+### Offboard devices from Microsoft Defender for Business (optional)

+If you canceled your subscription, you can offboard devices, such as computers, phones, and tablets, that were onboarded to Defender for Business or Microsoft 365 Business Premium. See [Offboard a device from Microsoft Defender for Business](../../security/defender-business/mdb-offboard-devices.md).

+Microsoft 365 for business is a subscription service that lets you run your organization in the cloud while Microsoft takes care of the IT for you. We manage your devices, protect against real-world threats, and provide your organization with the latest in business software. You can sign up for a free trial subscription for Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Microsoft Defender for Business, or Microsoft 365 Apps for business and try it out for 30 days.

+To create an account and sign up for a free trial subscription of Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Business Premium, Microsoft Defender for Business, or Microsoft 365 Apps for business, use the following steps.

+- [Set up Microsoft 365 Business Premium](../business-premium/index.md)

+- [Set up Microsoft Defender for Business](../security/defender-business/mdb-setup-configuration.md)

+## Week of July 31, 2023

+| Published On |Topic title | Change |

+|||--|

+| 7/31/2023 | [Batch Delete Indicators API](/microsoft-365/security/defender-endpoint/batch-delete-ti-indicators?view=o365-worldwide) | added |

+| 7/31/2023 | [URLs and IP address ranges for Office 365 operated by 21Vianet](/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide) | modified |

+| 7/31/2023 | [Service advisories for eDiscovery cmdlet exception spike in Exchange Online monitoring](/microsoft-365/enterprise/microsoft-365-exchange-monitoring-service-advisories?view=o365-worldwide) | added |

+| 8/1/2023 | [Asset rule management - Dynamic rules](/microsoft-365/security/defender/configure-asset-rules?view=o365-worldwide) | added |

+| 8/1/2023 | [Onboard to Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/mdvm-onboard-devices?view=o365-worldwide) | added |

+| 8/1/2023 | [Set up and manage content assembly in Microsoft Syntex](/microsoft-365/syntex/content-assembly-setup) | added |

+| 8/1/2023 | [Compare Microsoft Defender Vulnerability Management plans and capabilities](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide) | modified |

+| 8/1/2023 | [Microsoft Defender Vulnerability Management frequently asked questions](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-faq?view=o365-worldwide) | modified |

+| 8/1/2023 | [About the Microsoft Defender Vulnerability Management trial](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide) | modified |

+| 8/1/2023 | [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management?view=o365-worldwide) | modified |

+| 8/1/2023 | [Sign up for Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management?view=o365-worldwide) | modified |

+| 8/1/2023 | [Event timeline](/microsoft-365/security/defender-vulnerability-management/threat-and-vuln-mgt-event-timeline?view=o365-worldwide) | modified |

+| 8/1/2023 | [Trial user guide - Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management?view=o365-worldwide) | modified |

+| 8/1/2023 | [Assign device value](/microsoft-365/security/defender-vulnerability-management/tvm-assign-device-value?view=o365-worldwide) | modified |

+| 8/1/2023 | [Block vulnerable applications](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified |

+| 8/1/2023 | [Browser extensions assessment](/microsoft-365/security/defender-vulnerability-management/tvm-browser-extensions?view=o365-worldwide) | modified |

+| 8/1/2023 | [Certificate inventory](/microsoft-365/security/defender-vulnerability-management/tvm-certificate-inventory?view=o365-worldwide) | modified |

+| 8/1/2023 | [Create and view exceptions for security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-exception?view=o365-worldwide) | modified |

+| 8/1/2023 | [Exposure score in Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide) | modified |

+| 8/1/2023 | [Firmware and hardware assessment](/microsoft-365/security/defender-vulnerability-management/tvm-hardware-and-firmware?view=o365-worldwide) | modified |

+| 8/1/2023 | [Hunt for exposed devices](/microsoft-365/security/defender-vulnerability-management/tvm-hunt-exposed-devices?view=o365-worldwide) | modified |

+| 8/1/2023 | [Microsoft Secure Score for Devices](/microsoft-365/security/defender-vulnerability-management/tvm-microsoft-secure-score-devices?view=o365-worldwide) | modified |

+| 8/1/2023 | [Network share configuration assessment](/microsoft-365/security/defender-vulnerability-management/tvm-network-share-assessment?view=o365-worldwide) | modified |

