Advanced Hunting Permissions update for some Microsoft Defender for Office 365 security admins

We’ve changed the permissions mechanism for accessing the Email & collaboration schema in Advanced Hunting for Microsoft Defender for Office 365 customers, to align it with Threat Explorer.

[When this will happen:]

We will begin rolling out in early May 2024 and expect to complete by late May 2024.

[How this will affect your organization:]

Impacted users:

Security teams that are using Defender XDR Email & collaboration schema in Advanced Hunting (https://security.microsoft.com/v2/advanced-hunting)

  • Users assigned to Exchange Online Protection role groups View-only Manage alerts, Manage alerts, View-only audit logs, Audit logs, and Organization configuration. These role groups are configured in the Defender portal, under Permissions / Email & collaboration Roles / Roles, or in the Purview compliance portal under Roles and Scopes/Permissions.
  • Users assigned the following permissions using Defender XDR Unified RBAC for Microsoft Defender for Office 365:
    • Security operations / Security data basics (read), without Security operations / Raw data / Email & collaboration metadata (read).

Previously, these roles granted access to Microsoft Defender for Office 365 Alerts and Incidents, as well as Email & collaboration schema in Advanced Hunting.

[What you need to do to prepare:]

After rolling out this change, these roles will continue to grant access to Microsoft Defender for Office 365 Alerts and Incidents, but not Email & collaboration schema in Advanced Hunting. 

If you want your teams to keep their access to the Email & collaboration schema in Advanced Hunting, please assign them one of the following permissions, the same as those required to access Threat Explorer:

  • If Defender XDR Unified RBAC is active for Email & collaboration, please assign:
    Security operations / Raw data / Email & collaboration metadata (read) permission.
  • If Defender XDR Unified RBAC is not active for Email & collaboration, please assign the following Email & collaboration permissions in the Defender portal:
    Security Reader, Security Operator, Security Administrator, Exchange Administrator, Global Reader, View-Only Recipients, Organization Management.

Notes:

  • This change does not impact access to Threat Explorer
  • Global Entra ID roles are not impacted by this change

Please review the following resources to learn more:
