Assign user access to Windows Defender Security Center

Applies to:

  • Azure Active Directory
  • Office 365
  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

Want to experience Windows Defender ATP? Sign up for a free trial.

Windows Defender ATP supports two ways to manage permissions:

  • Basic permissions management: Set permissions to either full access or read-only.
  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see Manage portal access using role-based access control.

Note

If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:

  • Users with full access (Security Administrators) are automatically assigned the default Global administrator role, which also has full access. Only global administrators can manage permissions using RBAC.
  • Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
  • After switching to RBAC, you will not be able to switch back to using basic permissions management.

Want to experience Windows Defender ATP? Sign up for a free trial.