Forum Discussion
Security Admin role replacement with Defender XDR
Hi Sharmila,
No, you cannot rely solely on custom RBAC roles in Microsoft Defender XDR.
Users still need an appropriate Microsoft Entra security role to access the Defender portal at all. The custom XDR role then defines what they can do inside the portal.
Microsoft Defender XDR uses a two-layer authorization model:
These determine whether a user can even enter the Defender portal.
Only users with roles such as the following can enter the portal:
- Security Administrator
- Security Operator
- Security Reader
- Global Reader
Without one of these roles, the user cannot authenticate into security.microsoft.com, even if they have a Defender XDR custom role assigned.
Therefore:
Removing Security Administrator from your SOC/analyst users is a good idea.
But giving them no Entra role at all will block portal access.
The usual least-privilege choice is Security Operator or Security Reader, combined with a Defender XDR custom role for full operational access. In my opinion, assign the Security Reader role first and see what they can do; if this is not enough, you can assign the Security Operator role. With the Security Reader role, they might not be able to resolve some Identity-tagged incident alerts, so you would need to change the role later.
For your scenario, the optimal setup is:
- Remove Security Administrator from users who only need to perform SOC tasks.
- Assign a minimal Entra security role such as Security Operator (preferred for analysts) or Security Reader.
- Use custom roles in Defender XDR to give them full incident/alert management permissions in the Defender portal.
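The Entra-side part of the procedure above (grant the minimal role, then drop Security Administrator, then verify), as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK's unified role assignment cmdlets; the analyst UPNs are constructed sample values, and the script assumes the Microsoft.Graph module is installed and the signed-in account is allowed to manage directory role assignments. It only handles direct active assignments: PIM-eligible or group-based assignments are not touched, and the Defender XDR custom role itself still has to be assigned in the Defender portal (Settings > Microsoft Defender XDR > Permissions and roles), which this script does not do.

```powershell
# Added example (not from the original post): move SOC analysts from
# Security Administrator to a minimal Entra security role before relying on
# a Defender XDR custom role for their in-portal permissions.
# Assumes: Microsoft.Graph module installed; caller can manage role assignments.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Constructed sample list of analyst accounts (replace with your own).
$Analysts   = @("analyst1@contoso.example", "analyst2@contoso.example")
# Start with "Security Reader" if you want to test read-only first, per the reply above.
$TargetRole = "Security Operator"

function Get-RoleDefinitionByName {
    param([Parameter(Mandatory)][string]$Name)
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$Name'"
    if (-not $def) { throw "Role definition '$Name' not found in this tenant" }
    return $def
}

$secAdmin = Get-RoleDefinitionByName -Name "Security Administrator"
$target   = Get-RoleDefinitionByName -Name $TargetRole

foreach ($upn in $Analysts) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

    # Direct active role assignments for this principal (PIM-eligible ones are not listed here).
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'"

    # 1. Grant the minimal role FIRST, so portal access never lapses during the change.
    if (-not ($assignments | Where-Object RoleDefinitionId -eq $target.Id)) {
        New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $target.Id `
            -PrincipalId $user.Id -DirectoryScopeId "/" | Out-Null
        Write-Host "Assigned $TargetRole to $upn"
    }

    # 2. Only then remove Security Administrator.
    foreach ($a in ($assignments | Where-Object RoleDefinitionId -eq $secAdmin.Id)) {
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
        Write-Host "Removed Security Administrator from $upn"
    }

    # 3. Verify what the account still holds before touching Defender XDR custom roles.
    Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" | ForEach-Object {
        $name = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
        Write-Host "  $upn now holds: $name"
    }
}
```

Run it once with `$TargetRole = "Security Reader"` if you want to follow the reply's suggestion of starting read-only; re-running with `"Security Operator"` later adds the broader role without removing the reader one, so remove Security Reader by hand afterwards if you want a single role per analyst.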