title | description | ms.service | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | ms.reviewer | search.appverid | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Activate Microsoft Defender XDR Unified role-based access control (RBAC) |
Activate Microsoft Defender XDR Security unified role-based access control(RBAC) |
defender-xdr |
diannegali |
siosulli |
medium |
deniseb |
ITPro |
|
how-to |
11/17/2024 |
met150 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 P2
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
- Microsoft Defender for Cloud Apps
- Microsoft Security Exposure Management
For the Microsoft Defender XDR security portal to start enforcing the permissions and assignments configured in your new custom roles or imported roles, you must activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads.
The following steps guide you on how to activate the Microsoft Defender XDR Unified RBAC model. You can activate your workloads in the following ways:
Important
You must be a Global Administrator or Security Administrator in Microsoft Entra ID to perform this task. For more information on permissions, see Permission pre-requisites. Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Sign in to the Microsoft Defender portal. In the navigation pane, select Permissions and select Roles under Microsoft Defender XDR to get to the Permissions and roles page.
You can activate your workloads in two ways from the Permissions and roles page:
:::image type="content" source="/defender/media/defender/m365-defender-rbac-activate-workloads1.png" alt-text="Screenshot of the activate workloads page" lightbox="/defender/media/defender/m365-defender-rbac-activate-workloads1.png":::
- Activate workloads
- Select Activate workloads on the banner above the list of roles to go directly to the Activate workloads screen.
- You must activate each workload one by one. Once you select the individual toggle, you activate (or deactivate) that workload.
:::image type="content" source="/defender/media/defender/defender-activate-workloads.png" alt-text="Screenshot of the choose workloads to activate screen.":::
Note
The Activate workloads button is only available when there is it at least one workload that's not active for Microsoft Defender XDR Unified RBAC. Microsoft Defender for Cloud is active by default with Microsoft Defender XDR Unified RBAC. Defender XDR Unified RBAC is automatically active for Exposure Management access. Once a custom role with one of the Exposure Management permissions is created, it has an immediate impact on assigned users. There is no need to activate it.
To activate Exchange Online permissions in Microsoft Defender XDR Unified RBAC, Defender for Office 365 permissions must be active.
- Workload settings
- Select Workload settings.
- This brings you to the Microsoft Defender XDR Permission and roles page.
- Select the toggle for the workload you want to activate.
- Select Activate on the confirmation message.
You have now successfully activated (or deactivated) that workload.
Follow these steps to activate your workloads directly in Microsoft Defender XDR settings:
-
Sign in to the Microsoft Defender portal.
-
In the navigation pane, select Settings.
-
Select Microsoft Defender XDR.
-
Select Permissions and roles. This brings you to the Activate workloads page.
-
Select the toggle for the workload you want to activate.
-
Select Activate on the confirmation message.
You have now successfully activated (or deactivated) that workload.
Note
The Microsoft Defender XDR Unified RBAC model only impacts the Microsoft Defender XDR security portal. It does not impact the Microsoft Purview Compliance center or the Exchange Admin Center.
You can deactivate Microsoft Defender XDR Unified RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (Exchange Online Protection).
To Deactivate the workloads, repeat the steps above and select the workloads you want to deactivate. The status is set to Not Active.
If you deactivate a workload, the roles created and edited within Microsoft Defender XDR Unified RBAC are no longer in effect, and the previous permissions model is used instead.
[!INCLUDE Microsoft Defender XDR rebranding]