You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/custom-roles.md
+37-68Lines changed: 37 additions & 68 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ f1.keywords:
7
7
ms.author: dansimp
8
8
author: dansimp
9
9
ms.localizationpriority: medium
10
-
ms.date: 03/04/2024
10
+
ms.date: 08/22/2024
11
11
manager: dansimp
12
12
audience: ITPro
13
13
ms.collection:
@@ -18,92 +18,61 @@ search.appverid:
18
18
- MOE150
19
19
- MET150
20
20
---
21
-
# Custom roles in role-based access control for Microsoft Defender XDR
21
+
# Custom roles in role-based access control for Microsoft Defender XDR services
22
22
23
-
> [!NOTE]
24
-
> Microsoft Defender XDR users can now take advantage of a centralized permissions management solution to control user access and permissions across different Microsoft security solutions. Learn more about the [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md).
23
+
By default, access to Microsoft Defender XDR services is managed collectively using [Microsoft Entra global roles](m365d-permissions.md). If you need greater flexibility and control over access to specific product data, and aren't yet using the [Microsoft Defender XDR Unified role-based access control (RBAC)](manage-rbac.md) for centralized permissions management, we recommend creating custom roles for each service.
For example, create a custom role for Microsoft Defender for Endpoint to manage access to specific Defender for Endpoint data, create a custom role for Microsoft Defender for Office to manage access to specific email and collaboration data.
26
+
27
+
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
There are two types of roles that can be used to access to Microsoft Defender XDR:
35
-
36
-
-**Global Microsoft Entra roles**
37
-
-**Custom roles**
38
-
39
-
Access to Microsoft Defender XDR can be managed collectively by using [Global roles in Microsoft Entra ID](m365d-permissions.md)
40
-
41
-
If you need greater flexibility and control over access to specific product data, Microsoft Defender XDR access can also be managed with the creation of Custom roles through each respective security portal.
42
-
43
-
For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft Defender portal. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft Defender portal.
44
-
45
-
Users with existing Custom roles can access data in the Microsoft Defender portal according to their existing workload permissions with no additional configuration required.
46
-
47
-
## Create and manage custom roles
48
-
49
-
Custom roles and permissions can be created and individually managed through each of the following security portals:
50
-
51
-
- Microsoft Defender for Endpoint – [Edit roles in Microsoft Defender for Endpoint](/defender-endpoint/user-roles)
52
-
- Microsoft Defender for Office 365 – [Permissions in the Security & Compliance Center](/defender-office-365/scc-permissions?preserve-view=true&view=o365-worldwide)
53
-
- Microsoft Defender for Cloud Apps – [Manage admin access](/cloud-app-security/manage-admins)
54
-
55
-
Each custom role created through an individual portal allows access to the data of the relevant product portal. For example, a custom role created through Microsoft Defender for Endpoint will only allow access to Defender for Endpoint data.
56
-
57
-
> [!TIP]
58
-
> Permissions and roles can also be accessed through the Microsoft Defender portal by selecting Permissions & roles from the navigation pane. Access to Microsoft Defender for Cloud Apps is managed through the Defender for Cloud Apps portal and controls access to Microsoft Defender for Identity as well. See [Microsoft Defender for Cloud Apps](/cloud-app-security/manage-admins)
59
-
60
-
> [!NOTE]
61
-
> Custom roles created in Microsoft Defender for Cloud Apps have access to Microsoft Defender for Identity data as well. Users with User group admin, or App/instance admin Microsoft Defender for Cloud Apps roles are not able to access Microsoft Defender for Cloud Apps data through the Microsoft Defender portal.
## Manage permissions and roles in the Microsoft Defender portal
66
-
67
-
Permissions and roles can also be managed in the Microsoft Defender portal:
68
-
69
-
1. Sign in to the Microsoft Defender portal at security.microsoft.com.
70
-
2. In the navigation pane, select **Permissions & roles**.
71
-
3. Under the **Permissions** header, select **Roles**.
42
+
## Locate custom role management settings in the Microsoft 365 Defender portal
72
43
73
-
> [!NOTE]
74
-
> This only applies to Defender for Office 365 and Defender for Endpoint. Access for other workloads must be done in their relevant portals.
44
+
Each Microsoft Defender service has its own custom role management settings, with some services being represented in a central location in the Microsoft Defender portal. To locate custom role management settings in the Microsoft Defender portal:
75
45
76
-
## Required roles and permissions
46
+
1. Sign in to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com).
47
+
1. In the navigation pane, select **Permissions**.
48
+
1. Select the **Roles** link for the service where you want to create a custom role. For example, for Defender for Endpoint:
77
49
78
-
The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table refer to customroles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
50
+
:::image type="content" source="media/custom-roles/custom-roles-endpoint.jpeg" alt-text="Screenshot of a Roles link for Defender for Endpoint.":::
79
51
80
-
> [!NOTE]
81
-
> Incident management requires management permissions for all products that are part of the incident.
52
+
## Reference to service-specific content
82
53
83
-
> [!IMPORTANT]
84
-
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
54
+
Custom role names aren't connected to global roles in Microsoft Entra ID, even if similarly named. For example, a custom role named *Security Admin* in Microsoft Defender for Endpoint isn't connected to the global *Security Admin* role in Microsoft Entra ID.
85
55
86
-
|Microsoft Defender XDR workload|One of the following roles is required for Defender for Endpoint|One of the following roles is required for Defender for Office 365|One of the following roles is required for Defender for Cloud Apps and Defender for Identity | One of the following roles is required for Microsoft Defender for Cloud |
For Defender for Endpoint and Defender for Office, use custom roles as follows:
94
57
95
-
For example, to view hunting data from Microsoft Defender for Endpoint, View data security operations permissions are required.
58
+
|Task |Required roles for Defender for Endpoint | Required roles for Defender for Office 365 |
59
+
|---------|---------|
60
+
|**View investigation data**, including alerts, incidents, and the Action center | View data - security operations | One of the following: <ul><li>View-only Manage alerts<li>Organization configuration<li>Audit logs<li>View-only audit logs<li>Security reader<li>Security admin<li>View-only recipients |
61
+
|**View and manage hunting data**, including queries and functions | View data - security operations | One of the following: <ul><li>Security reader<li>Security admin <li>View-only recipients|
62
+
|**Manage alerts and incidents**| Alert investigation |One of the following: <ul><li>Manage alerts<li>Security admin|
63
+
|**Action center remediation**| Active remediation actions – security operations | Search and purge |
64
+
|**Set custom detections**| Manage security settings | One of the following: <ul><li>Manage alerts<li>Security admin|
65
+
|**Threat analytics** | For alert and incidents data: View data- security operations <br><br>For vulnerability management mitigations: View data - Threat and vulnerability management | For alerts and incidents data, one of the following: <ul><li>View-only Manage alerts<li>Manage alerts<li>Organization configuration<li>Audit logs<li>View-only audit logs<li>Security reader<li>Security admin<li>View-only recipients
66
+
<br>For prevented email attempts, one of the following:<ul><li>Security reader<li>Security admin<li>View-only recipients |
96
67
97
-
Similarly, to view hunting data from Microsoft Defender for Office 365, users would require one of the following roles:
68
+
For other service information, see:
98
69
99
-
- View data security operations
100
-
- Security reader
101
-
- Security admin
102
-
- View-only recipients
70
+
-[Roles and permissions in Defender for Cloud](/azure/defender-for-cloud/permissions)
71
+
-[Configure access for Defender for Cloud Apps](/defender-cloud-apps/manage-admins)
72
+
-[Roles and permissions in Defender for Identity](/defender-for-identity/role-groups)
0 commit comments