Microsoft 365 Defender role-based access control

The new Microsoft 365 Defender RBAC model makes it simple to migrate existing permissions from the individual supported RBAC models to the new RBAC model.

All permissions listed within the Microsoft 365 Defender RBAC model align to permissions in the individual RBAC models to ensure backward compatibility.

What services are supported with RBAC?

Microsoft 365 DefenderCentralized permissions management for Microsoft 365 Defender experiences.
Microsoft Defender for EndpointFull support for all endpoint data and actions. All roles are compatible with the device group’s scope as defined on the device groups page.
Microsoft Defender for Office 365Support for all scenarios that were controlled by Exchange Online Protection roles (EOP), configured in the Microsoft 365 Defender portal under Permissions > Email & collaboration roles.

Note: Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online. The Microsoft 365 Defender RBAC model will initially be available for organizations with Microsoft Defender for Office Plan 2 licenses only. This capability is not available to users on trial licenses.
Microsoft for IdentityFull support for all identity data and actions.

Note: Defender for Identity experiences will also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups.


  • Compliance-controlled scenarios and experiences are still managed in the Microsoft Purview compliance portal.
  • This feature is not yet available for Microsoft Defender for CloudApps.


In Azure Active Directory, you must be a Global Administrator or Security Administrator to:

  • Get started with Permissions and Roles in the Microsoft 365 Defender portal.
  • In Microsoft 365 Defender RBAC, you can manage roles and permissions.
  • To manage roles and permissions in Microsoft 365 Defender RBAC, create a custom role that can grant access to security groups or individual users. This eliminates the requirement for Azure Active Directory global roles to manage permissions. To accomplish this, you must grant the Authorization permission in Microsoft 365 Defender RBAC.

When you activate the Microsoft 365 Defender RBAC model for some or all of your workloads, the Microsoft 365 Defender security solution will continue to respect existing Azure Active Directory global roles, i.e. Global Admins will retain assigned admin privileges.

How to enable?

Open portal from and select permissions -> roles

Create a custom role

Choose the permissions groups needed

In example the difference between Operations and Configuration

  • Select all read-only permissions – Users will be assigned with all the read-only permissions in this category.
  • Select all read and manage permissions – Users will be assigned all permissions in this category (read and manage permissions).
  • Select custom permissions – Users will be assigned the custom permissions selected.

If I choose a custom permissions, I can add read permissions to Manage email Quarantine but read-only for raw content like email headers and read or download the email itself.

Once you have permissions created, you will create an assignment group for all current and future sources

Or for specific sources

Now you the following settings in the review screen

Then activate the Workloads

And choose all workloads one by one, activation happens after every click so it will take couple of seconds.

To complete this task, you must be a Global Administrator or Security Administrator in Azure Active Directory.

After enabling the workloads, you choose Workload settings to disable the ones from RBAC that you want

And choosing Permissions and roles, then deactivate the ones you wabt

Role-based access mapping

See more here for one to one mapping with different service permissions.

Threat Hunting Survival Guide

As next steps, see this excellent guide from Microsoft Security Experts on Threat hunting


Microsoft 365 Defender RBAC is an impressive and impactful feature that provides a unified and granular access control model across multiple Microsoft Defender products. It allows security administrators to centrally manage user privileges and access permissions, which helps to increase productivity for the Security Operations Center (SOC) and improves the overall security of the organization. The ability to assign specific roles and responsibilities to different users and prevent unauthorized access to sensitive information is particularly noteworthy, as it helps to mitigate security risks and maintain compliance with industry standards. Overall, Microsoft 365 Defender RBAC is a valuable tool for organizations looking to enhance their security posture and protect against cyber threats.

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *