Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Microsoft Defender XDR Unified RBAC | Tenant Allow/Block List, entry addition error

Copper Contributor

Hello community,

 

I'm looking into an issue that has appeared using the new Unified RBAC permissions in Defender XDR portal.

 

First of all, the user that is trying to perform the action is invited to a tenant as a guest user. The user is then assigned the Security Reader & Security Operator role. 

When accessing the Tenant Allow/Block List page in Defender XDR and trying to add a new entry, the user is met with the following error message:

arapsomanikis_0-1706280475219.png

 

Unfortunately, the message is very generic. The new entry has been tested with both an email address, as well as a TLD. In both cases, the result was the same. 

 

The user has been assigned the following permissions, with Workloads enabled, on all Data Sources:

arapsomanikis_1-1706280979641.pngarapsomanikis_2-1706281001368.png

arapsomanikis_3-1706281024411.png

 

While the Detection tuning (manage) permission, should be sufficient to complete this action, it appears that it's not. Should there be an additional permission assigned or would this indicate a different issue?

 

Thank you for your time.

 

 

2 Replies

Hello @a-rapsomanikis,

We are experiencing some issues with Invited guests and their access to some MDO experiences , that were previously controlled by EXO roles (this is including TABL).

As a temporary workaround, you may need to disable Defender XDR RBAC for Email & Collaboration / Exchange Online section. 

You may also need to re-assign the Entra ID roles in the Microsoft Admin Center
go to ‎Role assignments‎ - ‎ Microsoft 365 admin center‎ > select "Exchange" roles tab > search for a "Security Administrator" role group > in the Security Administrator role group flyout, select "Permissions" tab > select "Security Admin" and click save. 

@Marina_Kidron confirming this workaround is functional. 

Thank you for your continuous support and for introducing this workaround.