defender-xdr/dex-xdr-permissions.md
Lines changed: 5 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ ms.collection:
14
14
- tier1
15
15
ms.topic: conceptual
16
16
search.appverid: met150
17
-
ms.date: 05/29/2023
17
+
ms.date: 06/28/2024
18
18
---
19
19
20
20
# How Microsoft Defender Experts for XDR permissions work
@@ -32,6 +32,9 @@ For Microsoft Defender Experts for XDR incident investigations, when our experts
32
32
33
33
## Configuring permissions in customer tenants
34
34
35
+
> [!IMPORTANT]
36
+
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
37
+
35
38
Once you select the permissions you'd like to grant to our experts, we create the following policies in your tenant using the Security Administrator or Global Administrator context:
36
39
37
40
-**Configure Microsoft Experts as a service provider** – This setting lets our experts access the tenant environment as external collaborators without requiring you to create accounts for them.
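Review bot: The new alert at new lines 35-36 tells readers to keep Global Administrator for emergency scenarios, yet the unchanged sentence directly below it (new line 38) still presents "the Security Administrator or Global Administrator context" as equal options. As written, the page gives the warning and then offers the discouraged role without a preference. Suggest adjusting that sentence in the same change so it leads with Security Administrator and says when, if ever, Global Administrator is actually needed for creating these policies.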
@@ -44,4 +47,5 @@ These policies are configured during the onboarding process and require the rele
44
47
### See also
45
48
46
49
[Important considerations for Microsoft Defender Experts for XDR](additional-information-xdr.md)
defender-xdr/get-started-xdr.md
Lines changed: 16 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ ms.collection:
15
15
- essentials-get-started
16
16
ms.topic: conceptual
17
17
search.appverid: met150
18
-
ms.date: 05/28/2024
18
+
ms.date: 06/28/2024
19
19
---
20
20
21
21
# Get started with Microsoft Defender Experts for XDR
@@ -36,6 +36,9 @@ Select the link in the welcome email to directly launch the Defender Experts set
36
36
37
37
## Grant permissions to our experts
38
38
39
+
> [!IMPORTANT]
40
+
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
41
+
39
42
By default, Defender Experts for XDR requires **Service provider access** that lets our experts sign into your tenant and deliver services based on assigned security roles. [Learn more about cross-tenant access](/azure/active-directory/external-identities/cross-tenant-access-overview)
40
43
41
44
You also need to grant our experts one or both of the following permissions:
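Review bot: The alert added at new lines 39-40 warns against Global Administrator, but the visible text of this section never says which role the admin needs in order to grant these permissions, so the reader is told what to avoid without being told what to use. Suggest either naming the least-privileged role that can complete this step or linking to dex-xdr-permissions.md, which this same commit touches and which does name the Security Administrator context. The identical three-sentence alert is also pasted into all three files in this commit; a shared include would keep the wording from drifting.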
@@ -53,7 +56,9 @@ You also need to grant our experts one or both of the following permissions:
53
56
**To grant our experts permissions:**
54
57
55
58
1. In the same Defender Experts settings setup, under **Permissions**, choose the access level(s) you want to grant our experts.
59
+
56
60
1. If you wish to [exclude device and user groups](#exclude-devices-from-remediation) in your organization from remediation actions, select **Manage exclusions**.
61
+
57
62
1. Select **Next** to [add contact persons or groups](#tell-us-who-to-contact-for-important-matters).
58
63
59
64
To edit or update permissions after the initial setup, go to **Settings** > **Defender Experts** > **Permissions**.
@@ -65,12 +70,15 @@ Defender Experts for XDR lets you exclude devices and users from remediation act
65
70
**To exclude device groups:**
66
71
67
72
1. In the same Defender Experts settings setup, under **Exclusions**, go to the **Device groups** tab.
73
+
68
74
2. Select **+ Add device groups**, then search for and choose the device group(s) that you wish to exclude.
69
75
> [!NOTE]
70
76
> This page only lists existing device groups. If you wish to create a new device group, you first need to go to the Defender for Endpoint settings in your Microsoft Defender portal. Then, refresh this page to search for and choose the newly created group. [Learn more about creating device groups](/defender-endpoint/machine-groups)
71
77
72
78
3. Select **Add device groups**.
79
+
73
80
4. Back on the **Device groups** tab, review the list of excluded device groups. If you wish to remove a device group from the exclusion list, choose it then select **Remove device group**.
81
+
74
82
5. Select **Next** to confirm your exclusion list and proceed to [adding contact persons or groups](#tell-us-who-to-contact-for-important-matters). Otherwise, select **Skip**, and all your added exclusions are discarded.
75
83
76
84
:::image type="content" source="/defender/media/xdr/exclude-device-groups.png" alt-text="Screenshot of option to exclude device groups." lightbox="/defender/media/xdr/exclude-device-groups.png":::
@@ -127,9 +135,13 @@ Once identified, the individuals or groups will receive an email notifying them
127
135
**To add notification contacts:**
128
136
129
137
1. In the same Defender Experts settings setup, under **Contacts**, search for and add your **Contact person or team** in the text field provided.
138
+
130
139
2. Add a **Phone number** (optional) that Defender Experts can call for matters that require immediate attention.
140
+
131
141
3. Under the **Contact for** dropdown box, choose **Incident notification** or **Service review**.
142
+
132
143
4. Select **Add**.
144
+
133
145
1. Select **Next** to confirm your contacts list and proceed to [creating a Teams channel](#receive-managed-response-notifications-and-updates-in-microsoft-teams) where you can also receive incident notifications.
134
146
135
147
To edit or update your notification contacts after the initial setup, go to **Settings** > **Defender Experts** > **Notification contacts**.
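Review bot: Style point on the last step of this list (new line 145): the steps are numbered 1, 2, 3, 4 and then "1. Select **Next** to confirm your contacts list". The renderer will renumber it, but since this hunk already touches the spacing between every step, it would be worth changing that item to "5." (or making the whole list use "1." as the permissions list in this file does) so the source is consistent.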
@@ -146,8 +158,11 @@ Apart from email and [in-portal chat](communicate-defender-experts-xdr.md#in-por
146
158
**To turn on Teams notifications and chat:**
147
159
148
160
1. In the same Defender Experts settings setup, under **Teams**, select the **Communicate on Teams** checkbox.
161
+
149
162
2. Select **Next** to review your settings.
163
+
150
164
3. Select **Submit**. The step-by-step guide then completes the initial setup.
165
+
151
166
4. Select **View readiness assessment** to complete the necessary actions required to [optimize your security posture](#prepare-your-environment-for-the-defender-experts-service).
defender-xdr/import-rbac-roles.md
Lines changed: 9 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,7 @@ ms.collection:
12
12
- tier3
13
13
ms.custom:
14
14
ms.topic: how-to
15
-
ms.date: 06/13/2024
15
+
ms.date: 06/28/2024
16
16
ms.reviewer:
17
17
search.appverid: met150
18
18
---
@@ -45,16 +45,22 @@ The following steps guide you on how to import roles into Microsoft Defender XDR
45
45
46
46
> [!IMPORTANT]
47
47
> You must be a Global Administrator or Security Administrator in Microsoft Entra ID, or have all the **Authorization** permissions assigned in Microsoft Defender XDR Unified RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](manage-rbac.md#permissions-prerequisites).
48
+
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
48
49
49
50
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
51
+
50
52
2. In the navigation pane, select **Permissions**.
53
+
51
54
3. Select **Roles** under Microsoft Defender XDR to get to the Permissions and roles page.
55
+
52
56
4. Select **Import role**.
57
+
53
58
5. Select the products you want to import roles from.
54
59
55
60
:::image type="content" source="/defender/media/defender/m365-defender-import-workloads.png" alt-text="Screenshot of the import workloads page" lightbox="/defender/media/defender/m365-defender-import-workloads.png":::
56
61
57
62
6. Select **Next** to choose the roles to import. You can choose all roles or select specific roles from the list. Select the role name to review the permissions and assigned users or groups for that specific role.
63
+
58
64
7. Select the roles you want to import and select **Next**.
59
65
60
66
> [!NOTE]
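Review bot: Formatting problem at new line 48: the added "> Microsoft recommends that you use roles with the fewest permissions..." line follows the existing "> You must be a Global Administrator or Security Administrator..." line with no separator, so Markdown will join them into one paragraph inside the [!IMPORTANT] block. Suggest inserting a bare ">" line between the two so the recommendation renders as its own paragraph. It also reads oddly to require "Global Administrator or Security Administrator" and then discourage Global Administrator in the next sentence; listing Security Administrator and the Unified RBAC **Authorization** permissions first would match the recommendation.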
@@ -63,6 +69,7 @@ The following steps guide you on how to import roles into Microsoft Defender XDR
63
69
> To import this role to Unified RBAC, remove the user or user group from the role in the original RBAC model. Select the role to view the list of users that still exist for that role to determine which user or group to remove.
64
70
65
71
8. Select **Submit**.
72
+
66
73
9. Select **Done** on the confirmation page.
67
74
68
75
Now that you have imported your roles you will be able to [View and edit roles](edit-delete-rbac-roles.md) and activate the workloads.
@@ -78,5 +85,6 @@ Imported roles appear in the **Permissions and roles** list together with any cu
78
85
79
86
-[Activate Microsoft Defender XDR Unified RBAC](activate-defender-rbac.md)
80
87
-[Edit or delete roles](edit-delete-rbac-roles.md)