articles/sentinel/roles.md (5 additions & 6 deletions; each diff row shows the original file line number, the diff line number, and the diff line change)
@@ -27,7 +27,6 @@ Use Azure RBAC to create and assign roles within your security operations team t
27
27
28
28
Grant the appropriate access to the data in your workspace by using built-in roles. You might need to grant more roles or specific permissions depending on a user's job tasks.
29
29
30
-
31
30
### Microsoft Sentinel-specific roles
32
31
33
32
All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace.
@@ -50,6 +49,10 @@ As another option, assign the roles directly to the Microsoft Sentinel **workspa
50
49
51
50
Users with particular job requirements might need to be assigned other roles or specific permissions in order to accomplish their tasks.
52
51
52
+
-**Connect data sources to Microsoft Sentinel**
53
+
54
+
For a user to add data connectors, you must assign the user **Write** permissions on the Microsoft Sentinel workspace. Notice the required extra permissions for each connector, as listed on the relevant connector page.
55
+
53
56
-**Install and manage out-of-the-box content**
54
57
55
58
Find packaged solutions for end-to-end products or standalone content from the content hub in Microsoft Sentinel. To install and manage content from the content hub, assign the **Microsoft Sentinel Contributor** role at the resource group level.
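Review bot: the added "- **Connect data sources to Microsoft Sentinel**" item and its paragraph are a character-for-character relocation of the block removed in the next hunk, so no text is lost; the remaining gap is that the paragraph still says only "**Write** permissions on the Microsoft Sentinel workspace" without naming a built-in role, while the neighbouring content-hub item names **Microsoft Sentinel Contributor** at the resource group level. Consider stating which built-in role satisfies the Write requirement and the scope it must be assigned at, so a reader can grant the minimum role rather than reaching for a broader one. The new bullet keeps the same "- **…**" style and single blank lines around it as the "- **Install and manage out-of-the-box content**" item that follows, so the list renders consistently.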
@@ -64,10 +67,6 @@ Users with particular job requirements might need to be assigned other roles or
64
67
65
68
For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have **Owner** permissions to the resource groups containing the playbooks.
66
69
67
-
-**Connect data sources to Microsoft Sentinel**
68
-
69
-
For a user to add data connectors, you must assign the user **Write** permissions on the Microsoft Sentinel workspace. Notice the required extra permissions for each connector, as listed on the relevant connector page.
70
-
71
70
-**Allow guest users to assign incidents**
72
71
73
72
If a guest user needs to be able to assign incidents, you need to assign the [**Directory Reader**](../active-directory/roles/permissions-reference.md#directory-readers) role to the user, in addition to the **Microsoft Sentinel Responder** role. The Directory Reader role isn't an Azure role but a Microsoft Entra role, and regular (nonguest) users have this role assigned by default.
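Review bot: the four removed lines (bullet, blank, paragraph, blank) match the four lines added in the previous hunk exactly, so this is a clean move and the "- **Allow guest users to assign incidents**" item now follows the playbook paragraph with a single blank line between them. Bold list items do not generate heading anchors, so no inbound link is broken by moving the connector item earlier. Since the section is being reordered anyway, it would be worth a quick check that the order of these items still matches any summary list or TOC at the top of the article.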
@@ -126,7 +125,7 @@ After understanding how roles and permissions work in Microsoft Sentinel, you ca
126
125
||[Logic Apps Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor)| Microsoft Sentinel's resource group, or the resource group where your playbooks are stored | Attach playbooks to analytics and automation rules. <br>Run and modify playbooks. |
127
126
|**Service Principal**|[Microsoft Sentinel Contributor](../role-based-access-control/built-in-roles.md#microsoft-sentinel-contributor)| Microsoft Sentinel's resource group | Automated configuration for management tasks |
128
127
129
-
More roles might be required depending on the data you ingest or monitor. For example, Microsoft Entra roles might be required, such as the Security Administrator role, to set up data connectors for services in other Microsoft portals.
128
+
More roles might be required depending on the data you ingest or monitor. For example, Microsoft Entra roles might be required, such as the Security Administrator role, to [manage multiple workspaces](workspaces-defender-portal.md#permissions-to-manage-workspaces-and-view-workspace-data), or to set up data connectors for services in other Microsoft portals.
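Review bot: the new link target `workspaces-defender-portal.md#permissions-to-manage-workspaces-and-view-workspace-data` matches the renamed heading "## Permissions to manage workspaces and view workspace data" in the second file of this change, so the cross-reference resolves. That rename retires the old fragment `#permissions-to-view-workspace-data`; only this file is updated here, so grep the repo for any other page linking to the old anchor before merging. Minor wording on the changed line: "Microsoft Entra roles might be required, such as the Security Administrator role, to [manage multiple workspaces](…), or to set up data connectors" reads more smoothly as "Microsoft Entra roles, such as Security Administrator, might be required to [manage multiple workspaces](…) or to set up data connectors for services in other Microsoft portals."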
articles/sentinel/workspaces-defender-portal.md (14 additions & 5 deletions; each diff row shows the original file line number, the diff line number, and the diff line change)
@@ -50,18 +50,27 @@ If you have the appropriate permissions to view data from primary and secondary
50
50
|**Microsoft Sentinel** experiences|View data from one workspace for each page in the Microsoft Sentinel section of the Defender portal. Switch between workspaces by selecting **Select a workspace** from the top-right hand side of the browser for most pages. The **Workbooks** page only shows data associated with the primary workspace.|
51
51
|**SOC optimization**|Data and recommendations are aggregated from multiple workspaces. |
52
52
53
+
## Permissions to manage workspaces and view workspace data
53
54
54
-
## Permissions to view workspace data
55
+
Use one of the following roles or role combinations to manage primary and secondary workspaces:
55
56
56
-
After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to view and work with the Microsoft Sentinel features and workspaces that you have access to.
57
+
|Task |Required roles or role combinations |
58
+
|---------|---------|
59
+
|**Connect a primary workspace**| One of the following: <br>- Global Administrator <br>- Security Administrator + subscription Owner <br>- Security Administrator + User access administrator + Sentinel contributor |
60
+
|**Select a different primary workspace**| One of the following: <br>- Global Administrator <br>- Security Administrator |
61
+
|**Onboard or offboard secondary workspaces**| One of the following: <br>- Global Administrator <br>- Security Administrator <br>- Security Administrator + subscription Owner <br>- Security Administrator + User access administrator + Sentinel contributor <br>- Subscription Owner + Sentinel contributor <br>- User access administrator + Sentinel contributor |
57
62
63
+
> [!IMPORTANT]
64
+
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
65
+
66
+
After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to view and work with the Microsoft Sentinel features and workspaces that you have access to.
58
67
59
68
|Workspace |Access |
60
69
|---------|---------|
61
-
|Primary | If you have access to the primary workspace, you're able to read and manage data from the workspace and Defender XDR. |
62
-
|Secondary | If you have access to a secondary workspace, you're able to read and manage data from the workspace only. The secondary workspaces don't include Defender XDR data. |
70
+
|**Primary**| If you have access to the primary workspace, you're able to read and manage data from the workspace and Defender XDR. |
71
+
|**Secondary**| If you have access to a secondary workspace, you're able to read and manage data from the workspace only. The secondary workspaces don't include Defender XDR data. |
63
72
64
-
**Exception:** If you've already onboarded one workspace to the Defender portal, any alerts created by using custom detections on `AlertInfo` and `AlertEvidance` tables before mid January are visible to all users.
73
+
**Exception:** If you've already onboarded one workspace to the Defender portal, any alerts created by using custom detections on `AlertInfo` and `AlertEvidence` tables before mid January 2025 are visible to all users.
65
74
66
75
For more information, see [Roles and permissions in Microsoft Sentinel](roles.md).
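Review bot: the "**Onboard or offboard secondary workspaces**" row in the new table lists "Security Administrator" on its own and also "Security Administrator + subscription Owner" and "Security Administrator + User access administrator + Sentinel contributor"; if Security Administrator alone is sufficient, those two combinations are redundant and should be dropped, and if it is not, the standalone entry is wrong. Compare the "**Connect a primary workspace**" row, where Security Administrator only appears in combinations, and align the two. Role names are also inconsistent: "Sentinel contributor" and "User access administrator" here versus "Microsoft Sentinel Contributor" in the roles.md table of this same change; use the built-in role names with their capitalisation and link them to the built-in roles reference as roles.md does. "subscription Owner" should say which subscription is meant (presumably the one containing the workspace). The IMPORTANT note on least privilege is a good addition given that Global Administrator appears as an option in every row. The `AlertEvidence` typo fix and the "2025" qualifier on "mid January" are correct; "mid-January 2025" would be the usual form. Finally, the heading rename from "## Permissions to view workspace data" changes the page anchor, so check for other inbound links to the old fragment.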