หมายเหตุ
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลอง ลงชื่อเข้าใช้หรือเปลี่ยนไดเรกทอรีได้
การเข้าถึงหน้านี้ต้องได้รับการอนุญาต คุณสามารถลองเปลี่ยนไดเรกทอรีได้
All permissions listed within the Microsoft Defender XDR Unified RBAC model align to existing permissions in the individual RBAC models. After you activate the Microsoft Defender XDR Unified RBAC model, the permissions and assignments configured in your imported roles replace the existing roles in the individual RBAC models.
This article describes how existing roles and permissions in the available Microsoft Defender workloads and in Microsoft Entra ID map to the roles and permission in the Microsoft Defender XDR Unified RBAC model.
Important
Microsoft recommends that you use roles with the fewest permissions. This strategy helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Map Microsoft Defender XDR Unified RBAC permissions to existing RBAC permissions
Important
As of February 2025, the Microsoft Defender XDR Unified RBAC model is the default permissions model for new Microsoft Defender Endpoint organizations. New organizations can't export roles and permissions from the original permissions model. Existing organizations with roles and permissions assigned or exported before February maintain their current roles and permissions configuration.
As of March 2025, the Microsoft Defender XDR Unified RBAC model is the default permissions model for new Microsoft Defender for Identity organizations. New organizations can't export roles and permissions from the original permissions model. Existing organizations with roles and permissions assigned or exported before March maintain their current roles and permissions configuration.
Use the tables in the following sections to learn more about how your existing individual RBAC role definitions map to your new Microsoft Defender XDR Unified RBAC roles:
- Microsoft Defender for Endpoint and Defender Vulnerability Management
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Cloud
- Microsoft Entra Global roles access
Map Defender for Endpoint and Defender Vulnerability Management permissions to the Microsoft Defender XDR RBAC permissions
| Defender for Endpoint and Defender Vulnerability Management permissions | Microsoft Defender XDR Unified RBAC permission |
|---|---|
| View data - Security operations | Security operations \ Security data \ Security data basics (read) |
| View data - Defender Vulnerability Management | Security posture \ Posture management \ Vulnerability management (read) |
| Alerts investigation | Security operations \ Security data \ Alerts (manage) |
| Active remediation actions - Security operations | Security operations \ Security data \ Response (manage) |
| Active remediation actions - Defender Vulnerability Management - Exception handling | Security posture \ Posture management \ Exception handling (manage) |
| Active remediation actions - Defender Vulnerability Management - Remediation handling | Security posture \ posture management \ Remediation handling (manage) |
| Active remediation actions - Defender Vulnerability Management - Application handling | Security posture \ Posture management \ Application handling (manage) |
| Defender Vulnerability management – Manage security baselines assessment profiles | Security posture \ posture management \ Security baselines assessment (manage) |
| Live response capabilities | Security operations \ Basic live response (manage) |
| Live response capabilities - advanced | Security operations \ Advanced live response (manage) Security operations \ Security data \ File collection (manage) |
| Manage security settings in the Security Center | Authorization and settings \ Security settings \ Core security settings (manage) Authorization and settings\Security settings \ Detection tuning (manage) |
| Manage portal system settings | Authorization and settings \ System setting (Read and manage) |
| Manage endpoint security settings in Microsoft Intune | Not supported - this permission is managed in the Microsoft Intune admin center |
Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions
Use the following tables to learn how your existing Email & collaboration and protection-related Exchange Online permissions for Defender for Office 365 map to the new Microsoft Defender XDR Unified RBAC permissions:
Email & collaboration permissions mapping
You configured Email & collaboration permissions in the Defender portal at https://security.microsoft.com/emailandcollabpermissions.
| Email & collaboration permission | Type | Microsoft Defender XDR Unified RBAC permission |
|---|---|---|
| Global Reader | Role group | Security operations \ Security data \ Security data basics (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System setting (read) |
| Organization Management | Role group | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Security operations \ Security data \ Email advanced actions (manage) Security operations \ Security data \ Email quarantine (manage) Authorization and settings \ Authorization (Read and manage) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System settings (Read and manage) |
| Security Administrator | Role group | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Security operations \ Security data \ Email quarantine (manage) Authorization and settings \ Authorization (read) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System settings (Read and manage) |
| Security Reader | Role group | Security operations \ Security data \Security data basics (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System setting (read) |
| Audit Logs | Role | Security operations \ Security data \ Security data basics (read) |
| Manage Alerts | Role | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) |
| Preview | Role | Security operations\ Security operations \ Raw data (Email & collaboration) \ Email & collaboration content (read) |
| Quarantine | Role | Security operations \ Security data \ Email quarantine (manage) |
| Role Management | Role | Authorization and settings \ Authorization (Read and manage) |
| Search and Purge | Role | Security operations \ Security data \ Email advanced actions (manage) |
| View-Only Manage Alerts | Role | Security operations \ Security data \ Security data basics (read) |
| View-Only Recipients | Role | Security operations \ Security data \ Security data basics (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) |
| View-only Audit Logs | Role | Security operations \ Security data \ Security data basics (read) |
Exchange Online permissions mapping
You configured protection-related Exchange Online permissions in the Exchange admin center (EAC) at https://admin.exchange.microsoft.com/#/adminRoles.
| Exchange Online permission | Type | Microsoft Defender XDR Unified RBAC permission |
|---|---|---|
| Hygiene Management | Role group | Security operations \ Security data \ Email quarantine (manage) Authorization and settings \ Security settings \ Core security settings (manage) Authorization and settings \ Security settings \ Detection tuning (manage) |
| Organization Management | Role group | Security operations \ Raw data (email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ Security settings \ Core security settings (manage) Authorization and settings \ Security settings \ Detection tuning (manage) Authorization and settings \ System settings (Read and manage) |
| Security Administrator | Role group | Authorization and settings \ Security settings \ Detection tuning (manage) Authorization and settings \ System settings (Read and manage) |
| View-Only Organization Management | Role group | Authorization and settings \ Security settings (Read-only) Authorization and settings \ System settings (Read-only) |
| Tenant AllowBlockList Manager | Role | Authorization and settings \ Security settings \ Detection tuning (manage) |
| View-only Recipients | Role | Security operations \ Raw data (email & collaboration) \ Email & collaboration metadata (read) |
Map Microsoft Defender for Identity permissions to the Microsoft Defender XDR Unified RBAC
| Defender for Identity permission | Defender XDR Unified RBAC permission |
|---|---|
| MDI admin | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Authorization and settings \ Authorization (Read and manage) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System settings (Read and manage) |
| MDI user | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System setting (read) |
| MDI viewer | Security operations \ Security data \ Security data basics (read) Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System setting (read) |
Note
Defender for Identity experiences also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups. Exception: If you configured Scoped deployment for Microsoft Defender for Identity alerts in Microsoft Defender for Cloud Apps, these permissions don't carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions
Important
Virtually all app governance experiences are controlled by Microsoft Entra ID roles only. The only exception is the OAuthAppInfo table in advanced hunting. Unified RBAC permissions in Defender for Cloud Apps grant access to the app governance data in this specific table.
In the unified alerts and incidents experiences in Defender XDR, access to app governance data is controlled by Microsoft Entra ID only.
For more information about permissions in app governance, see App governance roles.
Activating Defender for Cloud Apps integration with Defender XDR Unified RBAC has the following results:
- Microsoft Entra ID roles continue to function as normal.
- The following built-in scoped roles in Defender for Cloud Apps are no longer supported:
- App/instance admin
- User group admin
- Cloud Discovery global admin
- Cloud Discovery report admin
| Defender for Cloud Apps permission | Defender XDR Unified RBAC permission |
|---|---|
| Local Global administrator | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Authorization and settings \ Authorization (all permissions) Authorization and settings \ Security settings (all permissions) Authorization and settings \ System settings (all permissions) |
| Local Security operator | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Authorization and settings \ Authorization (read) Authorization and settings \ Security setting (all permissions) Authorization and settings \ System setting (read) |
| Local Security reader | Security operations \ Security data \ Security data basics (read) Authorization and settings \ Authorization (read) Authorization and settings \ Security settings \ Security settings (read) Authorization and settings \ System settings (read) |
| Local Compliance administrator | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Authorization and settings \ Authorization (read) Authorization and settings \ Security settings \ Security settings (all permissions) Authorization and settings \ System settings (read) |
Unified RBAC roles in Microsoft Defender for Cloud
Unified Role-Based Access Control (uRBAC) lets you manage permissions across Microsoft Defender for Cloud resources using a consistent model. Roles define what actions users can perform and assign roles carefully to maintain least-privilege access.
