Microsoft Tech Community

Least privileged role for the "Suspend user in AAD" action


Hello,

We are trying to find the least privileged role for our SOC members so that the "Suspend user in AAD" and "Require user to sign in again" actions are available on the user page of Microsoft 365 Defender.
So far we have only seen them available to Global Administrators.

[Screenshot: Screenshot 2023-03-03 at 08.49.09.png]

We are using the new Defender RBAC for all three products (Endpoints, Email and Collaboration, Identity)

The permissions and roles in the Microsoft 365 Defender RBAC are configured like this for our SOC group:
Security operations -> All read and manage permissions -> All Scopes
So far we have tried adding the SOC members to the following Azure AD roles:
- "Security Operator" does not show these actions for AAD users (but it shows the similar actions for Active Directory users when you have MDI configured: "Disable user in AD", "Enable users in AD", "Force password reset")

[Screenshot: Screenshot 2023-03-03 at 11.17.05.png]
- "Authentication administrator" does not show these actions for AAD users, but if we go to the user's page in Azure AD (via the "Azure AD account settings" link), the options to disable or re-authenticate the user's account are obviously available because of this role
Is there a role other than Global Admin for this feature to be visible?

Or will this feature and AzureAD Identity Protection in general be better integrated in future enhancements of Microsoft 365 Defender RBAC?

2 Replies

Hey Stefan,
For AAD response actions, this does require an AAD role outside of M365D RBAC. The least privilege permission as it stands today is Security Admin.
HTH,
Dean.

Hi Dean,
I wouldn't have guessed this role, especially since none of the actions in https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-admini... seem to allow actions against users.
We will weigh which role to use, but will probably stick with authentication admin for now.
Are there any plans to integrate these AzureAD (and Active Directory/MDI) response permissions into Defender RBAC?
Best regards
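As an added illustration, not part of the thread and not Microsoft's own tooling: the two Defender user-page actions discussed above map to disabling the account and invalidating its refresh tokens in Azure AD, which an analyst can also perform directly with the Microsoft Graph PowerShell SDK under whichever directory role the tenant settles on (the thread reports that Authentication Administrator exposes both in the Azure AD portal). The cmdlet names and Graph scopes are real; the `$TargetUpn` parameter, the two switches, the interactive sign-in and the role printout are assumptions of this example, and it must be run by an account that actually holds a role permitted to do this.

```powershell
# Added example, not from the thread. Performs the equivalent of
# "Suspend user in AAD" and "Require user to sign in again" via Microsoft Graph.
# Assumptions (not on the page): Microsoft.Graph module installed, interactive
# sign-in, and $TargetUpn is the user being contained.
param(
    [Parameter(Mandatory = $true)][string]$TargetUpn,
    [switch]$Suspend,        # equivalent of "Suspend user in AAD"
    [switch]$ForceReauth     # equivalent of "Require user to sign in again"
)

# Delegated scopes only bound what the app may ask for; what actually succeeds
# is decided by the signed-in analyst's directory role.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All', 'Directory.Read.All'

# Print the directory roles the signed-in analyst holds, so a "the action is
# not shown" report can be compared against real role membership.
$me = Get-MgContext
$roles = Get-MgUserMemberOf -UserId $me.Account -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
Write-Host "Signed in as $($me.Account); directory roles: $($roles -join ', ')"

$user = Get-MgUser -UserId $TargetUpn -Property id,userPrincipalName,accountEnabled
Write-Host "Target $($user.UserPrincipalName), accountEnabled=$($user.AccountEnabled)"

if ($Suspend) {
    # Blocks all new sign-ins; existing tokens stay valid until they expire,
    # which is why the second action exists.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Write-Host "Disabled sign-in for $($user.UserPrincipalName)"
}

if ($ForceReauth) {
    # Invalidates the user's refresh tokens so open sessions must re-authenticate.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Host "Revoked sign-in sessions for $($user.UserPrincipalName)"
}
```

Run it as `.\Contain-User.ps1 -TargetUpn alice@contoso.com -Suspend -ForceReauth` (script name and UPN are placeholders). If the account lacks a role that grants the underlying permissions, the `Update-MgUser` or `Revoke-MgUserSignInSession` call fails with an authorization error, which is the same constraint the portal enforces by hiding the buttons.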