Forum Discussion
Defender RBAC - Grant at least priviliged for Quarantine handling NOT WORKING
Hi everyone,
I've already deployed new Defender RBAC permission.
I want to assign permission for quarantine message handling WITHOUT Preview Message option.
I,ve configured Defender RBAC in follow settings:
I've assgined only Security Basic (read)
NOT Quarantine handle and NOT Quarantine RAW Contect permission
Effect (in production!)
I can't assign at-least permission.
Currently everyone who has at least permission in Defender RBAC can read all email content for everyone user in organization!!
Anyone can help with this case?
Follow Defender RBAC docs this user should not have any permission for reading other mails!
--
Kind Regards
- HeikeRitter
Microsoft
Thank you for sharing this detailed case. The team was able to repro it, and they are on it.- FaithEbenezerOquong
MarcinRDR thanks for bringing this feedback to our attention.
After investigation into the concern you raised, we have found that this is by design.
Security reader role have the permission Review and preview all messages that have been quarantined for all users in the organization. Manage quarantined messages and files as an admin | Microsoft Learn
please note that this is specifically for Quarantined messages. This does not apply to messages that have already made it to the user inbox folder.
this design has always existed prior to Unified role-based access control feature.
- Hi,
Thanks for answer.
My users is assigned only to Defender RBAC.
Tested user has not been assigned in Entra ID roles as security reader or security admin.
The user has not been assigned to any roles in Entra ID or Azure RBAC
- I've still got problems with this configuration.
What is status resolving this case?
Has everyone similar problem?
In my opinion this is important for quarantine handle features.- HeikeRitter
MarcinRDR Hi Marcin, FaithEbenezerOquong wrote earlier, that this is by design.
