Security Admin role replacement with Defender XDR
We currently have the Security Administrator role assigned to multiple users in our organization. We are considering replacing it with custom RBAC roles in Microsoft Defender XDR as described in https://learn.microsoft.com/en-us/defender-xdr/custom-roles
Our goal is to provide these users full access to the Microsoft Defender security portal so they can respond to alerts and manage security operations. They do not require access to the Entra ID portal for tasks such as managing conditional access policies or authentication method policies.
Can we completely remove the Security Administrator role and rely solely on the custom RBAC role in Defender XDR to meet these requirements?
Yes, you can remove the Security Administrator role if your only objective is to grant full access within the Microsoft Defender portal for security operations. However, there are some important architectural boundaries to understand before doing so.
The Security Administrator role in Entra ID is a directory role. It grants permissions across multiple security workloads, including Entra ID, Conditional Access, authentication methods, and certain cross-service configurations. Defender XDR custom RBAC roles, on the other hand, apply only within the Microsoft Defender security portal and its supported workloads.
If your users only need to investigate incidents, respond to alerts, run advanced hunting queries, manage remediation actions, and handle device or identity-related security operations inside the Defender portal, then a properly configured Defender XDR custom role can cover those needs.
However, Defender RBAC does not replace directory-level permissions. If any of the following are required, Entra ID roles would still be necessary:
– Managing Conditional Access policies
– Configuring authentication methods
– Changing identity protection settings at the directory level
– Managing role assignments in Entra ID
– Modifying tenant-wide security settings outside Defender
Another consideration is workload overlap. Some response actions in Defender for Identity or Defender for Office 365 may rely on underlying Entra permissions depending on the action. If your SOC needs to disable users, reset passwords, or modify directory objects directly from Entra, those permissions must still be granted separately.
From a least-privilege perspective, moving away from broad Security Administrator assignments toward scoped Defender XDR custom roles is generally a good design decision. It reduces directory-wide exposure and limits administrative blast radius.
The recommended approach is:
– Map exactly which actions your security team performs today
– Validate those actions are fully supported via Defender RBAC
– Test with pilot accounts before removing Security Administrator
– Keep Entra roles only where directory-level control is explicitly required
If their responsibility is strictly security operations inside Microsoft Defender and not identity governance or tenant configuration, then yes, you can remove Security Administrator and rely on Defender XDR custom RBAC.
- GoXATAKAN, Brass Contributor
Hi Sharmila,
No, you cannot rely solely on custom RBAC roles in Microsoft Defender XDR.
Users still need an appropriate Microsoft Entra security role to access the Defender portal at all. The custom XDR role then defines what they can do inside the portal.
Microsoft Defender XDR uses a two-layer authorization model:
These determine whether a user can even enter the Defender portal.
Only users with roles such as:
- Security Administrator
- Security Operator
- Security Reader
- Global Reader
Without one of these roles, the user cannot authenticate into security.microsoft.com, even if they have a Defender XDR custom role assigned.
Therefore:
Removing Security Administrator from your SOC/analyst users is a good idea.
But giving them no Entra role at all will block portal access.
The usual least-privilege choice is Security Operator or Security Reader, combined with a Defender XDR custom role for full operational access. In my opinion, assign the Security Reader role first and try what they can do; if this is not enough, you can assign the Security Operator role. With the Security Reader role, they might not be able to resolve some identity-tagged incident alerts, so you would need to change the role later.
For your scenario, the optimal setup is:
- Remove Security Administrator from users who only need to perform SOC tasks
- Assign a minimal Entra security role such as Security Operator (preferred for analysts) or Security Reader
- Use custom roles in Defender XDR to give them full incident/alert management permissions in the Defender portal.
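An added example, not code from either reply, that supports the "map, validate, pilot" steps in the first reply and the portal-entry warning in the second: a read-only Microsoft Graph PowerShell audit of who currently holds Security Administrator and which of those users would still hold one of the portal-entry roles (Security Operator, Security Reader, Global Reader) after it is removed. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to the Directory.Read.All scope; the role names are the ones the thread uses, and nothing below changes an assignment.

```powershell
# Added example (not from the thread): audit Security Administrator holders and check whether
# each would keep a Defender-portal entry role once Security Administrator is removed.
# Assumption: Microsoft.Graph SDK is installed; Directory.Read.All is read-only.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Entra roles the second reply names as sufficient to enter security.microsoft.com.
$portalEntryRoles = @('Security Operator', 'Security Reader', 'Global Reader')

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
# Build a map: role display name -> list of member UPNs.
$membersByRole = @{}
foreach ($name in (@('Security Administrator') + $portalEntryRoles)) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { $membersByRole[$name] = @(); continue }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    # Members are generic directory objects; user fields live in AdditionalProperties.
    # Only direct user members are counted here (see the note below on groups and PIM).
    $membersByRole[$name] = @($members |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
}

# For every Security Administrator, report whether removal would lock them out of the portal.
$report = foreach ($upn in $membersByRole['Security Administrator']) {
    $retained = @($portalEntryRoles | Where-Object { $membersByRole[$_] -contains $upn })

    $recommendation = if ($retained.Count -gt 0) {
        'Safe to remove Security Administrator once the Defender XDR custom role covers their tasks'
    } else {
        'Assign Security Operator or Security Reader before removing Security Administrator'
    }

    [pscustomobject]@{
        User                = $upn
        RetainsPortalAccess = ($retained.Count -gt 0)
        RemainingEntraRoles = ($retained -join ', ')
        Recommendation      = $recommendation
    }
}

$report | Format-Table -AutoSize
```

Two caveats when reading the output: the script counts only direct user members, so users who receive a role through a role-assignable group or through a PIM eligible assignment will appear as having no portal-entry role even when they do; and it says nothing about the Defender XDR custom role itself, which still has to be validated with the pilot accounts the first reply recommends.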