Centrally manage permissions with the Microsoft 365 Defender role-based access control (RBAC) model
We are excited to announce the public preview of a central role-based access control (RBAC) capability to help unify roles and permissions management across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity.
The new Microsoft 365 Defender RBAC model, part of Microsoft’s leading Extended Detection and Response (XDR) solution, is an impactful enabler for security admins to centrally manage privileges across domains. It offers a unified and granular cross-services access permission model to help the Security Operations Center (SOC) increase productivity across the various Microsoft Defender products. Additionally, the new model is fully compatible with existing individual RBAC models currently supported in Microsoft 365 Defender portal.
The new Microsoft 365 Defender RBAC experience
Microsoft 365 Defender provides integrated threat protection, detection, and response across endpoints, email, identities, applications, and data within a single portal. The new RBAC model now takes this experience to the next level by allowing admins to centrally manage privileges across these services with a greater efficiency. While Defender for Cloud Apps is not covered in this initial preview, it will be added to the new RBAC model in the future.
The new model organizes permissions by categories. For example, the “Security operations” category includes permissions that are required to perform daily security operations activities and allows admins to either grant out-of-the-box permissions on a per category basis or select permissions one-by-one for custom roles.
In the new model, permissions can be scoped to individual users and/or security groups. By default, custom roles created in the Microsoft 365 Defender RBAC model are scoped to all data sources. However, if needed, a role can be scoped to one or more specific data sources.
To make it easy for you to adopt the new RBAC model, we support role import capabilities so that you can import existing roles from any of our current individual RBAC models to the new Microsoft 365 Defender RBAC model with a click of a button.
Supported Products
- Microsoft Defender for Endpoint – full support for all endpoint data and actions. All roles are compatible with Defender for Endpoint’s device group aligning.
- Microsoft Defender for Office 365 – support for the SecOps scenarios that are managed in the Microsoft Defender portal.
Note: Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online. - Microsoft Defender for Identity – Full support for all identity data and actions.
Microsoft Defender for Cloud Apps – Will be added in the future.
Getting Started
Here is how you can get started with the new RBAC model:
If you don’t have any existing roles assigned:
- Start by creating custom roles: Enter the role name and description, select permissions, assign the role to users/a user group
- Activate Microsoft 365 Defender RBAC
- Edit or delete roles anytime as needed
You can find more details on how to create custom roles in our technical documentation.
If you have existing roles within any of the workloads:
- Import roles from the relevant workloads such as Defender for Endpoint, Defender for Identity or Defender for Office 365
- Review and modify as needed
- Activate M365 Defender RBAC
You can find more details on how to import roles in our technical documentation.
Notes:
- There will be no immediate change to the way Microsoft 365 Defender enforces permissions until admins activate the new RBAC model per workload. Only after activation, the new custom roles and imported roles will become effective.
- Only one permissions model can be honored at any given time, but the users will have the option to revert to the individual RBAC model if desired.
What about Azure Active Directory global roles and Privileged Identity Management?
Microsoft 365 Defender security portal will continue to respect existing Azure Active Directory global roles when you activate the Microsoft 365 Defender RBAC model for some or all workloads, i.e., Global Admins will retain assigned admin privileges.
However, with the new RBAC model you will have the flexibility to create more granular roles where appropriate, following the principle of least privilege and granting users only the privileges they need.
More information
- Ready to get started? Check out our technical documentation on how to transition to the new Microsoft 365 Defender RBAC model
- Let us know what you think! Share your feedback with us in the Microsoft 365 Defender portal feedback tool. Learn more about our feedback tool here.
Published on:
Learn moreRelated posts
Microsoft Viva: Viva Glint – Zero downtime for Viva Glint releases
Viva Glint releases previously needed several hours of downtime. With this feature, future releases will be transparent to customers, requirin...
Microsoft 365 app: Microsoft Loop – Add a Loop Workspace to your Teams Channel
Channels in Microsoft Teams streamline collaboration by bringing people, content, and apps together and helping to organize them by project or...
Microsoft Copilot (Microsoft 365): Clipchamp Copilot video creator
Create a video draft on any topic by providing a prompt. Clipchamp will create a video using stock video and music with an AI-generated voiceo...
New deployments of Microsoft 365 desktop client apps to include new Outlook
Microsoft 365 desktop client apps’ new deployments will now include new Outlook. Rollout starts late February 2025, with completion by e...
Microsoft 365 (Office) apps: The “Tags” feature will retire
The “Tags” feature in Microsoft 365 apps will be retired between January 6 and January 10, 2025. Users can use the “Favorite...
Microsoft 365 admin center: Enhancements to Copilot administration page
The Microsoft 365 admin center’s Copilot page will be updated with an enhanced Overview section and a new Health section. Rollout starts...
The Confusing Renaming of Microsoft 365 Copilot
Microsoft loves branding exercise. At least, that can be the only reason why the Microsoft 365 Copilot rename is happening. I can think of no ...
Power Platform & M365 Dev Community Call – December 19th, 2024 – Screenshot Summary
Call Highlights SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...