Help with custom role for Service desk staff


I've been tasked with granting members of our Service desk the ability to perform two specific actions against user accounts within the Defender portal. Please see attached screenshot.

  • Suspend user in Entra ID

  • Require user to sign in again

Does anyone know if this is possible? I can't find any Microsoft documentation explaining what level of permission is required to perform these actions.


Regards,

Graham

8 Replies

Hi, for response actions on Entra ID you need an Entra ID role outside the RBAC of Defender XDR.

Suspend User in Entra ID:
To suspend a user in Entra ID, you need to have the appropriate permissions in Microsoft Entra ID.
This action typically requires the User Administrator or Identity Governance Administrator role.

Require User to Sign In Again:
This action can be performed by users with the Security Administrator or Global Administrator role in Microsoft Entra.
This role allows you to manage security settings and enforce sign-in policies.
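The reply above says the two Defender portal buttons depend on an Entra ID directory role rather than on Defender XDR RBAC. One way to check that, independently of the portal, is to look at which directory roles the helpdesk test account actually holds and then drive the two underlying operations through Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph modules are installed, and the two UPNs (`helpdesk-test@contoso.com`, `user@contoso.com`) are placeholders. It does not settle which Defender portal permission gates the buttons themselves, which the thread leaves open.

```powershell
# Added example (not from the thread). Placeholder accounts:
$helpdesk = "helpdesk-test@contoso.com"   # account that will use the Defender portal
$target   = "user@contoso.com"            # account to be suspended / signed out

# Sign in as the helpdesk test account so the calls run with its effective rights.
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.Read.All" -NoWelcome

# 1. List the directory roles the helpdesk account is an active member of.
#    Roles that are only PIM-eligible (not activated) or granted through a
#    role-assignable group may not appear here, which is one reason a portal
#    action can still be greyed out after a role was "assigned".
Get-MgUserMemberOf -UserId $helpdesk -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

# 2. "Require user to sign in again": invalidate the user's refresh tokens and
#    session cookies so every client has to re-authenticate.
Revoke-MgUserSignInSession -UserId $target

# 3. "Suspend user in Entra ID": block sign-in by disabling the cloud account.
#    Assumption worth checking in your tenant: for an account synced from on-prem AD
#    the enabled state is mastered on-prem, so this write may be rejected. Catch the
#    error instead of assuming it succeeded.
try {
    Update-MgUser -UserId $target -AccountEnabled:$false -ErrorAction Stop
} catch {
    Write-Warning "Could not disable $target in Entra ID: $($_.Exception.Message)"
}

# 4. Confirm the resulting state and whether the account is synced from on-prem.
Get-MgUser -UserId $target -Property accountEnabled,onPremisesSyncEnabled |
    Select-Object AccountEnabled, OnPremisesSyncEnabled
```

If step 1 shows the expected role but step 2 or 3 is refused, the problem is with the role assignment being effective (PIM activation, scope, or group-based assignment) rather than with the Defender portal; if Graph succeeds while the portal buttons stay greyed out, the portal is checking something other than the Entra ID role.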

Thank you, I will give that a go!

I hope I was helpful.
Maybe in the future you can have more granular controls on these operations.
If the answer was satisfactory mark it as the best.

@micheleariis Having assigned the below roles to a test account, I unfortunately still do not have access to 'Suspend user in Entra ID' or 'Require user to sign in again'. Please see attached screenshot. I of course cannot assign the Global Administrator role to these helpdesk accounts.


  • Security Administrator
  • Identity Governance Administrator
  • User Administrator

Are the users on-prem?

Yes, on-prem AD accounts synced with Entra ID

@G_Man If you try on a cloud-only user, does it work?

Sorry, which accounts are you referring to? The account that is accessing the Defender portal or the user accounts that need suspending or signed in again?

Currently the account accessing the Defender portal is an Entra ID cloud account and the end user accounts are on-prem AD accounts synced with Entra ID.

I have a Global Admin account (Entra ID / cloud account) that can access all Microsoft systems, and this account has the ability to carry out the below actions, so it must be possible!

  • 'Suspend user in Entra ID'

  • 'Require user to sign in again'