Microsoft Defender for Identity offers role-based security to safeguard data according to an organization’s specific security and compliance needs. Defender for Identity support three separate roles: Administrators, Users, and Viewers.
Note
This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Role groups enable access management for Defender for Identity. Using role groups, you can segregate duties within your security team, and grant only the amount of access that users need to do their jobs. This article explains access management, Defender for Identity role authorization, and helps you get up and running with role groups in Defender for Identity.
Note
Any global administrator or security administrator on the tenant’s Azure Active Directory is automatically a Defender for Identity administrator.
Accessing the Defender for Identity portal
Access to the Defender for Identity portal (portal.atp.azure.com) can only be accomplished by an Azure AD user who has the directory role of global administrator or security administrator. After entering the portal with the required role, you can create your Defender for Identity instance. Defender for Identity service creates three security groups in your Azure Active Directory tenant: Administrators, Users, Viewers.
Note
Access to the Defender for Identity portal is granted only to users within the Defender for Identity security groups, within your Azure Active Directory, as well as global and security admins of the tenant.
Required permissions for the Microsoft 365 Defender experience
To access the Defender for Identity experience in in Microsoft 365 Defender, you need the following permissions:
- For Defender for Identity alerts, activities, and security assessments in Microsoft 365 Defender, ensure you have the sufficient Azure Active Directory roles or Microsoft Defender for Cloud Apps internal roles. For details, see Microsoft Defender for Identity integration prerequisites.
Note
The currently supported Defender for Cloud Apps roles are Global admin, Security reader, and Compliance admin.
- For Defender for Identity settings in Microsoft 365 Defender, ensure that you have the sufficient Azure Active Directory roles or you’re a member of the Azure ATP (instance name) Administrators or the Azure ATP (instance name) Users Azure AD groups. For more information on the Azure AD groups, see Microsoft Defender for Identity Azure AD groups.
Types of Defender for Identity security groups
Defender for Identity provides three types of security groups: Azure ATP (instance name) Administrators, Azure ATP (instance name) Users, and Azure ATP (instance name) Viewers. The following table describes the type of access in the Defender for Identity portal available for each role. Depending on which role you assign, various screens and menu options in Defender for Identity portal are unavailable for those users, as follows:
| Activity | Azure ATP (instance name) Administrators | Azure ATP (instance name) Users | Azure ATP (instance name) Viewers |
|---|---|---|---|
| Change status of Health Alerts | Available | Not available | Not available |
| Change status of Security Alerts (reopen, close, exclude, suppress) | Available | Available | Not available |
| Delete instance | Available | Not available | Not available |
| Download a report | Available | Available | Available |
| Login | Available | Available | Available |
| Share/Export security alerts (via email, get link, download details) | Available | Available | Available |
| Update Defender for Identity Configuration – Updates | Available | Not available | Not available |
| Update Defender for Identity Configuration – Entity tags (sensitive and honeytoken) | Available | Available | Not available |
| Update Defender for Identity Configuration – Exclusions | Available | Available | Not available |
| Update Defender for Identity Configuration – Language | Available | Available | Not available |
| Update Defender for Identity Configuration – Notifications (email and syslog) | Available | Available | Not available |
| Update Defender for Identity Configuration – Preview detections | Available | Available | Not available |
| Update Defender for Identity Configuration – Scheduled reports | Available | Available | Not available |
| Update Defender for Identity Configuration – Data sources (directory services, SIEM, VPN, Defender for Endpoint) | Available | Not available | Not available |
| Update Defender for Identity Configuration – Sensors (download, regenerate key, configure, delete) | Available | Not available | Not available |
| View entity profiles and security alerts | Available | Available | Available |
When users try to access a page that isn’t available for their role group, they’re redirected to the Defender for Identity unauthorized page.
Add and remove users
Defender for Identity uses Azure AD security groups as a basis for role groups. The role groups can be managed from the Groups management page. Only Azure AD users can be added or removed from security groups.