-
Notifications
You must be signed in to change notification settings - Fork 166
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1177 from MicrosoftDocs/main
Publish main to live, 08/20, 3:30 PM IST
- Loading branch information
Showing
28 changed files
with
219 additions
and
88 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| --- | ||
| title: Configure the permissions needed for Microsoft Defender for IoT in the Defender portal | ||
| description: This article describes how to configure the permissions required for Microsoft Defender for IoT in the Microsoft Defender portal. | ||
| ms.service: defender-for-iot | ||
| author: lwainstein | ||
| ms.author: lwainstein | ||
| ms.localizationpriority: medium | ||
| ms.date: 07/23/2024 | ||
| ms.topic: how-to | ||
| --- | ||
|
|
||
| # Configure full roles and permissions | ||
|
|
||
| The Microsoft Defender portal allows granular access to features and data based on user roles and the permissions given to each user with Role-Based Access Control (RBAC). | ||
|
|
||
| Microsoft Defender for IoT is part of the Defender portal and user access permissions for alerts, incidents, device inventory, device groups and vulnerabilities should already be configured. Nevertheless, with the added features of Defender for IoT you might want to check, adjust or add to the existing roles and permissions of your team in the Defender portal. | ||
|
|
||
| This article shows you how to make general changes to RBAC roles and permissions that relate to all areas of Defender for IoT in the Defender portal. To set up roles and permissions specifically for site security, see [set up RBAC permissions for site security](set-up-rbac.md). | ||
|
|
||
| [!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)] | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - Review [the general prerequisites for Microsoft Defender for IoT](prerequisites.md). | ||
| - Details of all users to be assigned updated roles and permissions for the Defender portal. | ||
|
|
||
| ## Access management options | ||
|
|
||
| There are two ways to manage user access to the Defender portal, depending on the type of tenent you're using. Each system has different named permissions that allow access for Defender for IoT. The two systems are: | ||
|
|
||
| - [Global Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference). | ||
| - [Unified RBAC](/defender-xdr/custom-roles): Use unified role-based access control (RBAC) to manage access to specific data, tasks, and capabilities in the Defender portal. | ||
|
|
||
| The instructions and permission settings listed in this article apply to the unified RBAC version. | ||
|
|
||
| ### RBAC for version 1 or 2 only | ||
|
|
||
| Depending on your tenant, you might have access to RBAC version 1 or 2 instead of the unified version. Assign RBAC permissions and roles, based on the [summary table](#summary-of-roles-and-permissions-for-all-defender-for-iot-features), to give users access to general Defender for IoT features. However, follow the instructions listed here [for RBAC version 1](/defender-endpoint/prepare-deployment), or here [for RBAC version 2](/defender-endpoint/user-roles#permission-options). | ||
|
|
||
| If you're using the Defender portal for the first time, you need to set up all of your roles and permissions. For more information, see [manage portal access using role-based access control](/defender-xdr/manage-rbac). | ||
|
|
||
| ## Unified RBAC roles for features in Defender for IoT | ||
|
|
||
| Assign RBAC permissions and roles, based on the [summary table](#summary-of-roles-and-permissions-for-all-defender-for-iot-features), to give users access to general Defender for IoT features: | ||
|
|
||
| 1. In the Defender portal, either: | ||
| 1. Select **Settings > Microsoft XDR > Permissions and roles**. | ||
| 1. Enable **Endpoints & Vulnerability Management**. | ||
| 1. Select **Go to Permissions and roles**. | ||
|
|
||
| 1. Select **Permissions > Microsft Defender XDR (1) > Roles**. | ||
|
|
||
| 1. Select **Create custom role**. | ||
| 1. Type a **Role name**, and select **Next** for **Permissions**. | ||
|
|
||
