Microsoft Defender for Identity role groups

Note

The experience described in this page can also be accessed at https://security.microsoft.com as part of Microsoft 365 Defender.

Microsoft Defender for Identity offers role-based security to safeguard data according to an organization's specific security and compliance needs. Defender for Identity supports three separate roles: Administrators, Users, and Viewers.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Role groups enable access management for Defender for Identity. Using role groups, you can segregate duties within your security team, and grant only the amount of access that users need to do their jobs. This article explains access management, Defender for Identity role authorization, and helps you get up and running with role groups in Defender for Identity.

Note

Any global administrator or security administrator on the tenant's Azure Active Directory is automatically a Defender for Identity administrator.

Accessing the Defender for Identity portal

Only an Azure AD user who holds the directory role of global administrator or security administrator can access the Defender for Identity portal (portal.atp.azure.com). After entering the portal with the required role, you can create your Defender for Identity instance. The Defender for Identity service then creates three security groups in your Azure Active Directory tenant: Administrators, Users, and Viewers.

Note

Access to the Defender for Identity portal is granted only to users within the Defender for Identity security groups, within your Azure Active Directory, as well as global and security admins of the tenant.

Required permissions for the Microsoft 365 Defender experience

To access the Defender for Identity experience in Microsoft 365 Defender, you need the following permissions:

  • For Defender for Identity alerts and activities in Microsoft 365 Defender, ensure you have the sufficient Azure Active Directory roles or Microsoft Defender for Cloud Apps internal roles. For details, see Microsoft Defender for Identity integration prerequisites.

    Note

    The currently supported Defender for Cloud Apps roles are Global admin, Security reader, and Compliance admin.

  • For Defender for Identity settings in Microsoft 365 Defender, ensure that you have the sufficient Azure Active Directory roles or you're a member of the Azure ATP (instance name) Administrators or the Azure ATP (instance name) Users Azure AD groups. For more information on the Azure AD groups, see Microsoft Defender for Identity Azure AD groups.

  • For security assessments, now part of Microsoft Secure Score, ensure that you have:

Types of Defender for Identity security groups

Defender for Identity provides three types of security groups: Azure ATP (instance name) Administrators, Azure ATP (instance name) Users, and Azure ATP (instance name) Viewers. The following table describes the type of access in the Defender for Identity portal available for each role. Depending on which role you assign, various screens and menu options in the Defender for Identity portal are unavailable to those users, as follows:

| Activity | Azure ATP (instance name) Administrators | Azure ATP (instance name) Users | Azure ATP (instance name) Viewers |
| --- | --- | --- | --- |
| Change status of Health Alerts | Available | Not available | Not available |
| Change status of Security Alerts (reopen, close, exclude, suppress) | Available | Available | Not available |
| Delete instance | Available | Not available | Not available |
| Download a report | Available | Available | Available |
| Login | Available | Available | Available |
| Share/Export security alerts (via email, get link, download details) | Available | Available | Available |
| Update Defender for Identity Configuration - Updates | Available | Not available | Not available |
| Update Defender for Identity Configuration - Entity tags (sensitive and honeytoken) | Available | Available | Not available |
| Update Defender for Identity Configuration - Exclusions | Available | Available | Not available |
| Update Defender for Identity Configuration - Language | Available | Available | Not available |
| Update Defender for Identity Configuration - Notifications (email and syslog) | Available | Available | Not available |
| Update Defender for Identity Configuration - Preview detections | Available | Available | Not available |
| Update Defender for Identity Configuration - Scheduled reports | Available | Available | Not available |
| Update Defender for Identity Configuration - Data sources (directory services, SIEM, VPN, Defender for Endpoint) | Available | Not available | Not available |
| Update Defender for Identity Configuration - Sensors (download, regenerate key, configure, delete) | Available | Not available | Not available |
| View entity profiles and security alerts | Available | Available | Available |

When users try to access a page that isn't available for their role group, they're redirected to the Defender for Identity unauthorized page.

Add and remove users

Defender for Identity uses Azure AD security groups as the basis for its role groups. The role groups can be managed from the Groups management page. Only Azure AD users can be added to or removed from these security groups.
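Because the three role groups are ordinary Azure AD security groups, their membership can be reviewed like any other privileged group. The following script is an added example, not part of this article or a Microsoft tool: it uses the Microsoft Graph PowerShell SDK to list the members of each Defender for Identity role group and flags any member that is not a user object. It assumes the Microsoft.Graph module is installed, the signed-in account has the Group.Read.All scope, and the groups follow the "Azure ATP <instance name> <Role>" naming shown above; "<instance name>" is a placeholder you replace with your own instance name.

```powershell
# Added example (not from the article): audit the three Defender for Identity
# role groups in Azure AD with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller has Group.Read.All;
# group names follow "Azure ATP <instance name> <Role>".
Connect-MgGraph -Scopes "Group.Read.All" | Out-Null

$instanceName = "<instance name>"   # placeholder: your Defender for Identity instance name
$roleGroups   = @("Administrators", "Users", "Viewers")

foreach ($role in $roleGroups) {
    $displayName = "Azure ATP $instanceName $role"
    # Escape single quotes so the OData filter stays well-formed
    $filterName  = $displayName -replace "'", "''"
    $group = Get-MgGroup -Filter "displayName eq '$filterName'"
    if (-not $group) {
        Write-Warning "Group '$displayName' not found in this tenant"
        continue
    }

    # Force an array so .Count is reliable even with 0 or 1 members
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    Write-Output ""
    Write-Output "$displayName ($($members.Count) direct member(s))"

    foreach ($m in $members) {
        $type = $m.AdditionalProperties['@odata.type']
        $name = $m.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $m.AdditionalProperties['displayName'] }
        # The article states only Azure AD users belong in these groups,
        # so anything that is not a user object is worth a second look.
        $flag = if ($type -ne '#microsoft.graph.user') { "  <-- not a user object ($type)" } else { "" }
        Write-Output ("  {0}  {1}{2}" -f $m.Id, $name, $flag)
    }
}

# Note for reviewers: global administrators and security administrators are
# Defender for Identity administrators implicitly and do not appear in
# the Administrators group listing above.
```

Run the Administrators group output through your normal privileged-access review; the Users group also deserves attention, since the table above grants it the ability to change alert status and edit entity tags, exclusions, and notifications.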

See Also