The following table lists the available uRBAC roles and their permissions.
| Role | Permissions | Description |
|---|---|---|
| Security data basics: Security operations / Security data / Security data basics (read) | Read | Access alerts, incidents, investigations, hunting, devices, cloud assets, and reports. Includes cloud inventory and threat protection. |
| Alerts: Security operations / Security data / Alerts (manage) | Manage | Manage alerts, investigations, scans, device tags, and packages. Includes cloud threat protection features. |
| Vulnerability Management: Security posture / Posture management / Vulnerability management (read) | Read | View vulnerability data: software inventory, weaknesses, missing KBs, baselines, hunting, and devices. Includes data lake (Preview). |
| Exposure Management: Security posture / Posture management / Exposure Management (read); Security posture / Posture management / Exposure Management (manage) | Read/Manage | View or manage exposure insights, including Secure Score, recommendations, initiatives, and metrics. |
Note
Roles can be combined for broader access, but always apply least-privilege principles. Some capabilities might require more permissions or feature enablement.
Microsoft Entra Global roles access
Users assigned with Microsoft Entra global roles might also have access to the Microsoft Defender portal.
Use this table to learn about the permissions assigned by default for each workload (Defender for Endpoint, Defender Vulnerability Management, Defender for Office and Defender for Identity) in Microsoft Defender XDR Unified RBAC to each global Microsoft Entra role.
| Microsoft Entra role | Microsoft Defender XDR Unified RBAC assigned permissions for all workloads | Microsoft Defender XDR Unified RBAC assigned permissions – workload specific |
|---|---|---|
| Global administrator | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Security operations \ Security data \ Response (manage) Security posture \ Posture management \ Exposure Management (read) Security posture \ Posture management \ Exposure Management (manage) Authorization and settings \ Authorization (Read and manage) Authorization and settings \ Security settings (All permissions) Authorization and settings \ System settings (Read and manage) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security operations \ Basic live response (manage) Security operations \ Advanced live response (manage) Security operations \ Security data \ File collection (manage) Security posture \ Posture management \ Vulnerability management (read) Security posture \ Posture management \ Exception handling (manage) Security posture \ Posture management \ Remediation handling (manage) Security posture \ Posture management \ Application handling (manage) Security posture \ Posture management \ Security baseline assessment (manage) Defender for Office only permissions Security operations \ Security data \ Email quarantine (manage) Security operations \ Security data \ Email advanced actions (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) |
| Security administrator | Same as Global administrator | Same as Global administrator |
| Global reader | Security operations \ Security data \ Security data basics (read) Security posture \ Posture management \ Exposure Management (read) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security posture \ Posture management \ Vulnerability management (read) Defender for Office only permissions Security operations \ Security data \ Response (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ Authorization (read) Defender for Office and Defender for Identity only permissions Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System settings (read) |
| Security reader | Security operations \ Security data \ Security data basics (read) Security posture \ Posture management \ Exposure Management (read) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security posture \ Posture management \ Vulnerability management (read) Defender for Office only permissions Security operations \ Security data \ Response (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Defender for Office and Defender for Identity only permissions Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System settings (read) |
| Security operator | Security operations \ Security data \ Security data basics (read) Security posture \ Posture management \ Exposure Management (read) Security operations \ Security data \ Response (manage) Security posture \ Posture management \ Secure Score (read) Authorization and settings \ Security settings (All permissions) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security operations \ Security data \ Basic live response (manage) Security operations \ Security data \ Advanced live response (manage) Security operations \ Security data \ File collection (manage) Security posture \ Posture management \ Vulnerability management (read) Security posture \ Posture management \ Exception handling (manage) Security posture \ Posture management \ Remediation handling (manage) Defender for Office only permissions Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ System settings (Read and manage) Defender for Identity only permissions Authorization and settings \ System settings (read) |
| Exchange Administrator | Security posture \ Posture management \ Exposure Management (read) Security posture \ Posture management \ Exposure Management (manage) |
Defender for Office only permissions Security operations \ Security data \ Security data basic (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ System settings (Read and manage) |
| SharePoint Administrator | Security posture \ Posture management \ Exposure Management (read) Security posture \ Posture management \ Exposure Management (manage) |
not applicable |
| Service Support Administrator | Security posture \ Posture management \ Exposure Management (read) | not applicable |
| User Administrator | Security posture \ Posture management \ Exposure Management (read) | not applicable |
| HelpDesk Administrator | Security posture \ Posture management \ Exposure Management (read) | not applicable |
| Compliance administrator | not applicable | Defender for Office only permissions Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) |
| Compliance data administrator | not applicable | Same as Compliance administrator |
| Billing admin | not applicable | not applicable |
Note
By activating the Microsoft Defender XDR Unified RBAC model, users with the Security Reader and Global Reader roles are granted read-only access to resources from workloads integrated into the model. However, accessing Microsoft Defender for Endpoint device data requires more configuration before Security Reader permissions take effect. For details, see the Before you begin section.
