Blog Post

Microsoft Defender XDR Blog
3 MIN READ

Centrally manage permissions with the Microsoft 365 Defender role-based access control (RBAC) model

Gadi_Palatchi_MSFT's avatar
Jan 16, 2023

We are excited to announce the public preview of a central role-based access control (RBAC) capability to help unify roles and permissions management across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity.

 

The new Microsoft 365 Defender RBAC model, part of Microsoft’s leading Extended Detection and Response (XDR) solution, is an impactful enabler for security admins to centrally manage privileges across domains. It offers a unified and granular cross-services access permission model to help the Security Operations Center (SOC) increase productivity across the various Microsoft Defender products. Additionally, the new model is fully compatible with existing individual RBAC models currently supported in Microsoft 365 Defender portal.

 

Image 1: Access to the new Microsoft 365 Defender RBAC model from the Permissions page

 

The new Microsoft 365 Defender RBAC experience
Microsoft 365 Defender provides integrated threat protection, detection, and response across endpoints, email, identities, applications, and data within a single portal. The new RBAC model now takes this experience to the next level by allowing admins to centrally manage privileges across these services with a greater efficiency. While Defender for Cloud Apps is not covered in this initial preview, it will be added to the new RBAC model in the future.


The new model organizes permissions by categories. For example, the “Security operations” category includes permissions that are required to perform daily security operations activities and allows admins to either grant out-of-the-box permissions on a per category basis or select permissions one-by-one for custom roles.


In the new model, permissions can be scoped to individual users and/or security groups. By default, custom roles created in the Microsoft 365 Defender RBAC model are scoped to all data sources. However, if needed, a role can be scoped to one or more specific data sources.


To make it easy for you to adopt the new RBAC model, we support role import capabilities so that you can import existing roles from any of our current individual RBAC models to the new Microsoft 365 Defender RBAC model with a click of a button.

 

Image 2: Microsoft 365 Defender RBAC main grid. Here you can create new custom roles, import existing roles, activate the new RBAC model for one or more of your workloads, and access technical documentation.

 

Supported Products

  • Microsoft Defender for Endpoint – full support for all endpoint data and actions. All roles are compatible with Defender for Endpoint’s device group aligning.
  • Microsoft Defender for Office 365 – support for the SecOps scenarios that are managed in the Microsoft Defender portal.
    Note: Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online.
  • Microsoft Defender for Identity – Full support for all identity data and actions.
    Microsoft Defender for Cloud Apps – Will be added in the future.

 

Getting Started
Here is how you can get started with the new RBAC model:

If you don’t have any existing roles assigned:

  1. Start by creating custom roles: Enter the role name and description, select permissions, assign the role to users/a user group
  2. Activate Microsoft 365 Defender RBAC
  3. Edit or delete roles anytime as needed

You can find more details on how to create custom roles in our technical documentation.

If you have existing roles within any of the workloads:

  1. Import roles from the relevant workloads such as Defender for Endpoint, Defender for Identity or Defender for Office 365
  2. Review and modify as needed
  3. Activate M365 Defender RBAC

You can find more details on how to import roles in our technical documentation.

Notes:

  • There will be no immediate change to the way Microsoft 365 Defender enforces permissions until admins activate the new RBAC model per workload. Only after activation, the new custom roles and imported roles will become effective.
  • Only one permissions model can be honored at any given time, but the users will have the option to revert to the individual RBAC model if desired.

 

What about Azure Active Directory global roles and Privileged Identity Management?

Microsoft 365 Defender security portal will continue to respect existing Azure Active Directory global roles when you activate the Microsoft 365 Defender RBAC model for some or all workloads, i.e., Global Admins will retain assigned admin privileges.


However, with the new RBAC model you will have the flexibility to create more granular roles where appropriate, following the principle of least privilege and granting users only the privileges they need.

 

More information

  • Ready to get started? Check out our technical documentation on how to transition to the new Microsoft 365 Defender RBAC model
  • Let us know what you think! Share your feedback with us in the Microsoft 365 Defender portal feedback tool. Learn more about our feedback tool here.
Updated Oct 29, 2024
Version 2.0