Activate Microsoft Defender XDR Unified role-based access control (RBAC)
This article lists the steps to activate the Defender workloads available in your environment so that they use Microsoft Defender XDR Unified role-based access control (RBAC). Activate the Unified RBAC model for some or all of your workloads so that the Microsoft Defender portal starts enforcing the permissions and assignments configured in your new custom roles or imported roles.
Important
Starting February 16, 2025, the Microsoft Defender XDR Unified RBAC model will be the default permissions model for new Microsoft Defender for Endpoint tenants. These new tenants won't have the capability to export roles and permissions from the current model.
Defender for Endpoint tenants with roles and permissions assigned or exported prior to this date will maintain their current roles and permissions configuration.
Activate Microsoft Defender XDR Unified RBAC
The following steps guide you through activating the Microsoft Defender XDR Unified RBAC model. You can activate your workloads from the Permissions and roles page or directly in Microsoft Defender XDR settings.
Important
You must be a Global Administrator or Security Administrator in Microsoft Entra ID to perform this task. For more information on permissions, see Permission prerequisites. Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Activate from the Permissions and roles page
Sign in to the Microsoft Defender portal. In the navigation pane, select Permissions and select Roles under Microsoft Defender XDR to get to the Permissions and roles page.
You can activate your workloads in two ways from the Permissions and roles page:
- Activate workloads
  - Select Activate workloads on the banner above the list of roles to go directly to the Activate workloads screen.
  - You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
Note
The Activate workloads button is only available when there's at least one workload that's not active for Microsoft Defender XDR Unified RBAC. Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC. Defender XDR Unified RBAC is automatically active for Exposure Management access. Once a custom role with one of the Exposure Management permissions is created, it has an immediate impact on assigned users. There's no need to activate it.
To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active.
- Workload settings
  - Select Workload settings.
  - This brings you to the Microsoft Defender XDR Permission and roles page.
  - Select the toggle for the workload you want to activate.
  - Select Activate on the confirmation message.
You have now successfully activated (or deactivated) that workload.
Activate in Microsoft Defender XDR settings
Follow these steps to activate your workloads directly in Microsoft Defender XDR settings:
1. Sign in to the Microsoft Defender portal.
2. In the navigation pane, select Settings.
3. Select Microsoft Defender XDR.
4. Select Permissions and roles. This brings you to the Activate workloads page.
5. Select the toggle for the workload you want to activate.
6. Select Activate on the confirmation message.
You have now successfully activated (or deactivated) that workload.
Note
The Microsoft Defender XDR Unified RBAC model only impacts the Microsoft Defender portal. It doesn't impact the Microsoft Purview portal or the Exchange Admin Center.
Deactivate Microsoft Defender XDR Unified RBAC
You can deactivate Microsoft Defender XDR Unified RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (Exchange Online Protection).
To deactivate the workloads, repeat the steps in the previous section and select the workloads you want to deactivate. The status is set to Not Active.
If you deactivate a workload, the roles created and edited within Microsoft Defender XDR Unified RBAC are no longer in effect, and the previous permissions model is used instead.