Microsoft Defender XDR · Security Operations
Incident Responder
Takes response actions to contain and remediate threats. Can isolate devices, manage quarantine, and perform live response.
Scope: Incident response and remediation across Defender workloads
Permissions
- Security data basics (read) - View incidents, alerts, investigations, devices
- Alerts (manage) - Manage alerts, start investigations, manage device tags
- Response (manage) - Take response actions, approve/dismiss remediation, manage block lists
- Basic live response (manage) - Initiate sessions, download files, read-only device actions
- Advanced live response (manage) - Full live response with file uploads and script execution
- File collection (manage) - Collect files for analysis
- Email & collaboration quarantine (manage) - View and release quarantined email
- Email & collaboration advanced actions (manage) - Move/delete email to junk, deleted items
Common use cases
- Incident responders handling active threats
- Tier 2/3 SOC analysts with remediation responsibilities
- Emergency response teams
Best practices
- Use for analysts who need to take immediate action
- Document all response actions taken
- Coordinate with Security Administrator for major incidents
- Test remediation scripts before deployment
Security considerations
- Can isolate devices from network
- Can run scripts on devices via live response
- Can delete emails including hard delete
- Actions can impact business operations
Common questions
When should I assign the Incident Responder role?
Assign Incident Responder when you need to: Incident responders handling active threats; Tier 2/3 SOC analysts with remediation responsibilities; and Emergency response teams. It is part of Microsoft Defender XDR and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Incident Responder role do?
The Incident Responder role grants permissions including: Security data basics (read) - View incidents, alerts, investigations, devices; Alerts (manage) - Manage alerts, start investigations, manage device tags; Response (manage) - Take response actions, approve/dismiss remediation, manage block lists; Basic live response (manage) - Initiate sessions, download files, read-only device actions; Advanced live response (manage) - Full live response with file uploads and script execution; and File collection (manage) - Collect files for analysis. See the Permissions section above for the full list.
What are the security risks of the Incident Responder role?
Key considerations when assigning Incident Responder: Can isolate devices from network; Can run scripts on devices via live response; Can delete emails including hard delete; and Actions can impact business operations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.