Microsoft Defender XDR RBAC Roles

Microsoft Defender XDR Unified RBAC role compositions for investigations, threat response, configuration, and security operations.

7 roles across 4 categories.

Security Operations

Permissions: Security data basics, Alerts & incidents, Response, Basic live response, Advanced live response, Email & collaboration quarantine, Email & collaboration advanced actions, Email & collaboration metadata, Email & collaboration content, File collection, Data (Sentinel), Analytics job schedule

  • Security Analyst

    Investigates security incidents, hunts for threats, and analyzes alerts. Read-focused role with hunting and investigation capabilities.

  • Security Operations Manager

    Full access to security operations including all data, response actions, live response, and email security. Senior SOC leadership role.

  • Threat Hunting Analyst

    Proactively hunts for threats using advanced hunting queries, analyzes attack patterns, and identifies indicators of compromise. Specialized role focused on threat discovery.

  • Incident Responder

    Takes response actions to contain and remediate threats. Can isolate devices, manage quarantine, and perform live response.

Security Detections

Permissions: Security data basics (read), Detection tuning

  • Detection Engineer

    Creates and manages custom detections, alert tuning, threat indicators, and advanced hunting queries. The single role for all detection-related activities.

XDR System Administration

Permissions: Authorization, Core security settings, System settings

  • XDR SysAdmin

    Manages the Defender XDR system, including RBAC roles, device groups, core settings, and system configuration. The single administrative role for XDR platform management.

Security Posture Management

Permissions: Vulnerability management, Exception handling, Remediation handling, Application handling, Security baseline assessment, Exposure management

  • Security Posture Manager

    Owns vulnerability management, exposure management, and security posture across the organization. The single role for all posture-related activities.