Jul 24 2023 06:41 AM
It used to be simple. In ATP (now MDI), there used to be 3 groups used for administration/viewing (Azure ATP [workspace] Admin, Azure ATP [workspace] Users and Azure ATP [workspace] Viewers).
Having gone round and round in Role groups - Microsoft Defender for Identity | Microsoft Learn - I am now lost on whether this is still the case, as I have recently heard a few of my MDI "admins" (with the ATP User group) can no longer manage alerts. They used to be able to, and now it is greyed out and if you hover over the button it says "You don't have permissions to perform this action". Has RBAC gone up the wazzoo since the forced transition to the new portal? There is no menu/config for Identity permissions... so I don't even know where those groups are shown any more. Anyone know?
Jul 24 2023 06:59 AM
@StuartH, you can now create a custom role from the MD365 permission blade for the admins who need to manage the security alerts for MDI.
Jul 24 2023 07:13 AM
Hey @eliekarkafy
Thanks for the quick response. So, are you saying the previous ATP roles (Admin, User & Viewer) are no longer used? If they are supposed to be, they seem not to be working!
Can you detail your exact steps to get to Permissions & Roles|Microsoft Defender, as that is not what I see in our security.ms.com (Defender) portal as I see:
Jul 24 2023 07:18 AM
@StuartH, from the new permissions blade in Defender, under M365 Defender, click on Roles,
then click on custom role to create your MDI custom role.
Jul 24 2023 07:43 AM
@eliekarkafy mmm, that might be an issue, as I don't even see Microsoft 365 Defender as an item under Permissions. Is this valid for an Enterprise customer - RBAC not available for Defender for Business and hence why it is not showing? I have looked in two of our tenants, as a Global Admin, and it is not in either.
As an aside... can you tell me whether those "old" permissions groups are no longer used? I just don't see that doc'ed anywhere, and I would have thought that there would have been something doc'ed if there was some expectation on customers to migrate from the old way to the new way. Now we are seemingly in a position whereby our admins can't seem to manage MDI alerts. As a global admin, of course, I can still manage the backend MDI settings/sensors etc.
Jul 24 2023 07:51 AM - edited Jul 24 2023 12:20 PM
The ATP groups can be found in Azure AD under Groups.
Jul 24 2023 07:57 AM
@eliekarkafy - I am using Global Admin to view the Defender portal - so one would hope I could see it! That's what makes me think that something is awry here. If not available [yet], then it just enforces my other question, as to whether the "old" Admin/User/Viewer roles are still valid?
Jul 24 2023 08:10 AM
@StuartH, try to access it in a different way: go to Settings -- M365 Defender -- Permissions and Roles, and then click on Go to permissions and roles.
Did you enable that feature circled in yellow?
Jul 24 2023 08:19 AM
@eliekarkafy don't have that option shown either. I have looked in both of our tenants, both running as a Global Admin:
Jul 24 2023 09:13 AM
@eliekarkafy of course, I can log a ticket and will, but it is possible that all of this new RBAC stuff related to MDI is not public ready/released yet for an Enterprise org that is running Defender. Is that a fair assessment?
Question remains though - should the "older" Admin/User/Viewer ATP roles still work and be capable of being used? If so, then it is seemingly broken, and I would need a ticket for that too.
Jul 24 2023 12:19 PM
@StuartH, keep me posted with the MS reply.
Jul 27 2023 01:37 AM
@StuartH .
Hi, the classic MDI roles still work but have many caveats when used, such as the need for additional permissions to view all identity-related experiences, so the recommendations are to use the more granular M365 RBAC capabilities or global roles.
If you don't have the former available in your tenant, please send me your Tenant ID so I can check why it is not enabled.
Aug 02 2023 10:48 AM - edited Aug 03 2023 12:42 AM
OK, so after some tenuous conversations with support and PG:
None of the "stuff" is available UNLESS you have the Defender Preview enabled.
Once you enable that, you can import legacy roles (the Azure ATP groups), and then after lighting up the Identity workload... you are back to how things were before the move to the Defender Portal.
Not throwing anyone under the bus here, but why was it deemed a good call to put this behind a preview button, and not tell people about it? We have been using Azure ATP/MDI for 6+ years, and the move to the new portal actually seems to have broken all of the delegation which has worked well for all that time. Worst... it is not doc'ed.