All Microsoft 365 Defender Permissions Menu Locations
Managing permissions in all 4 Microsoft 365 Defender platforms.
The menus for granting permissions in the Microsoft 365 Defender platforms are hidden in a maze of Microsoft Docs articles. It took experienced Microsoft security administrators at CyberMSI multiple hours to pin down where the menus were without having global admin privileges available. We are sharing tips on working with these menus so that others do not have to go through the same process.
In this blog, we will point out where we have found the permissions menus for each of the 4 Microsoft 365 Defender platforms. We will also discuss some important information about the roles that most security analysts will need to do their jobs effectively.
If the reader does not see these menu items in their UI, they will need to get one of the roles outlined in the first sentence of each section to view the menus. The reader can request those roles from either a user with the described role or a global admin.
MDE Roles Menu
In the settings menu in MDE, there is a Roles submenu that a default admin can select to view how permissions are distributed in MDE. The permissions are distributed using groups; by creating or editing these groups, Azure users and groups can be assigned to them.
Security admins should be added to the default admin role so they can give out permissions. Security analysts will need some combination of the available permissions based on what they are required to do in MDE.
MCAS Admin Access Menu
By selecting the settings gear in the top-right corner of the MCAS menu, an MCAS global admin or full access admin can view the “Manage Admin Access” menu. From this menu the user can see which admin roles have been distributed, and they can give out MCAS admin permissions to individual users.
Security admins can be given permissions based on which aspect of MCAS they are managing. Most analysts will only need the security reader role so that they can view and manage alerts in MCAS.
Defender for Office 365 Permissions Menus
In the right-hand navigation menu in the Office 365 Security & Compliance center, a security administrator will be able to select a “Permissions” menu. From here the user can view all the available permissions groups for Defender for Office 365.
Security admins should be given both the security admin and security operator roles, because the operator role has permissions that the admin role does not. Security analysts should get security operator so that they can update alerts and use the features available in both Defender for Office 365 menus.
Defender for Identity AAD Roles
Defender for Identity follows its own rules: once the first-time setup is finished, any user that can view Azure Active Directory roles can see the automatically generated AAD groups for the platform. Azure ATP Viewers, Users, and Admins groups will all appear, and AAD users and groups can be added to those groups.
Security admins should be added to the Azure ATP Admin group and security analysts should be added to the Azure ATP Users group. These groups will allow each role to do what it needs to in the Defender for Identity platform.
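One way to check who actually holds these Defender for Identity permissions, and to answer the least-privilege question at the end of this post, is to read the auto-generated "Azure ATP" groups back out of Azure AD. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read groups and their members.

```powershell
# Added example (not part of the original post): audit membership of the
# auto-generated Defender for Identity (Azure ATP) groups in Azure AD.
# Assumes the Microsoft.Graph module is installed and Group.Read.All is granted.
Connect-MgGraph -Scopes "Group.Read.All" | Out-Null

# The platform names its groups "Azure ATP ... Viewers/Users/Administrators",
# so match on the prefix rather than hard-coding an instance name.
$atpGroups = Get-MgGroup -Filter "startswith(displayName,'Azure ATP')" -All
if (-not $atpGroups) {
    Write-Warning "No 'Azure ATP' groups found. First-time setup may not be complete."
    return
}

# Flatten every group's membership into one row per (group, member).
$report = foreach ($group in $atpGroups) {
    foreach ($m in (Get-MgGroupMember -GroupId $group.Id -All)) {
        [pscustomobject]@{
            Group      = $group.DisplayName
            MemberName = $m.AdditionalProperties['displayName']
            MemberUpn  = $m.AdditionalProperties['userPrincipalName']
            MemberType = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        }
    }
}

# Check 1: who holds the Administrators role (security admins only, per this post).
Write-Host "`n== Members of the Azure ATP Administrators group ==" -ForegroundColor Cyan
$report | Where-Object { $_.Group -like '*Administrators' } | Format-Table -AutoSize

# Check 2: accounts present in more than one Azure ATP group (Admins already
# cover Users/Viewers, so overlap usually means an over-privileged account).
Write-Host "`n== Accounts in more than one Azure ATP group ==" -ForegroundColor Cyan
$report | Where-Object { $_.MemberUpn } |
    Group-Object MemberUpn | Where-Object { $_.Count -gt 1 } |
    Select-Object @{n='Upn';e={$_.Name}}, @{n='Groups';e={($_.Group.Group -join ', ')}} |
    Format-Table -AutoSize

# Check 3: nested groups, whose members are not visible in this report and
# therefore deserve a separate review.
Write-Host "`n== Nested groups (review their membership separately) ==" -ForegroundColor Cyan
$report | Where-Object { $_.MemberType -eq 'group' } | Format-Table Group, MemberName -AutoSize
```

Run it from a workstation with the Microsoft.Graph module and compare the Administrators list against the short list of security admins you intended; anything else in that group is a least-privilege finding.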
We will continue to share best practices and lessons learned in future posts on managing roles in Microsoft products. As a Microsoft partner, it is our responsibility to stay up to date with security topics like permissions needed for Microsoft products.
In closing, consider these three questions when using Microsoft 365 Defender product roles in your organization:
- Have we defined the appropriate roles and groups for managing security operations in Microsoft 365 Defender?
- Do we know the difference between the roles in each of these Microsoft products?
- Can we come up with a way to test these roles to ensure that we are following the principle of least privilege?