Sample permission mappings of Microsoft Sentinel built-in roles to Microsoft Defender XDR Unified RBAC roles
These are examples of the permissions that can be assigned to the users based on their roles in Microsoft Sentinel. As Unified RBAC provides the option to have more granular permissions on Microsoft Defender XDR, you can utilize that granularity to separate certain Microsoft Defender XDR permissions on Tier level as well. For example, you can apply Live Response Basic to Tier 1, but Live Response Advanced permission to Tier 2.
If some users need only read access to Microsoft Sentinel SIEM raw data, they can also utilize Log Analytics Granular RBAC functionality to scope access to only specific data saved in Log Analytics workspace. Please note that Granular RBAC will not scope access to Microsoft Sentinel incidents, alerts, watchlists, UEBA, TI, or any other Microsoft Sentinel SIEM features.
| Group | Role | Scope | Notes |
|---|---|---|---|
| Security Analysts | Microsoft Sentinel Responder | Microsoft Sentinel's Resource Group | View data, incidents, workbooks, and other Microsoft Sentinel resources. Manage incidents (assign, dismiss, etc.) |
| Security Analysts | Microsoft Sentinel Playbook Operator | Microsoft Sentinel's Resource Group (or the Resource Group where Playbooks are stored) | List, view and run playbooks. To attach playbooks to analytics rules, Microsoft Sentinel Contributor role is needed |
| Security Analysts | Security Operator Unified RBAC role | Microsoft Defender portal | View, investigate, and respond to security threats alerts Manage Microsoft Defender XDR security settings List of URBAC permissions equivalent for Security Operator Entra ID role are listed on this link: /defender-xdr/compare-rbac-roles#microsoft-entra-global-roles-access |
| Security Engineer | Microsoft Sentinel Contributor | Microsoft Sentinel's Resource Group | View data, incidents, workbooks, and other Microsoft Sentinel resources. Manage incidents (assign, dismiss, etc.). Create and edit workbooks, analytics rules, and other Microsoft Sentinel resources. |
| Security Engineer | Logic Apps Contributor | Microsoft Sentinel's Resource Group (or the Resource Group where Playbooks are stored) | Run and modify playbooks. Attach playbooks to analytics rules and automation rules. |
| Security Engineer | Monitoring Contributor | Subscription and/or Resource group and/or An existing data collection rule | Create or edit data collection rules |
| Security Engineer | Log Analytics Contributor | Microsoft Sentinel's Resource Group | Use the Search feature |
| Security Engineer | Virtual Machine Contributor Azure Connected Machine Resource Administrator | Virtual machines, virtual machine scale sets Arc-enabled servers | Deploy DCR associations (i.e. to assign rules to the machine) |
| Security Engineer | Template Spec Contributor | Microsoft Sentinel's Resource Group | Deploy v2.0 solutions from Content hub. |
| Security Engineer | Security Administrator Unified RBAC role | Microsoft Defender portal | Monitor security-related policies across Microsoft Defender XDR services Manage security threats and alerts View reports List of URBAC permissions equivalent for Security Administrator Entra ID role are listed on this link: /defender-xdr/compare-rbac-roles#microsoft-entra-global-roles-access |
| Security Architect | Microsoft Sentinel Contributor | Microsoft Sentinel's Resource Group | View data, incidents, workbooks, and other Microsoft Sentinel resources. Manage incidents (assign, dismiss, etc.). Create and edit workbooks, analytics rules, and other Microsoft Sentinel resources. |
| Security Architect | User Access Administrator | Microsoft Sentinel's Resource Group | This is privileged role! This permission is needed to onboard Microsoft Sentinel SIEM to Microsoft Defender portal. |
| Security Architect | Security Administrator | Entara ID Tenant level | This is a privileged role! Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Microsoft Entra ID Protection, Microsoft Entra Authentication, Azure Information Protection, and Microsoft Purview compliance portal. This permission is needed to onboard Microsoft Sentinel SIEM to Microsoft Defender portal, offboard the workspace, or change primary/secondary workspace. |
Next steps
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.