SOLVED

Defender XDR Unified RBAC - Cannot manage incidents

Brass Contributor

I've been configuring the new Defender XDR Unified RBAC roles, and two things that I cannot find permissions for are managing incidents and alerts.  No matter what I configure, those buttons stay greyed out.  This is despite configuring a role that has all Security Operations and Security Posture read and manage permissions.  

 

Other functions are working, for instance being able to block users via the TABL, or Search & Purge permissions.  

 

Can I please get some help?

 

6 Replies

Thank you for contacting us with your inquiry.
May I ask whether you have activated Unified RBAC with any of the workloads? If so, which ones?
Can you also share which data sources you have included in the role assignment?
As for the Email & compliance functions you've mentioned that are working properly, note that if you haven't activated Unified RBAC for Email & compliance (both toggles), access to these functions is managed via roles defined in Admin Center.

Hello Gadi,

I have activated the following workloads:
- Endpoints & Vulnerability Management
- Email & Collaboration (both Defender for Office 365 & Exchange Online permissions)
- Secure Score

Identity is greyed out. We do not have on-premise AD.

I enabled all data sources in the assignment (MDE, MDO, MDI, MDC, and Secure Score).

Thank you,
- Steve

Hello Gadi,

I just realized that I CAN manage incidents where the detection source is MDO. I CANNOT manage incidents where the detection source is Microsoft Defender for Cloud Apps. Is this not possible currently with the Unified RBAC?
best response confirmed by SKadish (Brass Contributor)
Solution

Thank you Steve for this update.
Defender for Cloud Apps is not yet supported by Unified RBAC. As you can see when creating a new role, the list of available data sources in the assignment stage does not include Defender for Cloud Apps as an option. You can continue granting access to Defender for Cloud Apps data and experiences using the individual workload RBAC (in parallel to using Unified RBAC with the rest of the workloads).

Hi Gadi,

Thank you. Is Defender for Cloud Apps support on the Unified RBAC roadmap? If so, is there an anticipated timeframe?

Hi Steve,
We continue to improve and expand the product so that it will cover more and more areas and meet end users' needs as well as possible.
Please stay tuned and continue to follow our releases for new capabilities in the future.