---
title: Activate Microsoft Defender unified role-based access control (URBAC)
description: Activate Microsoft Defender unified role-based access control (URBAC) to enforce permissions and assignments configured in your new custom or imported roles.
ms.service: defender-xdr
ms.author: guywild
author: guywi-ms
ms.localizationpriority: medium
audience: ITPro
ms.collection:
- m365-security
- tier3
ms.custom:
ms.topic: how-to
ms.date: 03/02/2025
ms.reviewer:
search.appverid: met150
appliesto:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 P2
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
- Microsoft Defender for Cloud Apps
- Microsoft Security Exposure Management
- Microsoft Sentinel
---

# Activate Microsoft Defender unified role-based access control (URBAC)

[!INCLUDE Microsoft Defender XDR rebranding]

This article lists the steps to activate the Defender workloads available in your environment for Microsoft Defender unified role-based access control (RBAC). Activate the unified RBAC model for some or all of your workloads so that the Microsoft Defender portal starts enforcing the permissions and assignments configured in your new custom roles or imported roles. Until a workload is activated, the Defender portal keeps enforcing that workload's legacy permissions model, regardless of which unified RBAC roles exist.

> [!IMPORTANT]
> Starting February 16, 2025, the Microsoft Defender unified RBAC model is the default permissions model for new Microsoft Defender for Endpoint tenants. These new tenants can't export roles and permissions from the legacy model. Defender for Endpoint tenants with roles and permissions assigned or exported before this date keep their current roles and permissions configuration.
>
> As of March 2, 2025, new Microsoft Defender for Identity tenants also have the unified RBAC model as their default permissions model. They can't export roles and permissions from the legacy model. Existing Defender for Identity tenants keep their current roles and permissions configuration.

## Activate Microsoft Defender unified RBAC

The following steps guide you through activating the Microsoft Defender unified RBAC model. You can activate your workloads from either of the two portal locations described below.

> [!IMPORTANT]
> You must be at least a Security Administrator in Microsoft Entra ID to perform this task. For more information on permissions, see Permission prerequisites.
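
Before you open the activation page, it's worth confirming that the account you're using actually holds an active Security Administrator (or Global Administrator) assignment, because a PIM-eligible assignment that hasn't been activated doesn't grant the rights the portal needs. The script below is an added example, not code from this article or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`), the documented Entra ID role template IDs for the two roles, and a placeholder user principal name that you must replace. It checks only assignments made directly to the user; an assignment inherited through a role-assignable group is an assumption this check doesn't cover.

```powershell
# Added example (not from the original page): verify that the account that will
# activate unified RBAC holds Security Administrator or Global Administrator in
# Microsoft Entra ID, and warn when the only assignment is PIM-eligible.
# Requires: Install-Module Microsoft.Graph

$Upn = 'admin@contoso.onmicrosoft.com'   # placeholder: replace with the activating account

# Built-in Entra ID role template IDs (tenant-independent values documented by Microsoft).
$SecurityAdministratorId = '194ae4cb-b126-40b2-bd5b-6091b380977d'
$GlobalAdministratorId   = '62e90394-69f5-4237-9190-012177145e10'
$RequiredRoleIds         = @($SecurityAdministratorId, $GlobalAdministratorId)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$user   = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
$filter = "principalId eq '$($user.Id)'"

# Active assignments: permanent ones plus PIM roles the user has already activated.
# Assumption: only direct assignments to the user are inspected; assignments that
# arrive through a role-assignable group are not returned by this principalId filter.
$activeRoleIds = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All |
    Select-Object -ExpandProperty RoleDefinitionId

# PIM-eligible assignments grant nothing until the user activates them in PIM.
$eligibleRoleIds = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All |
    Select-Object -ExpandProperty RoleDefinitionId

if ($activeRoleIds | Where-Object { $_ -in $RequiredRoleIds }) {
    Write-Host "$Upn has an active Security Administrator or Global Administrator assignment. Unified RBAC activation can proceed."
}
elseif ($eligibleRoleIds | Where-Object { $_ -in $RequiredRoleIds }) {
    Write-Warning "$Upn is only PIM-eligible for the required role. Activate it in PIM before opening Permissions and roles in the Defender portal, otherwise the activation toggles will fail."
}
else {
    Write-Warning "$Upn holds neither Security Administrator nor Global Administrator. Assign one of these roles before attempting activation."
}
```

Run the script once per account that will perform activation; if it reports an eligible-only assignment, activate the role in Privileged Identity Management first and then sign in to the Defender portal, since role activation takes effect on the next token.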

### Activate from the Permissions and roles page

  1. Sign in to the Microsoft Defender portal.

  2. In the navigation pane, select System > Permissions.

  3. Under Microsoft Defender XDR, select Roles.

  4. You can activate your workloads in two ways: either select Activate workloads from the banner or select Workload settings at the top of the page.

:::image type="content" source="media/activate-defender-rbac/m365-defender-rbac-activate-workloads1.png" alt-text="Screenshot of the activate workloads page" lightbox="media/activate-defender-rbac/m365-defender-rbac-activate-workloads1.png":::

> [!NOTE]
> The Activate workloads button is only available when there's at least one workload that's not active for Microsoft Defender unified RBAC. Microsoft Defender for Cloud is active by default with Microsoft Defender unified RBAC. Defender unified RBAC is automatically active for Exposure Management access. Once a custom role with one of the Exposure Management permissions is created, it has an immediate impact on assigned users. There's no need to activate it.
>
> To activate Exchange Online permissions in Microsoft Defender unified RBAC, Defender for Office 365 permissions must be active.

  1. Select the toggle for each workload you want to activate or deactivate.

  2. Optional: To activate Sentinel's workload, select View Workspaces and select which workspaces you'd like to activate.

    :::image type="content" source="media/activate-defender-rbac/defender-activate-workloads.png" alt-text="Screenshot of the page where you can choose workloads to activate.":::

  3. Select Activate on the confirmation message.

### Activate in Microsoft Defender XDR settings

Follow these steps to activate your workloads directly in Microsoft Defender XDR settings:

  1. Sign in to the Microsoft Defender portal.

  2. In the navigation pane, select System > Settings.

  3. Select Microsoft Defender XDR.

  4. Under General, select Permissions and roles. This brings you to the Activate unified role-based access control page.

  5. Select the toggle for the workloads you want to activate or deactivate.

  6. Optional: To activate Microsoft Sentinel's workload, select View Workspaces and select which workspaces you'd like to activate.

  7. Select Activate on the confirmation message.

> [!NOTE]
> The Microsoft Defender unified RBAC model only affects the Microsoft Defender portal. It doesn't affect the Microsoft Purview portal or the Exchange admin center.

> [!IMPORTANT]
> Once unified RBAC is activated for Microsoft Sentinel, use unified RBAC in the Defender portal to manage Sentinel permissions. Making permission changes in the Azure portal after unified RBAC is active for a workspace might lead to sync errors. If a sync error occurs, a notification appears on the Permissions page in the Defender portal with instructions on how to resolve it.

## Deactivate Microsoft Defender unified RBAC

You can deactivate Microsoft Defender unified RBAC and revert to the individual RBAC models of Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (which includes the built-in security features for all cloud mailboxes).

To deactivate workloads, repeat the steps in the previous section and clear the toggle for each workload you want to deactivate. The workload's status is set to Not Active.

If you deactivate a workload, the roles created and edited within Microsoft Defender unified RBAC are no longer in effect for that workload, and the previous permissions model is used instead. Because the legacy model's role assignments are enforced again immediately, review them before deactivating so that users don't regain permissions that were removed when you moved to unified RBAC.

## Next steps

[!INCLUDE Microsoft Defender XDR rebranding]