After adapting the New M365D RBAC model, the analyst are unable to block the sender or malicious domain, file and URL from explorer menu because Microsoft not mapped the Tenant AllowBlockList Manager role in the new M365D RBAC model.
The roles that we were using for MDO in legacy model | Defender for Office (EOP) role group Below are the EOP role group and group contains different roles. These groups cover the our legacy model roles. | Microsoft 365 Defender RBAC permission |
Security Reader | Security reader | Security operations \ Security data \Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read) |
View-Only DLP Compliance Management | Global reader | Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read) |
View-Only Device Management View-Only IB Compliance Management | Security administrator | Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (read)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions) |
Tag Contributor | Organization Management | Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email advanced actions (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (All permissions)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions) |
| View-Only Recipients | Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read) |
Preview | Preview | Security operations\ Security operations \ Raw data (Email & collaboration) \ Email content (read) |
Search And Purge | Search and Purge | Security operations \ Security data \ Email advanced actions (manage) |
View-Only Manage Alerts | View-Only Manage Alerts | Security operations \ Security data \ Security data basics (read) |
Manage Alerts | Manage Alerts | Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage) |
View-Only Audit Logs | View-only Audit Logs | Security operations \ Security data \ Security data basics (read) |
| Audit Logs | Security operations \ Security data \ Security data basics (read) |
Quarantine | Quarantine | Security operations \ Security data \ Email quarantine (manage) |
| Role Management | Authorization and settings \ Authorization (All permissions) |
Tenant AllowBlockList Manager | Security Operator | Not mapped |