+| 8/1/2023 | [Remediate vulnerabilities](/microsoft-365/security/defender-vulnerability-management/tvm-remediation?view=o365-worldwide) | modified |

+| 8/1/2023 | [Security baselines assessment](/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines?view=o365-worldwide) | modified |

+| 8/1/2023 | [Security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation?view=o365-worldwide) | modified |

+| 8/1/2023 | [Software inventory](/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory?view=o365-worldwide) | modified |

+| 8/1/2023 | [Software usage insights](/microsoft-365/security/defender-vulnerability-management/tvm-usage-insights?view=o365-worldwide) | modified |

+| 8/1/2023 | [Vulnerable devices report](/microsoft-365/security/defender-vulnerability-management/tvm-vulnerable-devices-report?view=o365-worldwide) | modified |

+| 8/1/2023 | [Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses?view=o365-worldwide) | modified |

+| 8/1/2023 | [Mitigate zero-day vulnerabilities](/microsoft-365/security/defender-vulnerability-management/tvm-zero-day-vulnerabilities?view=o365-worldwide) | modified |

+| 8/1/2023 | [What's new in Microsoft Defender Vulnerability Management Public Preview](/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management?view=o365-worldwide) | modified |

+| 8/1/2023 | [DeviceInfo table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-deviceinfo-table?view=o365-worldwide) | modified |

+| 8/1/2023 | [SKOS format reference for SharePoint taxonomy](/microsoft-365/syntex/skos-format-reference) | modified |

+| 8/1/2023 | [Microsoft Syntex documentation # < 60 chars](/microsoft-365/syntex/index) | modified |

+| 8/2/2023 | [What's new in Microsoft 365 Defender Unified role-based access control (RBAC)](/microsoft-365/security/defender/whats-new-in-microsoft-defender-urbac?view=o365-worldwide) | added |

+| 8/2/2023 | [Create a rule to set a content type when a file is added to a document library in Microsoft Syntex](/microsoft-365/syntex/content-processing-content-type) | added |

+| 8/2/2023 | [How to prepare a Windows VHD for Test Base](/microsoft-365/test-base/prepare-testbase-vhd-file?view=o365-worldwide) | added |

+| 8/2/2023 | Contracts FAQ | removed |

+| 8/2/2023 | [Create a rule to move or copy a file from one document library to another in Microsoft Syntex](/microsoft-365/syntex/content-processing-create-rules) | modified |

+| 8/2/2023 | [Overview of content processing in Microsoft Syntex](/microsoft-365/syntex/content-processing-overview) | modified |

+| 8/2/2023 | [Overview](/microsoft-365/test-base/overview?view=o365-worldwide) | modified |

+| 8/2/2023 | [Pilot ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus?view=o365-worldwide) | added |

+| 8/2/2023 | [Production ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus?view=o365-worldwide) | added |

+| 8/2/2023 | [Production ring deployment using Group Policy and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update?view=o365-worldwide) | added |

+| 8/2/2023 | [Production ring deployment using Group Policy and network share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | added |

+| 8/2/2023 | [Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | added |

+| 8/2/2023 | [Ring deployment using Intune and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update?view=o365-worldwide) | added |

+| 8/2/2023 | [Ring deployment using System Center Configuration Manager and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus?view=o365-worldwide) | added |

+| 8/2/2023 | [Microsoft Defender Antivirus ring deployment guide overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment?view=o365-worldwide) | added |

+| 8/3/2023 | [Test against Windows monthly security updates](/microsoft-365/test-base/validate-monthly-security-updates?view=o365-worldwide) | added |

+| 8/3/2023 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified |

+| 8/3/2023 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified |

+| 8/3/2023 | [Find and release quarantined messages as a user](/microsoft-365/security/office-365-security/quarantine-end-user?view=o365-worldwide) | modified |

+| 8/3/2023 | [Quarantined messages FAQ](/microsoft-365/security/office-365-security/quarantine-faq?view=o365-worldwide) | modified |

+| 8/3/2023 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified |

+| 8/3/2023 | [Quarantine notifications (end-user spam notifications) in Microsoft 365](/microsoft-365/security/office-365-security/quarantine-quarantine-notifications?view=o365-worldwide) | modified |

