tried adding the SOC members to the following Azure AD roles:
- "Security Operator" does not show these actions for AAD users (but it shows the similar actions for Active Directory users when you have MDI configured: "Disable user in AD", "Enable user in AD", "Force password reset")
- "Authentication Administrator" does not show these actions for AAD users, but if we go to the user's page in Azure AD (via the "Azure AD account settings" link), the options to disable or re-authenticate the user's account are obviously available because of this role
Is there a role except Global Admin for this feature to be visible?
Or will this feature and AzureAD Identity Protection in general be better integrated in future enhancements of Microsoft 365 Defender RBAC?
DeanPickering (Microsoft)
Hey Stefan,
For AAD response actions, this does require an AAD role outside of M365D RBAC. The least privilege permission as it stands today is Security Admin.
HTH,
Dean.

slaimer (Copper Contributor)
Hi Dean,
I wouldn't have guessed this role, especially since none of the actions in https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-administrator seem to allow actions against users.
We will weigh which role to use, but will probably stick with Authentication Administrator for now.
Are there any plans to integrate these AzureAD (and Active Directory/MDI) response permissions into Defender RBAC?
Best regards