Back to Operation

Defender Unified RBAC Responder

Azure Built-in Role

Role Information

Details and metadata

Role ID
1bacae94-6c0f-4d2d-8dfa-408d5a28e6ec
Type
BuiltInRole
Last Updated (Azure)
2025-09-15 15:09:07

Change History

Track all modifications to this role

2025-09-15 15:09:07 Initial Scan
View details 
{
  "properties": {
    "roleName": "Defender Unified RBAC Responder",
    "type": "BuiltInRole",
    "description": "Defender Unified RBAC Responder. This role is managed and assigned automatically by the Defender Unified RBAC system. Manual assignment of this role is not recommended, as the Defender Unified RBAC system may modify or remove it at any time based on system requirements.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.SecurityInsights/*/read",
          "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
          "Microsoft.SecurityInsights/automationRules/*",
          "Microsoft.SecurityInsights/cases/*",
          "Microsoft.SecurityInsights/incidents/*",
          "Microsoft.SecurityInsights/entities/runPlaybook/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
          "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
          "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/workspaces/savedSearches/read",
          "Microsoft.OperationsManagement/solutions/read",
          "Microsoft.OperationalInsights/workspaces/query/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/querypacks/*/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Insights/workbooks/read",
          "Microsoft.Authorization/*/read"
        ],
        "notActions": [
          "Microsoft.SecurityInsights/cases/*/Delete",
          "Microsoft.SecurityInsights/incidents/*/Delete",
          "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
          "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "createdOn": "2025-09-02T15:09:18.279Z",
    "updatedOn": "2025-09-15T15:09:07.354Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1bacae94-6c0f-4d2d-8dfa-408d5a28e6ec",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "1bacae94-6c0f-4d2d-8dfa-408d5a28e6ec"
}

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Defender Unified RBAC Responder",
    "type": "BuiltInRole",
    "description": "Defender Unified RBAC Responder. This role is managed and assigned automatically by the Defender Unified RBAC system. Manual assignment of this role is not recommended, as the Defender Unified RBAC system may modify or remove it at any time based on system requirements.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.SecurityInsights/*/read",
          "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
          "Microsoft.SecurityInsights/automationRules/*",
          "Microsoft.SecurityInsights/cases/*",
          "Microsoft.SecurityInsights/incidents/*",
          "Microsoft.SecurityInsights/entities/runPlaybook/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
          "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
          "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
          "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/workspaces/savedSearches/read",
          "Microsoft.OperationsManagement/solutions/read",
          "Microsoft.OperationalInsights/workspaces/query/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "Microsoft.OperationalInsights/workspaces/dataSources/read",
          "Microsoft.OperationalInsights/querypacks/*/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Insights/workbooks/read",
          "Microsoft.Authorization/*/read"
        ],
        "notActions": [
          "Microsoft.SecurityInsights/cases/*/Delete",
          "Microsoft.SecurityInsights/incidents/*/Delete",
          "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
          "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "createdOn": "2025-09-02T15:09:18.279Z",
    "updatedOn": "2025-09-15T15:09:07.354Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1bacae94-6c0f-4d2d-8dfa-408d5a28e6ec",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "1bacae94-6c0f-4d2d-8dfa-408d5a28e6ec"
}

Effective Permissions

Operations granted by this role (1003 total)

Permission Patterns (from role definition)

Actions 26 patterns
Microsoft.SecurityInsights/*/read Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Microsoft.SecurityInsights/automationRules/* Microsoft.SecurityInsights/cases/* Microsoft.SecurityInsights/incidents/* Microsoft.SecurityInsights/entities/runPlaybook/action Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Microsoft.SecurityInsights/threatIntelligence/bulkTag/action Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.OperationalInsights/workspaces/savedSearches/read Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.OperationalInsights/querypacks/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Insights/workbooks/read Microsoft.Authorization/*/read
NotActions (excluded)
Microsoft.SecurityInsights/cases/*/Delete Microsoft.SecurityInsights/incidents/*/Delete Microsoft.SecurityInsights/ConfidentialWatchlists/* Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*

Control Plane Operations (1003)

Data Plane Operations (0)

No data plane operations granted