+| 8/4/2023 | [Test against Windows new features](/microsoft-365/test-base/against-windows-new-features?view=o365-worldwide) | added |

+| 8/4/2023 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |

+| 8/4/2023 | [Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified |

+| 8/4/2023 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-worldwide) | modified |

+| 8/4/2023 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified |

+| 8/4/2023 | [Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance](/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide) | modified |

+| 8/4/2023 | [Azure Active Directory setup guides](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide) | modified |

+| 8/4/2023 | [Step 2. Protect your Microsoft 365 privileged accounts](/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide) | modified |

+| 8/4/2023 | [Deploy frontline dynamic teams at scale](/microsoft-365/frontline/deploy-dynamic-teams-at-scale?view=o365-worldwide) | modified |

+| 8/4/2023 | [Create a B2B extranet with managed guests](/microsoft-365/solutions/b2b-extranet?view=o365-worldwide) | modified |

+### Exchange Online license

+Loop workspaces currently require each user to have an Exchange Online license and the user account cannot be a resource account (e.g. a shared mailbox user). If these requirements are not met, users will experience failures in the Loop app; won't receive notifications or signals when they collaborate and update; and encounter failures in other experiences also.

+### WebSocket connections

+Loop's near real-time communications are enabled by the core services that run a WebSocket server. Coauthors in the same session need to establish secured WebSocket connections to this service to send and receive collaborative data such as changes made by others, live cursors, presence, and so on. These experiences are crucial to Loop, and to all the scenarios powered by Fluid framework. So, at the minimum, WebSocket will need to be unblocked from the user's endpoint.

+## Settings management in the Microsoft Admin Center

+If you're looking for a simple way to turn on or off the creation of content in Loop workspaces in your tenant, do the following:

+1. Sign in to the Microsoft 365 admin center as a Global Administrator.

+2. Navigate to [Home > Org settings > Services > Loop](https://admin.microsoft.com/Adminportal/Home#/Settings/Services/:/Settings/L1/Loop).

+3. Choose your desired state for Loop workspaces via the checkbox.

+ > [!NOTE]

+ > If your tenant was automatically enabled as part of an early adopter program by Microsoft, the checkbox may not reflect this. However, the state you save in the Admin Center will override any defaults for your tenant.

+4. Select Save.

+The Microsoft Admin Center will configure the Cloud Policy setting described below, targeted at All users (your full tenant). See the next section if you wish to perform more advanced controls.

+2. Select **Customization** from the left pane.

+3. Select **Policy Management**.

+4. Create a new policy configuration or edit an existing one.

+5. From the **Choose the scope** dropdown list, choose either **All users** or select the group for which you want to apply the policy. For more information, See [Microsoft 365 Groups for Cloud Policy](#microsoft-365-groups-for-cloud-policy).

+6. In **Configure Settings**, choose **Create and view Loop workspaces in Loop** and then choose one of the following settings:

+7. Save the policy configuration.

+8. Reassign priority for any security group, if required. (If two or more policy configurations are applicable to the same set of users, the one with the higher priority is applied.)

+[Get started with Microsoft Loop - Microsoft Support](https://support.microsoft.com/office/get-started-with-microsoft-loop-9f4d8d4f-dfc6-4518-9ef6-069408c21f0c)

+- The list of built-in exclusions changes frequently with [security intelligence updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates) and product updates. This article lists some, but not all, of the built-in and automatic exclusions.

+- [Microsoft Defender for Business](../defender-business/mdb-overview.md)

+> This document explains the data storage and privacy details related to Defender for Endpoint and Defender for Business. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.

+Built-in exclusions are updated through security intelligence updates and product updates. To learn more about these exclusions, see [Microsoft Defender Antivirus exclusions on Windows Server: Built-in exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#built-in-exclusions).

+## August 2023

+- **Data completeness**

+ - Extended file attributes and registry monitoring capabilities to enhance investigation and detection experience. 

+

+ - Conditional Access - Expanding integration between Microsoft Defender for Endpoint and Intune to support additional Azure Active Directory (AAD) joined scenarios to deploy conditional access policies in your environment and enable Zero Trust policies to better protect your network against adversaries. 

