Edit

Share via

Assign user access

  • Article

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint supports two ways to manage permissions:

Important

Starting February 16, 2025, new Microsoft Defender for Endpoint customers will only have access to the Unified Role-Based Access Control (URBAC). Existing customers keep their current roles and permissions. For more information, see URBAC Unified Role-Based Access Control (URBAC) for Microsoft Defender for Endpoint.

Change from basic permissions to RBAC

If you have basic permissions, you can switch to RBAC anytime. Consider the following before making the switch:

  • Users who have full access are automatically assigned the default Defender for Endpoint administrator role.
  • Other Microsoft Entra user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC.
  • Only users who are assigned the Defender for Endpoint administrator role can manage permissions using RBAC.
  • Users who have read-only access (Security Readers) lose access to the portal until they're assigned a role. Only Microsoft Entra user groups can be assigned a role under RBAC.
  • After switching to RBAC, you can't switch back to using basic permissions management.

Important

Microsoft recommends that you use roles with the fewest permissions as it helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.