Manage access to Microsoft 365 Defender with Azure Active Directory global roles

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

There are two ways to manage access to Microsoft 365 Defender:

  • Global Azure Active Directory (AD) roles
  • Custom role access

Accounts assigned the following global Azure Active Directory (AD) roles can access Microsoft 365 Defender functionality and data:

  • Global Administrator
  • Security Administrator
  • Security Operator
  • Global Reader
  • Security Reader

To review the accounts that hold these roles, view Permissions in the Microsoft 365 security center.
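The same review can be scripted. The following is an added example, not code from the article or from Microsoft: it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgDirectoryRole, Get-MgDirectoryRoleMember) to list every member of the five global roles named above, so that each Global Administrator can be justified against the least-permissive role that would suffice. It assumes the Microsoft.Graph module is installed and that the signed-in account can read directory roles.

```powershell
# Added example (not part of the article): enumerate members of the Azure AD
# global roles that grant access to Microsoft 365 Defender.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# The five global Azure AD roles listed in the article.
$defenderRoles = @(
    "Global Administrator",
    "Security Administrator",
    "Security Operator",
    "Global Reader",
    "Security Reader"
)

$report = foreach ($roleName in $defenderRoles) {
    # Get-MgDirectoryRole returns only roles that have been activated in the
    # tenant; a role that has never been assigned does not appear at all.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) {
        [pscustomobject]@{ Role = $roleName; Member = "(role not activated)"; Type = "" }
        continue
    }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if (-not $members) {
        [pscustomobject]@{ Role = $roleName; Member = "(no members)"; Type = "" }
        continue
    }
    foreach ($m in $members) {
        # Members can be users, groups or service principals; the OData type
        # and naming fields are returned in AdditionalProperties.
        $props = $m.AdditionalProperties
        [pscustomobject]@{
            Role   = $roleName
            Member = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName }
            Type   = ($props.'@odata.type' -replace '#microsoft.graph.', '')
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Global Administrator grants far more than Defender access; each holder
# should be checked against the least-permissive role that would do.
$report | Where-Object { $_.Role -eq "Global Administrator" -and $_.Type -eq "user" } |
    ForEach-Object { Write-Warning "Global Administrator assigned to $($_.Member)" }
```

Only permanent, active assignments are returned this way; eligible assignments made through Privileged Identity Management are not included, and a group listed as a member must be expanded separately to see its users.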

Custom role access is a new capability in Microsoft 365 Defender that lets you manage access to specific data, tasks, and capabilities in Microsoft 365 Defender. Custom roles offer more control than global Azure AD roles, giving users only the access they need through the least-permissive roles necessary. Custom roles can be created in addition to global Azure AD roles. Learn more about custom roles.

Note

This article applies only to managing global Azure Active Directory roles. For more information about using custom role-based access control, see Custom roles for role-based access control.

Access to functionality

Access to specific functionality is determined by your Azure AD role. Contact a global administrator if you need access to specific functionality that requires you or your user group to be assigned a new role.

Approve pending automated tasks

Automated investigation and remediation can take action on emails, forwarding rules, files, persistence mechanisms, and other artifacts found during investigations. To approve or reject pending actions that require explicit approval, you must have certain roles assigned in Microsoft 365. To learn more, see Action center permissions.

Access to data

Access to Microsoft 365 Defender data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access has not been scoped to a specific set of devices in Defender for Endpoint, you will have full access to data in Microsoft 365 Defender. However, once your account is scoped, you will only see data about the devices in your scope.

For example, if you belong to only one user group with a Microsoft Defender for Endpoint role, and that user group has been given access to sales devices only, you will see only data about sales devices in Microsoft 365 Defender. Learn more about RBAC settings in Microsoft Defender for Endpoint.

Microsoft Cloud App Security access controls

During the preview, Microsoft 365 Defender does not enforce access controls based on Cloud App Security settings. Access to Microsoft 365 Defender data is not affected by these settings.