Defender RBAC - Grant at least priviliged for Quarantine handling NOT WORKING

Copper Contributor

Hi everyone,

 

I've already deployed new Defender RBAC permission.

I want to assign permission for quarantine message handling WITHOUT Preview Message option.
I,ve configured Defender RBAC in follow settings:

 

 

Defender RBAC 6.jpg

Defender RBAC 2 1.jpg

Defender RBAC 1.jpg

 

Defender RBAC 3.jpg

 

I've assgined only Security Basic (read) 
NOT Quarantine handle and NOT Quarantine RAW Contect permission

 

Effect (in production!)

Defender RBAC 4.jpg

Defender RBAC 5 1.jpg

I can't assign at-least permission.

 

Currently everyone who has at least permission in Defender RBAC can read all email content for everyone user in organization!! 

Anyone can help with this case?

 

Follow Defender RBAC docs this user should not have any permission for reading other mails!

 

--

Kind Regards

 

      

  

7 Replies
Thank you for sharing this detailed case. The team was able to repro it, and they are on it.

@MarcinRDR thanks for bringing this feedback to our attention. 

 

After investigation into the concern you raised, we have found that this is by design. 

 

Security reader role have the permission Review and preview all messages that have been quarantined for all users in the organization. Manage quarantined messages and files as an admin | Microsoft Learn

 

please note that this is specifically for Quarantined messages. This does not apply to messages that have already made it to the user inbox folder. 

 

this design has always existed prior to Unified role-based access control feature. 

Hi,

Thanks for answer.
My users is assigned only to Defender RBAC.
Tested user has not been assigned in Entra ID roles as security reader or security admin.
The user has not been assigned to any roles in Entra ID or Azure RBAC
I've still got problems with this configuration.
What is status resolving this case?
Has everyone similar problem?
In my opinion this is important for quarantine handle features.

@MarcinRDR Hi Marcin, @Faith-Ebenezer_Oquong wrote earlier, that this is by design.

Ok I understand.
I'm wondering why is "content read" option in Defender RBAC if I can not use it for handle quarantine without message content view for my sub admins (only manage mail)

For example, admin can use increase phish and spam threshold
It result, many false positive message forward to quarantine
Admin can read content most of confidential VIP's emails.
In some malicious cases, admin can leverage this design for read content for confidential messages.

Anyway thanks for information.

Hi Marcin,
Let me resurface Faith's response above.

We make the distinction between reading the content of bad emails vs all emails.

Any security analyst can Preview email content for Quarantined emails, to decide if this email should be released or not. This is available for the Entra ID Security Reader as well.

To Preview all emails across the organization, including those that in the inbox of some users, a security analyst will need an additional permission, Security Operations/Email & collaboration content (read) permission in Defender XDR (or EOP Preview role).