Forum Discussion
Security Admin role replacement with Defender XDR
Yes, you can remove the Security Administrator role if your only objective is to grant full access within the Microsoft Defender portal for security operations. However, there are some important architectural boundaries to understand before doing so.
The Security Administrator role in Entra ID is a directory role. It grants permissions across multiple security workloads, including Entra ID, Conditional Access, authentication methods, and certain cross-service configurations. Defender XDR custom RBAC roles, on the other hand, apply only within the Microsoft Defender security portal and its supported workloads.
If your users only need to investigate incidents, respond to alerts, run advanced hunting queries, manage remediation actions, and handle device or identity-related security operations inside the Defender portal, then a properly configured Defender XDR custom role can cover those needs.
However, Defender RBAC does not replace directory-level permissions. If any of the following are required, Entra ID roles would still be necessary:
– Managing Conditional Access policies
– Configuring authentication methods
– Changing identity protection settings at the directory level
– Managing role assignments in Entra ID
– Modifying tenant-wide security settings outside Defender
Another consideration is workload overlap. Some response actions in Defender for Identity or Defender for Office 365 may rely on underlying Entra permissions depending on the action. If your SOC needs to disable users, reset passwords, or modify directory objects directly from Entra, those permissions must still be granted separately.
From a least-privilege perspective, moving away from broad Security Administrator assignments toward scoped Defender XDR custom roles is generally a good design decision. It reduces directory-wide exposure and limits administrative blast radius.
The recommended approach is:
– Map exactly which actions your security team performs today
– Validate those actions are fully supported via Defender RBAC
– Test with pilot accounts before removing Security Administrator
– Keep Entra roles only where directory-level control is explicitly required
If their responsibility is strictly security operations inside Microsoft Defender and not identity governance or tenant configuration, then yes, you can remove Security Administrator and rely on Defender XDR custom RBAC.
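As an added example (not part of the original post), the following script supports the "map which actions your team performs today" step: it lists the users holding the Security Administrator role and, for each, the directory-level audit activity they initiated over the last 30 days. It assumes the Microsoft Graph PowerShell SDK, read-only Graph scopes, and a hypothetical list of audit categories that you should adjust to what your tenant actually logs.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
# Only active assignments are listed; PIM-eligible assignments are not returned by
# Get-MgDirectoryRoleMember and must be reviewed separately.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All" -NoWelcome

$lookbackDays = 30
$since = (Get-Date).AddDays(-$lookbackDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Assumed audit categories that indicate directory-level control (Conditional Access,
# authentication methods, role assignments, tenant settings). Adjust to your tenant's logs.
$directoryOnlyCategories = @("Policy", "RoleManagement", "DirectoryManagement")

$role = Get-MgDirectoryRole -Filter "displayName eq 'Security Administrator'"
if (-not $role) { Write-Warning "Security Administrator is not activated in this tenant"; return }

# Keep only user members (groups and service principals are skipped here)
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $upn = $m.AdditionalProperties.userPrincipalName
    # Server-side filter on the initiating user and the lookback window
    $filter = "initiatedBy/user/userPrincipalName eq '$upn' and activityDateTime ge $since"
    $events = @(Get-MgAuditLogDirectoryAudit -Filter $filter -All)

    # Distinct directory-level actions this user actually performed
    $dirActions = @($events |
        Where-Object { $directoryOnlyCategories -contains $_.Category } |
        Select-Object -ExpandProperty ActivityDisplayName -Unique)

    [pscustomobject]@{
        User                 = $upn
        TotalDirectoryEvents = $events.Count
        DirectoryOnlyActions = ($dirActions -join '; ')
        # True: keep an Entra role. False: a candidate for a Defender XDR custom role.
        NeedsEntraRole       = ($dirActions.Count -gt 0)
    }
}

$report | Sort-Object NeedsEntraRole -Descending | Format-Table -AutoSize
```

Users reported with NeedsEntraRole = False are the pilot candidates for the "test with pilot accounts" step; an empty audit history does not prove a role is unused, so confirm with the team before removing it.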