+ - Engine bugfixes and improvements. 

+- **Platform**

+ - Enabled safer deployment of features through rings and containment mechanism enhancements. 

+ - Consolidate the billing and alert experiences of customers that are onboarded to both Microsoft Defender for Endpoint and Microsoft Defender for Cloud in cloud environments by collecting machine identifiers that allow de-duplication on cloud side. 

+- **Hardening**

+ - General hardening improvements. 

+- **Response** 

+ - Device Isolation improvements. For more information, see [Take response actions on a device](respond-machine-alerts.md) 

+ - Strengthen the resilience of device isolation permit and block rules.  

+ - Allow a device that is disconnected from a Command and Control channel using offline signed command to be removed from isolation.  

+ - Improved performance for [Live Response](live-response.md) commands when executed concurrently with automatic investigation.  

+ - Send command status events for isolate and IR commands through Command and Control channel to improve performance, support future design changes, and easier monitoring. 

+ - Custom Exclusion for Isolation - exclusion of apps, allow list of IP addresses and ports, and users.

+ - Isolation hardening is a measure taken against a technique known as process hollowing. Implementing this hardening approach, a system can establish stronger isolation rules that significantly enhance security when dealing with code injection tactics.  

+

+ - Reduce device disconnections for isolated device caused by third-party inspection drivers. For more information, see [Take response actions on a device](respond-machine-alerts.md).

+- **Vulnerability management** 

+

+ - Replaces some of the current threat vulnerability collections and adds new much requested user installed packages collector. 

+ - New and higher-performing (both CPU and memory) vulnerabilities collector. 

+ - Changes on devices will be reflected in a timelier manner to the portal, enabling them to take action against threats faster. 

+ - Bugfix in Vulnerability Management client management component - race condition. 

+- **Threat Prevention/Protection** 

+ - Lateral Movement Firewall - Addressing advanced attacks inflicting customers (Human Operated Ransomware) by expanding identity-oriented response capabilities known to be gaps in our current protection story.

+ - Supporting force close active SMB sessions for incriminated users as part of Lateral Movement Firewall to disrupt and terminate active malicious sessions. 

+ - Device Contain - Introducing new Windows Filtering Platform (WFP) network filter to allow telemetry & audit-mode capabilities to network connections enforcements. For more information, see - [Take response actions on a device in Microsoft Defender for Endpoint](respond-machine-alerts.md#contain-devices-from-the-network).

+ - Anti-tampering - Addressing tampering gaps in Defender for Endpoint authentication flow by hardening protection of the cryptographic key used to register clients with Defender for Endpoint's authentication service. This is done by storing the key in an AV-protected registry key. 

+- **MITRE**

+ - Introducing a new sensor for MITRE. 

+ - Alternative data streams support. 

+ - Extended Registry monitoring capabilities. 

+ Title: Activate Microsoft 365 Defender Unified role-based access control (RBAC)

+description: Activate Microsoft 365 Defender Security unified role-based access control(RBAC)

+# Activate Microsoft 365 Defender Unified role-based access control (RBAC)

+For the Microsoft 365 Defender security portal to start enforcing the permissions and assignments configured in your new [custom roles](create-custom-rbac-roles.md) or [imported roles](import-rbac-roles.md) you must activate the Microsoft 365 Defender Unified RBAC model for some or all of your workloads.

+## Activate Microsoft 365 Defender Unified RBAC

+The following steps guide you on how to activate the Microsoft 365 Defender Unified RBAC model. You can activate your workloads in the following ways:

+ > The **Activate workloads** button is only available when there is it at least one workload that's not active for Microsoft 365 Defender Unified RBAC.

+> The Microsoft 365 Defender Unified RBAC model only impacts the Microsoft 365 Defender security portal. It does not impact the [Microsoft Purview Compliance center](https://compliance.microsoft.com) or the [Exchange Admin Center](https://admin.exchange.microsoft.com).

+## Deactivate Microsoft 365 Defender Unified RBAC

+You can deactivate Microsoft 365 Defender Unified RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (Exchange Online Protection).

+If you deactivate a workload, the roles created and edited within Microsoft 365 Defender Unified RBAC won't be effective and you'll return to using the previous permissions model. This will remove any access that users assigned these roles have.

