Microsoft Defender XDR · Security Operations

Incident Responder

Takes response actions to contain and remediate threats. Can isolate devices, manage quarantine, and perform live response.

Scope: Incident response and remediation across Defender workloads

Permissions

  • Security data basics (read) - View incidents, alerts, investigations, devices
  • Alerts (manage) - Manage alerts, start investigations, manage device tags
  • Response (manage) - Take response actions, approve/dismiss remediation, manage block lists
  • Basic live response (manage) - Initiate sessions, download files, read-only device actions
  • Advanced live response (manage) - Full live response with file uploads and script execution
  • File collection (manage) - Collect files for analysis
  • Email & collaboration quarantine (manage) - View and release quarantined email
  • Email & collaboration advanced actions (manage) - Move/delete email to junk, deleted items

Common use cases

  • Incident responders handling active threats
  • Tier 2/3 SOC analysts with remediation responsibilities
  • Emergency response teams

Best practices

  • Use for analysts who need to take immediate action
  • Document all response actions taken
  • Coordinate with Security Administrator for major incidents
  • Test remediation scripts before deployment

Security considerations

  • Can isolate devices from network
  • Can run scripts on devices via live response
  • Can delete emails including hard delete
  • Actions can impact business operations

Common questions

When should I assign the Incident Responder role?

Assign Incident Responder when you need to: Incident responders handling active threats; Tier 2/3 SOC analysts with remediation responsibilities; and Emergency response teams. It is part of Microsoft Defender XDR and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Incident Responder role do?

The Incident Responder role grants permissions including: Security data basics (read) - View incidents, alerts, investigations, devices; Alerts (manage) - Manage alerts, start investigations, manage device tags; Response (manage) - Take response actions, approve/dismiss remediation, manage block lists; Basic live response (manage) - Initiate sessions, download files, read-only device actions; Advanced live response (manage) - Full live response with file uploads and script execution; and File collection (manage) - Collect files for analysis. See the Permissions section above for the full list.

What are the security risks of the Incident Responder role?

Key considerations when assigning Incident Responder: Can isolate devices from network; Can run scripts on devices via live response; Can delete emails including hard delete; and Actions can impact business operations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →