diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
index ad6dfa190d..a5f9685302 100644
--- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -25,6 +25,14 @@ Windows Defender ATP users and access permissions are managed in Azure Active Di
 - Full access (Read and Write)
 - Read only access
 
+**Full access** <br>
+Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
+Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
+
+**Read only access** <br>
+Users with read only access can log in, view all alerts, and related information. 
+They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
+Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
 
 Use the following steps to assign security roles:
 - Preparations: