From 5929da879cc731a10eb3f94eb4da143260f8827c Mon Sep 17 00:00:00 2001 From: garis Date: Wed, 29 Apr 2026 17:39:30 +0200 Subject: [PATCH] Clarify roles for Microsoft Sentinel onboarding Updated role requirements for onboarding and managing Microsoft Sentinel in the Defender portal to improve clarity and formatting. Added brackets to make the roles required a bit more clear. --- unified-secops-platform/microsoft-sentinel-onboard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/unified-secops-platform/microsoft-sentinel-onboard.md b/unified-secops-platform/microsoft-sentinel-onboard.md index 6777c5373b..b580c9fac6 100644 --- a/unified-secops-platform/microsoft-sentinel-onboard.md +++ b/unified-secops-platform/microsoft-sentinel-onboard.md @@ -52,9 +52,9 @@ To onboard and use Microsoft Sentinel in the Defender portal, you must have the |Task |Microsoft Entra or Azure built-in role required |Scope | |---------|---------|---------| - |**Onboard Microsoft Sentinel to the Defender portal**| [Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) or higher in Microsoft Entra ID
AND
[Owner](/azure/role-based-access-control/built-in-roles#owner) or
[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |Tenant


- Subscription for Owner or User Access Administrator roles

- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor| - |**Connect or disconnect a secondary workspace**| [Owner](/azure/role-based-access-control/built-in-roles#owner) or
[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |Tenant


- Subscription for Owner or User Access Administrator roles

- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor| - |**Change the primary workspace**| [Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) or higher in Microsoft Entra ID
AND
[Owner](/azure/role-based-access-control/built-in-roles#owner) or
[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |Tenant


- Subscription for Owner or User Access Administrator roles

- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor| + |**Onboard Microsoft Sentinel to the Defender portal**| ([Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) or higher in Microsoft Entra ID)
AND
([Owner](/azure/role-based-access-control/built-in-roles#owner) or
[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator)) AND ([Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor)) |Tenant


- Subscription for Owner or User Access Administrator roles

- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor| + |**Connect or disconnect a secondary workspace**| ([Owner](/azure/role-based-access-control/built-in-roles#owner) or
[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator)) AND ([Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor)) |Tenant


- Subscription for Owner or User Access Administrator roles

- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor| + |**Change the primary workspace**| ([Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) or higher in Microsoft Entra ID)
AND
([Owner](/azure/role-based-access-control/built-in-roles#owner) or
[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator)) AND ([Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor)) |Tenant


- Subscription for Owner or User Access Administrator roles

- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor| |**View Microsoft Sentinel in the Defender portal**|[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) |Subscription, resource group, or workspace resource | |**Query Microsoft Sentinel data tables or view incidents** |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.OperationalInsights/workspaces/query/read
- Microsoft.SecurityInsights/Incidents/read
- Microsoft.SecurityInsights/incidents/comments/read
- Microsoft.SecurityInsights/incidents/relations/read
- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or workspace resource | |**Take investigative actions on incidents** |[Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) or a role with the following actions:
- Microsoft.OperationalInsights/workspaces/read
- Microsoft.OperationalInsights/workspaces/query/read
- Microsoft.SecurityInsights/incidents/read
- Microsoft.SecurityInsights/incidents/write
- Microsoft.SecurityInsights/incidents/comments/read
- Microsoft.SecurityInsights/incidents/comments/write
- Microsoft.SecurityInsights/incidents/relations/read
- Microsoft.SecurityInsights/incidents/relations/write
- Microsoft.SecurityInsights/incidents/tasks/read
- Microsoft.SecurityInsights/incidents/tasks/write |Subscription, resource group, or workspace resource |
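
Review bot: In the changed "Connect or disconnect a secondary workspace" row, the Scope cell still begins with "Tenant" although the grouped role expression for that row contains no Microsoft Entra role, so the tenant scope has nothing to attach to; either drop "Tenant" from that row or say which role it applies to, the way the two entries under it already do for the Azure roles. In the "Onboard" and "Change the primary workspace" rows, labelling the first scope entry the same way (for example "Tenant for Security administrator") would let each parenthesized group map to exactly one scope line. Two smaller points on the + lines: the parentheses around the single Microsoft Sentinel Contributor link group nothing and can be dropped, and the operators are mixed case ("or" inside the groups, "AND" between them), so writing "OR" would make the expression read consistently. The commit message also says "brackets" where the change adds parentheses.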