+ Title: Map Microsoft 365 Defender Unified role-based access control (RBAC) permissions

+# Map Microsoft 365 Defender Unified role-based access control (RBAC) permissions

+All permissions listed within the Microsoft 365 Defender Unified RBAC model align to existing permissions in the individual RBAC models. Once you activate the Microsoft 365 Defender Unified RBAC model the permissions and assignments configured in your imported roles will replace the existing roles in the individual RBAC models.

+This article describes how existing roles and permissions in Microsoft Defender for Endpoint, Microsoft Defender for Office 365 (Exchange Online Protection), Microsoft Defender for Identity, and Azure Active Directory roles map to the roles and permission in the Microsoft 365 Defender Unified RBAC model.

+## Map Microsoft 365 Defender Unified RBAC permissions to existing RBAC permissions

+Use the tables in the following sections to learn more about how your existing individual RBAC role definitions map to your new Microsoft 365 Defender Unified RBAC roles:

+1. [Map Defender for Endpoint permissions](#map-defender-for-endpoint-permissions-to-the-microsoft-365-defender-unified-rbac-permissions)

+2. [Map Defender for Office 365 (Exchange Online Protection) roles](#map-defender-for-office-365-exchange-online-protection-roles-to-the-microsoft-365-defender-unified-rbac-permissions)

+3. [Map Microsoft Defender for Identity permissions](#map-microsoft-defender-for-identity-permissions-to-the-microsoft-365-defender-unified-rbac-permissions)

+### Map Defender for Endpoint permissions to the Microsoft 365 Defender Unified RBAC permissions

+|Defender for Endpoint permission|Microsoft 365 Defender Unified RBAC permission|

+### Map Defender for Office 365 (Exchange Online Protection) roles to the Microsoft 365 Defender Unified RBAC permissions

+|Defender for Office (EOP) role group|Microsoft 365 Defender Unified RBAC permission|

+### Map Microsoft Defender for Identity permissions to the Microsoft 365 Defender Unified RBAC permissions

+Use this table to learn about the permissions assigned by default for each workload (Defender for Endpoint, Defender for Office and Defender for Identity) in Microsoft 365 Defender Unified RBAC to each global Azure Active Directory role.

+|AAD role|Microsoft 365 Defender Unified RBAC assigned permissions for all workloads|Microsoft 365 Defender Unified RBAC assigned permissions ΓÇô workload specific|

+|Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage)</br>Authorization and settings \ Authorization \ (All permissions)</br>Authorization and settings \ Security settings \ (All permissions)</br>Authorization and settings \ System settings \ (All permissions) |_**Defender for Endpoint only permissions**_ </br>Security operations \ Basic live response (manage)</br>Security operations \ Advanced live response (manage) </br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br>Security posture \ Posture management \ Application handling (manage)</br>Security posture \ Posture management \ Security baseline assessment (manage)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Email quarantine (manage)</br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)|

+|Global reader|Security operations \ Security data \ Security data basics (read)</br>Security posture \ Posture management \ Secure Score (read) </br>|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ Authorization \ (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|

+|Security reader|Security operations \ Security data \ Security data basics (read)</br>Security posture \ Posture management \ Secure Score (read) </br>|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|

+|Security operator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Security posture \ Posture management \ Secure Score (read)</br>Authorization and settings \ Security settings \ (All permissions)|_**Defender for Endpoint only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br> Security operations \ Security data \ File collection (manage) </br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Authorization and settings \ System settings \ (read)|

+|Exchange Administrator|Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage)|not applicable|

+|SharePoint Administrator|Security posture \ Posture management \ Secure Score (read) </br> Security posture \ Posture management \ Secure Score (manage)|not applicable|

+|Service Support Administrator|Security posture \ Posture management \ Secure Score (read) |not applicable|

+|User Administrator|Security posture \ Posture management \ Secure Score (read) |not applicable|

+|HelpDesk Administrator|Security posture \ Posture management \ Secure Score (read) |not applicable|

+> By activating the Microsoft 365 Defender Unified RBAC model, users with Security reader and Global reader roles will have access to Defender for Endpoint data.

