Merge pull request #3624 from MicrosoftDocs/diannegali-phishingagent

phishing triage capabilities

Author: mberdugo

defender-xdr/phishing-triage-agent.md

@@ -18,7 +18,7 @@ ms.topic: concept-article
 search.appverid:
 - MOE150
 - MET150
-ms.date: 04/28/2025
+ms.date: 05/12/2025
 appliesto:
 - Microsoft Defender XDR
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -41,6 +41,20 @@ The [Phishing Triage Agent](phishing-triage-agent.md) helps security operations
 
 The agent is triggered when a user in your organization submits a phishing incident. The agent autonomously analyzes the submitted email to classify them as either phishing or not phishing based on its training and the context of the organization.
 
+#### Permissions
+
+The agent requires the following permissions to operate:
+
+- Security data basics (read)
+- Email & collaboration content (read)
+- Email & collaboration metadata (read)
+- Security Copilot (read)
+- Alerts (manage)
+
+#### Identity
+
+The agent operates in the context of the identity you associate with it. Creating the agent's identity and assigning the appropriate permissions to the agent is the required before starting the setup.
+
 #### Products
 
 Tenants must have the following products enabled to use the agent:
@@ -54,4 +68,8 @@ The following plugins must be enabled in Security Copilot:
 
 - Microsoft Defender XDR
 - Microsoft Threat Intelligence
-- Phishing Triage Agent
+- Phishing Triage Agent
+
+#### Roles with access
+
+The **Security Administrator** role is required to set up and manage the agent. Users with the same permissions as the Phishing Triage Agent can view the agent's activity and results, and provide feedback on the agent's classification verdict.