Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Defender RBAC - Grant at least priviliged for Quarantine handling NOT WORKING

Copper Contributor

Hi everyone,

 

I've already deployed new Defender RBAC permission.

I want to assign permission for quarantine message handling WITHOUT Preview Message option.
I,ve configured Defender RBAC in follow settings:

 

 

Defender RBAC 6.jpg

Defender RBAC 2 1.jpg

Defender RBAC 1.jpg

 

Defender RBAC 3.jpg

 

I've assgined only Security Basic (read) 
NOT Quarantine handle and NOT Quarantine RAW Contect permission

 

Effect (in production!)

Defender RBAC 4.jpg

Defender RBAC 5 1.jpg

I can't assign at-least permission.

 

Currently everyone who has at least permission in Defender RBAC can read all email content for everyone user in organization!! 

Anyone can help with this case?

 

Follow Defender RBAC docs this user should not have any permission for reading other mails!

 

--

Kind Regards

 

      

  

3 Replies
Thank you for sharing this detailed case. The team was able to repro it, and they are on it.

@MarcinRDR thanks for bringing this feedback to our attention. 

 

After investigation into the concern you raised, we have found that this is by design. 

 

Security reader role have the permission Review and preview all messages that have been quarantined for all users in the organization. Manage quarantined messages and files as an admin | Microsoft Learn

 

please note that this is specifically for Quarantined messages. This does not apply to messages that have already made it to the user inbox folder. 

 

this design has always existed prior to Unified role-based access control feature. 

Hi,

Thanks for answer.
My users is assigned only to Defender RBAC.
Tested user has not been assigned in Entra ID roles as security reader or security admin.
The user has not been assigned to any roles in Entra ID or Azure RBAC