| :::image type="content" source="media/permissions/permissions-choose.png" alt-text="Screenshot of the permissions set up page with the categories of permissions for site security" lightbox="media/permissions/permissions-choose.png" ::: | ||
|
|
||
| 1. Select **Security operations**, select the permissions as needed, and select **Apply**. | ||
| 1. Select **Security posture**, select the permissions as needed, and select **Apply**. | ||
| 1. Select **Authorization and settings**, select the permissions as needed, and select **Apply**. | ||
|
|
||
| :::image type="content" source="media/permissions/permissions-choose-options.png" alt-text="Screenshot of the permissions set up page with the specific permissions chosen for site security" lightbox="media/permissions/permissions-choose-options.png" ::: | ||
|
|
||
| 1. Select **Next** for **Assignments**. | ||
| 1. Select **Add assignment**. | ||
| 1. Type a name. | ||
| 1. Choose users and groups. | ||
| 1. Select the Data sources. | ||
| 1. Select **Add**. | ||
| 1. Select **Next** for **Review and finish**. | ||
| 1. Select **Submit**. | ||
|
|
||
| ### Summary of roles and permissions for all Defender for IoT features | ||
|
|
||
| | Feature | Write permissions | Read permissions | | ||
| |---|----|---| | ||
| |Alerts and incidents| **Defender Permissions**: Alerts (manage) <br> **Entra ID roles**: Global Administrator, Security Administrator, Security Operator| Write roles<br> **Defender Permissions**: Security data basics<br>**Entra ID roles**: Global Reader, Security Reader | | ||
| |Vulnerabilities | **Defender Permissions**: Response (manage)/ Security operations / Security data <br>**Entra ID roles**: Global Administrator, Security Administrator, Security Operator | Write roles<br> **Defender Permissions**: Vulnerability management (read) <br> **Entra ID roles**: Global Reader, Security Reader | | ||
| |Inventory| **Defender Permissions**: Onboard offboard device: Detection tuning (manage) <br> Manage device tags: Alerts (manage) <br>**Entra ID roles**: Global Administrator, Security Administrator, Security Operator | Write roles <br>**Defender Permissions**: Security data basics/Security operations / Security data <br> **Entra ID roles**: Global Reader, Security Reader | | ||
| |Device group| **Defender Permissions**: Authorization (Read and manage) <br>**Entra ID roles**: Global Administrator, Security Administrator |**Defender Permissions**: Authorization (write roles, Read-only) | | ||
|
|
||
| To assign roles and permissions for other Microsoft Defender for Endpoint features, such as alerts, incidents and inventory, see [assign roles and permissions for Defender for Endpoint](/defender-endpoint/prepare-deployment). | ||
|
|
||
| For more information, see [map unified RBAC permissions](/defender-xdr/compare-rbac-roles#microsoft-entra-global-roles-access). | ||
|
|
||
| ## Next steps | ||
|
|
||
| [Monitor site security](monitor-site-security.md) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| --- | ||
| title: Permissions needed for the site security feature of Microsoft Defender for IoT in the Defender portal | ||
| description: This article describes the permissions required for the site security feature of Microsoft Defender for IoT in the Microsoft Defender portal. | ||
| ms.service: defender-for-iot | ||
| author: lwainstein | ||
| ms.author: lwainstein | ||
| ms.localizationpriority: medium | ||
| ms.date: 07/23/2024 | ||
| ms.topic: how-to | ||
| --- | ||
|
|
||
| # Set up RBAC permissions to access site security | ||
|
|
||
| The Microsoft Defender portal allows granular access to features and data based on user roles and the permissions given to each user with Role-Based Access Control (RBAC). | ||
|
|
||
| To access the Microsoft Defender for IoT features in the Defender portal, such as site security, and Defender for IoT specific alerts and vulnerability updates, you need to assign permissions and roles to the correct users. | ||
|
|
||
| This article shows you how to set up the new roles and permissions to access the site security and Defender for IoT specific features. | ||
|
|
||
| To make general changes to RBAC roles and permissions that relate to all other areas of Defender for IoT, see [configure general RBAC permissions](configure-permissions.md). | ||
