Global Admin reduce

Author: Dansimp

.openpublishing.redirection.defender.json

@@ -185,6 +185,11 @@
         "redirect_url": "/defender-xdr/pilot-deploy-overview",
         "redirect_document_id": false
     },
+    {
+      "source_path": "defender-xdr/microsoft-365-security-mde-redirection.md",
+      "redirect_url": "/defender-xdr/",
+      "redirect_document_id": false
+    },
     {
       "source_path": "defender-endpoint/evaluation-lab.md",
       "redirect_url": "/defender-endpoint/evaluate-microsoft-defender-antivirus",

defender-office-365/mdo-usage-card-about.md

@@ -33,6 +33,9 @@ In organizations with Microsoft Defender for Office 365, the usage card is avail
 > [!TIP]
 > The usage card is enabled for tenants with at least one paid Defender for Office 365 Plan 1 or Defender for Office 365 Plan 2 license.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 Usage cards can help determine the following scenarios:
 
 - The active usage of Exchange Online licenses and how many of those licenses are active usage of Microsoft Defender for Office 365.
@@ -47,7 +50,7 @@ Usage cards can help determine the following scenarios:
 
    :::image type="content" source="media/usage-card-mdo.png" alt-text="The Defender for Office 365 usage card in the Defender portal." lightbox="media/usage-card-mdo.png":::
 
-For members of **Global Administrator** or **Billing Administrator** roles in [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal), following items are available on the card:
+For members of **Billing Administrator** and **Global Administrator** roles in [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal), following items are available on the card:
 
 - **Add more licenses**
 - **See licensing details**
@@ -74,7 +77,7 @@ The details flyout that opens contains the following information from the last 2
 
 **Threat protection status report** takes you to the [Threat protection status report](reports-email-security.md#threat-protection-status-report).
 
-**See licensing details** is available for members of the **Global Administrators** or **Security Operator** roles in [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal).
+**See licensing details** is available for members of the **Security Operator** and  **Global Administrators** roles in [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal).
 
 ## Frequently asked questions
 

defender-xdr/custom-roles.md

@@ -80,6 +80,9 @@ The following table outlines the roles and permissions required to access each u
 > [!NOTE]
 > Incident management requires management permissions for all products that are part of the incident.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 |Microsoft Defender XDR workload|One of the following roles is required for Defender for Endpoint|One of the following roles is required for Defender for Office 365|One of the following roles is required for Defender for Cloud Apps|
 |---|---|---|---|
 |Viewing investigation data: <ul><li>Alert page</li> <li>Alerts queue</li> <li>Incidents</li>  <li>Incident queue</li> <li>Action center</li></ul>|View data- security operations|<ul><li>View-only Manage alerts </li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li> <li>Security reader</li> <li>Security admin</li><li>View-only recipients</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|

defender-xdr/m365d-permissions.md

@@ -44,6 +44,9 @@ Accounts assigned the following **Global Microsoft Entra roles** can access Micr
 - Global Reader
 - Security Reader
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 To review accounts with these roles, [view Permissions in the Microsoft Defender portal](https://security.microsoft.com/permissions).
 
 **Custom role** access is a capability in Microsoft Defender XDR that allows you to manage access to specific data, tasks, and capabilities in Microsoft Defender XDR. Custom roles offer more control than global Microsoft Entra roles, providing users only the access they need with the least-permissive roles necessary.  Custom roles can be created in addition to global Microsoft Entra roles. [Learn more about custom roles](custom-roles.md).