Microsoft Defender XDR · XDR System Administration

XDR SysAdmin

Manages the Defender XDR system, including RBAC roles, device groups, core settings, and system configuration. This is the single administrative role for XDR platform management.

Scope: Defender XDR platform administration and access management

Permissions

  • Authorization (manage) - Full management of device groups, custom roles, and role assignments
  • Core security settings (manage) - View and manage security settings across workloads
  • System settings (manage) - View and manage general portal settings and configurations

Common use cases

  • IT security administrators managing Defender RBAC
  • IAM teams implementing least privilege access
  • Security architects designing role structures
  • Platform administrators configuring Defender settings

Best practices

  • Limit to dedicated IAM/security administrators
  • Document all custom roles and their justifications
  • Review role assignments on a regular schedule
  • Use device groups to scope access appropriately
  • Use PIM for just-in-time activation of this role

Security considerations

  • Can grant any Defender permission to any group
  • Can create roles with full security access
  • Settings changes affect all users in the tenant
  • Should be tightly controlled and audited
