Manage access to Microsoft 365 Defender with Azure Active Directory global roles

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

There are two ways to manage access to Microsoft 365 Defender:

  • Global Azure Active Directory (AD) roles
  • Custom role access

Accounts assigned any of the following global Azure Active Directory (AD) roles can access Microsoft 365 Defender functionality and data:

  • Global Administrator
  • Security Administrator
  • Security Operator
  • Global Reader
  • Security Reader

To review which accounts hold these roles, view Permissions in the Microsoft 365 security center.
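As an added example (not code from this article or from Microsoft's own documentation), the following Microsoft Graph PowerShell script lists the members of the five roles above, so the review can be scripted and compared over time instead of being read off the portal by hand. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account is allowed to read directory roles; the role display names are the ones listed above.

```powershell
# Added example: enumerate members of the Azure AD global roles that grant
# Microsoft 365 Defender access, using the Microsoft Graph PowerShell SDK.
# Assumption: Microsoft.Graph is installed (Install-Module Microsoft.Graph)
# and the caller can consent to the read-only scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# The five global roles named in the article. Matching on display name keeps
# the script readable; match on RoleTemplateId instead if names are localized.
$defenderRoles = @(
    "Global Administrator",
    "Security Administrator",
    "Security Operator",
    "Global Reader",
    "Security Reader"
)

# Get-MgDirectoryRole returns only roles that have been activated in the
# tenant (assigned at least once); a role absent from this list has no members.
$activeRoles = Get-MgDirectoryRole |
    Where-Object { $defenderRoles -contains $_.DisplayName }

$report = foreach ($role in $activeRoles) {
    # Members are returned as directoryObjects, so the type, display name and
    # UPN (users only) live in AdditionalProperties rather than typed fields.
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [PSCustomObject]@{
            Role        = $role.DisplayName
            ObjectType  = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName = $_.AdditionalProperties['displayName']
            UPN         = $_.AdditionalProperties['userPrincipalName']
            ObjectId    = $_.Id
        }
    }
}

$report | Sort-Object Role, ObjectType, DisplayName | Format-Table -AutoSize

# Least-privilege check: Global Administrator holders who only need to read
# Defender data are candidates for Security Reader or Global Reader instead.
$report | Where-Object { $_.Role -eq 'Global Administrator' }
```

Two caveats when reading the output: a role-assignable group appears as one `group` row, not as its individual users, so expand such groups separately; and Privileged Identity Management eligible assignments are not active assignments and therefore do not appear here at all, even though those accounts can activate the role on demand.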

Custom role access is a new capability in Microsoft 365 Defender that lets you manage access to specific data, tasks, and capabilities in Microsoft 365 Defender. Custom roles offer finer control than global Azure AD roles, giving users only the access they need through the least-permissive role necessary. Custom roles can be created in addition to global Azure AD roles. Learn more about custom roles.

Note

This article applies only to managing global Azure Active Directory roles. For more information about using custom role-based access control, see Custom roles for role-based access control.

Access to functionality

Access to specific functionality is determined by your Azure AD role. Contact a global administrator if you need access to functionality that requires you or your user group to be assigned a new role.

Approve pending automated tasks

Automated investigation and remediation can take action on emails, forwarding rules, files, persistence mechanisms, and other artifacts found during investigations. To approve or reject pending actions that require explicit approval, you must have certain roles assigned in Microsoft 365. To learn more, see Action center permissions.

Access to data

Access to Microsoft 365 Defender data can be controlled using the scope assigned to user groups in Microsoft Defender for Endpoint role-based access control (RBAC). If your access has not been scoped to a specific set of devices in Defender for Endpoint, you have full access to data in Microsoft 365 Defender. Once your account is scoped, you see only data about the devices in your scope.

For example, if you belong to only one user group with a Microsoft Defender for Endpoint role, and that user group has been given access to sales devices only, you will see only data about sales devices in Microsoft 365 Defender. Learn more about RBAC settings in Microsoft Defender for Endpoint.

Microsoft Cloud App Security access controls

During the preview, Microsoft 365 Defender does not enforce access controls based on Cloud App Security settings. Access to Microsoft 365 Defender data is not affected by these settings.