Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Tenant AllowBlockList Manager is not mapped in new Microsoft 365 Defender RBAC model

Copper Contributor

After adapting the New M365D RBAC model, the analyst are unable to block the sender or malicious domain, file and URL from explorer menu because Microsoft not mapped the Tenant AllowBlockList Manager role in the new M365D RBAC model.

 

The roles that we were using for MDO in legacy model

Defender for Office (EOP) role group

 

Below are the EOP role group and group contains different roles. These groups cover the our legacy model roles.

Microsoft 365 Defender RBAC permission

Security Reader

 

Security reader

Security operations \ Security data \Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read)

View-Only DLP Compliance Management

 

Global reader

Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read)

View-Only Device Management

 

View-Only IB Compliance Management

 

 

Security administrator

Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (read)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions)

Tag Contributor

 

Organization Management

Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email advanced actions (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (All permissions)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions)

 

View-Only Recipients

Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)

Preview

 

Preview

Security operations\ Security operations \ Raw data (Email & collaboration) \ Email content (read)

Search And Purge

 

Search and Purge

Security operations \ Security data \ Email advanced actions (manage)

View-Only Manage Alerts

View-Only Manage Alerts

Security operations \ Security data \ Security data basics (read)

Manage Alerts

 

Manage Alerts

Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)

View-Only Audit Logs

 

View-only Audit Logs

Security operations \ Security data \ Security data basics (read)

 

Audit Logs

Security operations \ Security data \ Security data basics (read)

Quarantine

Quarantine

Security operations \ Security data \ Email quarantine (manage)

 

Role Management

Authorization and settings \ Authorization (All permissions)

Tenant AllowBlockList Manager

 

Security Operator

 

Not mapped

4 Replies

Hi @zubairrahimsoc

Have you found a workaround for the Tenant AllowBlockList Manager role? 

A workaround is to assign the Security Administrator role but it beats the purpose of having people with less permissions and roles. 

I have the same problem, is there any update to this?
I found this solution to the sync problem.

https://sekureco42.ch/posts/microsoft-defender-for-office-365-least-privileges/

I'm not sure if it works, I'm just testing this out right now, but need to wait for the permissions to update.

Hi @Raúl Millán,

Are you trying this with a native account or with a B2B (guest account)?

 

You can also have a look at this response: Re: Microsoft Defender XDR Unified RBAC | Tenant Allow/Block List, entry addition error - Microsoft ...