From de9d63aa488e2737ed60582baf73bb854be71280 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 16 Feb 2018 11:18:52 -0800 Subject: [PATCH 1/9] Add role-based access control section. --- ...ows-defender-advanced-threat-protection.md | 114 ++++++++++++++++++ 1 file changed, 114 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index ac64b927c8..8302b575f9 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md 
@@ -85,5 +85,119 @@ For more information see, [Manage Azure AD group and role membership](https://te ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) +## Role-based access control + +With the robust security capabilities available in the Windows Defender ATP portal, it is crucial to provide the right access only to authorized roles and groups. Using role-based access control (RBAC), you can segregate roles and groups within your security operations team or organization to grant appropriate access to the Windows Defender ATP portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can do. + +The implementation of role-based access control in Windows Defender ATP is based on Azure Active Directory user groups. + +To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and set the Azure Active Directory (Azure AD) user groups assigned to the roles. + +### Before you begin + +When you first log in to the Windows Defender ATP portal, you’re granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. + +> [!WARNING] +> Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. +> Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. +> Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the global administrator role with full permissions. 
+ +To use RBAC in Windows Defender ATP, you’ll need to enable it. + +After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. + +### Create user roles and assign the role to a group + +1. In the navigation pane, select **Preferences setup > Role based access control > Roles**. + +2. Click **Add new role**. + +3. Enter the user group name, description, and active permissions you’d like to assign to the group. + + - **User group name** + - **Description** + - **Active permissions** + - **View data** – Users can view information in the portal. + - **Investigate alerts** – Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Approve or take action** – Users can take response actions and approve or dismiss pending remediation actions. + - **Manage system settings** – Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. + - **Manage security settings** – Users can configure alert suppression settings, manage allowed or blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + - **Monitor dashboards** – Users can view all dashboards. + +4. Click **Next** to assign the user to a group. + +5. Use the filter to select the Azure AD group that you'd like the user to be a part of. + +6. Click **Save and close**. + +7. Apply the configuration settings. + +### Edit user roles + +1. Select the user role you'd like to edit. + +2. Click **Edit**. + +3. Modify the details or the memberships that the user role is a part of. + +4. Click **Save and close**. + +### Delete user roles + +1. Select the user role row you'd like to delete. + +2. Click the drop-down button and select **Delete role**. 
+ +### Manage machine groups + +Create machine groups and set automated remediation levels on them, configure the rules to apply on the group, and assign the group to an Azure AD group and role. After configuring the groups and assignments, rank the group so that the corresponding rule is applied. + +#### Add machine group + +1. In the navigation pane, select **Preferences setup > Role based access control > Machine groups**. + +2. Click **Add machine group**. + +3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group: + + - **Name** + - **Remediation level for automated investigations** + - **No remediation** + - **Require approval (all folders)** + - **Require approval (non-temp folders)** + - **Require approval (core folders)** + - **Fully automated** + - **Description** + - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version. + + >[!TIP] + >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](manage-machine-group-and-tags.md). + +4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab. + +5. Assign the user groups that can access the machine group you created. The assignment you set here determines what the group can see in the portal. For example, if you assign a user group to only see machines with a specific tag then their view of the Machines list will be limited based on the tags you set in the rule. + +6. Click **Close**. + +7. Apply the configuration settings. + +#### Rank rules on machine groups + +After creating groups, setting the remediation levels on them, and assigning user groups that can access the machine group, you’ll need to rank the rules that are applied on the groups. 
+ +You can promote or demote the rank of a group so that the rules applied is of higher or lower level. The evaluation order is applied from higher rank to lower rank. The higher rank should apply to the most machines. + +You can also edit and delete groups. + +By default, there will always be a group for ungrouped machines. This group is designed to aggregate all the machines that didn’t meet any of the conditions set in the other machine groups. The default remediation for this group is Require approval, but you can also define the remediation level for the group. + + + + + + + + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink) From 701af19ce08aabd9d6df6da572197207f56141d0 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 16 Feb 2018 11:20:06 -0800 Subject: [PATCH 2/9] Changed date. --- ...portal-access-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 8302b575f9..829792bfcc 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 02/16/2018 --- # Assign user access to the Windows Defender ATP portal From 6819d668c56276ec0bc92916d71d10b43e83988c Mon Sep 17 00:00:00 2001 
From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 16 Feb 2018 11:45:05 -0800 Subject: [PATCH 3/9] Fixed link and spacing issues. --- ...l-access-windows-defender-advanced-threat-protection.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 829792bfcc..ab7d8e0c24 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -115,7 +115,9 @@ After opting in to use RBAC, you cannot revert to the initial roles as when you 3. Enter the user group name, description, and active permissions you’d like to assign to the group. - **User group name** + - **Description** + - **Active permissions** - **View data** – Users can view information in the portal. - **Investigate alerts** – Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. 
@@ -161,17 +163,20 @@ Create machine groups and set automated remediation levels on them, configure th 3. Set the machine group details, configure an association rule, preview the results, then assign the group to an Azure user group: - **Name** + - **Remediation level for automated investigations** - **No remediation** - **Require approval (all folders)** - **Require approval (non-temp folders)** - **Require approval (core folders)** - **Fully automated** + - **Description** + - **Matching rule** – you can apply the rule based on machine name, domain, tag, or OS version. >[!TIP] - >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](manage-machine-group-and-tags.md). + >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). 4. Review the result of the preview of matched machines. If you are satisfied with the rules, click the **Access** tab. From bac478a51482b7034e3c63e233137de64392b662 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 16 Feb 2018 12:00:22 -0800 Subject: [PATCH 4/9] Fix spacing issues in Warning. --- ...rtal-access-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index ab7d8e0c24..79475bb186 100644 
--- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -98,8 +98,8 @@ To implement role-based access, you'll need to define admin roles, assign corres When you first log in to the Windows Defender ATP portal, you’re granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. > [!WARNING] -> Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. -> Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. +Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. +Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. > Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the global administrator role with full permissions. To use RBAC in Windows Defender ATP, you’ll need to enable it. From c143eaf61695b02d8995478bab85c32cb2d71cad Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Fri, 16 Feb 2018 21:06:07 +0000 Subject: [PATCH 5/9] Updated assign-portal-access-windows-defender-advanced-threat-protection.md --- ...rtal-access-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 79475bb186..0f680c0dc2 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md 
@@ -98,8 +98,8 @@ To implement role-based access, you'll need to define admin roles, assign corres When you first log in to the Windows Defender ATP portal, you’re granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. > [!WARNING] -Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. -Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. +>Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. +>Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. > Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the global administrator role with full permissions. To use RBAC in Windows Defender ATP, you’ll need to enable it. From 58120ddbcdeb033dbd47919993f0636b9c34e976 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 16 Feb 2018 13:19:00 -0800 Subject: [PATCH 6/9] fix warning --- ...al-access-windows-defender-advanced-threat-protection.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 0f680c0dc2..41436bb4e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md 
@@ -98,8 +98,10 @@ To implement role-based access, you'll need to define admin roles, assign corres When you first log in to the Windows Defender ATP portal, you’re granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. > [!WARNING] ->Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. ->Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. +> Before enabling the feature, it’s important that you have a Global Administrator role in Azure AD and that have your Azure AD groups ready to reduce the risk of being locked out of the portal. +> +> Only those with Azure AD Global Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important. +> > Turning on role-based access control will cause users with read-only permissions to lose access until they are assigned to a role. Users with admin permissions are automatically assigned the global administrator role with full permissions. To use RBAC in Windows Defender ATP, you’ll need to enable it. From 60f79be1a9e78a94221f5a491fd3c356ce550ff3 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 16 Feb 2018 13:36:26 -0800 Subject: [PATCH 7/9] update headings --- ...ss-windows-defender-advanced-threat-protection.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 41436bb4e2..dc10cc83fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -108,7 +108,7 @@ To use RBAC in Windows Defender ATP, you’ll need to enable it. After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. -### Create user roles and assign the role to a group +## Create user roles and assign the role to a group 1. In the navigation pane, select **Preferences setup > Role based access control > Roles**. @@ -136,7 +136,7 @@ After opting in to use RBAC, you cannot revert to the initial roles as when you 7. Apply the configuration settings. -### Edit user roles +## Edit user roles 1. Select the user role you'd like to edit. @@ -146,17 +146,17 @@ After opting in to use RBAC, you cannot revert to the initial roles as when you 4. Click **Save and close**. -### Delete user roles +## Delete user roles 1. Select the user role row you'd like to delete. 2. Click the drop-down button and select **Delete role**. -### Manage machine groups +## Manage machine groups Create machine groups and set automated remediation levels on them, configure the rules to apply on the group, and assign the group to an Azure AD group and role. After configuring the groups and assignments, rank the group so that the corresponding rule is applied. -#### Add machine group +### Add machine group 1. In the navigation pane, select **Preferences setup > Role based access control > Machine groups**. 
@@ -188,7 +188,7 @@ Create machine groups and set automated remediation levels on them, configure th 7. Apply the configuration settings. -#### Rank rules on machine groups +## Rank rules on machine groups After creating groups, setting the remediation levels on them, and assigning user groups that can access the machine group, you’ll need to rank the rules that are applied on the groups. From f0d9a4c8c6e50c6d0d5ed5a290ee74e4ed1a73b3 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Sat, 24 Feb 2018 13:21:46 -0800 Subject: [PATCH 8/9] update date --- ...rtal-access-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index dc10cc83fd..520947cfc6 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 02/16/2018 +ms.date: 03/05/2018 --- # Assign user access to the Windows Defender ATP portal @@ -24,7 +24,7 @@ ms.date: 02/16/2018 - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - +[!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) From 75c0e82e7cc668a3fd8df770681d4b3398a6d68c Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Sat, 24 Feb 2018 13:23:23 -0800 Subject: [PATCH 9/9] minor fix --- ...access-windows-defender-advanced-threat-protection.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 520947cfc6..c5f71247a3 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -198,13 +198,4 @@ You can also edit and delete groups. By default, there will always be a group for ungrouped machines. This group is designed to aggregate all the machines that didn’t meet any of the conditions set in the other machine groups. The default remediation for this group is Require approval, but you can also define the remediation level for the group. - - - - - - - - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)
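Review bot: In patch 1/9 (hunk @@ -85,5 +85,119), the "Before you begin" paragraph and the warning disagree about who keeps full access once RBAC is turned on: the paragraph grants full access to Security Administrator and Global Administrator alike, but the warning says only Global Administrators can create and assign roles and that "users with admin permissions" are auto-assigned the global administrator role. Say explicitly whether a Security Administrator is auto-assigned or loses access until assigned a role, and since the next paragraph states the opt-in cannot be reverted, that sentence belongs inside the warning. The create-role steps also mix their objects: step 2 adds a role, step 3 asks for a "User group name", and steps 4-5 say "assign the user to a group", while the heading and step 5's filter assign an Azure AD group to the role; suggest "Enter the role name, description, and active permissions" and "Click **Next** to assign the role to an Azure AD group". Under "Rank rules on machine groups", "so that the rules applied is of higher or lower level" should read "are", and "The higher rank should apply to the most machines" sits uneasily with evaluation "from higher rank to lower rank": a broad group ranked first takes the machines a narrower group below it was meant to match, so confirm whether the intended guidance is that the most specific rule ranks highest. "Delete user roles" should say what happens to users whose only role is deleted (per the warning, they lose access until assigned another role), and "The default remediation for this group is Require approval" should name which of the three Require approval variants listed in step 3 applies.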
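Review bot: In patch 3/9 (hunk @@ -115,7 +115,9), the blank lines inserted around "- **Description**" and "- **Active permissions**" make the nested list a loose list, so the renderer puts paragraph spacing around every item at that level while the "View data" / "Investigate alerts" items under "Active permissions" stay tight; check the rendered page, and if the spacing is uneven either add matching blank lines throughout the list or drop these.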
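Review bot: In patch 3/9 (hunk @@ -161,17 +163,20), the TIP link is changed from the relative "manage-machine-group-and-tags.md" to an absolute docs.microsoft.com URL that hardcodes the "en-us" locale; that bypasses the repo's link validation and sends localized readers to the English page. If the target is investigate-machines-windows-defender-advanced-threat-protection.md in the same folder, use the relative path with the "#manage-machine-group-and-tags" anchor instead. The same loose-list spacing change is applied to the "Remediation level for automated investigations" list here; the comment on the previous hunk applies.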
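Review bot: In patch 4/9 (hunk @@ -98,8 +98,8), removing the ">" prefix from the two middle lines breaks the [!WARNING] callout: those two sentences render as a plain paragraph outside the box, and the remaining "> Turning on role-based access control..." line starts a second, untitled blockquote. Every line of the callout needs the ">" prefix; patch 5 reverts this change, so drop this commit when the series is squashed.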
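Review bot: In patch 5/9 (hunk @@ -98,8 +98,8), the ">" is restored but without the space after it that the first and last lines of the callout use, and patch 6 rewrites the same lines again; patches 4 through 6 are three rewrites of three lines and should be squashed into one commit with the final form from patch 6.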
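Review bot: In patch 6/9 (hunk @@ -98,8 +98,10), the blank ">" separator lines give the callout its final, correct form, but none of the three rewrites fixes the wording: "and that have your Azure AD groups ready" should read "and that you have your Azure AD groups ready", and "in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important" is a comma splice; suggest "in the Windows Defender ATP portal; therefore, have the right groups ready in Azure AD before you enable it."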
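Review bot: In patch 7/9 (hunks @@ -146,17 +146,17 and @@ -188,7 +188,7), the heading levels end up inconsistent: "Add machine group" and "Rank rules on machine groups" were both "####" under "Manage machine groups", but the first becomes "###" while the second becomes "##", which makes ranking look like a top-level section unrelated to machine groups. Make "Rank rules on machine groups" "###" as well. Promoting the procedures to "##" also makes them siblings of "## Role-based access control", leaving "### Before you begin" as that section's only subsection; confirm that is the intended outline.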
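Review bot: In patch 8/9 (hunk @@ -24,7 +24,7), the include replaces the blank line after the last "Applies to" bullet, so "[!include[Prerelease information](prerelease.md)]" directly follows "- Windows Defender Advanced Threat Protection (Windows Defender ATP)" and Markdown will treat it as a lazy continuation of that list item rather than a block of its own. Keep a blank line before the include and add one after it, ahead of the ">Want to experience..." quote, and confirm prerelease.md exists alongside this file.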
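Review bot: In patch 9/9 (hunk @@ -198,13 +198,4), the nine blank lines being removed are the ones patch 1 added, and the ms.date field is bumped twice in the series (10/16/2017 to 02/16/2018 in patch 2, then to 03/05/2018 in patch 8); squash patches 2, 8 and 9 into the content commits so the history carries one date change and no add-then-remove of whitespace.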