Forum Discussion

Bosanac89
Copper Contributor
Jan 03, 2025

Pending Actions - Defender XDR

Noticed that I don't have permissions anymore to approve actions in the action center.

My roles have not changed, and I have Security Admin, Operator, Reader, etc.

Has anyone else run into this issue?

Thanks

6 Replies

  • Bosanac89
    Copper Contributor

    RBAC was already enabled, and all proper permissions are assigned. Still cannot approve or reject any actions, very frustrating.

  • RSKadish
    Brass Contributor

    I don't have any actions to approve right now, so I can't check, but I had this issue for several months. I would get a 405 error. To be clear, this was not the case if I had Security Admin activated, but it wasn't working properly with the Unified RBAC roles.

    • Tim Beer
      Copper Contributor

      I haven't been able to replicate this issue in 2 environments. The only other thing I can think of is Device Groups, if the machine is in a device group that the RBAC role doesn't have full rights over. I've seen a similar issue where admins could see incidents but couldn't act on them, which ended up being that the devices were in a device group the admins' RBAC had no rights to, i.e. resolve by adding the RBAC group here

      • RSKadish
        Brass Contributor

        My issue was some time ago in 2024, and was resolved by Microsoft after I had a ticket open for a while.

  • TheGift73
    Iron Contributor

    Has anyone enabled https://learn.microsoft.com/en-us/defender-xdr/manage-rbac in Defender recently in your estate, without actually configuring it correctly?

  • Tim Beer
    Copper Contributor

    Yes, I believe this has been like this a while and the best thing to do is to use the new RBAC roles.

    Defender RBAC
    https://learn.microsoft.com/en-us/defender-xdr/create-custom-rbac-roles

    Activating RBAC
    https://learn.microsoft.com/en-us/defender-xdr/activate-defender-rbac

    Go to Permissions - Defender XDR Roles

    and build out a new role, i.e.

    You can then either choose all Read and Manage for, say, a full security admin, which is the easiest, or, if you want to be more granular, choose each option manually. In general, if you were in a Security Admin role in Azure before, then you would have had more or less all read and manage anyway.

    As written above, you'll need to activate RBAC:

    https://learn.microsoft.com/en-us/defender-xdr/activate-defender-rbac

    If you're working in a large environment, this will take a change process etc., working with anyone with access to Defender and making sure they are given rights to do their job.

    As to why it broke, I'm not sure, but I think it's because Microsoft is trying to move towards RBAC rather than the giant Azure roles people had that gave you, say, Azure rights, Identity rights, etc. all in one. Now they are moving more towards RBAC, so you are a Defender admin, therefore you have granular rights in Defender and it doesn't stray into other Azure areas.

    In my environments I have now moved completely to the new RBAC and tiered it all for each type of security worker group, so we have SOC analysts level 1, level 2, etc. and full admins, so the level 1 newbies can only do a limited number of things until management is confident they are ready for deeper dives, approvals, etc.
