Merge pull request #1217 from MicrosoftDocs/main

padmagit77 · web-flow · commit ad139d8667b5 · 2024-08-26T17:08:24.000+05:30
Publish main to live, Monday 5 PM IST, 08/26
diff --git a/defender-xdr/advanced-hunting-microsoft-defender.md b/defender-xdr/advanced-hunting-microsoft-defender.md
@@ -34,9 +34,10 @@ Querying from a single portal across different data sets makes hunting more effi
 ## How to access
 
 ### Required roles and permissions
-To query across Microsoft Sentinel and Microsoft Defender XDR data in the unified advanced hunting page, you must have access to Microsoft Defender XDR advanced hunting (see [Required roles and permissions](custom-roles.md#required-roles-and-permissions)) and at least Microsoft Sentinel Reader (see [Microsoft Sentinel-specific roles](/azure/sentinel/roles#microsoft-sentinel-specific-roles)).
 
-In the unified portal, you can query any data in any workload that you can currently access based on the roles and permissions you have. 
+You can query data in any workload that you can currently access based on your roles and permissions.
+
+To query across Microsoft Sentinel and Microsoft Defender XDR data in the unified advanced hunting page, you'll also need at least the Microsoft Sentinel Reader role. For more information, see [Microsoft Sentinel-specific roles](/azure/sentinel/roles#microsoft-sentinel-specific-roles).
 
 ### Connect a workspace
 
diff --git a/defender-xdr/custom-roles.md b/defender-xdr/custom-roles.md
@@ -7,7 +7,7 @@ f1.keywords:
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 03/04/2024
+ms.date: 08/22/2024
 manager: dansimp
 audience: ITPro
 ms.collection: 
@@ -18,92 +18,52 @@ search.appverid:
   - MOE150
   - MET150
 ---
-# Custom roles in role-based access control for Microsoft Defender XDR
+# Custom roles in role-based access control for Microsoft Defender portal services
 
-> [!NOTE]
-> Microsoft Defender XDR users can now take advantage of a centralized permissions management solution to control user access and permissions across different Microsoft security solutions. Learn more about the [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md).
+By default, access to services available in the Microsoft Defender portal are managed collectively using [Microsoft Entra global roles](m365d-permissions.md). If you need greater flexibility and control over access to specific product data, and aren't yet using the [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md) for centralized permissions management, we recommend creating custom roles for each service.
 
-[!INCLUDE [Prerelease](../includes/prerelease.md)]
+For example, create a custom role for Microsoft Defender for Endpoint to manage access to specific Defender for Endpoint data, or create a custom role for Microsoft Defender for Office to manage access to specific email and collaboration data.
 
 **Applies to:**
 
+- Microsoft Defender for Cloud
+- Microsoft Defender for Cloud Apps
+- Microsoft Defender for Endpoint
+- Microsoft Defender for Identity
+- Microsoft Defender for IoT
+- Microsoft Defender for Office 365
 - Microsoft Defender XDR
+- Microsoft Security Exposure Management (preview)
+- Microsoft Sentinel
 
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] 
-
-There are two types of roles that can be used to access to Microsoft Defender XDR:
-
-- **Global Microsoft Entra roles**
-- **Custom roles**
-
-Access to Microsoft Defender XDR can be managed collectively by using [Global roles in Microsoft Entra ID](m365d-permissions.md)
-
-If you need greater flexibility and control over access to specific product data, Microsoft Defender XDR access can also be managed with the creation of Custom roles through each respective security portal.
-
-For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft Defender portal. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft Defender portal.
-
-Users with existing Custom roles can access data in the Microsoft Defender portal according to their existing workload permissions with no additional configuration required.
-
-## Create and manage custom roles
-
-Custom roles and permissions can be created and individually managed through each of the following security portals:
-
-- Microsoft Defender for Endpoint – [Edit roles in Microsoft Defender for Endpoint](/defender-endpoint/user-roles)
-- Microsoft Defender for Office 365 – [Permissions in the Security & Compliance Center](/defender-office-365/scc-permissions?preserve-view=true&view=o365-worldwide)
-- Microsoft Defender for Cloud Apps – [Manage admin access](/cloud-app-security/manage-admins)
-
-Each custom role created through an individual portal allows access to the data of the relevant product portal. For example, a custom role created through Microsoft Defender for Endpoint will only allow access to Defender for Endpoint data.
-
-> [!TIP]
-> Permissions and roles can also be accessed through the Microsoft Defender portal by selecting Permissions & roles from the navigation pane. Access to Microsoft Defender for Cloud Apps is managed through the Defender for Cloud Apps portal and controls access to Microsoft Defender for Identity as well.  See [Microsoft Defender for Cloud Apps](/cloud-app-security/manage-admins)
-
-> [!NOTE]
-> Custom roles created in Microsoft Defender for Cloud Apps have access to Microsoft Defender for Identity data as well. Users with User group admin, or App/instance admin Microsoft Defender for Cloud Apps roles are not able to access Microsoft Defender for Cloud Apps data through the Microsoft Defender portal.
+[!INCLUDE [Prerelease](../includes/prerelease.md)]
 
