|
| 1 | +--- |
| 2 | +title: Configure scoped access for Microsoft Defender for Identity |
| 3 | +description: Learn about working with Microsoft Defender for Identity scoped role groups. |
| 4 | +ms.date: 05/25/2025 |
| 5 | +ms.topic: how-to |
| 6 | +ms. reviewer: 'LiorShapiraa' |
| 7 | +--- |
| 8 | + |
| 9 | +# Configure scoped access for Microsoft Defender for Identity |
| 10 | + |
| 11 | +As organizations grow and their identity environments become more complex, it's important to control who has access to which resources. Microsoft Defender for Identity scoping lets you focus monitoring on specific Active Directory domains. This helps improve efficiency by reducing noise from nonessential data and focusing on critical assets. You can also limit visibility to specific entities, so access matches each person's responsibilities. |
| 12 | +Scoped access is implemented by creating a custom role using Microsoft Defender XDR Unified RBAC. During the role configuration process, you define which users or groups have access to specific Active Directory domains or Microsoft Entra ID groups. |
| 13 | + |
| 14 | +## Prerequisites |
| 15 | + |
| 16 | +Before you begin, make sure you meet the following requirements: |
| 17 | + |
| 18 | +- Check that Microsoft Defender for Identity sensor installed. |
| 19 | +- Confirm the [Identity workload for URBAC](/defender-xdr/activate-defender-rbac#activate-from-the-permissions-and-roles-page) is activated. |
| 20 | +- Ensure you have the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference) or [Security Administrator](/entra/identity/role-based-access-control/permissions-reference) role in Microsoft Entra ID to create and manage custom roles. |
| 21 | + |
| 22 | +- Make sure Authorization permissions are configured through [URBAC](/defender-xdr/manage-rbac) to manage roles without Global Administrator or Security Administrator privileges. |
| 23 | + |
| 24 | +### Configure scoping rules |
| 25 | +To enable identity scoping, follow these steps: |
| 26 | + |
| 27 | +1. Navigate to **Permissions > Microsoft Defender XDR > Roles**. |
| 28 | + |
| 29 | + :::image type="content" source="media/custom-roles/permissions-roles.png" alt-text="Screenshot showing the roles page in the Defender XDR portal."::: |
| 30 | + |
| 31 | +1. Select **+ Create custom role** and follow the instructions in [Create custom roles with Microsoft Defender XDR Unified RBAC](/defender-xdr/create-custom-rbac-roles#create-a-custom-role) |
| 32 | + |
| 33 | + :::image type="content" source="media/custom-roles/create-custom-role.png" alt-text="Screenshot showing the create custom roles button."::: |
| 34 | + |
| 35 | +1. You can edit the role at any time. Select the role from the list of custom roles and choose **Edit**. |
| 36 | + |
| 37 | + :::image type="content" source="media/custom-roles/edit-custom-role.png" alt-text="Screenshot showing how to edit a custom role."::: |
| 38 | + |
| 39 | +1. Select Add assignments and add the Assignment name. |
| 40 | + 1. Under **Assign users and groups**, enter the usernames or Microsoft Entra ID groups you want to assign to the role. |
| 41 | + 1. Select Microsoft Defender for Identity as the data source. |
| 42 | + 1. Under **Scope**, select the user groups (AD domains) that will be scoped to the assignment. |
| 43 | + :::image type="content" source="media/custom-roles/add-assignment.png" alt-text="Screenshot showing how to add Defender for Identity to your scoping role."::: |
| 44 | +1. Select **Add**. |
| 45 | + |
| 46 | + |
| 47 | + |
| 48 | +### Known limitations (Preview) |
| 49 | + |
| 50 | +Defender for Identity scoping is currently in Public preview. The following table lists the current limitations and supported scenarios for scoped access in Microsoft Defender for Identity. |
| 51 | + |
| 52 | +> [!NOTE] |
| 53 | +> - Custom roles apply only to new alerts and activities. Alerts and activities triggered before a custom role was created aren't retroactively tagged or filtered. |
| 54 | +> |
| 55 | +> - Microsoft Entra ID IP alerts aren't included within scoped MDI detections. |
| 56 | +
|
| 57 | +|Defender for Identity experience |Status | |
| 58 | +|---------|---------| |
| 59 | +|MDI alerts and incidents | Available |
| 60 | +|Hunting tables: AlertEvidence+Info, IdentityInfo, IdentityDirectoryEvents, IdentityLogonEvents, IdentityQueryEvents | Available | |
| 61 | +|User page and user global search | Available | |
| 62 | +|MDI alerts based on XDR detection platform (detection source is XDR and service source is MDI) | Available | |
| 63 | +|Health issues | Available | |
| 64 | +|Identities inventory and service accounts discovery page | Available | |
| 65 | +|Identities settings: sensors page, manual tagging, health issues notifications | Available | |
| 66 | +|Defender XDR Incident email notifications | Unavailable | |
| 67 | +|ISPMs and exposure management | Unavailable | |
| 68 | +|Download scheduled reports and Graph API | Unavailable | |
| 69 | +|Device and group global search and entity page | Unavailable | |
| 70 | +|Alert tuning and critical asset management | Unavailable | |
| 71 | + |
| 72 | +### Related articles |
| 73 | + |
| 74 | +- [Microsoft Defender for Identity role groups](role-groups.md) |
| 75 | +- [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac) |
| 76 | +- [Create custom roles with Microsoft Defender XDR Unified RBAC](/defender-xdr/create-custom-rbac-roles) |
| 77 | +- [Import roles to Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/import-rbac-roles) |
| 78 | +- [Activate Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/activate-defender-rbac) |
| 79 | + |
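Review bot: the two prerequisite bullets contradict each other as written. The first says you must hold "Global Administrator or Security Administrator ... to create and manage custom roles", while the next says to configure URBAC Authorization permissions "to manage roles without Global Administrator or Security Administrator privileges". Present them as explicit alternatives, for example "Ensure you have one of the following: the Security Administrator role in Microsoft Entra ID, or the Authorization permission in Microsoft Defender XDR Unified RBAC", and since this page is about least-privilege scoping, lead with the Unified RBAC Authorization option instead of Global Administrator, which is more privilege than role management needs. Smaller fixes in the same hunk: the front-matter key `ms. reviewer:` contains a stray space and will not be parsed as `ms.reviewer`; "Check that Microsoft Defender for Identity sensor installed" is missing "the" and "is"; the "Microsoft Entra ID IP alerts" bullet in the limitations note should spell out what "IP" abbreviates so readers don't confuse it with IP addresses; the "MDI alerts and incidents | Available" table row lacks its closing pipe; and "### Configure scoping rules", "### Known limitations (Preview)" and "### Related articles" sit directly under the h1 with no h2 level, so they should be `##`.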