Create and manage roles for role-based access control

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Create roles and assign the role to an Azure Active Directory group

The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.

  1. Log in to Microsoft Defender Security Center using account with a Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Roles.

  3. Select Add item.

  4. Enter the role name, description, and permissions you'd like to assign to the role.

  5. Select Next to assign the role to an Azure AD Security group.

  6. Use the filter to select the Azure AD group that you'd like to add to this role to.

  7. Save and close.

  8. Apply the configuration settings.

Important

After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.

Permission options

  • View data

    • Security operations - View all security operations data in the portal
    • Threat and vulnerability management - View threat and vulnerability management data in the portal
  • Active remediation actions

    • Security operations - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
    • Threat and vulnerability management - Exception handling - Create new exceptions and manage active exceptions
    • Threat and vulnerability management - Remediation handling - Submit new remediation requests, create tickets, and manage existing remediation activities
  • Alerts investigation - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files

  • Manage portal system settings - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups

    Note

    This setting is only available in the Microsoft Defender for Endpoint administrator (default) role.

  • Manage security settings in Security Center - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab

  • Live response capabilities

    • Basic commands:
      • Start a live response session
      • Perform read only live response commands on remote device (excluding file copy and execution
    • Advanced commands:
      • Download a file from the remote device via live response
      • Download PE and non-PE files from the file page
      • Upload a file to the remote device
      • View a script from the files library
      • Execute a script on the remote device from the files library

For more information on the available commands, see Investigate devices using Live response.

Edit roles

  1. Log in to Microsoft Defender Security Center using account with Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Roles.

  3. Select the role you'd like to edit.

  4. Click Edit.

  5. Modify the details or the groups that are assigned to the role.

  6. Click Save and close.

Delete roles

  1. Log in to Microsoft Defender Security Center using account with Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Roles.

  3. Select the role you'd like to delete.

  4. Click the drop-down button and select Delete role.