Create and manage roles for role-based access control

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Create roles and assign the role to an Azure Active Directory group

The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.

  1. In the navigation pane, select Settings > Roles.

  2. Click Add role.

  3. Enter the role name, description, and permissions you'd like to assign to the role.

    • Role name

    • Description

    • Permissions

      • View data - Users can view information in the portal.


      To view Threat & Vulnerability Management data, select Threat and vulnerability management.

      • Alerts investigation - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
      • Active remediation actions - Users can take response actions and approve or dismiss pending remediation actions.


      To enable your Security operation personnel to choose remediation options and file exceptions, select Threat and vulnerability management - Remediation handling, and Threat and vulnerability management - Exception handling.

      • Manage portal system settings - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.


      This setting is only available in the Microsoft Defender ATP administrator (default) role.

      • Manage security settings - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.

      • Live response capabilities - Users can take basic or advanced live response commands.

        • Basic commands allow users to:
          • Start a live response session
          • Run read only live response commands on a remote machine
        • Advanced commands allow users to:
          • Run basic actions
          • Download a file from the remote machine
          • View a script from the files library
          • Run a script on the remote machine from the files library take read and write commands.

      For more information on the available commands, see Investigate machines using Live response.

  4. Click Next to assign the role to an Azure AD group.

  5. Use the filter to select the Azure AD group that you'd like to add to this role.

  6. Click Save and close.

  7. Apply the configuration settings.

After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.

Edit roles

  1. Select the role you'd like to edit.

  2. Click Edit.

  3. Modify the details or the groups that are assigned to the role.

  4. Click Save and close.

Delete roles

  1. Select the role you'd like to delete.

  2. Click the drop-down button and select Delete role.