Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Defender for Identity - Required permissions

Copper Contributor

Hi, in the Microsoft docs for DFI it calls out the following for permissions with DFI.


For Defender for Identity settings in Microsoft 365 Defender, ensure that you have the sufficient Azure Active Directory roles or you're a member of the Azure ATP (instance name) Administrators or the Azure ATP (instance name) Users Azure AD groups. 


I am trying to determine what roles are required for the installation and operation of the DFI service with M365 Defender.


Do we need to have the security reader role in M365D and user added to the Azure ATP Viewer group to access functionality, or are we able to do this with Azure AD roles like the Security Reader? Just looking for clarity as the above paragraph called out "Azure directory role or you're a member of Azure ATP...", but I cannot find a definition of the required AD roles supported.


I did see another post around unifying this with RBAC, but not sure if that is there currently. 


4 Replies

@Chris Waterworth 

Thank you for your feedback.

We've updated the documentation to better describe the permissions needed:


Hi @Martin_Schvartzman 

Security Administrator is not sufficient for creating the MDI Workspace. 

Since there are three groups created in the background when creating the MDI Workspace, you must be either Global Administrator or Security Administrator AND Group Administrator. 

I had opened a ticket at MS because of this issue. 


Or has anything changed here? 





Security Administrator should be enough. The groups are created by the 1st party 'Azure Advanced Threat Protection' application that gets registered in your tenant.

Then have you have to have the permission to register this application?
However: Security Admin was not sufficient 2 months ago. But maybe something has changed in the meantime.