Centrally manage permissions with the Microsoft 365 Defender role-based access control (RBAC) model
Published Jan 16 2023 07:00 AM

We are excited to announce the public preview of a central role-based access control (RBAC) capability to help unify roles and permissions management across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity.

The new Microsoft 365 Defender RBAC model, part of Microsoft’s leading Extended Detection and Response (XDR) solution, is an impactful enabler for security admins to centrally manage privileges across domains. It offers a unified and granular cross-service permission model that helps the Security Operations Center (SOC) increase productivity across the various Microsoft Defender products. Additionally, the new model is fully compatible with the existing individual RBAC models currently supported in the Microsoft 365 Defender portal.


Image 1: Access to the new Microsoft 365 Defender RBAC model from the Permissions page


The new Microsoft 365 Defender RBAC experience
Microsoft 365 Defender provides integrated threat protection, detection, and response across endpoints, email, identities, applications, and data within a single portal. The new RBAC model takes this experience to the next level by allowing admins to centrally manage privileges across these services with greater efficiency. While Defender for Cloud Apps is not covered in this initial preview, it will be added to the new RBAC model in the future.


The new model organizes permissions by category. For example, the “Security operations” category includes the permissions required to perform daily security operations activities. Admins can either grant the out-of-the-box permissions on a per-category basis or select permissions one by one for custom roles.


In the new model, permissions can be scoped to individual users and/or security groups. By default, custom roles created in the Microsoft 365 Defender RBAC model are scoped to all data sources. However, if needed, a role can be scoped to one or more specific data sources.


To make it easy for you to adopt the new RBAC model, we support role import capabilities so that you can import existing roles from any of our current individual RBAC models into the new Microsoft 365 Defender RBAC model with a click of a button.

Image 2: Microsoft 365 Defender RBAC main grid. Here you can create new custom roles, import existing roles, activate the new RBAC model for one or more of your workloads, and access technical documentation.


Supported Products

  • Microsoft Defender for Endpoint – full support for all endpoint data and actions. All roles are compatible with Defender for Endpoint’s device groups.
  • Microsoft Defender for Office 365 – support for the SecOps scenarios that are managed in the Microsoft Defender portal.
    Note: Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online.
  • Microsoft Defender for Identity – full support for all identity data and actions.
  • Microsoft Defender for Cloud Apps – will be added in the future.


Getting Started
Here is how you can get started with the new RBAC model:

If you don’t have any existing roles assigned:

  1. Start by creating custom roles: enter the role name and description, select permissions, and assign the role to users or a user group
  2. Activate Microsoft 365 Defender RBAC
  3. Edit or delete roles anytime as needed

You can find more details on how to create custom roles in our technical documentation.

If you have existing roles within any of the workloads:

  1. Import roles from the relevant workloads such as Defender for Endpoint, Defender for Identity or Defender for Office 365
  2. Review and modify as needed
  3. Activate M365 Defender RBAC

You can find more details on how to import roles in our technical documentation.

Notes:

  • There will be no immediate change to the way Microsoft 365 Defender enforces permissions until admins activate the new RBAC model per workload. Only after activation will the new custom roles and imported roles become effective.
  • Only one permissions model can be honored for a workload at any given time, but users will have the option to revert to the individual RBAC model if desired.

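To make the activation and scoping rules in the Getting Started steps and the notes above concrete, here is a small constructed model of how such a permission check behaves. It is an added example and not Microsoft's implementation: the workload identifiers (MDE, MDO, MDI), the user and group names, the legacy-role dictionary and the order in which checks are evaluated are assumptions; only the shape of the permission strings ("Category \ Group \ Permission (level)") follows the portal's naming.

```python
# Constructed model of the permission semantics described in this post: per-workload
# activation, data-source scoping, and Azure AD global roles that keep their privileges.
# Assumption: this is NOT Microsoft's implementation; role names, permission strings,
# workload ids, user/group names and the decision order are illustrative only.
from __future__ import annotations

from dataclasses import dataclass, field

WORKLOADS = frozenset({"MDE", "MDO", "MDI"})  # Endpoint, Office 365, Identity (constructed ids)

# Permission strings follow the "Category \ Group \ Permission (level)" naming used in the portal.
PERM_READ = "Security operations \\ Security data \\ Security data basics (read)"
PERM_ALERTS = "Security operations \\ Security data \\ Alerts (manage)"
PERM_QUARANTINE = "Security operations \\ Security data \\ Email quarantine (manage)"


@dataclass(frozen=True)
class UnifiedRole:
    name: str
    permissions: frozenset[str]
    data_sources: frozenset[str] = frozenset()  # empty = all data sources (the default)
    members: frozenset[str] = frozenset()       # user ids and/or security group ids


@dataclass
class Tenant:
    unified_roles: list[UnifiedRole]
    legacy: dict[str, dict[str, frozenset[str]]]          # workload -> user -> permissions
    group_members: dict[str, frozenset[str]] = field(default_factory=dict)
    global_admins: frozenset[str] = frozenset()
    activated: set[str] = field(default_factory=set)      # workloads on the unified model


def activate(tenant: Tenant, workload: str) -> None:
    """Switch one workload to the unified model; only one model is honored per workload."""
    if workload not in WORKLOADS:
        raise ValueError(f"unknown workload {workload!r}")
    tenant.activated.add(workload)


def revert(tenant: Tenant, workload: str) -> None:
    """Fall back to the individual (legacy) RBAC model for one workload."""
    tenant.activated.discard(workload)


def is_allowed(tenant: Tenant, user: str, permission: str, workload: str) -> bool:
    if user in tenant.global_admins:          # AAD global roles are still respected
        return True
    if workload not in tenant.activated:      # not activated: legacy per-product roles apply
        return permission in tenant.legacy.get(workload, {}).get(user, frozenset())
    # Activated: evaluate unified roles assigned directly or through a security group.
    principals = {user} | {g for g, m in tenant.group_members.items() if user in m}
    for role in tenant.unified_roles:
        if not role.members & principals:
            continue
        if role.data_sources and workload not in role.data_sources:
            continue                          # role is scoped to other data sources
        if permission in role.permissions:
            return True
    return False


def excess_permissions(role: UnifiedRole, required: set[str]) -> list[str]:
    """Review step for imported roles: what the role grants beyond what the task needs."""
    return sorted(role.permissions - required)


def demo_tenant() -> Tenant:
    """Constructed sample tenant: MDE and MDI activated, MDO still on the legacy model."""
    triage = UnifiedRole(
        "Alert triage (imported from MDE)",
        permissions=frozenset({PERM_READ, PERM_ALERTS}),
        data_sources=frozenset({"MDE", "MDI"}),
        members=frozenset({"soc-tier1"}),
    )
    return Tenant(
        unified_roles=[triage],
        legacy={"MDO": {"bob": frozenset({PERM_QUARANTINE})}},
        group_members={"soc-tier1": frozenset({"alice"})},
        global_admins=frozenset({"ga-admin"}),
        activated={"MDE", "MDI"},
    )


if __name__ == "__main__":
    t = demo_tenant()
    print(is_allowed(t, "alice", PERM_ALERTS, "MDE"))       # group member, scoped data source
    print(is_allowed(t, "alice", PERM_ALERTS, "MDO"))       # MDO not activated, no legacy role
    print(is_allowed(t, "bob", PERM_QUARANTINE, "MDO"))     # legacy role still honored
    activate(t, "MDO")
    print(is_allowed(t, "bob", PERM_QUARANTINE, "MDO"))     # legacy role no longer counts
    print(excess_permissions(t.unified_roles[0], {PERM_READ}))
```

The two points worth noticing are that an imported role grants nothing until its workload is activated, and that after activation a user who only held a legacy role loses access until a unified role covers them; `excess_permissions` is the "review and modify" step applied before activation so the imported role is trimmed to least privilege.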

What about Azure Active Directory global roles and Privileged Identity Management?

The Microsoft 365 Defender security portal will continue to respect existing Azure Active Directory global roles when you activate the Microsoft 365 Defender RBAC model for some or all workloads, i.e., Global Admins will retain their assigned admin privileges.


However, with the new RBAC model you will have the flexibility to create more granular roles where appropriate, following the principle of least privilege and granting users only the privileges they need.


More information

  • Ready to get started? Check out our technical documentation on how to transition to the new Microsoft 365 Defender RBAC model
  • Let us know what you think! Share your feedback with us in the Microsoft 365 Defender portal feedback tool. Learn more about our feedback tool here.
19 Comments
Copper Contributor

What about auditlogs?

Steel Contributor

Can this also be managed by PowerShell or Graph?

While not available as part of the initial release, enabling auditlogs as well as integrating the new RBAC model with Graph are on our roadmap.

Steel Contributor

@Gadi_Palatchi_MSFT

Great to hear that's on the roadmap.

Copper Contributor

@Gadi_Palatchi_MSFT After adopting the new M365 RBAC model, the analysts are unable to block the sender or malicious domain, file and URL from the Explorer menu because Microsoft has not mapped the Tenant AllowBlockList Manager role in the new MD RBAC model.


The roles that we were using for MDO in the legacy model

Defender for Office (EOP) role group

Below are the EOP role groups, and each group contains different roles. These groups cover our legacy model roles.

Microsoft 365 Defender RBAC permission

Security Reader

Security reader
Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read)

View-Only DLP Compliance Management

Global reader
Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read)

View-Only Device Management

View-Only IB Compliance Management

Security administrator
Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (read)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions)

Tag Contributor

Organization Management
Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email advanced actions (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (All permissions)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions)

View-Only Recipients
Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)

Preview

Preview
Security operations \ Raw data (Email & collaboration) \ Email content (read)

Search And Purge

Search and Purge
Security operations \ Security data \ Email advanced actions (manage)

View-Only Manage Alerts

View-Only Manage Alerts
Security operations \ Security data \ Security data basics (read)

Manage Alerts

Manage Alerts
Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)

View-Only Audit Logs

View-only Audit Logs
Security operations \ Security data \ Security data basics (read)

Audit Logs
Security operations \ Security data \ Security data basics (read)

Quarantine

Quarantine
Security operations \ Security data \ Email quarantine (manage)

Role Management
Authorization and settings \ Authorization (All permissions)

Tenant AllowBlockList Manager

Security Operator

Not mapped

@zubairrahimsoc Currently, this new RBAC model supports MDO Exchange Online Protection (EOP) permissions only. However, we are actively working on expanding this support to include permissions managed in Exchange online within the Microsoft 365 Defender RBAC model as well. Permissions managed in Exchange online shall currently be granted via the admin center, even if the new RBAC model for MDO is activated.

Copper Contributor

@Gadi_Palatchi_MSFT I cannot find it in our tenant. Clicking the link (from the docs):

  1. Settings.
  2. Select Microsoft 365 Defender.
  3. Select Permissions and roles.

I'm being redirected to Security homepage. Is this feature available for Microsoft Business Premium (which include Microsoft Defender for Business)?

@xorMichal The new RBAC model is not available for Microsoft Defender for Business.

Copper Contributor

@Gadi_Palatchi_MSFT Thank you for your answer! Then there is no RBAC model for Microsoft Defender for Business at all, right? Are there any plans to introduce it there?

@xorMichal At the moment, for Microsoft Defender for Business customers, access control is managed based on Azure Active Directory global roles only. Enabling other RBAC models for this segment is not on the roadmap at the moment but might be considered in the future.

Copper Contributor

Hi team,

How would this work for MSSP partners? Can you assign GDAP partner technicians to those roles, or is B2B still the only option?

Hi @Lajdva,

The Microsoft 365 Defender Unified RBAC model is currently not supported with GDAP connection scenarios. However, the B2B connection option is fully supported.

Copper Contributor

Hi @Gadi_Palatchi_MSFT ,

regarding the following response from @zubairrahimsoc :

Currently, this new RBAC model supports MDO Exchange Online Protection (EOP) permissions only. However, we are actively working on expanding this support to include permissions managed in Exchange online within the Microsoft 365 Defender RBAC model as well. Permissions managed in Exchange online shall currently be granted via the admin center, even if the new RBAC model for MDO is activated.

Has there been an update regarding the Tenant Allow/Block List Manager role?

Hi @a-rapsomanikis,

No change has been made to the Microsoft 365 Defender Unified RBAC model in that regard yet.

We will publicly announce once we are ready with this expansion.

Copper Contributor

Hi @Gadi_Palatchi_MSFT ,

Would it be safe to assume that the Unified RBAC model has been updated to include the Tenant AllowBlockList Manager role?


According to the table located on the following page [Map Microsoft Defender XDR Unified role-based access control (RBAC) permissions | Microsoft Learn], the respective permission is

Authorization and settings \ Security settings \ Detection tuning (manage)


Hi @a-rapsomanikis,

Since we announced GA (you can see the newly published blog here), XDR Unified RBAC now covers all Defender for Office 365 security permissions, EOP and EXO.

That includes the equivalent permission to the AllowBlockList Manager role, which, as you stated and as appears in the updated public doc here, is Detection tuning (manage).

Copper Contributor

Hi @Gadi_Palatchi_MSFT,

Great news. Thank you for the news and resources provided.

Steel Contributor

Hi all

Any updates on the roadmap for when these roles can be managed with PowerShell or Graph?

Regards

Andres Bohren

Copper Contributor

Hi @Gadi_Palatchi_MSFT,


In a previous message the following is mentioned:

The Microsoft 365 Defender Unified RBAC model is currently not supported with GDAP connection scenarios. However, B2B connection option is fully supported.

I have a B2B implementation with guest users having specific role assignments, but when trying to access the Tenant Allow/Block List, the list is not populated with existing entries, and when trying to add a new entry an error message shows up.

More details: Microsoft Defender XDR Unified RBAC | Tenant Allow/Block List, entry addition error - Microsoft Comm...

Version history
Last update: Jan 11 2023 07:55 PM
Updated by: