Microsoft Defender for Cloud uses Azure role-based access control (Azure RBAC) to provide built-in roles. Assign these roles to users, groups, and services in Azure to give them access to resources according to the role's defined access.
Defender for Cloud assesses resource configurations and identifies security issues and vulnerabilities. You can view resource information in Defender for Cloud when you're assigned one of these roles for the subscription or resource group: Owner, Contributor, or Reader.
In addition to the built-in roles, there are two roles specific to Defender for Cloud:
- Security Reader: A user in this role has read-only access to Defender for Cloud. The user can view recommendations, alerts, security policies, and security states but can't make changes.
- Security Admin: A user in this role has the same access as the Security Reader and can also update security policies and dismiss alerts and recommendations.
Assign the least permissive role needed for users to complete their tasks.
For example, assign the Reader role to users who only need to view security health information of a resource without taking any action. Users with a Reader role can't apply recommendations or edit policies.
The following table displays roles and allowed actions in Defender for Cloud.
Action | Security Reader / Reader | Security Admin | Contributor / Owner (Resource group level) | Contributor (Subscription level) | Owner (Subscription level) |
---|---|---|---|---|---|
Add/assign initiatives (including regulatory compliance standards) | - | ✔ | - | - | ✔ |
Edit security policy | - | ✔ | - | - | ✔ |
Enable / disable Microsoft Defender plans | - | ✔ | - | ✔ | ✔ |
Dismiss alerts | - | ✔ | - | ✔ | ✔ |
Apply security recommendations for a resource (Use Fix) | - | - | ✔ | ✔ | ✔ |
View alerts and recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
Exempt security recommendations | - | ✔ | - | - | ✔ |
Configure email notifications | - | ✔ | ✔ | ✔ | ✔ |
Note
While the three roles that can enable and disable Microsoft Defender plans (Security Admin, Contributor at the subscription level, and Owner) are sufficient for turning plans on and off, the Owner role is required to enable all capabilities of a plan.
The specific role required to deploy monitoring components depends on the extension you deploy. Learn more about monitoring components.
To allow the Security Admin role to automatically configure the agents and extensions used by Defender for Cloud plans, Defender for Cloud uses policy remediation similar to Azure Policy. To use remediation, Defender for Cloud needs to create service principals (managed identities) and assign them roles at the subscription level. For example, the service principals for the Defender for Containers plan, and the roles each one holds, are:
Service Principal | Roles |
---|---|
Defender for Containers provisioning Azure Kubernetes Service (AKS) Security Profile | Kubernetes Extension Contributor, Contributor, Azure Kubernetes Service Contributor, Log Analytics Contributor |
Defender for Containers provisioning Arc-enabled Kubernetes | Azure Kubernetes Service Contributor, Kubernetes Extension Contributor, Contributor, Log Analytics Contributor |
Defender for Containers provisioning Azure Policy for Kubernetes | Kubernetes Extension Contributor, Contributor, Azure Kubernetes Service Contributor |
Defender for Containers provisioning Policy extension for Arc-enabled Kubernetes | Azure Kubernetes Service Contributor, Kubernetes Extension Contributor, Contributor |
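The permission table and the service principal table above are the inputs a practitioner needs for two checks: are people holding a broader role than the Defender for Cloud tasks they perform require, and do the Defender for Containers provisioning principals still hold the roles the plan expects. The following script is an added example and not code from this article or from Microsoft; it consumes the JSON shape produced by `az role assignment list --scope /subscriptions/<id> -o json` (the `principalName`, `principalType`, `roleDefinitionName`, and `scope` fields) and applies both tables. The assignments and per-principal task lists are constructed for the example, the least-privilege ordering of roles is an assumption stated in the code, and service principals appear under their display names for readability although `az` normally reports an application ID in `principalName`.

```python
"""Audit Azure RBAC assignments against the Defender for Cloud permission table.

Added example (not from the article). Input is the JSON emitted by
`az role assignment list --scope /subscriptions/<id> -o json`.
"""
import json

# Permission table from the article, keyed by (role, scope level). Action keys:
# view, initiatives, policy, plans, dismiss, fix (Use Fix), exempt, email.
MATRIX = {
    ("Security Reader", "subscription"): {"view"},
    ("Contributor", "resourceGroup"): {"view", "fix", "email"},
    ("Security Admin", "subscription"): {"view", "initiatives", "policy", "plans",
                                         "dismiss", "exempt", "email"},
    ("Contributor", "subscription"): {"view", "plans", "dismiss", "fix", "email"},
    ("Owner", "subscription"): {"view", "initiatives", "policy", "plans", "dismiss",
                                "fix", "exempt", "email"},
}
# ASSUMPTION: least-privilege ordering puts the Defender-specific roles and
# resource-group scope before general-purpose roles at subscription scope.
ORDER = list(MATRIX)

# Roles the article lists for each Defender for Containers provisioning principal.
CONTAINERS_SP_ROLES = {
    "Defender for Containers provisioning Azure Kubernetes Service (AKS) Security Profile":
        {"Kubernetes Extension Contributor", "Contributor",
         "Azure Kubernetes Service Contributor", "Log Analytics Contributor"},
    "Defender for Containers provisioning Arc-enabled Kubernetes":
        {"Azure Kubernetes Service Contributor", "Kubernetes Extension Contributor",
         "Contributor", "Log Analytics Contributor"},
    "Defender for Containers provisioning Azure Policy for Kubernetes":
        {"Kubernetes Extension Contributor", "Contributor",
         "Azure Kubernetes Service Contributor"},
    "Defender for Containers provisioning Policy extension for Arc-enabled Kubernetes":
        {"Azure Kubernetes Service Contributor", "Kubernetes Extension Contributor",
         "Contributor"},
}


def scope_level(scope):
    """Classify a scope string; anything below a resource group counts as resourceGroup."""
    return "resourceGroup" if "resourceGroups" in scope.split("/") else "subscription"


def least_privileged_role(actions):
    """First (role, level) in ORDER whose allowed actions cover every required action."""
    needed = set(actions)
    for key in ORDER:
        if needed <= MATRIX[key]:
            return key
    raise ValueError(f"no role in the table covers {sorted(needed)}")


def rank(role, level):
    """Position of an assigned role in ORDER; None if the role is outside the table."""
    if role in ("Reader", "Security Reader"):  # both are view-only in Defender for Cloud
        return 0
    return ORDER.index((role, level)) if (role, level) in MATRIX else None


def audit_assignments(assignments, required_actions):
    """Flag users/groups whose assigned role is broader than their tasks require."""
    findings = []
    for a in assignments:
        name = a["principalName"]
        if a["principalType"] not in ("User", "Group") or name not in required_actions:
            continue
        level = scope_level(a["scope"])
        assigned = rank(a["roleDefinitionName"], level)
        ideal = least_privileged_role(required_actions[name])
        if assigned is not None and assigned > ORDER.index(ideal):
            findings.append({"principal": name,
                             "assigned": f"{a['roleDefinitionName']} ({level})",
                             "recommended": f"{ideal[0]} ({ideal[1]})"})
    return findings


def check_containers_principals(assignments):
    """Roles missing at subscription scope for each provisioning principal present."""
    held = {}
    for a in assignments:
        if a["principalType"] == "ServicePrincipal" and scope_level(a["scope"]) == "subscription":
            held.setdefault(a["principalName"], set()).add(a["roleDefinitionName"])
    return {sp: sorted(roles - held[sp])
            for sp, roles in CONTAINERS_SP_ROLES.items() if sp in held and roles - held[sp]}


# Constructed sample in the shape of `az role assignment list -o json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
AKS_SP = "Defender for Containers provisioning Azure Kubernetes Service (AKS) Security Profile"
SAMPLE_ASSIGNMENTS = json.loads(json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "soc-analysts", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Security Reader", "scope": SUB},
] + [{"principalName": AKS_SP, "principalType": "ServicePrincipal",
      "roleDefinitionName": r, "scope": SUB}
     for r in ("Kubernetes Extension Contributor", "Contributor",
               "Azure Kubernetes Service Contributor")]))  # Log Analytics Contributor absent
SAMPLE_REQUIRED = {  # constructed: what each principal actually does in Defender for Cloud
    "alice@contoso.example": {"view", "dismiss", "policy"},
    "soc-analysts": {"view", "fix"},
    "bob@contoso.example": {"view"},
}

if __name__ == "__main__":
    print(json.dumps(audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_REQUIRED), indent=2))
    print(json.dumps(check_containers_principals(SAMPLE_ASSIGNMENTS), indent=2))
```

Against the sample, the user holding Owner is reported with Security Admin as the least-privileged alternative, the group with Contributor at resource group scope (which it needs for Use Fix) passes, and the AKS Security Profile principal is reported as missing Log Analytics Contributor. To run it on real data, replace `SAMPLE_ASSIGNMENTS` with `json.load()` of the `az` output and `SAMPLE_REQUIRED` with your own record of who needs which action.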
This article explained how Defender for Cloud uses Azure Role-Based Access Control to assign permissions to users and identified the allowed actions for each role. Now that you're familiar with the role assignments needed to monitor the security state of your subscription, edit security policies, and apply recommendations, learn how to: