---
title: Manage access to Microsoft Defender XDR with Microsoft Entra global roles
description: Learn how to manage access to Microsoft Defender XDR capabilities with Microsoft Entra global roles.
ms.service: defender-xdr
f1.keywords:
  - NOCSH
ms.author: guywild
author: guywi-ms
ms.localizationpriority: medium
manager: deniseb
audience: ITPro
ms.collection:
  - m365-security
  - tier1
  - essentials-manage
ms.topic: concept-article
search.appverid:
  - MOE150
  - MET150
ms.date: 05/08/2024
appliesto:
  - Microsoft Defender XDR
---

# Manage access to Microsoft Defender XDR with Microsoft Entra global roles

> [!NOTE]
> Microsoft Defender XDR users can now take advantage of a centralized permissions management solution to control user access and permissions across different Microsoft security solutions. Learn more about the Microsoft Defender XDR Unified role-based access control (RBAC).

[!INCLUDE Microsoft Defender XDR rebranding]

There are two ways to manage access to Microsoft Defender XDR:

- Global Microsoft Entra roles
- Custom role access

Accounts assigned the following Global Microsoft Entra roles can access Microsoft Defender XDR functionality and data:

- Global Administrator
- Security Administrator
- Security Operator
- Global Reader
- Security Reader

> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

To review accounts with these roles, view Permissions in the Microsoft Defender portal.
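The same review can be scripted against Microsoft Entra ID. The following is an added example, not part of the article or of Microsoft's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed and that you can consent to the directory read scopes it requests. It lists the members of each global role named above and flags Global Administrator assignments for least-privilege review.

```powershell
# Added example (not from the article): enumerate members of the Microsoft Entra
# global roles that grant access to Microsoft Defender XDR and flag Global
# Administrator assignments for least-privilege review.
# Assumption: Microsoft.Graph PowerShell SDK is installed and consent can be granted.

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Roles the article lists as granting access to Defender XDR functionality and data.
$defenderXdrRoles = @(
    'Global Administrator',
    'Security Administrator',
    'Security Operator',
    'Global Reader',
    'Security Reader'
)

$report = foreach ($roleName in $defenderXdrRoles) {
    # Get-MgDirectoryRole returns only roles that have been activated in the tenant;
    # a role nobody has ever been assigned does not appear and is simply skipped.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) {
        Write-Verbose "Role '$roleName' has no active assignments in this tenant."
        continue
    }

    # Members can be users, groups or service principals; the properties live in
    # AdditionalProperties because the cmdlet returns generic directory objects.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role        = $roleName
            MemberType  = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName = $member.AdditionalProperties['displayName']
            Upn         = $member.AdditionalProperties['userPrincipalName']
            # The article recommends limiting Global Administrator to emergency use,
            # so those assignments are called out explicitly for review.
            ReviewFlag  = if ($roleName -eq 'Global Administrator') { 'Highly privileged: confirm emergency-only use' } else { '' }
        }
    }
}

$report | Sort-Object Role, Upn | Format-Table -AutoSize
```

Only active assignments are returned; PIM-eligible assignments that have not been activated do not appear as role members, so review those separately in the Entra admin center.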

Custom role access is a capability in Microsoft Defender XDR that allows you to manage access to specific data, tasks, and capabilities in Microsoft Defender XDR. Custom roles offer more control than global Microsoft Entra roles, providing users only the access they need with the least-permissive roles necessary. Custom roles can be created in addition to global Microsoft Entra roles. Learn more about custom roles.

> [!NOTE]
> This article applies only to managing global Microsoft Entra roles. For more information about using custom role-based access control, see Custom roles for role-based access control.

## Access to functionality

Access to specific functionality is determined by your Microsoft Entra role. Contact a Global Administrator if you need access to specific functionality that requires you or your user group to be assigned a new role.

### Approve pending automated tasks

Automated investigation and remediation can take action on emails, forwarding rules, files, persistence mechanisms, and other artifacts found during investigations. To approve or reject pending actions that require explicit approval, you must have certain roles assigned in Microsoft 365. To learn more, see Action center permissions.

## Access to data

Access to Microsoft Defender XDR data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access hasn't been scoped to a specific set of devices in Defender for Endpoint, you'll have full access to data in Microsoft Defender XDR. However, once your account is scoped, you'll only see data about the devices in your scope.

For example, if you belong to only one user group with a Microsoft Defender for Endpoint role and that user group has been given access to sales devices only, you'll see only data about sales devices in Microsoft Defender XDR. Learn more about RBAC settings in Microsoft Defender for Endpoint.

## Microsoft Defender for Cloud Apps access controls

During the preview, Microsoft Defender XDR doesn't enforce access controls based on Defender for Cloud Apps settings. Access to Microsoft Defender XDR data isn't affected by these settings.

## Related articles