admin roles

Author: mjcaparas

defender-xdr/configure-event-hub.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
-ms.date: 02/08/2023
+ms.date: 06/21/2024
 ---
 
 # Configure your Event Hubs
@@ -135,7 +135,7 @@ For these Event Hubs (not namespace), you'll need to configure a Shared Access P
 
     - Contributor role at the Event Hubs *Namespace* Resource level or higher for the Event Hubs that you'll be exporting to. Without this permission, you'll get an export error when you try to save the settings.
 
-    - Global Admin or Security Admin Role on the tenant tied to Microsoft Defender XDR and Azure.
+    - Security Admin Role on the tenant tied to Microsoft Defender XDR and Azure.
 
       :::image type="content" source="/defender/media/55d5b1c21dd58692fb12a6c1c35bd4fa.png" alt-text="The Settings page of the Microsoft Defender portal" lightbox="/defender/media/55d5b1c21dd58692fb12a6c1c35bd4fa.png":::
 

defender-xdr/mssp-access.md

@@ -16,7 +16,7 @@ search.appverid:
 ms.collection: 
 - m365-security
 - tier2 
-ms.date: 02/16/2021
+ms.date: 06/21/2024
 ---
 
 # Provide managed security service provider (MSSP) access 
@@ -52,7 +52,7 @@ To implement a multitenant delegated access solution, take the following steps:
 
 2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint in Microsoft Defender portal roles and groups.
 
-    To enable RBAC in the customer Microsoft Defender portal, access **Permissions >  Endpoints roles & groups > Roles** with a user account with Global Administrator or Security Administrator rights.
+    To enable RBAC in the customer Microsoft Defender portal, access **Permissions >  Endpoints roles & groups > Roles** with a user account with Security Administrator rights.
 
     :::image type="content" source="/defender/media/mssp-access.png" alt-text="The details of the MSSP access in the Microsoft Defender portal" lightbox="/defender/media/mssp-access.png":::
 

defender-xdr/prerequisites.md

@@ -16,7 +16,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 12/5/2023
+ms.date: 06/21/2024
 ---
 
 # Microsoft Defender XDR prerequisites
@@ -56,11 +56,16 @@ For more information, [view the Microsoft 365 Enterprise service plans](https://
 Go to Microsoft 365 admin center ([admin.microsoft.com](https://admin.microsoft.com/)) to view your existing licenses. In the admin center, go to **Billing** \> **Licenses**.
 
 > [!NOTE]
-> You need to be assigned either the **Billing admin** or **Global reader** [role in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference) to be able to see license information. If you encounter access problems, contact a global admin.
+> You need to be assigned either the **Billing admin** or **Global reader** [role in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference) to be able to see license information. If you encounter access problems, contact a Global Administrator.
 
 ## Required permissions
 
-You must be a **global administrator** or a **security administrator** in Microsoft Entra ID to turn on Microsoft Defender XDR. For the list of roles required to use Microsoft Defender XDR and information on how access to data is regulated, read about [managing access to Microsoft Defender XDR](m365d-permissions.md).
+You must at least be a **security administrator** in Microsoft Entra ID to turn on Microsoft Defender XDR. For the list of roles required to use Microsoft Defender XDR and information on how access to data is regulated, read about [managing access to Microsoft Defender XDR](m365d-permissions.md).
+
+>[!IMPORTANT]
+>Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
+
 
 ## Browser requirements
 

defender-xdr/streaming-api-event-hub.md

@@ -13,7 +13,7 @@ ms.collection:
 - tier3
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
-ms.date: 02/08/2023
+ms.date: 06/21/2024
 ---
 
 # Configure Microsoft Defender XDR to stream Advanced Hunting events to your Azure Event Hub
@@ -43,7 +43,10 @@ Prior to configuring Microsoft Defender XDR to stream data to Event Hubs, ensure
 
 ## Enable raw data streaming
 
-1. Log on to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> as a ***Global Administrator*** or ***Security Administrator***.
+1. Log on to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> as a ***Security Administrator*** at a minimum.
+
+  >[!IMPORTANT]
+  >Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 2. Go to the [Streaming API settings page](https://sip.security.microsoft.com/settings/mtp_settings/raw_data_export).
 

defender-xdr/streaming-api-storage.md

@@ -13,7 +13,7 @@ ms.collection:
 - tier3
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
-ms.date: 02/08/2023
+ms.date: 06/21/2024
 ---
 
 # Configure Microsoft Defender XDR to stream Advanced Hunting events to your Storage account
@@ -44,7 +44,10 @@ Once the Storage account is created, you'll need to:
 
 ## Enable raw data streaming
 
-1. Log in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> as a ***Global Administrator*** or ***Security Administrator***.
+1. Log in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> as a ***Security Administrator*** at a minimum.
+
+  >[!IMPORTANT]
+  >Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
 2. Go to **Settings** \> **Microsoft Defender XDR** \> **Streaming API**. To go directly to the **Streaming API** page, use <https://security.microsoft.com/settings/mtp_settings/raw_data_export>.