Microsoft Defender XDR unified role-based access control (RBAC) model is now generally available
Published Dec 11 2023 09:00 AM

Managing permissions within large organizations across various workloads can be complex and time-consuming. For security operation center (SOC) teams, speed and efficiency matter in their daily work. To streamline permission management and improve efficiency for the SOC, this January we announced the public preview of the new role-based access control (RBAC) capability in Microsoft Defender XDR to help unify roles and permissions management across various domains.


Microsoft has continuously enhanced and expanded the unified RBAC model in Microsoft Defender XDR. Today we are excited to share the general availability (GA) of the Microsoft Defender XDR unified RBAC model, as well as the latest capabilities that further simplify permission management.


Coverage expansion
In addition to Microsoft Defender for Endpoint, Microsoft Defender for Office 365 (Exchange Online Protection), and Microsoft Defender for Identity, which have been covered since the initial announcement of the unified RBAC model, we are expanding the supported coverage to include the following workloads and data sources:


1. Exchange Online (EXO) permissions management for Microsoft Defender for Office 365 is now supported in Microsoft Defender XDR unified RBAC model to provide full integration of Defender for Office 365 roles and permissions.

In addition to the existing support for scenarios that are controlled by Exchange Online Protection (EOP) roles, configured in the Microsoft Defender portal under “Permissions > Email & collaboration roles,” the unified RBAC model now also supports the management of Exchange Online (EXO) roles and permissions, which could previously only be managed in the Exchange Admin Center. This expansion ensures that the unified RBAC model comprehensively supports all security permission management scenarios for Microsoft Defender for Office 365.


A new activation toggle has been added to the Workloads activation page. Notably, to activate Exchange Online (EXO) permissions in the unified RBAC model, Exchange Online Protection (EOP) permissions must be active first.

Image 1: A new activation toggle for activating unified RBAC for Exchange Online (EXO) permissions in Defender for Office 365.

2. Microsoft Defender Vulnerability Management permissions, for both the basic and the premium license level, are now integrated with the Microsoft Defender XDR unified RBAC model.

You can now control access and grant granular permissions for Microsoft Defender Vulnerability Management as part of the Microsoft Defender XDR unified RBAC model. You can add the new permissions to a custom role by selecting them from the Security posture permissions group when creating the role. Note that some of the permissions are available only with the Microsoft Defender Vulnerability Management premium service level.


3. Access to Microsoft Secure Score can now be managed based on dedicated new permissions added to the Microsoft Defender XDR Unified RBAC.

Previously, access to Secure Score was limited to Entra ID global roles such as Global Administrator. The recent expansion provides the flexibility to create custom roles tailored for Secure Score.


The enhanced unified RBAC model now also lets you create roles that manage users' permissions to access Secure Score data, based on new dedicated permissions, for the existing RBAC data sources, including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity, to help you with security posture management of your devices, identities, and Microsoft Office 365 apps.


Moreover, a new option, ‘Microsoft Secure score – additional data sources’ is now available. This option may be selected either independently or in conjunction with existing data sources for users to view Secure Score data from additional sources.

Image 2: New permissions for granting access to Microsoft Secure Score.

Image 3: New data source for Microsoft Secure Score additional sources.

Model enhancements – new granular permissions
In response to feedback from our customers, we have added two new granular permissions to the original model to meet our users' day-to-day needs and to better enable a least-privilege access practice for your analysts.


1. Detection tuning and security settings permissions

You can now assign a new granular permission called Detection tuning (manage) in the Microsoft Defender XDR unified RBAC model. This permission allows SOC analysts to create and manage Custom Detection, Alert Tuning, Threat Indicators of Compromise rules and Defender for Office 365 policies (e.g. the Tenant Allow/Block List, TABL) without granting them the full ‘Security Settings (manage)’ permission.


To add the new permissions to a custom role, simply select ‘Authorization and settings \ Security settings’ when creating or updating the role.


Furthermore, the permission name ‘Security settings’ has been updated to ‘Core security settings.’ This change has no impact on existing roles and permissions.

Image 4: Detection tuning (manage) permission under Authorization and settings \ Security settings.

2. File collection permission

You can now assign a new granular permission in the Microsoft Defender XDR unified RBAC model that allows users to collect or download files for analysis. This specific permission enables Microsoft Defender for Endpoint users to directly download files from the file page and during a live response investigation within the live response console. To add this new permission to a custom role, select it from the ‘Security operations’ permissions group when creating the role.


This new permission helps eliminate the need to grant analysts the ‘Advanced Live Response’ permission which, in certain cases, provides a broader range of access than necessary.

Image 5: File collection (manage) permission, under Security operations \ Security data.


Export roles more easily

Exporting your existing roles in unified RBAC to a CSV file is now easy. The exported file includes details such as the role name, associated permissions, assigned users or user groups, and allocated data sources. Where a role has multiple assignments, each assignment is listed on a separate row in the CSV file. The CSV also provides a snapshot of the unified RBAC activation status for each workload available on the tenant.

Image 6: New capability - Export roles
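As an added example (not Microsoft's code and not the portal's documented export format), the script below reads a constructed roles CSV shaped like the export described above and flags roles that still carry the broad ‘Core security settings (manage)’ or ‘Advanced live response (manage)’ permissions where the narrower ‘Detection tuning (manage)’ and ‘File collection (manage)’ permissions from the previous section may suffice. The column names and the exact permission labels are assumptions; adjust them to match a real export.

```python
import csv
import io

# Constructed sample of an exported unified RBAC roles CSV. Column names and
# permission labels are assumptions for this example, not the documented layout.
# One row per assignment, so a role with two data sources appears twice.
SAMPLE_EXPORT = """\
Role name,Permissions,Assigned to,Data sources
Tier1 Analysts,Core security settings (manage);Security data basics (read),sg-tier1,Microsoft Defender for Endpoint
Tier1 Analysts,Core security settings (manage);Security data basics (read),sg-tier1,Microsoft Defender for Office 365
Malware Triage,Advanced live response (manage);Security data basics (read),sg-triage,Microsoft Defender for Endpoint
Detection Eng,Detection tuning (manage),sg-deteng,Microsoft Defender for Endpoint
"""

# Broad permission -> granular permission added at GA that often covers the need.
NARROWER_ALTERNATIVE = {
    "Core security settings (manage)": "Detection tuning (manage)",
    "Advanced live response (manage)": "File collection (manage)",
}


def parse_roles(csv_text):
    """Return {role_name: {"permissions": set, "assignments": [(assignee, data_source)]}},
    merging the multiple rows that the export emits for a role with several assignments."""
    roles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = roles.setdefault(row["Role name"], {"permissions": set(), "assignments": []})
        entry["permissions"].update(p.strip() for p in row["Permissions"].split(";") if p.strip())
        entry["assignments"].append((row["Assigned to"], row["Data sources"]))
    return roles


def find_overbroad(roles):
    """List (role, broad permission, granular alternative) for every role that holds a
    broad permission with a narrower replacement; sorted by role name for stable output."""
    findings = []
    for name, entry in sorted(roles.items()):
        for broad, narrow in NARROWER_ALTERNATIVE.items():
            if broad in entry["permissions"]:
                findings.append((name, broad, narrow))
    return findings


if __name__ == "__main__":
    for role, broad, narrow in find_overbroad(parse_roles(SAMPLE_EXPORT)):
        print(f"{role}: holds '{broad}'; review whether '{narrow}' is sufficient")
```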