 <a name='manage-permissions-and-roles-in-the-microsoft-365-defender-portal'></a>
 
-## Manage permissions and roles in the Microsoft Defender portal
-
-Permissions and roles can also be managed in the Microsoft Defender portal:
-
-1. Sign in to the Microsoft Defender portal at security.microsoft.com.
-2. In the navigation pane, select **Permissions & roles**.
-3. Under the **Permissions** header, select **Roles**.
-
-> [!NOTE]
-> This only applies to Defender for Office 365 and Defender for Endpoint. Access for other workloads must be done in their relevant portals.
-
-## Required roles and permissions
-
-The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
+## Locate custom role management settings in the Microsoft Defender portal
 
-> [!NOTE]
-> Incident management requires management permissions for all products that are part of the incident.
+Each Microsoft Defender service has its own custom role management settings, with some services being represented in a central location in the Microsoft Defender portal. To locate custom role management settings in the Microsoft Defender portal:
 
-> [!IMPORTANT]
-> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+1. Sign in to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com).
+1. In the navigation pane, select **Permissions**.
+1. Select the **Roles** link for the service where you want to create a custom role. For example, for Defender for Endpoint:
 
-|Microsoft Defender XDR workload|One of the following roles is required for Defender for Endpoint|One of the following roles is required for Defender for Office 365|One of the following roles is required for Defender for Cloud Apps and Defender for Identity | One of the following roles is required for Microsoft Defender for Cloud |
-|---|---|---|---|---|
-|Viewing investigation data: <ul><li>Alert page</li> <li>Alerts queue</li> <li>Incidents</li>  <li>Incident queue</li> <li>Action center</li></ul>|View data- security operations|<ul><li>View-only Manage alerts </li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li> <li>Security reader</li> <li>Security admin</li><li>View-only recipients</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
-|Viewing hunting data, saving, editing, and deleting hunting queries and functions|View data- security operations|<ul><li>Security reader</li> <li>Security admin</li> <li>View-only recipients</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
-|Managing alerts and incidents|Alerts investigation|<ul><li>Manage alerts</li> <li>Security admin</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
-|Action center remediation|Active remediation actions – security operations|Search and purge||<ul><li>Global admin</li><li>Security admin</li></ul> |
-|Setting custom detections|Manage security settings|<ul><li>Manage alerts</li> <li>Security admin</li></ul>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
-|Threat Analytics|Alerts and incidents data: <ul><li>View data- security operations</li></ul>Defender Vulnerability Management mitigations:<ul><li>View data - Threat and vulnerability management</li></ul>|Alerts and incidents data:<ul> <li>View-only Manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li>|<ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul>|<ul><li>Global admin</li><li>Security admin</li></ul> |
+  :::image type="content" source="./media/custom-roles/custom-roles-endpoint.png" alt-text="Screenshot that shows Roles link for Defender for Endpoint." lightbox="./media/custom-roles/custom-roles-endpoint.png" :::
 
-For example, to view hunting data from Microsoft Defender for Endpoint, View data security operations permissions are required.
+In each service, custom role names aren't connected to global roles in Microsoft Entra ID, even if similarly named. For example, a custom role named *Security Admin* in Microsoft Defender for Endpoint isn't connected to the global *Security Admin* role in Microsoft Entra ID.
 
-Similarly, to view hunting data from Microsoft Defender for Office 365, users would require one of the following roles:
+## Reference of Defender portal service content
 
-- View data security operations
-- Security reader
-- Security admin
-- View-only recipients
+For information about the permissions and roles for each Microsoft Defender XDR service, see the following articles:
 
-## Related articles
+- [Microsoft **Defender for Cloud** user roles and permissions](/azure/defender-for-cloud/permissions)
+- [Configure access for **Defender for Cloud Apps**](/defender-cloud-apps/manage-admins)
+- [Create and manage roles in **Defender for Endpoint**](/defender-endpoint/user-roles)
+- [Roles and permissions in **Defender for Identity**](/defender-for-identity/role-groups)
+- [Microsoft **Defender for IoT** user management](/azure/defender-for-iot/organizations/manage-users-overview)
+- [Microsoft **Defender for Office 365** permissions](/defender-office-365/mdo-portal-permissions)
+- [Manage access to **Microsoft Defender XDR**](m365d-permissions.md)
+- [**Microsoft Security Exposure Management** permissions](/security-exposure-management/prerequisites#permissions)
+- [Roles and permissions in **Microsoft Sentinel**](/azure/sentinel/roles)
 
-- [RBAC roles](/defender-office-365/migrate-to-defender-for-office-365-onboard#rbac-roles)
-- [Manage access to Microsoft Defender XDR](m365d-permissions.md)
-- [Manage admin access for Defender for Cloud Apps](/cloud-app-security/manage-admins)
-[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
+Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
diff --git a/defender-xdr/media/custom-roles/custom-roles-endpoint.png b/defender-xdr/media/custom-roles/custom-roles-endpoint.png
