Important
Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Microsoft 365 Defender. It assumes that you have already created Azure Active Directory user groups.
- Log in to Microsoft 365 Defender using account with a Security administrator or Global administrator role assigned.
- In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
- Select Add item.
- Enter the role name, description, and permissions you’d like to assign to the role.
- Select Next to assign the role to an Azure AD Security group.
- Use the filter to select the Azure AD group that you’d like to add to this role to.
- Save and close.
- Apply the configuration settings.
Important
After creating roles, you’ll need to create a device group and provide access to the device group by assigning it to a role that you just created.
Permission options
- View data
- Security operations – View all security operations data in the portal
- Threat and vulnerability management – View threat and vulnerability management data in the portal
- Active remediation actions
- Security operations – Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
- Threat and vulnerability management – Exception handling – Create new exceptions and manage active exceptions
- Threat and vulnerability management – Remediation handling – Submit new remediation requests, create tickets, and manage existing remediation activities
- Alerts investigation – Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files
- Manage portal system settings – Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups
Note
This setting is only available in the Microsoft Defender for Endpoint administrator (default) role.
- Manage security settings in Defender for Cloud – Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab
- Live response capabilities
- Basic commands:
- Start a live-response session
- Perform read-only live-response commands on remote device (excluding file copy and execution)
- Download a file from the remote device via live response
- Advanced commands:
- Download PE and non-PE files from the file page
- Upload a file to the remote device
- View a script from the files library
- Execute a script on the remote device from the files library
- Basic commands:
For more information on the available commands, see Investigate devices using Live response.
Edit roles
- Log in to Microsoft 365 Defender using account with Security administrator or Global administrator role assigned.
- In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
- Select the role you’d like to edit.
- Click Edit.
- Modify the details or the groups that are assigned to the role.
- Click Save and close.
Delete roles
- Log in to Microsoft 365 Defender using account with Security administrator or Global administrator role assigned.
- In the navigation pane, select Settings > Endpoints > Roles (under Permissions).
- Select the role you’d like to delete.
- Click the drop-down button and select Delete role.
Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
(Visited 4 times, 1 visits today)