MC787370 - Advanced Hunting Permissions update for some Microsoft Defender for Office 365 security admins

Service

Microsoft Defender XDR

Published

Apr 26, 2024

Tag

Admin impact

Summary

The permissions for accessing Email & Collaboration schema in Advanced Hunting for Microsoft Defender for Office 365 are updated to align with Threat Explorer. Changes will roll out in May 2024, affecting security teams with specific roles. Organizations must assign new permissions to maintain access to the schema.

More information

We've changed the permissions mechanism for accessing the Email & collaboration schema in Advanced Hunting for Microsoft Defender for Office 365 customers, to align with Threat Explorer.

When this will happen:

We will begin rolling out in early May 2024 and expect to complete by late May 2024.

How this will affect your organization:

Impacted users:

Security teams that use the Defender XDR Email & collaboration schema in Advanced Hunting (https://security.microsoft.com/v2/advanced-hunting):

  • Users assigned to Exchange Online Protection role groups View-only Manage alerts, Manage alerts, View-only audit logs, Audit logs, and Organization configuration. These role groups are configured in the Defender portal, under Permissions / Email & collaboration Roles / Roles, or in the Purview compliance portal under Roles and Scopes/Permissions.
  • Users assigned the following permissions using Defender XDR Unified RBAC for Microsoft Defender for Office 365:
    • Security operations / Security data basics (read), without Security operations / Raw data / Email & collaboration metadata (read).

Previously, these roles granted access to Microsoft Defender for Office 365 Alerts and Incidents, as well as Email & collaboration schema in Advanced Hunting.

What you need to do to prepare:

After this change rolls out, these roles will continue to grant access to Microsoft Defender for Office 365 Alerts and Incidents, but not to the Email & collaboration schema in Advanced Hunting.

If you want your teams to keep access to the Email & collaboration schema in Advanced Hunting, please assign them one of the following permissions, the same as required to access Threat Explorer:

  • If Defender XDR Unified RBAC is active for Email & collaboration, please assign:
    Security operations / Raw data / Email & collaboration metadata (read) permission.
  • If Defender XDR Unified RBAC is not active for Email & collaboration, please assign the following Email & collaboration permissions in the Defender portal:
    Security Reader, Security Operator, Security Administrator, Exchange Administrator, Global Reader, View-Only Recipients, Organization Management.

Notes:

  • This change does not impact access to Threat Explorer
  • Global Entra ID roles are not impacted by this change

Please review the following resources to learn more: