Microsoft Defender XDR · XDR System Administration

XDR SysAdmin

Manages Defender XDR system including RBAC roles, device groups, core settings, and system configuration. The single administrative role for XDR platform management.

Scope: Defender XDR platform administration and access management

Permissions

  • Authorization (manage) - Full management of device groups, custom roles, and role assignments
  • Core security settings (manage) - View and manage security settings across workloads
  • System settings (manage) - View and manage general portal settings and configurations

Common use cases

  • IT security administrators managing Defender RBAC
  • IAM teams implementing least privilege access
  • Security architects designing role structures
  • Platform administrators configuring Defender settings

Best practices

  • Limit to dedicated IAM/security administrators
  • Document all custom roles and their justifications
  • Review role assignments on a regular schedule
  • Use device groups to scope access appropriately
  • Use PIM for just-in-time activation of this role

Security considerations

  • Can grant any Defender permission to any group
  • Can create roles with full security access
  • Settings changes affect all users in tenant
  • Should be tightly controlled and audited

Common questions

When should I assign the XDR SysAdmin role?

Assign XDR SysAdmin when you need to: IT security administrators managing Defender RBAC; IAM teams implementing least privilege access; Security architects designing role structures; and Platform administrators configuring Defender settings. It is part of Microsoft Defender XDR and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the XDR SysAdmin role do?

The XDR SysAdmin role grants permissions including: Authorization (manage) - Full management of device groups, custom roles, and role assignments; Core security settings (manage) - View and manage security settings across workloads; and System settings (manage) - View and manage general portal settings and configurations. See the Permissions section above for the full list.

What are the security risks of the XDR SysAdmin role?

Key considerations when assigning XDR SysAdmin: Can grant any Defender permission to any group; Can create roles with full security access; Settings changes affect all users in tenant; and Should be tightly controlled and audited. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →