Customer deleted the MDI default Entra ID groups "Azure ATP <workspace> ..."

SecNinja · ‎Apr 17 2024

Hi all,

one of our customers accidentally deleted the MDI default groups in Entra ID.

Unified RBAC is under discussion with the customer, but implementation will not be quick. Providing a Security Administrator is only a temporary solution and not a long-term one. We use these groups to access all details for MDI alerts. Without this access, sometimes we are unable to get the full picture of the alert.

Simply recreating the Entra ID groups does not seem to work.

Is there a way to get it working again without deleting the MDI workspace and recreating it?

I can't believe that no one else has encountered this issue before, but I found nothing."

thanks for helping

Eli Ofek · ‎Apr 17 2024

@SecNinja After recreating the groups in AAD, open a support case, and supply the new group names and AAD ID for each group.
Support can set those id's in the backend instead of the ones that were auto created upon workspace creation.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Customer deleted the MDI default Entra ID groups "Azure ATP <workspace> ..."

Customer deleted the MDI default Entra ID groups "Azure ATP <workspace> ..."

Re: Customer deleted the MDI default Entra ID groups "Azure ATP <workspace> ..."