| title | Assign security roles and permissions in Microsoft Defender for Business |
|---|---|
| description | Assign roles to your cybersecurity team. Learn about these roles and permissions in Defender for Business. |
| search.appverid | MET150 |
| author | chrisda |
| ms.author | chrisda |
| manager | bagol |
| audience | Admin |
| ms.topic | how-to |
| ms.service | defender-business |
| ms.localizationpriority | medium |
| ms.date | 09/11/2025 |
| ms.reviewer | efratka, nehabha |
| f1.keywords | NOCSH |
| ms.collection | |

This article describes how to assign security roles and permissions in Defender for Business.
:::image type="content" source="media/mdb-setup-step3.png" alt-text="Visual depicting step 3 - assign security roles and permissions in Defender for Business.":::
Your organization's security team needs certain permissions to perform tasks, such as:
- Configuring Defender for Business
- Onboarding (or removing) devices
- Viewing reports about devices and threat detections
- Viewing incidents and alerts
- Taking response actions on detected threats
Permissions are granted through certain roles in Microsoft Entra ID. These roles can be assigned in the Microsoft 365 admin center or in the Microsoft Entra admin center.
- Learn about roles in Defender for Business.
- View or edit role assignments for your security team.
- Proceed to your next steps.
The following table describes the main roles that are assigned in Defender for Business.
| Permission level | Description |
|---|---|
| Security Administrator | Security Administrators can perform the following tasks:<br><br>In general, security admins use the Microsoft Defender portal (https://security.microsoft.com) to perform security tasks. |
| Security Reader | Security Readers can perform the following tasks:<br><br>Security readers can't add or edit security policies, nor can they onboard devices. |
For more information about roles, see the following articles:
Important
Microsoft recommends that you grant people access to only what they need to perform their tasks. We call this concept least privilege for permissions. To learn more, see Best practices for least-privileged access for applications.
You can use the Microsoft 365 admin center or the Microsoft Entra admin center to view and edit role assignments.
1. Go to the Microsoft 365 admin center (https://admin.microsoft.com) and sign in.
2. In the navigation pane, go to Users > Active users.
3. Select a user account to open their flyout pane.
4. On the Account tab, under Roles, select Manage roles.
5. To add or remove a role, use one of the following procedures:

   | Task | Procedure |
   |---|---|
   | Add a role to a user account | 1. Select Admin center access, scroll down, and then expand Show all by category.<br>2. Select one of the following roles:<br>- Security Administrator (listed under Security & Compliance)<br>- Security Reader (listed under Read-only)<br>3. Select Save changes. |
   | Remove a role from a user account | 1. Either select User (no admin center access) to remove all admin roles, or clear the checkbox next to one or more of the assigned roles.<br>2. Select Save changes. |

1. Go to the Microsoft Entra admin center (https://entra.microsoft.com) and sign in.
2. In the navigation pane, go to Users > All users.
3. Open a user profile by selecting the user account.
4. To add or remove a role, use one of the following procedures:

   | Task | Procedure |
   |---|---|
   | Add a role to a user account | 1. Under Manage, select Assigned roles, and then choose + Add assignments.<br>2. Search for one of the following roles, select it, and then choose Add to assign that role to the user account.<br>- Security Administrator<br>- Security Reader |
   | Remove a role from a user account | 1. Under Manage, select Assigned roles.<br>2. Select one or more administrative roles, and then select X Remove assignments. |
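
The same two roles can also be reviewed and assigned from PowerShell, which makes a periodic least-privilege review repeatable. The following is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK is installed, and the helper function names and the user principal name are hypothetical placeholders.

```powershell
# Added example, not from the original article. Requires the Microsoft Graph PowerShell SDK.
# Assumption: the signed-in admin can consent to the scopes requested below.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# The two roles this article describes.
$SecurityRoles = 'Security Administrator', 'Security Reader'

function Get-SecurityRoleHolder {
    # Hypothetical helper: one row per active assignment of either role,
    # so the holders can be reviewed against least privilege.
    foreach ($name in $SecurityRoles) {
        $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
        Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
            ForEach-Object {
                $p = (Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId).AdditionalProperties
                [pscustomobject]@{
                    Role      = $name
                    Type      = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
                    Principal = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
                    Scope     = $_.DirectoryScopeId
                }
            }
    }
}

function Add-SecurityRole {
    # Hypothetical helper: assigns one of the two roles tenant-wide, skipping users who already hold it.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Security Administrator', 'Security Reader')][string]$RoleName
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    $held = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
        Where-Object { $_.RoleDefinitionId -eq $role.Id }
    if ($held) {
        Write-Verbose "$UserPrincipalName already holds $RoleName"
        return $held
    }
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/'
}

# Placeholder account: grant read-only access first, then list everyone holding either role.
Add-SecurityRole -UserPrincipalName 'analyst@contoso.example' -RoleName 'Security Reader'
Get-SecurityRoleHolder | Sort-Object Role, Principal | Format-Table -AutoSize
```

The listing covers active assignments only, so eligible assignments managed through Privileged Identity Management need a separate review.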