+- [Activate Microsoft 365 Defender Unified RBAC](activate-defender-rbac.md)

+ Title: Create custom roles with Microsoft 365 Defender Unified role-based access control (RBAC)

+# Create custom roles with Microsoft 365 Defender Unified RBAC

+The following steps guide you on how to create custom roles in Microsoft 365 Defender Unified RBAC.

+> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender Unified RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

+ > By selecting **Choose all data sources** all supported data sources within Microsoft 365 Defender Unified RBAC and any future data sources that are added will be automatically assigned to this assignment.

+ > In Microsoft 365 Defender Unified RBAC, you can create as many assignments as needed under the same role with same permissions. For example, you can have an assignment within a role that has access to all data sources and then a separate assignment for a team that only needs access to Endpoint alerts from the Defender for Endpoint data source. This enables maintaining the minimum number of roles.

+> For the Microsoft 365 Defender security portal to start enforcing the permissions and assignments configured in your new or imported roles, you'll need to activate the new Microsoft 365 Defender Unified RBAC model. For more information, see [Activate Microsoft 365 Defender Unified RBAC](activate-defender-rbac.md).

+- [Activate Microsoft 365 Defender Unified RBAC](activate-defender-rbac.md)

+ Title: Details of custom permissions in Microsoft 365 Defender Unified role-based access control (RBAC)

+# Permissions in Microsoft 365 Defender Unified role-based access control (RBAC)

+In Microsoft 365 Defender Unified role-based access control (RBAC) you can select permissions from each permission group to customize a role.

+## Microsoft 365 Defender Unified RBAC permission details

+|Secure Score|Read / Manage|Manage permissions to Secure Score data including which users have access to the data and the products for which they will see Secure Score data.|

+> Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online. The Microsoft 365 Defender Unified RBAC model will initially be available for organizations with Microsoft Defender for Office Plan 2 licenses.

+- [Activate Microsoft 365 Defender Unified RBAC](activate-defender-rbac.md)

+> [!NOTE]

+> Any incident response services offered by Defender Experts will be offered under the Defender Experts Service Terms.

+> [!NOTE]

+> Any incident response services offered by Defender Experts will be offered under the Defender Experts Service Terms.

+ Title: Edit or delete roles Microsoft 365 Defender Unified role-based access control (RBAC)

+# Edit or delete roles in Microsoft 365 Defender Unified role-based access control (RBAC)

+In Microsoft 365 Defender Unified role-based access control (RBAC), you can edit and delete custom roles or roles that were imported from Defender for Endpoint, Defender for Identity, or Defender for Office 365.

+The following steps guide you on how to edit roles in Microsoft 365 Defender Unified RBAC:

+> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender Unified RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

+> After editing an imported role, the changes made in Microsoft 365 Defender Unified RBAC will not be reflected back in the individual product RBAC model.

+To delete roles in Microsoft 365 Defender Unified RBAC, select the role or roles you want to delete and select **Delete roles**.

+> After deleting an imported role, the role won't be deleted from the individual product RBAC model. If needed, you can re-import it to the Microsoft 365 Defender Unified RBAC list of roles.

+- [Map existing RBAC roles to Microsoft 365 Defender Unified RBAC roles](compare-rbac-roles.md)

+ Title: Import roles to Microsoft 365 Defender Unified role-based access control (RBAC)

+# Import roles to Microsoft 365 Defender Unified role-based access control (RBAC)

+## Import roles to Microsoft 365 Defender Unified RBAC from individual RBAC models

+You can import existing roles that are maintained as part of individual supported products in Microsoft 365 Defender (for example, Microsoft Defender for Endpoint) to the Microsoft 365 Defender Unified RBAC model.

+Importing roles will migrate and maintain the roles with full parity in relation to their permissions and user assignments in the Microsoft 365 Defender Unified RBAC model.

+The following steps guide you on how to import roles into Microsoft 365 Defender Unified RBAC:

+> You must be a Global Administrator or Security Administrator in Azure Active Directory, or have all the **Authorization** permissions assigned in Microsoft 365 Defender Unified RBAC to perform this task. For more information on permissions, see [Permission pre-requisites](../defender/manage-rbac.md#permissions-pre-requisites).

+For the Microsoft 365 Defender security portal to start enforcing the permissions and assignments configured in your new or imported roles, you'll need to activate the new Microsoft 365 Defender Unified RBAC model. For more information, see [Activate the workloads](activate-defender-rbac.md).

