slaimer
Copper Contributor
Mar 03, 2023

Least privileged role for the "Suspend user in AAD" action

Hello,

We are trying to find the least privileged role for our SOC members to be able to have the "Suspend user in AAD" and "Require user to sign in again" actions available in the user page of Microsoft 365 Defender.
For now we've seen it available only to Global Administrators.


We are using the new Defender RBAC for all three products (Endpoints, Email and Collaboration, Identity)

The permissions and roles in the Microsoft 365 Defender RBAC are configured like this for our SOC group:
Security operations -> All read and manage permissions -> All Scopes

So far we tried adding the SOC members to the following Azure AD roles:
- "Security Operator" does not show these actions for AAD users (but it shows the similar actions for Active Directory users when you have MDI configured: "Disable user in AD", "Enable users in AD", "Force password reset")


- "Authentication administrator" does not show these actions for AAD users, but if we go to the user's page in Azure AD (via the "Azure AD account settings" link), the options to disable or re-authenticate the user's account are obviously available because of this role

Is there a role other than Global Admin for this feature to be visible?

Or will this feature and Azure AD Identity Protection in general be better integrated in future enhancements of Microsoft 365 Defender RBAC?