Plan roles and permissions for Defender for Servers

This article helps you understand how to control access to Defender for Servers. Defender for Servers is one of the paid plans provided by Microsoft Defender for Cloud.

Before you begin

This article is the second article in the Defender for Servers planning guide. Before you begin, review the earlier articles:

  1. Start planning your deployment.

Determine ownership and access

It's critical that you identify ownership for server and endpoint security in your organization. Ownership that's undefined or hidden increases security risk, making it more difficult for SecOps teams to identify and follow threats across enterprise silos.

  • Security leadership should identify the teams, roles, and individuals that are responsible for making and implementing decisions about server security. Review cloud security functions to get started.
  • Responsibility is usually shared between a central IT team and a cloud infrastructure and endpoint security team. Individuals on these teams need access rights to manage and use Defender for Cloud.
  • During planning, determine the right level of access for individuals based on the Defender for Cloud role-based access control (RBAC) model.

Defender for Cloud roles

In addition to the built-in Owner, Contributor, and Reader roles for Azure subscriptions and resource groups, Defender for Cloud has built-in roles to control access.

Learn more about roles and allowed actions in Defender for Cloud.

Next steps

After you work through these planning steps, decide which Defender for Servers plan is right for your organization, and how you want to deploy the plan.