Commit cddf442

Merge pull request #7345 from mberdugo/URBACsentinel
URBAC updates
2 parents 28109c0 + 8dd90d9 commit cddf442

4 files changed

Lines changed: 28 additions & 33 deletions

defender-xdr/activate-defender-rbac.md

Lines changed: 17 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -4,14 +4,12 @@ description: Activate Microsoft Defender unified role-based access control (URBA
44
ms.service: defender-xdr
55
ms.author: monaberdugo
66
author: mberdugo
7-
ms.localizationpriority: medium
87
ms.collection:
98
- m365-security
109
- tier3
11-
ms.custom:
1210
ms.topic: how-to
1311
ms.date: 03/02/2025
14-
ms.reviewer:
12+
ms.reviewer: Tomas Beerthuis
1513
appliesto:
1614
- Microsoft Defender for Endpoint Plan 2
1715
- Microsoft Defender XDR
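Review bot: `ms.date: 03/02/2025` is left unchanged in this hunk even though the PR rewrites the article body (new Prerequisites and Before you begin sections, a reworked Important note); bump ms.date so the page's freshness stamp matches the content. The hunk also drops `ms.localizationpriority: medium` together with the empty `ms.custom:` key; the second is a harmless cleanup, but removing the localization priority changes how the page is queued for translation, so confirm that is intended and not a side effect of tidying the frontmatter.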
@@ -32,22 +30,30 @@ appliesto:
3230
This article lists the steps to activate Defender workloads available in your environment to use the Microsoft Defender unified role-based access control (RBAC). Activate the unified RBAC model for some or all of your workloads for the Microsoft Defender portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md).
3331

3432
> [!IMPORTANT]
35-
> Starting February 16, 2025, the Microsoft Defender unified RBAC model will be the default permissions model for new Microsoft Defender Endpoint tenants. These new tenants won't have the capability to export roles and permissions from the current model. Defender for Endpoint tenants with roles and permissions assigned or exported prior to this date will maintain their current roles and permissions configuration
36-
>
37-
> As of March 2, 2025, new Microsoft Defender for Identity tenants will also have the unified RBAC model as their default permissions model. They won't be able to export roles and permissions from the current model. Existing Defender for Identity tenants will maintain their current roles and permissions configuration.
33+
> Starting 2025, the Microsoft Defender unified RBAC model is the default permissions model for new Microsoft Defender Endpoint tenants and Microsoft Defender for Identity tenants. These tenants can't export roles and permissions from the old model. Defender for Endpoint or Defender for Identity tenants with roles and permissions assigned or exported prior to this date maintain their old roles and permissions configuration.
3834
3935
<a name='activate-microsoft-365-defender-unified-rbac'></a>
4036

37+
## Prerequisites
38+
39+
You must be at least a Security Administrator in Microsoft Entra ID to activate Microsoft Defender unified RBAC. For more information on permissions, see [Permission prerequisites](manage-rbac.md#permissions-prerequisites).
40+
41+
## Before you begin
42+
43+
Before you activate Microsoft Defender unified RBAC, consider the following:
44+
45+
* The following roles are not supported for unified RBAC: the Microsoft Sentinel *Playbook Operator*, *Automation Contributor* and *Workbook Contributor*. These roles continue to be managed in Azure.
46+
* Assigning permissions to a service principal or to a GDAP user group in Microsoft Sentinel isn't supported in unified RBAC. If you need either capability, don't activate Sentinel in unified RBAC yet. Continue using Azure RBAC for Microsoft Sentinel.
47+
* The Microsoft Defender unified RBAC model only impacts the Microsoft Defender portal. It doesn't impact the [Microsoft Purview portal](https://purview.microsoft.com) or the [Exchange Admin Center](https://admin.exchange.microsoft.com).
48+
* Once unified RBAC is activated for Microsoft Sentinel, use unified RBAC in the Defender portal to manage Sentinel permissions. Making permission changes in the Azure portal after unified RBAC is active for a workspace might lead to sync errors. If a sync error occurs, a notification appears on the **Permissions** page in the Defender portal with instructions on how to resolve it.
49+
4150
## Activate Microsoft Defender unified RBAC
4251

4352
The following steps guide you on how to activate the Microsoft Defender unified RBAC model. You can activate your workloads in the following ways:
4453

4554
* [Activate in the permissions and roles page](#activate-from-the-permissions-and-roles-page)
4655
* [Activate in Microsoft Defender XDR settings](#activate-in-microsoft-365-defender-settings)
4756

48-
> [!IMPORTANT]
49-
> You must be at least a Security Administrator in Microsoft Entra ID to perform this task. For more information on permissions, see [Permission prerequisites](manage-rbac.md#permissions-prerequisites).
50-
5157
### Activate from the Permissions and roles page
5258

5359
1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com).
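Review bot: the merged Important note (the `33+` line) now says "Starting 2025 ... prior to this date", but the two specific dates it replaced (February 16, 2025 for Defender for Endpoint and March 2, 2025 for Defender for Identity) are gone, so "this date" no longer refers to anything and "Starting 2025" is too vague for an admin deciding whether a tenant can still export its old roles. Either keep the two dates, for example "Starting February 16, 2025 (Defender for Endpoint) and March 2, 2025 (Defender for Identity), ...", or replace "prior to this date" with "before unified RBAC became the default for their product". Separately, the new Before you begin bullets mix "are not supported" and "isn't supported"; use the contraction consistently, as the rest of the article does.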
@@ -75,7 +81,6 @@ The following steps guide you on how to activate the Microsoft Defender unified
7581

7682
1. Select **Activate** on the confirmation message.
7783

78-
7984
<a name='activate-in-microsoft-365-defender-settings'></a>
8085

8186
### Activate in Microsoft Defender XDR settings
@@ -96,24 +101,18 @@ Follow these steps to activate your workloads directly in Microsoft Defender XDR
96101

97102
1. Select **Activate** on the confirmation message.
98103

99-
> [!NOTE]
100-
> The Microsoft Defender unified RBAC model only impacts the Microsoft Defender portal. It doesn't impact the [Microsoft Purview portal](https://purview.microsoft.com) or the [Exchange Admin Center](https://admin.exchange.microsoft.com).
101-
102-
> [!IMPORTANT]
103-
> Once unified RBAC is activated for Microsoft Sentinel, use unified RBAC in the Defender portal to manage Sentinel permissions. Making permission changes in the Azure portal after unified RBAC is active for a workspace might lead to sync errors. If a sync error occurs, a notification appears on the **Permissions** page in the Defender portal with instructions on how to resolve it.
104-
105104
<a name='deactivate-microsoft-365-defender-unified-rbac'></a>
106105

107106
## Deactivate Microsoft Defender unified RBAC
108107

109-
You can deactivate Microsoft Defender XDR unified RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (which includes [the built-in security features for all cloud mailboxes](/defender-office-365/eop-about)).
108+
You can deactivate Microsoft Defender XDR unified RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Sentinel, and Microsoft Defender for Office 365 (which includes [the built-in security features for all cloud mailboxes](/defender-office-365/eop-about)).
110109

111110
To deactivate the workloads, repeat the steps in the previous section and select the workloads you want to deactivate. The status is set to **Not Active**.
112111

113112
If you deactivate a workload, the roles created and edited within Microsoft Defender unified RBAC are no longer in effect, and the previous permissions model is used instead.
114113

115114
## Next steps
116115

117-
- [Edit or delete roles](edit-delete-rbac-roles.md)
116+
[Edit or delete roles](edit-delete-rbac-roles.md)
118117

119118
[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
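Review bot: the Deactivate section (the `108+` line) now lists Microsoft Sentinel among the workloads that can be reverted, but the text that follows ("the previous permissions model is used instead") says nothing about what happens to the Sentinel role assignments that were synced to Azure RBAC while unified RBAC was active, nor to the *User Access Administrator* assignment that manage-rbac.md in this same PR says is granted to the MTP Unified RBAC app on activation. Since those are Azure-side access grants, add a sentence stating whether deactivation removes them or whether the admin must clean them up in the Azure portal; otherwise a reader may assume deactivation fully reverts the workspace's access control. Minor: turning the single Next steps bullet into a bare link is fine, but the other RBAC articles keep a list there, so consider leaving the bullet for consistency.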

defender-xdr/compare-rbac-roles.md

Lines changed: 8 additions & 8 deletions
@@ -39,9 +39,7 @@ This article describes how existing roles and permissions in the available Micro
3939
This article contains tables describing how to map your existing individual RBAC role defintions to the new Microsoft Defender unified RBAC permissions for the following products:
4040

4141
> [!IMPORTANT]
42-
> As of February 2025, the Microsoft Defender unified RBAC model is the default permissions model for new Microsoft Defender Endpoint organizations. New organizations can't export roles and permissions from the original permissions model. Existing organizations with roles and permissions assigned or exported before February maintain their current roles and permissions configuration.
43-
>
44-
> As of March 2025, the Microsoft Defender unified RBAC model is the default permissions model for new Microsoft Defender for Identity organizations. New organizations can't export roles and permissions from the original permissions model. Existing organizations with roles and permissions assigned or exported before March maintain their current roles and permissions configuration.
42+
> Starting 2025, the Microsoft Defender unified RBAC model is the default permissions model for new Microsoft Defender Endpoint tenants and Microsoft Defender for Identity tenants. These tenants can't export roles and permissions from the old model. Defender for Endpoint or Defender for Identity tenants with roles and permissions assigned or exported prior to this date maintain their old roles and permissions configuration.
4543
4644
Use the tables in the following sections to learn more about how your existing individual RBAC role definitions map to your new Microsoft Defender unified RBAC roles:
4745

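Review bot: the replacement Important note (the `42+` line) still says "prior to this date", but the February 2025 and March 2025 dates that gave "this date" a referent were removed in the same hunk, so the sentence no longer tells a reader which tenants keep their exported configuration. Restore the two dates or reword to "before unified RBAC became the default for their product". While this paragraph is being edited, the unchanged context line above still has the typo "defintions" (should be "definitions").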
@@ -182,11 +180,13 @@ The following table lists the available uRBAC roles and their permissions.
182180

183181
Use the following table to learn how your existing permissions for Microsoft Sentinel map to the new Microsoft Defender unified RBAC permissions:
184182

185-
|Sentinel permission|Defender unified RBAC permission|
186-
|---|-----|
187-
|Sentinel Reader|Security operations \ Security data \ Security data basic (read)|
188-
|Sentinel Responder|Security operations \ Security data \ Security data basic (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)|
189-
|Sentinel Contributor|Security operations \ Security data \ Security data basic (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage) </br>Authorization and settings \ Detection tuning (manage)|
183+
|Sentinel role|URBAC role|Defender unified RBAC permission|
184+
|---|---|-----|
185+
|Sentinel Reader|Defender Unified RBAC Reader|Security operations \ Security data \ Security data basic (read)|
186+
|Sentinel Responder|Defender Unified RBAC Responder|Security operations \ Security data \ Security data basic (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)|
187+
|Sentinel Contributor|Defender Unified RBAC Contributor and Responder|Security operations \ Security data \ Security data basic (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage) </br>Authorization and settings \ Detection tuning (manage)|
188+
|N/A|Defender Unified RBAC Scoped Reader|Security operations \ Security data \ Security data basic (read) <br/>Applies only to role assignments with Sentinel Scope applied|
189+
|N/A|Defender Unified RBAC Data Manager|Data operations \ Data management \ Data (manage)|
190190

191191
The following roles aren't available in unified RBAC and must be managed in the Azure portal: Microsoft Sentinel Playbook Operator, Automation Contributor, and Workbook Contributor.
192192

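Review bot: the rebuilt table mixes `</br>` (rows 2 and 3, carried over from the old rows) with `<br/>` in the new Scoped Reader row; `</br>` is a stray closing tag that renderers handle inconsistently, so normalize every cell to `<br/>`. The new middle column is headed "URBAC role" while the third column and the surrounding prose say "Defender unified RBAC"; use one name. The Scoped Reader row puts a scoping condition ("Applies only to role assignments with Sentinel Scope applied") inside the permission cell, where it reads as part of the permission; move it to a sentence under the table or add a Notes column. Finally, the Sentinel Contributor row maps to two URBAC roles ("Contributor and Responder"); a short sentence saying both must be assigned to reproduce the Contributor permission set would stop readers from assigning only one and silently losing the alert and response permissions.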
defender-xdr/edit-delete-rbac-roles.md

Lines changed: 1 addition & 3 deletions
@@ -64,9 +64,7 @@ If the workload is active, all assigned user permissions are deleted by removing
6464
## Export roles
6565

6666
> [!IMPORTANT]
67-
> Starting February 16, 2025, the Microsoft Defender unified RBAC model will be the default permissions model for new Microsoft Defender Endpoint tenants. These new tenants won't have the capability to export roles and permissions from the current model. Defender for Endpoint tenants with roles and permissions assigned or exported prior to this date will maintain their current roles and permissions configuration.
68-
>
69-
> Starting March 2, 2025, new Microsoft Defender for Identity tenants will also have the unified RBAC model as their default permissions model. They won't be able to export roles and permissions from the current model. Existing Defender for Identity tenants will maintain their current roles and permissions configuration.
67+
> Starting 2025, the Microsoft Defender unified RBAC model is the default permissions model for new Microsoft Defender Endpoint tenants and Microsoft Defender for Identity tenants. These tenants can't export roles and permissions from the old model. Defender for Endpoint or Defender for Identity tenants with roles and permissions assigned or exported prior to this date maintain their old roles and permissions configuration.
7068
7169
The Export feature enables you to export the following roles data:
7270

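Review bot: the new note (the `67+` line) reads "Starting 2025 ... prior to this date" after the hunk removed the February 16, 2025 and March 2, 2025 dates, so "this date" is now unresolved; this matters most in this article because the note sits directly above the Export roles steps it qualifies. Keep the two dates, or reword the condition to "before unified RBAC became the default for their product".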
defender-xdr/manage-rbac.md

Lines changed: 2 additions & 4 deletions
@@ -37,9 +37,7 @@ Microsoft Defender XDR provides integrated threat protection, detection, and res
3737
The Microsoft Defender unified role-based access control (RBAC) model provides a single permissions management experience that provides one central location for administrators to control user permissions across different security solutions.
3838

3939
> [!IMPORTANT]
40-
> Starting February 16, 2025, the Microsoft Defender unified RBAC model will be the default permissions model for new Microsoft Defender Endpoint tenants. These new tenants won't have the capability to export roles and permissions from the current model. Defender for Endpoint tenants with roles and permissions assigned or exported prior to this date will maintain their current roles and permissions configuration.
41-
>
42-
> Starting March 2, 2025, new Microsoft Defender for Identity tenants will also have the Unified RBAC model as their default permissions model. They won't be able to export roles and permissions from the current model. Existing Defender for Identity tenants will maintain their current roles and permissions configuration.
40+
> Starting 2025, the Microsoft Defender unified RBAC model is the default permissions model for new Microsoft Defender Endpoint tenants and Microsoft Defender for Identity tenants. These tenants can't export roles and permissions from the old model. Defender for Endpoint or Defender for Identity tenants with roles and permissions assigned or exported prior to this date maintain their old roles and permissions configuration.
4341
4442
<a name='whats-supported-by-the-microsoft-365-defender-unified-rbac-model'></a>
4543

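Review bot: the consolidated note (the `40+` line) drops the February 16, 2025 and March 2, 2025 dates but keeps the phrase "prior to this date", leaving the cut-off undefined; either restore the dates or change the phrase to "before unified RBAC became the default for their product". The new wording does fix the old note's inconsistent "Unified RBAC" capitalization, which is good.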
@@ -57,7 +55,7 @@ Centralized permissions management is supported for the following services:
5755
|**Microsoft Defender for Cloud**|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.|
5856
|**Microsoft Security Exposure Management**|Full support for all Exposure Management data and actions, including Microsoft Secure Score data.|
5957
|**Microsoft Defender for Cloud Apps (Preview)**|**Note:** Once Unified RBAC is activated, some built-in scoped roles will no longer be supported. For more information, see [Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender unified RBAC permissions](compare-rbac-roles.md#microsoft-defender-for-cloud-apps).|
60-
|**Microsoft Sentinel** (Preview)| Supports unified access management for all Microsoft Sentinel workspaces onboarded to the Defender portal. Sentinel role assignments made in Unified RBAC sync with Azure RBAC and are visible there. However, unified RBAC becomes the source of permissions once enabled. <br><br> Sentinel experiences in the Defender portal continue to respect ARM roles and permissions in addition to URBAC. Therefore, users with more permissions in ARM than in URBAC may see more data in the Sentinel pages in the Defender portal than configured in their URBAC permissions. <br><br>Supports permission management for the Microsoft Sentinel data lake default workspace, when Microsoft Sentinel is onboarded to both the Defender portal and the Microsoft Sentinel data lake. <br><br>Microsoft Sentinel users with built-in Azure RBAC roles for their workspaces receive parallel permissions in the Microsoft Sentinel data lake experiences, such as the lake explorer and notebooks. For more information, see [Roles and permissions for the Microsoft Sentinel data lake (Preview)](/azure/sentinel/roles#roles-and-permissions-for-the-microsoft-sentinel-data-lake-preview). <br><br>To see which roles are supported, check the [unified RBAC roles mapping](compare-rbac-roles.md#microsoft-sentinel-preview).|
58+
|**Microsoft Sentinel** (Preview)| Supports unified access management for all Microsoft Sentinel workspaces onboarded to the Defender portal. Sentinel role assignments made in Unified RBAC sync with Azure RBAC and are visible there. However, unified RBAC becomes the source of permissions once enabled. <br><br>When activating Sentinel in Unified RBAC, the *User Access Administrator* role is assigned to the MTP Unified RBAC app within the enabled workspace.<br><br>Assigning permissions to a service principal or to a GDAP user group in Microsoft Sentinel isn't supported in unified RBAC. If you need either capability, keep using Azure RBAC for Microsoft Sentinel. For more information, see [Activate Microsoft Defender unified RBAC](activate-defender-rbac.md).<br><br> Sentinel experiences in the Defender portal continue to respect ARM roles and permissions in addition to URBAC. Therefore, users with more permissions in ARM than in URBAC may see more data in the Sentinel pages in the Defender portal than configured in their URBAC permissions. <br><br>Supports permission management for the Microsoft Sentinel data lake default workspace, when Microsoft Sentinel is onboarded to both the Defender portal and the Microsoft Sentinel data lake. <br><br>Microsoft Sentinel users with built-in Azure RBAC roles for their workspaces receive parallel permissions in the Microsoft Sentinel data lake experiences, such as the lake explorer and notebooks. For more information, see [Roles and permissions for the Microsoft Sentinel data lake (Preview)](/azure/sentinel/roles#roles-and-permissions-for-the-microsoft-sentinel-data-lake-preview). <br><br>To see which roles are supported, check the [unified RBAC roles mapping](compare-rbac-roles.md#microsoft-sentinel-preview).|
6159

6260
> [!NOTE]
6361
> Scenarios and experiences controlled by Compliance permissions are managed in the Microsoft Purview portal. Specifically, Data Loss Prevention (DLP) and Insider Risk Management experiences accessible from the Defender portal are governed by Microsoft Purview RBAC, not Microsoft Defender unified RBAC. To manage permissions for these experiences, see [Permissions in the Microsoft Purview portal](/purview/purview-permissions).
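Review bot: the added sentence "the *User Access Administrator* role is assigned to the MTP Unified RBAC app within the enabled workspace" describes a high-privilege Azure role grant made automatically on activation, but gives the reader no way to recognize that principal in the workspace's access control list (its display name or application ID as shown in Azure) and does not say whether the grant is removed on deactivation. Add both, because an admin auditing the workspace's role assignments needs to tell this expected grant apart from an unexpected one and avoid removing it by mistake. The cell also alternates "Unified RBAC" and "unified RBAC"; pick one. And with seven `<br><br>` paragraphs the cell is hard to scan; consider keeping only a short summary here and moving the Sentinel caveats into the Before you begin section of activate-defender-rbac.md, which this cell already links.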
