MDI Roles/Permissions - where art thou now ?

Brass Contributor

It used to be simple. In ATP (now MDI), there used to be 3 groups used for administration/viewing (Azure ATP [workspace] Admin, Azure ATP [workspace] Users and Azure ATP [workspace] Viewers).

Having gone round and round in Role groups - Microsoft Defender for Identity | Microsoft Learn - I am now lost on whether this is still the case, as I have recently heard a few of my MDI "admins" (with the ATP User group) can no longer manage alerts. They used to be able to, and now it is greyed out and if you hover over the button it says "You don't have permissions to perform this action".  Has RBAC gone up the wazzoo since the forced transition to the new portal ?  There is no menu/config for Identity permissions...so I don't even know where those groups are shown any more.  Anyone know ?

20 Replies

@StuartH . you can now create a custom role from MD365 permission blade for the admin they need to manage the security alerts for MDI. 

eliekarkafy_0-1690207067402.png

 

eliekarkafy_1-1690207102598.png

eliekarkafy_2-1690207142715.png

 

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

 

 

Hey @eliekarkafy 

Thanks for the quick response. So, are you saying the previous ATP roles (Admin, User & Viewer) are no longer used ? If they are supposed to be, they seem not to be working !

Can you detail your exact steps to get to Permissions & Roles|Microsoft Defender, as that is not what I see in our security.ms.com (Defender) portal as I see:

StuartH_0-1690207992777.png

 

@StuartH . from the new permissions blade in Defender, under M365 Defender click on Roles 

eliekarkafy_0-1690208216914.png

 

then click on custom role to create your MDI custom role 

 

eliekarkafy_1-1690208286740.png

 

 

 

@eliekarkafy  mmm, that might be an issue, as I don't even see Microsoft 365 Defender as an item under Permissions. Is this valid for an Enterprise customer - RBAC not available for Defender for Business and hence why it is not showing ?  I have looked in two of our tenants, as a Global Admin, and it is not in either :unamused:

 

Asides....can you tell me whether those "old" permissions groups are no longer used ?  I just don't see that doc'ed anywhere, and I would have thought that there would have been something doced if there was some expectation on customers to migrate from the old way to the new way. Now we are seemingly in a position whereby our admins can't seem to manage MDI alerts. As a global admin, of course, I can still manage the backend MDI settings/sensors etc.

 

 

The ATP groups can be found in Azure AD under group 

eliekarkafy_0-1690210357763.png

 

 

@eliekarkafy - I am using Global Admin to view the Defender portal - so one would hope I could see it !  That's what makes me think that something is awry here.  If not available [yet], then it just enforces my other question, as whether the "old" Admin/User/Viewer roles are still valid ?

yes they are still valid , but it should appear for you that option to create custom role for MDI .
Yes, and these are unchanged in our Azure AD....they have been there for 6+ years !! My point is....it does not seem that (in your example), Azure ATP newampio Users, is being honoured. Users in this group, can no longer manage alerts.....which they used to be able to do. Bug ?

@StuartH . try to access it in different way , go to settings -- M365 Defender -- Permissions and Roles and then click on Go to permissions and roles 

eliekarkafy_1-1690211342636.png

 

did you enable that feature circled in Yellow ? 

 

 

@eliekarkafy   don't have that option shown either.  I have looked in both of our tenants, both running as a Global Admin:

 

StuartH_0-1690211961056.png

 

if you're signing in with a Global admin and you're missing some settings, i suggest you open a ticket with the security team so they can check your tenant.

@eliekarkafy  of course, I can log a ticket and will, but it is possible that all of this new RBAC stuff related to MDI is not public ready/released yet for an Enterprise org that is running Defender. Is that a fair assessment ?

 

Question remains though - should the "older" Admin/User/Viewer ATP roles still work and be capable of being used ?  If so, then it is seemingly broken, and I would need a ticket for that too.

yes better to open a ticket with the security so they can check your issue with the ATP roles

@StuartH . keep me posted with MS reply 

@StuartH . 
Hi, the classic MDI roles still work but have many caveats when used, such as the need for additional permissions to view all identity related experiences, so the recommendations are to use the more granular M365 RBAC capabilities or global roles.

If you don't have the former available in your tenant, please send me your Tenant ID so i can check why it is not enabled.

OK, so after some tenuous conversations with support and PG

 

None of the "stuff" is available UNLESS you have the Defender Preview enabled. 

Once you enable that, you can import legacy roles (the Azure ATP groups), and then after lightning up the Identity workload....you are back to how things were before the move to the Defender Portal move.

 

Not throwing anyone under the bus here, but why was it deemed a good call to put this behind a preview button, and not tell people about it ?  We have been using Azure ATP/MDI for 6+ years, and the move to the new portal actually seem to have broken all of the delegation which has worked well for all that time.  Worst....it is not doc'ed.

Hi StuartH, happy to continue this discussion, can you please ping me at ort@microsoft.com so we can think of the proper way to make sure permissions are not broken during the portal transition?

@Or Tsemah  Thank you for this post as I'm experiencing a similar issue. I've followed the steps you listed to setup access to the MDI Health Reports but I seem to be a step or two away from completion. They sys admin that I'm testing with is able to see "Identities" under Settings. He can see "Health issues", "Advanced Settings", "About", and "Report Management", but he cannot see any data under 'Health Issues', nor can he see any servers under 'Sensors'. Can you help me identify what I'm missing? Please see attached screenshots.

 

Thanks!


Glenn

@tgo21 Looks like an issue with your tenant, can you please open a support ticket?