Important
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.
Applies to:
- Microsoft 365 Defender
There are two ways to manage access to Microsoft 365 Defender
- Global Azure Active Directory (AD) roles
- Custom role access
Accounts assigned the following Global Azure Active Directory (AD) roles can access Microsoft 365 Defender functionality and data:
- Global administrator
- Security administrator
- Security Operator
- Global Reader
- Security Reader
To review accounts with these roles, view Permissions in the Microsoft 365 Defender portal.
Custom role access is a new capability in Microsoft 365 Defender and allows you to manage access to specific data, tasks, and capabilities in Microsoft 365 Defender. Custom roles offer more control than global Azure AD roles, providing users only the access they need with the least-permissive roles necessary. Custom roles can be created in addition to global Azure AD roles. Learn more about custom roles.
Note
This article applies only to managing global Azure Active Directory roles. For more information about using custom role-based access control, see Custom roles for role-based access control
Access to functionality
Access to specific functionality is determined by your Azure AD role. Contact a global administrator if you need access to specific functionality that requires you or your user group be assigned a new role.
Approve pending automated tasks
Automated investigation and remediation can take action on emails, forwarding rules, files, persistence mechanisms, and other artifacts found during investigations. To approve or reject pending actions that require explicit approval, you must have certain roles assigned in Microsoft 365. To learn more, see Action center permissions.
Access to data
Access to Microsoft 365 Defender data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access has not been scoped to a specific set of devices in the Defender for Endpoint, you will have full access to data in Microsoft 365 Defender. However, once your account is scoped, you will only see data about the devices in your scope.
For example, if you belong to only one user group with a Microsoft Defender for Endpoint role and that user group has been given access to sales devices only, you will see only data about sales devices in Microsoft 365 Defender. Learn more about RBAC settings in Microsoft Defender for Endpoint
Microsoft Defender for Cloud Apps access controls
During the preview, Microsoft 365 Defender does not enforce access controls based on Defender for Cloud Apps settings. Access to Microsoft 365 Defender data is not affected by these settings.