I've had a user want permissions to hard/soft delete emails found to be potentially malicious in M365 Defender Threat Explorer (https://security.microsoft.com/threatexplorer).
What you need to be able to access Threat Explorer in M365:
- Organization Management
- Security Administrator (assign this in the Azure Active Directory admin center (https://aad.portal.azure.com))
- Security Reader (if you PIM up to SecAdmin then you won't need SecReader)
Required Licenses
You must have Microsoft Defender for Office 365 to use Explorer or Real-time detections.
- Explorer is included in Defender for Office 365 Plan 2.
- The Real-time detections report is included in Defender for Office 365 Plan 1.
- Plan to assign licenses for all users who should be protected by Defender for Office 365. Explorer and Real-time detections show detection data for licensed users.
Digging into it....
Assign AAD Security Administrator to the user if they don't have it already. It's likely if they are in a SOC or InfoSec that they will probably have this.
The user was able to access Threat Explorer after pimming up to SecAdmin but couldn't access hard or soft delete.
This delete function was something that I was able to perform but actually couldn't see why I could or where the permission was that enabled me to.
So, let's head over to Permissions & Roles @ https://security.microsoft.com/securitypermissions and select "Roles" under "Email & collaboration roles".
You'll now see a list of roles and permissions specific to M365 Defender.
The magic role you need now is "Search & Purge", which appears in "Data Investigator".
The side window will swipe in and you'll see "Search & Purge" under assigned roles.
Assign the member to this role, then they should be able to purge any emails they look up (making sure they are pimmed up to AAD SecAdmin first).
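The same assignment can be audited and scripted from Security & Compliance PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, that the portal's "Search & Purge" role is named "Search And Purge" in PowerShell, and it uses constructed placeholder accounts.

```powershell
# Added example: audit who can purge mail, then grant it via the role group from the post.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
$AdminUpn  = 'admin@contoso.example'    # constructed placeholder: account making the change
$TargetUpn = 'analyst@contoso.example'  # constructed placeholder: user who needs hard/soft delete
$RoleName  = 'Search And Purge'         # assumption: PowerShell name of the portal's "Search & Purge"
$GroupName = 'Data Investigator'        # role group named in the post

Connect-IPPSSession -UserPrincipalName $AdminUpn

# 1. Audit: list every role group that carries the role, with its current members.
#    Purge rights are sensitive, so review this list before widening it.
$groups = @(Get-RoleGroup | Where-Object { $_.Roles -like "*$RoleName*" })
foreach ($g in $groups) {
    $members = @(Get-RoleGroupMember -Identity $g.Name)
    [pscustomobject]@{
        RoleGroup = $g.Name
        Members   = ($members.Name -join ', ')
    }
}

# 2. Grant: add the user only if the expected role group really carries the role.
if ($groups.Name -notcontains $GroupName) {
    Write-Warning "'$GroupName' does not carry '$RoleName' in this tenant; nothing changed."
} else {
    try {
        Add-RoleGroupMember -Identity $GroupName -Member $TargetUpn -ErrorAction Stop
    } catch {
        # Also reached when the user is already a member of the role group.
        Write-Warning "Add-RoleGroupMember: $($_.Exception.Message)"
    }
    # 3. Verify: show the resulting membership.
    Get-RoleGroupMember -Identity $GroupName | Select-Object Name
}

Disconnect-ExchangeOnline -Confirm:$false
```

Role group changes can take some time to apply, and the user still needs to PIM up to AAD SecAdmin before the delete actions appear in Threat Explorer.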