Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes how to create custom roles in Microsoft Defender XDR Unified role-based access control (RBAC). Microsoft Defender XDR Unified RBAC enables you to create custom roles with specific permissions and assign them to users or groups, allowing for granular control over access to Microsoft Defender portal experiences.
Creating custom roles for Microsoft Sentinel data lake is supported in Preview.
Prerequisites
To create custom roles in Microsoft Defender XDR Unified RBAC, you must be assigned one of the following roles or permissions:
- Global Administrator or Security Administrator in Microsoft Entra ID.
- All Authorization permissions assigned in Microsoft Defender XDR Unified RBAC.
For more information on permissions, see Permission prerequisites.
Tip
Microsoft recommends that you use roles with the fewest permissions. This practice helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
To create custom roles for the Microsoft Sentinel data lake using the Security Operations or Data operations permission group, you must have a Log Analytics workspace enabled for Microsoft Sentinel and onboarded to the Defender portal.
Create a custom role
The following steps describe how to create custom roles in the Microsoft Defender portal.
Sign in to the Microsoft Defender portal. In the navigation pane on the side, scroll down and select Permissions.
On the Permissions page, under Microsoft Defender XDR, select Roles > Create custom role.
In the wizard that opens, on the Basics tab, enter the role name and an optional description, and then select Next.
On the Choose permissions page, select each of the following as needed to configure permissions for that area:
- Security operations
- Security posture
- Authorization and settings
- Data Operations (Preview). Supported for the Microsoft Sentinel data lake data collection.
Hover over the description column for each permission group for a detailed description of the permissions available in that group.
An extra Authorization and settings side pane slides open for each permission group you select, where you can choose the specific permissions to assign to the role.
If you select All read-only permissions, or All read and manage permissions, any new permissions later added to these categories are also automatically assigned under this role.
For more information, see Permissions in Microsoft Defender XDR Unified role-based access control (RBAC).
When you're done assigning permissions for each permission group, select Apply and then Next to continue on to the next permission group.
Note
If all read-only or all read and manage permissions are assigned, any new permissions added to this category in the future are automatically assigned under this role.
If you assigned custom permissions and new permissions are added to this category, you'll need to reassign your roles with the new permissions if needed.
Once you selected your permissions for any relevant permission group, select Apply and then Next to assign users and data sources.
On the Assign users and data sources page, select Add assignment.
On the Add assignment side pane, enter the following details:
- Assignment name: Enter a descriptive name for the assignment.
- Employees: Select Microsoft Entra security groups or individual users to assign users to the role.
- Data sources: Select the Data sources drop down and then select the services where the assigned users will have the selected permissions. If you assigned read-only permissions for a single data source, such as Microsoft Defender for Endpoint, the assigned users can't read alerts in the other services, such as Microsoft Defender for Office 365 or Microsoft Defender for Identity.
Select Include future data sources automatically to include all other data sources supported by Microsoft Defender unified RBAC. If this option is selected, any future data sources that are added for unified RBAC support are also automatically added to the assignment.
In the Data collections area on the Add assignments side pane, the Microsoft Sentinel default data lake is listed by default. Select Edit to either remove access to the data lake, or define a custom data lake selection.
Note
In Microsoft Defender XDR Unified RBAC, you can create as many assignments as needed under the same role with same permissions. For example, you can have an assignment within a role that has access to all data sources and then a separate assignment for a team that only needs access to Endpoint alerts from the Defender for Endpoint data source. This enables maintaining the minimum number of roles.
Back on the Assign users and data sources page, select Next to review the role and assignment details. Select Submit to create the role.
Create a role to access and manage roles and permissions
To access and manage roles and permissions, without being a Global Administrator or Security Administrator in Microsoft Entra ID, create a role with Authorization permissions. To create this role:
Sign in to the Microsoft Defender portal as Global Administrator or Security Administrator.
In the navigation pane, select Permissions > Microsoft Defender XDR > Roles > Create custom role.
Enter your role name and description, and then select Next.
Select Authorization and settings, and then on the Authorization and settings side pane, select Select custom permissions.
Under Authorization, select one of the following options:
- Select all permissions. Users are able to create and manage roles and permissions.
- Read-only. Users can access and view roles and permissions in a read-only mode.
For example:
Select Apply and then Next to assign users and data sources.
Select Add assignments and enter the Assignment name.
To choose the data sources that users assigned with the Authorization permission have access to, select one of the following options:
- Choose all data sources: This grants users permissions to create new roles and manage roles for all data sources.
- Select specific data sources: This grants users permissions to create new roles and manage roles for a specific data source. For example, select Microsoft Defender for Endpoint from the dropdown to grant users the Authorization permission for the Microsoft Defender for Endpoint data source only.
- Microsoft Sentinel data lake collection: Select this option to grant users the Authorization permission for the Microsoft Sentinel data lake.
In Assigned users and groups – choose the Microsoft Entra security groups or individual users to assign the role to, and select Add.
Select Next to review and finish creating the role and then select Submit.
Note
For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new or imported roles, you need to activate the new Microsoft Defender XDR Unified RBAC model. For more information, see Activate Microsoft Defender XDR Unified RBAC.
Configure scoped roles for Microsoft Defender for Identity
Scoped access for Microsoft Defender for Identity (MDI) is currently in Public preview. You can configure scoped access using Microsoft Defender XDR’s Unified RBAC (URBAC) model. This allows you to restrict access and visibility to specific Active Directory domains, helping align with team responsibilities and reduce unnecessary data exposure.
For more information, see: Configure scoped access for Microsoft Defender for Identity.
Next steps
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.