|
|
||
| [!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)] | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - Review [the general prerequisites for Microsoft Defender for IoT](prerequisites.md). | ||
| - Details of all users to be assigned site security permissions. | ||
|
|
||
| ## Access management options | ||
|
|
||
| There are two ways to manage user access to the Defender portal, depending on the type of tenent you're using. Each system has different named permissions that allow access for site security. The two systems are: | ||
|
|
||
| - [Global Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference). | ||
| - [Unified RBAC](/defender-xdr/custom-roles): Use unified role-based access control (RBAC) to manage access to specific data, tasks, and capabilities in the Defender portal. | ||
|
|
||
| The instructions and permission settings listed in this article apply to the unified RBAC version. | ||
|
|
||
| ### RBAC for version 1 or 2 | ||
|
|
||
| Depending on your tenant, you might have access to RBAC version 1 or 2 instead of the unified version. For more information, see [permissions for RBAC version 1](/defender-endpoint/prepare-deployment), or [permissions for RBAC version 2](/defender-endpoint/user-roles#permission-options). | ||
|
|
||
| If you're using the Defender portal for the first time, you need to set up all of your roles and permissions. For more information, see [manage portal access using role-based access control](/defender-xdr/manage-rbac). | ||
|
|
||
| ## Set up unified RBAC roles for site security | ||
|
|
||
| Assign RBAC permissions and roles, based on the [summary table](#summary-of-roles-and-permissions-for-site-security), to give users access to site security features: | ||
|
|
||
| 1. In the Defender portal, select **Settings > Microsoft XDR > Permissions and roles**. | ||
| 1. Enable **Endpoints & Vulnerability Management**. | ||
| 1. Select **Go to Permissions and roles**. | ||
| 1. Select **Create custom role**. | ||
| 1. Type a **Role name**, and then select **Next** for Permissions. | ||
|
|
||
| :::image type="content" source="media/set-up-rbac/permissions-set-up.png" alt-text="Screenshot of the permissions set up page for site security." lightbox="media/set-up-rbac/permissions-set-up.png"::: | ||
|
|
||
| 1. Select **Security operations**, and select **Select custom permissions**. | ||
| 1. In **Security settings**, select **Security data basics** and select **Apply** | ||
| 1. Select **Authorization and settings**, select **Select custom permissions**. | ||
| 1. In **Security data** ,select **Core security settings (manage)** and select **Apply** | ||
|
|
||
| :::image type="content" source="media/set-up-rbac/permissions-choose-options.png" alt-text="Screenshot of the permissions set up page with the specific permissions chosen for site security." lightbox="media/set-up-rbac/permissions-choose-options.png"::: | ||
|
|
||
| 1. Select **Next** for Assignments. | ||
| 1. Select **Add assignment**, type a name, choose users and groups and select the Data sources. | ||
| 1. Select **Add**. | ||
| 1. Select **Next** to **Review and finish**. | ||
| 1. Select **Submit**. | ||
|
|
||
| ### Summary of roles and permissions for site security | ||
|
|
||
| |Write permissions |Read permissions | | ||
| |----|----| | ||
| | **Defender Permissions**: Core security settings scoped to all device groups. <br>**Entra ID roles**: Global Administrator, Security Administrator, Security Operator scoped to all device groups.| Write roles (including roles that aren't scoped to all device groups). <br> **Defender Permissions**: Security data basics (under Security Operations).<br>**Entra ID roles**: Global Reader, Security Reader.| | ||
|
|
||
| ## Next steps | ||
|
|
||
| Once you have set up the RBAC roles and permissions, [set up a site](set-up-sites.md) so that Microsoft Defender for IoT can begin sending data to the Defender portal. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 3 additions & 3 deletions
6
exposure-management/compare-secure-score-security-exposure-management.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.