+- [Activate Microsoft 365 Defender Unified RBAC](activate-defender-rbac.md)

+ Title: Microsoft 365 Defender Unified role-based access control (RBAC)

+description: Manage permissions and access to Microsoft 365 Defender Security portal experiences using unified role-based access control (RBAC)

+# Microsoft 365 Defender Unified role-based access control (RBAC)

+The Microsoft 365 Defender Unified role-based access control (RBAC) model provides a single permissions management experience that provides one central location for administrators to control user permissions across different security solutions.

+## What's supported by the Microsoft 365 Defender Unified RBAC model

+|Microsoft Defender for Office 365|Support for all scenarios that were controlled by **Exchange Online Protection roles** (EOP), configured in the Microsoft 365 Defender portal under **Permissions** \> **Email & collaboration roles**. </br></br> **Note:** Scenarios that adhere to Exchange Online roles are not impacted by this new model and will still be managed by Exchange Online. The Microsoft 365 Defender Unified RBAC model will initially be available for organizations with Microsoft Defender for Office Plan 2 licenses only. This capability is not available to users on trial licenses.|

+|Microsoft Secure Score|Full support for all Secure Score data from the [Products included in Secure Score](../defender/microsoft-secure-score.md#products-included-in-secure-score).|

+This section provides useful information on what you need to know before you start using Microsoft 365 Defender Unified RBAC.

+ - Manage roles and permissions in Microsoft 365 Defender Unified RBAC.

+ - Create a custom role that can grant access to security groups or individual users to manage roles and permissions in Microsoft 365 Defender unified RBAC. This will remove the need for Azure Active Directory global roles to manage permissions. To do this you need assign the **Authorization** permission in Microsoft 365 Defender Unified RBAC. For details on how to assign the Authorization permission, see [Create a role to access and manage roles and permissions](../defender/create-custom-rbac-roles.md#create-a-role-to-access-and-manage-roles-and-permissions).

+- The Microsoft 365 Defender security solution will continue to respect existing Azure Active Directory global roles when you activate the Microsoft 365 Defender Unified RBAC model for some or all of your workloads i.e. Global Admins will retain assigned admin privileges.

+The new Microsoft 365 Defender Unified RBAC model provides easy migration of the existing permissions in the individual supported unified RBAC models to the new RBAC model.

+All permissions listed within the Microsoft 365 Defender Unified RBAC model align to permissions in the individual RBAC models to ensure backward compatibility. For more information on how the permissions align, see [Map permissions in Microsoft 365 Defender unified role-based access control (RBAC)](compare-rbac-roles.md).

+### Activation of the Microsoft 365 Defender Unified RBAC model

+You must activate the workloads in Microsoft 365 Defender to use the Microsoft 365 Defender Unified RBAC model. Until activated, Microsoft 365 Defender will continue to respect the existing RBAC models. For more information, see [Activate Microsoft 365 Defender Unified RBAC](activate-defender-rbac.md).

+When you activate some or all of your workloads to use the new permission model, the roles and permissions for these workloads will be fully controlled by the Microsoft 365 Defender Unified RBAC model in the Microsoft 365 Defender portal.

+## Start using Microsoft 365 Defender Unified RBAC model

+Use the following steps as a guide to start using the Microsoft 365 Defender Unified RBAC model:

+2. **Activate and manage your roles with the Microsoft 365 Defender Unified RBAC model**

+ - [Activate Microsoft 365 Defender Unified RBAC](activate-defender-rbac.md)

+3. **Learn more about the Microsoft 365 Defender Unified RBAC model**

+ - [Microsoft 365 Defender Unified RBAC permissions](custom-permissions-details.md)

+ - [Map existing RBAC roles to Microsoft 365 Defender Unified RBAC roles](compare-rbac-roles.md)

+[Microsoft 365 Defender](https://security.microsoft.com) combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats, and now includes all functionality provided in the [legacy, classic Defender for Identity portal](/previous-versions/defender-for-identity).

+## August 2023

+**Microsoft Secure Score permissions integration with Microsoft 365 Defender Unified role-based access control (RBAC) is now in Public Preview** </br>

+Previously, only Azure Active Directory global roles (such as Global Administrators) could access Microsoft Secure Score. Now, you'll be able to control access and grant granular permissions for the Microsoft Secure Score experience as part of the Microsoft 365 Defender Unified RBAC model. 

