We’ve changed the permissions mechanism to access Email & collaboration schema in Advanced Hunting for Microsoft Defender for Office 365 customers, to align with Threat Explorer.
[When this will happen:]
We will begin rolling out in early May 2024 and expect to complete by late May 2024.
[How this will affect your organization:]
Impacted users:
Security teams that are using Defender XDR Email & collaboration schema in Advanced Hunting (https://security.microsoft.com/v2/advanced-hunting)
- Users assigned to Exchange Online Protection role groups View-only Manage alerts, Manage alerts, View-only audit logs, Audit logs, and Organization configuration. These role groups are configured in the Defender portal, under Permissions / Email & collaboration Roles / Roles, or in the Purview compliance portal under Roles and Scopes/Permissions.
- Users assigned the following permissions using Defender XDR Unified RBAC for Microsoft Defender for Office 365:
- Security operations / Security data basics (read), without Security operations / Raw data / Email & collaboration metadata (read)).
Previously, these roles granted access to Microsoft Defender for Office 365 Alerts and Incidents, as well as Email & collaboration schema in Advanced Hunting.
[What you need to do to prepare:]
After rolling out this change, these roles will continue to grant access to Microsoft Defender for Office 365 Alerts and Incidents, but not Email & collaboration schema in Advanced Hunting.
If you are willing to continue and grant your teams access to Email & collaboration schema in Advanced Hunting, please assign them one of the following permissions, same as required to access Threat Explorer:
- If Defender XDR Unified RBAC is active for Email & collaboration: please assign:
Security operations / Raw data / Email & collaboration metadata (read) permission. - If Defender XDR Unified RBAC is not active for Email & collaboration, please assign the following Email & collaboration permissions in the Defender portal:
Security Reader, Security Operator, Security Administrator, Exchange Administrator, Global Reader, View-Only Recipients, Organization Management.
Notes:
- This change does not impact access to Threat Explorer
- Global Entra ID roles are not impacted by this change
Please review the following resources to learn more:
- For additional information on Advanced Hunting permissions, see Custom roles for role-based access control | Microsoft Learn
- For additional information on Threat Explorer permissions, see About Threat Explorer and Real-time detections in Microsoft Defender for Office 365 | Microsoft Learn
