
Microsoft Defender XDR Unified role-based access control (RBAC)

Applies to:

Microsoft Defender XDR provides integrated threat protection, detection, and response across endpoints, email, identities, applications, and data within a single portal. Controlling which data a user can view and which tasks a user can perform is essential for organizations to minimize the risks associated with unauthorized access.

The Microsoft Defender XDR Unified role-based access control (RBAC) model provides a single permissions management experience: one central location where administrators control user permissions across different security solutions.

Important

Starting February 16, 2025, the Microsoft Defender XDR Unified RBAC model will be the default permissions model for new Microsoft Defender for Endpoint tenants. These new tenants won't have the capability to export roles and permissions from the current model. Defender for Endpoint tenants with roles and permissions assigned or exported prior to this date will maintain their current roles and permissions configuration.

Starting March 2, 2025, new Microsoft Defender for Identity tenants will also have the Unified RBAC model as their default permissions model. They won't be able to export roles and permissions from the current model. Existing Defender for Identity tenants will maintain their current roles and permissions configuration.

What's supported by the Microsoft Defender XDR Unified RBAC model

Centralized permissions management is supported for the following services:

Service name and Unified RBAC support:

  • Microsoft Defender XDR: Centralized permissions management for Microsoft Defender XDR experiences.

  • Microsoft Defender for Endpoint: Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the Device groups page. Limiting permissions to different device groups is accomplished on the Device groups page.

  • Microsoft Defender Vulnerability Management: Centralized permissions management for all Defender Vulnerability Management capabilities.

  • Microsoft Defender for Office 365: Full support for all data and actions.

    Note:
      • Initially, the Microsoft Defender XDR RBAC model is available only for organizations with Microsoft Defender for Office 365 Plan 2 licenses (trial licenses aren't supported).
      • Granular delegated admin privileges (GDAP) aren't supported.
      • Exchange Online PowerShell and Security & Compliance PowerShell continue to use Exchange Online roles and Email & Collaboration roles. Microsoft Defender XDR Unified RBAC doesn't affect Exchange Online PowerShell or Security & Compliance PowerShell.

  • Microsoft Defender for Identity: Full support for all identity data and actions. All roles are compatible with Microsoft Defender for Identity scoped access.

    Note: Defender for Identity experiences also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups.

  • Microsoft Defender for Cloud: Supports access management for all Defender for Cloud data that is available in the Microsoft Defender portal.

  • Microsoft Security Exposure Management: Full support for all Exposure Management data and actions, including Microsoft Secure Score data.

  • Microsoft Defender for Cloud Apps (Preview): Note: Once Unified RBAC is activated, some built-in scoped roles will no longer be supported. For more information, see Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions.

  • Microsoft Sentinel data lake (Preview): Supports permission management for the Microsoft Sentinel data lake default workspace, when Microsoft Sentinel is onboarded to both the Defender portal and the Microsoft Sentinel data lake.

Microsoft Sentinel users with built-in Azure RBAC roles for their workspaces receive parallel permissions in the Microsoft Sentinel data lake experiences, such as the lake explorer and notebooks. For more information, see Roles and permissions for the Microsoft Sentinel data lake (Preview).

Note

Scenarios and experiences controlled by Compliance permissions are managed in the Microsoft Purview portal.

Before you start

This section provides useful information on what you need to know before you start using Microsoft Defender XDR Unified RBAC.

Permissions prerequisites

  • You must be a Global Administrator or Security Administrator in Microsoft Entra ID to:

    • Gain initial access to Permissions and roles in the Microsoft Defender portal.

    • Manage roles and permissions in Microsoft Defender XDR Unified RBAC.

    • Create a custom role that can grant access to security groups or individual users to manage roles and permissions in Microsoft Defender XDR Unified RBAC. This removes the need for Microsoft Entra global roles to manage permissions. To do this, you need to assign the Authorization permission in Microsoft Defender XDR Unified RBAC. For details on how to assign the Authorization permission, see Create a role to access and manage roles and permissions.

  • The Microsoft Defender XDR security solution continues to respect existing Microsoft Entra global roles when you activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads, that is, Global Administrators retain assigned administrator privileges.

Important

Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role.

Migration of existing roles and permissions

The new Microsoft Defender XDR Unified RBAC model provides easy migration of the existing permissions in each of the individual supported RBAC models to the new RBAC model.

Defender for Endpoint device groups are now defined on the Device groups page of the interface, which controls which groups have access to the appropriate device groups.

All permissions listed within the Microsoft Defender XDR Unified RBAC model align to permissions in the individual RBAC models to ensure backward compatibility. For more information on how the permissions align, see Map permissions in Microsoft Defender XDR unified role-based access control (RBAC).

Activation of the Microsoft Defender XDR Unified RBAC model

You must activate the workloads in Microsoft Defender XDR to use the Microsoft Defender XDR Unified RBAC model. Until activated, Microsoft Defender XDR continues to respect the existing RBAC models. For more information, see Activate Microsoft Defender XDR Unified RBAC.

When you activate some or all of your workloads to use the new permission model, the roles and permissions for these workloads are fully controlled by the Microsoft Defender XDR Unified RBAC model in the Microsoft Defender portal.

Start using Microsoft Defender XDR Unified RBAC model

Use the following steps as a guide to start using the Microsoft Defender XDR Unified RBAC model:

  1. Get started with creating custom roles and importing roles from existing RBAC role models

  2. Activate and manage your roles with the Microsoft Defender XDR Unified RBAC model

  3. Learn more about the Microsoft Defender XDR Unified RBAC model

  4. Learn more about Microsoft Defender for Identity scoped access

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.