+You can add the new permission and choose the data sources the user has access to by selecting the **Security posture** permissions group when creating the role. For more information, see [Create custom roles with Microsoft 365 Defender Unified RBAC](./create-custom-rbac-roles.md). Users will see Secure Score data for the data sources they have permissions to.

+A new data source **Secure Score ΓÇô Additional data source** is also available. Users with permissions to this data source, will have access to additional data within the Secure score dashboard. For more information on additional data sources, see [Products included in Secure Score](./microsoft-secure-score.md#products-included-in-secure-score).

+Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at [Microsoft Secure Score](https://security.microsoft.com/securescore) in the [Microsoft 365 Defender portal](microsoft-365-defender-portal.md).

+## Secure Score permissions

+### Manage permissions with Microsoft 365 Defender Unified role-based access control(RBAC)

+With [Microsoft 365 Defender Unified role-based access control(RBAC)](manage-rbac.md), you can create custom roles with specific permissions for Secure Score. This allows you to control which users have access to Secure Score data, the products for which they will see Secure Score data (for example, Microsoft Defender for Endpoint) and their permission level to the data.

+You can also manage user permissions to access Secure Score data from additional data sources, such as the other products supported by Secure Score, for more information, see [Products included in Secure Score](#products-included-in-secure-score). You can view the Secure Score data from the additional data sources either alone or alongside the other data sources.

+To start using Microsoft 365 Defender Unified RBAC to manage your Secure Score permissions, see [Microsoft 365 Defender Unified role-based access control(RBAC)](manage-rbac.md).

+> [!NOTE]

+> Currently, the model is only supported in the Microsoft 365 Defender portal. If you want to use GraphAPI (for example, for internal dashboards or Defender for Identity Secure Score) you should continue to use Azure Active Directory roles. Support GraphAPI is planned at a later date.

+### Azure Active Directory global roles permissions

+Azure Active Directory global roles (for example, Global Administrator) can still be used to access Secure Score. Users who have the supported Azure Active Directory global roles, but are not assigned to a custom role in Microsoft 365 Defender Unified RBAC, will continue to have access to view (and manage where permitted) Secure Score data as outlined below:

+The following roles have read and write access and can make changes, directly interact with Secure Score, and can assign read-only access to other users:

+The following roles have read-only access and aren't able to edit status or notes for a recommended action, edit score zones, or edit custom comparisons:

+> [!NOTE]

+> If you want to follow the principle of least privilege access (where you only give users and groups the permissions, they need to do their job), Microsoft recommends that you remove any existing elevated Azure Active Directory global roles for users and/or security groups assigned a custom role with Secure Score permissions. This will ensure that the custom Microsoft 365 Defender Unified RBAC roles will take effect.

+### Microsoft Secure Score permissions integration with Microsoft 365 Defender Unified role-based access control (RBAC) is now in Public Preview </br>

+You can control access and grant granular permissions for the Microsoft Secure Score experience as part of the Microsoft 365 Defender Unified RBAC model. For more information, see [Manage permissions with Microsoft 365 Defender Unified role-based access control(RBAC)](./microsoft-secure-score.md#manage-permissions-with-microsoft-365-defender-unified-role-based-access-controlrbac). </br>

+### A new file collection permission in Microsoft 365 Defender Unified RBAC is now in Public Preview </br>

+You can now assign a new granular permission in Microsoft 365 Defender Unified RBAC that allows users to collect or download files for analysis. This permission enables Microsoft Defender for Endpoint users download files directly from the file page and during a live response investigation in the live response console.

+You can add the new permission to a custom role by selecting it from the **Security operations** permissions group when creating the role. For more information, see [Create custom roles with Microsoft 365 Defender Unified RBAC](./create-custom-rbac-roles.md).

+By default, prebuilt document processing is turned on for libraries in all SharePoint sites. Follow these steps to manage which SharePoint sites users can use to create prebuilt models to process files.

+By default, unstructured document processing is turned on for libraries in all SharePoint sites. Follow these steps to manage which SharePoint sites users can use to create custom models to process files.