From 0aa930d35f6a20ffb43cac93ada2e7be01ba4685 Mon Sep 17 00:00:00 2001
From: Guilherme Pohlmann <142536161+pohlmann-gui@users.noreply.github.com>
Date: Fri, 1 Aug 2025 10:37:23 -0300
Subject: [PATCH] Update m365d-autoir-actions.md

Disclosing that admin permissions are necessary for undo operations.
---
 defender-xdr/m365d-autoir-actions.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/defender-xdr/m365d-autoir-actions.md b/defender-xdr/m365d-autoir-actions.md
index b4d2f6771b..36ff9b60d2 100644
--- a/defender-xdr/m365d-autoir-actions.md
+++ b/defender-xdr/m365d-autoir-actions.md
@@ -69,6 +69,9 @@ If you've determined that a device or a file is not a threat, you can undo remed
 |:---|:---|
 | - Automated investigation <br/>- Microsoft Defender Antivirus <br/>- Manual response actions | - Isolate device <br/>- Contain device <br/>- Contain user <br/>- Restrict code execution <br/>- Quarantine a file <br/>- Remove a registry key <br/>- Stop a service <br/>- Disable a driver <br/>- Remove a scheduled task |
 
+> [!NOTE]
+> Only Security Administrators and Global Administrators are allowed access to undo operations such as File Quarantine.
+
 ### Undo one remediation action
 
 1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.