Permissions in Microsoft Defender XDR Unified role-based access control (RBAC)
In Microsoft Defender XDR Unified role-based access control (RBAC), you can select permissions from each permission group to customize a role.
Microsoft Defender XDR Unified RBAC permission details
The following tables list the permissions you can configure for your users, based on the tasks they need to do:
Note
Unless otherwise stated, all permissions are applicable to all supported workloads and will be applied to the data scope selected during the data source and assignment stage.
Security operations – Security data
Permissions for managing day-to-day operations and responding to incidents and advisories.
Permission name | Level | Description |
---|---|---|
Security data basics | Read | View info about incidents, alerts, investigations, advanced hunting, devices, submissions, evaluation lab, and reports. |
Alerts | Manage | Manage alerts, start automated investigations, run scans, collect investigation packages, and manage device tags. |
Response | Manage | Take response actions, approve or dismiss pending remediation actions, and manage blocked and allowed lists for automation. |
Basic live response | Manage | Initiate a live response session, download files, and perform read-only actions on devices remotely. |
Advanced live response | Manage | Create live response sessions and perform advanced actions, including uploading files and running scripts on devices remotely. |
File collection | Manage | Collect or download relevant files for analysis, including executable files. |
Email & collaboration quarantine | Manage | View and release email from quarantine. |
Email & collaboration advanced actions | Manage | Move or delete email to the junk email folder, deleted items, or inbox, including soft and hard delete of email. |
Security operations – Raw data (Email & collaboration)
Permission name | Level | Description |
---|---|---|
Email & collaboration metadata | Read | View email and collaboration data in hunting scenarios, including advanced hunting, threat explorer, campaigns, and email entity. |
Email & collaboration content | Read | View and download email content and attachments. |
Security posture – Posture management
Permissions for managing the organization's security posture and performing vulnerability management.
Permission name | Level | Description |
---|---|---|
Vulnerability management | Read | View Defender Vulnerability Management data for the following: software and software inventory, weaknesses, missing KBs, advanced hunting, security baselines assessment, and devices. |
Exception handling | Manage | Create security recommendation exceptions and manage active exceptions in Defender Vulnerability Management. |
Remediation handling | Manage | Create remediation tickets, submit new requests, and manage remediation activities in Defender Vulnerability Management. |
Application handling | Manage | Manage vulnerable applications and software, including blocking and unblocking them in Defender Vulnerability Management. |
Security baseline assessment | Manage | Create and manage profiles so you can assess whether your devices comply with security industry baselines. |
Exposure Management | Read / Manage | View or manage Exposure Management insights, including Microsoft Secure Score recommendations from all products that are covered by Secure Score. |
Authorization and settings
Permissions to manage the security and system settings and to create and assign roles.
Permission name | Level | Description |
---|---|---|
Authorization | Read / Manage | View or manage device groups, and custom and built-in roles. |
Core security settings | Read / Manage | View or manage core security settings for the Microsoft Defender portal. |
Detection tuning | Manage | Manage tasks related to detections in the Microsoft Defender portal including Custom detections, Alerts Tuning and Threat Indicators of compromise. |
System settings | Read / Manage | View or manage general systems settings for the Microsoft Defender portal. |