Permissions in Microsoft Defender for Cloud
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. Learn more about the recent renaming of Microsoft security services.
Defender for Cloud assesses the configuration of your resources to identify security issues and vulnerabilities. In Defender for Cloud, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or the resource's resource group.
In addition to the built-in roles, there are two roles specific to Defender for Cloud:
- Security Reader: A user that belongs to this role has viewing rights to Defender for Cloud. The user can view recommendations, alerts, a security policy, and security states, but cannot make changes.
- Security Admin: A user that belongs to this role has the same rights as the Security Reader and can also update the security policy and dismiss alerts and recommendations.
The security roles, Security Reader and Security Admin, have access only in Defender for Cloud. The security roles do not have access to other Azure services such as Storage, Web & Mobile, or Internet of Things.
Roles and allowed actions
The following table displays roles and allowed actions in Defender for Cloud.
| Action | Security Reader / Reader | Security Admin | Contributor / Owner (Resource group level) | Contributor (Subscription level) | Owner (Subscription level) |
|---|---|---|---|---|---|
| Add/assign initiatives (including regulatory compliance standards) | - | - | - | - | ✔ |
| Edit security policy | - | ✔ | - | - | ✔ |
| Enable / disable Microsoft Defender plans | - | ✔ | - | - | ✔ |
| Apply security recommendations for a resource (and use Fix) | - | - | ✔ | ✔ | ✔ |
| View alerts and recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
For auto provisioning, the specific role required depends on the extension you're deploying. For full details, check the tab for the specific extension in the availability table on the auto provisioning quick start page.
We recommend that you assign the least permissive role needed for users to complete their tasks. For example, assign the Reader role to users who only need to view information about the security health of a resource but not take action, such as applying recommendations or editing policies.
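The following helper, added here as an example and not part of the Defender for Cloud documentation, encodes the role/action table above, derives each principal's effective Defender for Cloud actions from its Azure RBAC assignments (scope-aware, since Contributor and Owner behave differently at resource group and subscription level), and picks the least-permissive role that covers a given set of needed actions. The assignment records are a constructed sample whose field names are assumed to follow the shape of `az role assignment list -o json` output.

```python
"""Least-privilege helper for the Defender for Cloud role matrix (added example)."""
import json
import re

# Defender for Cloud actions, as listed in the table above.
VIEW, APPLY, EDIT_POLICY, PLANS, INITIATIVES = (
    "view_alerts_recommendations", "apply_recommendations",
    "edit_security_policy", "enable_disable_plans", "assign_initiatives")

# (role, scope kind) -> allowed actions. Scope kind is "sub", "rg", or "any"
# for the two Defender-specific roles, which the table does not scope-qualify.
MATRIX = {
    ("Security Reader", "any"): {VIEW},
    ("Reader", "any"): {VIEW},
    ("Security Admin", "any"): {VIEW, EDIT_POLICY, PLANS},
    ("Contributor", "rg"): {VIEW, APPLY},
    ("Owner", "rg"): {VIEW, APPLY},
    ("Contributor", "sub"): {VIEW, APPLY},
    ("Owner", "sub"): {VIEW, APPLY, EDIT_POLICY, PLANS, INITIATIVES},
}

SCOPE_RE = re.compile(r"^/subscriptions/[^/]+(/resourceGroups/[^/]+)?/?$", re.I)

def scope_kind(scope):
    """Classify an ARM scope as subscription ('sub'), resource group ('rg') or 'other'."""
    m = SCOPE_RE.match(scope)
    if not m:
        return "other"  # management group or single-resource scope: not in the table
    return "rg" if m.group(1) else "sub"

def allowed_actions(role, scope):
    """Actions a role grants at this scope according to the matrix (empty if unknown)."""
    return MATRIX.get((role, scope_kind(scope))) or MATRIX.get((role, "any")) or set()

def effective_actions(assignments):
    """Union of allowed actions per principal across all of its assignments."""
    result = {}
    for a in assignments:
        acts = allowed_actions(a["roleDefinitionName"], a["scope"])
        result.setdefault(a["principalName"], set()).update(acts)
    return result

def least_privileged_role(needed, kind="sub"):
    """Role with the fewest allowed actions that still covers every needed action."""
    candidates = [(len(acts), role) for (role, k), acts in MATRIX.items()
                  if k in (kind, "any") and set(needed) <= acts]
    return min(candidates)[1] if candidates else None

# Constructed sample assignments (assumed az-CLI-like field names, placeholder IDs).
SAMPLE = json.loads("""[
 {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "bob@contoso.example", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"},
 {"principalName": "bob@contoso.example", "roleDefinitionName": "Security Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")
```

Running `effective_actions(SAMPLE)` shows that bob can only view and apply recommendations inside rg-web, while `least_privileged_role({VIEW, EDIT_POLICY})` returns Security Admin rather than Owner for a policy editor.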
This article explained how Defender for Cloud uses Azure RBAC to assign permissions to users and identified the allowed actions for each role. Now that you're familiar with the role assignments needed to monitor the security state of your subscription, edit security policies, and apply recommendations, learn how to: