Blog Post

Microsoft Defender XDR Blog
3 MIN READ

Centrally manage permissions with the Microsoft 365 Defender role-based access control (RBAC) model

Gadi_Palatchi_MSFT's avatar
Gadi_Palatchi_MSFT
Icon for Microsoft rankMicrosoft
Jan 16, 2023
We are excited to announce the public preview of a central role-based access control (RBAC) capability to help unify roles and permissions management across Microsoft Defender for Endpoint, Microsoft...
Updated Oct 29, 2024
Version 2.0
microsoft defender for endpoint
microsoft defender for identity
Microsoft Defender for Office 365
zubairrahimsoc's avatar
zubairrahimsoc
Copper Contributor
Mar 17, 2023

Gadi_Palatchi_MSFT  After adapting the New M365 RBAC model, the analyst are unable to block the sender or malicious domin, file and URL from explorer menu because Microsoft not mapped the Tenant AllowBlockList Manager role in the new MD RBAC model.

 

The roles that we were using for MDO in legacy model

Defender for Office (EOP) role group

 

Below are the EOP role group and group contains different roles. These groups cover the our legacy model roles.

Microsoft 365 Defender RBAC permission

Security Reader

 

Security reader

Security operations \ Security data \Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read)

View-Only DLP Compliance Management

 

Global reader

Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security setting (read)
Authorization and settings \ System setting (read)

View-Only Device Management

 

View-Only IB Compliance Management

 

 

Security administrator

Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (read)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions)

Tag Contributor

 

Organization Management

Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email advanced actions (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (All permissions)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (All permissions)

 

View-Only Recipients

Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email message headers (read)

Preview

 

Preview

Security operations\ Security operations \ Raw data (Email & collaboration) \ Email content (read)

Search And Purge

 

Search and Purge

Security operations \ Security data \ Email advanced actions (manage)

View-Only Manage Alerts

View-Only Manage Alerts

Security operations \ Security data \ Security data basics (read)

Manage Alerts

 

Manage Alerts

Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)

View-Only Audit Logs

 

View-only Audit Logs

Security operations \ Security data \ Security data basics (read)

 

Audit Logs

Security operations \ Security data \ Security data basics (read)

Quarantine

Quarantine

Security operations \ Security data \ Email quarantine (manage)

 

Role Management

Authorization and settings \ Authorization (All permissions)

Tenant AllowBlockList Manager

 

Security Operator

 

Not mapped