Hey @eliekarkafy 

Thanks for the quick response. So, are you saying the previous ATP roles (Admin, User & Viewer) are no longer used ? If they are supposed to be, they seem not to be working !

Can you detail your exact steps to get to Permissions & Roles|Microsoft Defender, as that is not what I see in our security.ms.com (Defender) portal as I see:

@StuartH . from the new permissions blade in Defender, under M365 Defender click on Roles 

then click on custom role to create your MDI custom role 

@eliekarkafy  mmm, that might be an issue, as I don't even see Microsoft 365 Defender as an item under Permissions. Is this valid for an Enterprise customer - RBAC not available for Defender for Business and hence why it is not showing ?  I have looked in two of our tenants, as a Global Admin, and it is not in either 

Asides....can you tell me whether those "old" permissions groups are no longer used ?  I just don't see that doc'ed anywhere, and I would have thought that there would have been something doced if there was some expectation on customers to migrate from the old way to the new way. Now we are seemingly in a position whereby our admins can't seem to manage MDI alerts. As a global admin, of course, I can still manage the backend MDI settings/sensors etc.

The ATP groups can be found in Azure AD under group 

@eliekarkafy - I am using Global Admin to view the Defender portal - so one would hope I could see it !  That's what makes me think that something is awry here.  If not available [yet], then it just enforces my other question, as whether the "old" Admin/User/Viewer roles are still valid ?

@StuartH . try to access it in different way , go to settings -- M365 Defender -- Permissions and Roles and then click on Go to permissions and roles 

did you enable that feature circled in Yellow ? 

@eliekarkafy   don't have that option shown either.  I have looked in both of our tenants, both running as a Global Admin:

@eliekarkafy  of course, I can log a ticket and will, but it is possible that all of this new RBAC stuff related to MDI is not public ready/released yet for an Enterprise org that is running Defender. Is that a fair assessment ?

Question remains though - should the "older" Admin/User/Viewer ATP roles still work and be capable of being used ?  If so, then it is seemingly broken, and I would need a ticket for that too.

@StuartH . keep me posted with MS reply 

@StuartH . 
Hi, the classic MDI roles still work but have many caveats when used, such as the need for additional permissions to view all identity related experiences, so the recommendations are to use the more granular M365 RBAC capabilities or global roles.

If you don't have the former available in your tenant, please send me your Tenant ID so i can check why it is not enabled.

OK, so after some tenuous conversations with support and PG

None of the "stuff" is available UNLESS you have the Defender Preview enabled. 

Once you enable that, you can import legacy roles (the Azure ATP groups), and then after lightning up the Identity workload....you are back to how things were before the move to the Defender Portal move.

Not throwing anyone under the bus here, but why was it deemed a good call to put this behind a preview button, and not tell people about it ?  We have been using Azure ATP/MDI for 6+ years, and the move to the new portal actually seem to have broken all of the delegation which has worked well for all that time.  Worst....it is not doc'ed.