mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-07-02 02:33:35 +00:00
Merged PR 6600: Merge atp-rs4-rbaclomayor2 to atp-rs4
Updated content
@ -28,14 +28,29 @@ ms.date: 04/16/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
Windows Defender ATP supports two ways to manage permissions:
## Assign user access using Azure PowerShell
- **Basic permissions management**: Set permissions to either full access or read-only.
- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For detailed guidance on how to use RBAC, read [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection).
> [!NOTE]
>If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
>- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC.
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management.
## Use basic permissions management
Refer to the instructions below to use basic permissions management. You can use either Azure PowerShell or the Azure Portal.
For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection).
### Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read only access
- Read-only access
### Before you begin
#### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
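Review bot: the RBAC bullet reads "Manage portal access using role-based based access control" (doubled word) and its link target `rbac-windows-defender-advanced-threat-protection` has no `.md` extension, unlike the same target elsewhere in this PR (`rbac-windows-defender-advanced-threat-protection.md`); fix the text and make the target consistent, and do the same for the "switch to role-based access control" link under "Use basic permissions management". In the NOTE, "Only global administrators can manage permissions using RBAC" is ambiguous one sentence after the default **Global administrator** role is named and with the Azure AD "Global Administrator" built-in role used in later hunks; say explicitly which of the two is meant. Minor: "For more information see, [How to install ...]" should be "For more information, see ...".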
@ -43,8 +58,6 @@ You can assign users with one of the following levels of permissions:
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
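Review bot: "Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles" presents the two roles as interchangeable; since full access is already the maximum this portal grants, the sentence should steer readers to Security Administrator as the narrower role and mention Global Administrator only for tenants where those users already hold it, so nobody is added to the broader role just to get portal access. Style: "For more information see, [Connect-MsolService]" places the comma after "see"; the same pattern recurs in the next hunk.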
@ -67,7 +80,7 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
## Assign user access using the Azure portal
### Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com).
@ -26,25 +26,19 @@ ms.date: 04/16/2018
[!include[Prerelease information](prerelease.md)]
In a typical enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags.
In a typical enterprise scenario, security operation teams are assigned a set of machines groups. These machines are grouped together based on a set of attributes such as domain, name, or tag.
In Windows Defender ATP, you can create machine groups and use them to:
- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac-windows-defender-advanced-threat-protection.md)
- Configure different auto-remediation settings for different sets of machines
In Windows Defender ATP, you can create machine groups based on conditions and apply the following rules on them:
- Remediation level for automated investigations
- Azure Active Directory (Azure AD) user group access
As part of the process of creating a machine group, you'll:
- Set the automated remediation level for that group
- Define a matching rule based on the machine name, domain, tags, and OS platform to determine which machines belong to the group. If a machine is also matched to other groups, it is added only to the highest ranked machine group.
- Determine access to machine group
- Rank the machine group relative to other groups after it is created
When you create a machine group, you'll need to set the automated remediation level for that group. You'll also need to configure the conditions for when a machine is considered to be part of that group. You can set the conditions based on name, domain, tag, or OS.
After setting the automated remediation level and conditions, you'll need to assign a Azure AD user group who will have access to that group of machines. The assignment you set here determines what the group can see in the portal. For example, if you assign a user group to only see machines with a specific tag then their view of the Machines list will be limited based on the tags you set in the rule.
Finally, you'll need to rank the machine groups so that the appropriate rul is applied on them.
### Add machine group
## Add a machine group
1. In the navigation pane, select **Settings > Permissions > Machine groups**.
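Review bot: typos in the lines that look like the post-image of this hunk: "assigned a set of machines groups" should be "machine groups"; "Determine access to machine group" needs "the"; "assign a Azure AD user group" should be "an Azure AD user group"; "so that the appropriate rul is applied" should be "rule" (only if those paragraphs are kept alongside the new bullet list). The new matching-rule bullet says "machine name, domain, tags, and OS platform" while the **Matching rule** bullet in the next hunk says "machine name, domain, tag, or OS version"; pick one term so readers know which OS attribute the rule matches. The clause "If a machine is also matched to other groups, it is added only to the highest ranked machine group" is the access-control fact of this page (a machine is visible only to the user groups assigned to the one group it lands in), so give it its own sentence rather than leaving it as a trailing clause of the matching-rule bullet.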
@ -63,7 +57,7 @@ Finally, you'll need to rank the machine groups so that the appropriate rul is a
- **Description**
- **Matching rule** <EFBFBD> you can apply the rule based on machine name, domain, tag, or OS version.
- **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version.
>[!TIP]
>If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags).
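Review bot: the replacement **Matching rule** line fixes the mis-encoded dash (`<EFBFBD>` became `–`); the same mojibake appears in `you<6F>ll`, `didn<64>t` and `you<EFBFBD>d` in later hunks, so check that the files are saved as UTF-8 rather than patching one character at a time. The TIP points readers to a registry key on the endpoint for group affiliation; since that affiliation feeds a matching rule that decides which Azure AD user group can see the machine, consider stating whether the portal validates a registry-set affiliation or trusts it as-is.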
@ -72,19 +66,21 @@ Finally, you'll need to rank the machine groups so that the appropriate rul is a
5. Assign the user groups that can access the machine group you created.
>[!NOTE]
>You can only grant access to Azure AD user groups with assigned RBAC roles.
6. Click **Close**.
7. Apply the configuration settings.
## Rank rules on machine groups
## Understand matching and manage groups
After creating groups based on conditions, setting the remediation levels on them, and assigning user groups that can access the machine group, you<6F>ll need to rank the rules that are applied on the groups.
You can promote the rank of a machine group so that it is given higher priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group.
You can promote or demote the rank of a group so that the rules applied is of higher or lower level. The evaluation order is applied from higher rank to lower rank. The higher rank should apply to the most machines.
Machines that are not matched to any groups are added to **Ungrouped machines**. By default, remediations performed on machines in this group require approval, but you can also define the remediation level for this group.
You can also edit and delete groups.
By default, there will always be a group for ungrouped machines. This group is designed to aggregate all the machines that didn<64>t meet any of the conditions set in the other machine groups. The default remediation for this group is Require approval, but you can also define the remediation level for the group.
## Related topic
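Review bot: the new ranking text ("When a machine is matched to more than one group, it is added only to the highest ranked group") should also say what that means for access: step 5 and its NOTE tie visibility to the Azure AD user groups assigned to a group, so promoting or demoting a group silently changes which user group can see every machine that matches both. Add a sentence to that effect next to the promote text. If the removed sentence "the rules applied is of higher or lower level" survives anywhere, it needs "are". The ungrouped-machines paragraph keeps "Require approval" as the default remediation, which is the safe default; keep that wording. "## Related topic" should be "## Related topics" if more than one link follows.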
@ -31,7 +31,7 @@ ms.date: 04/16/2018
Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier model to assign and authorize access to security portals. Typical tiers include the following three levels:
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access to security portals. Typical tiers include the following three levels:
Tier | Description
:---|:---
@ -39,19 +39,16 @@ Tier 1 | **Local security operations team / IT team** <br> This team usually tri
Tier 2 | **Regional security operations team** <br> This team can see all the machines for their region and perform remediation actions.
Tier 3 | **Global security operations team** <br> This team consists of security experts and are authorized to see and perform all actions from the portal.
Windows Defender ATP RBAC is designed to support your tier or role model of choice and gives you granular control over what roles can see, machines they can access, and actions they can take.
Windows Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, machines they can access, and actions they can take. The RBAC framework is centered around the following controls:
The implementation of role-based access control in Windows Defender ATP is based on Azure Active Directory (Azure AD) user groups.
The Windows Defender ATP RBAC framework is centered around the following controls:
- **Control who can take specific action**
- Create custom roles and control what Windows Defender ATP capabilities they can access with granularity.
- **Control who can see specific information**
- Create machine groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure AD user group.
- [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure AD user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure Active Directory (Azure AD) user groups assigned to the roles.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and set the Azure Active Directory (Azure AD) user groups assigned to the roles.
### Before you begin
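Review bot: the rewritten closing sentence still reads awkwardly: "assign corresponding permissions, and set the Azure Active Directory (Azure AD) user groups assigned to the roles" stacks "set" and "assigned"; "and assign Azure AD user groups to the roles" says it in fewer words. If "The implementation of role-based access control in Windows Defender ATP is based on Azure Active Directory (Azure AD) user groups" is the line being removed, fold it into the merged paragraph instead, because it is the one place this page states the fact behind the NOTE elsewhere in this PR that only Azure AD user groups, not individual users, can be assigned a role. The link added to "Create machine groups" is the right cross-reference; "Control who can take specific action" should be "actions".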
@ -62,11 +59,9 @@ When you first log in to the Windows Defender ATP portal, you're granted either
>
> Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important.
>
> Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the global administrator role with full permissions.
To use RBAC in Windows Defender ATP, you'll need to enable it.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
> Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the default Windows Defender ATP global administrator role with full permissions.
>
> After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
## Create user roles and assign the role to a group
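Review bot: the new note line qualifies the role as the "default Windows Defender ATP global administrator role", which resolves the collision with "Azure AD Global Administrator rights" two lines above; the assign-access page in this same PR still says "the default **Global administrator** role" and "Only global administrators can manage permissions using RBAC", so apply the same qualifier there. Moving "cannot revert to the initial roles" into the NOTE block puts the irreversibility warning where readers will see it. Since "users with read-only permissions ... lose access until they are assigned to a role" is a loss of access for existing readers, make the ordering explicit: create the Azure AD groups and map them to roles before turning RBAC on, which "having the right groups ready in Azure AD is important" already implies.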
@ -74,7 +69,7 @@ After opting in to use RBAC, you cannot revert to the initial roles as when you
2. Click **Add new role**.
3. Enter the user group name, description, and active permissions you<EFBFBD>d like to assign to the group.
3. Enter the user group name, description, and active permissions you’d like to assign to the group.
- **User group name**
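Review bot: the replacement line fixes the mis-encoded apostrophe in "you<EFBFBD>d like to assign"; as noted for the earlier hunk, fix the file encoding so it does not reappear. Step 3 says "Enter the user group name" while step 2 is "Add new role" and the section heading is "Create user roles and assign the role to a group"; if the portal field is literally labelled **User group name** (the bullet that follows suggests it is), say that the value names the role, otherwise use "role name" to match the surrounding steps.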