Roles and Permissions in Microsoft Sentinel

Microsoft Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure. This allows you to grant appropriate access to Microsoft Sentinel and control what users can see and do.

Microsoft Sentinel-Specific Roles

The built-in Microsoft Sentinel roles and their allowed actions are:

  • Microsoft Sentinel Reader: Can view data, incidents, workbooks, and other Microsoft Sentinel resources.
  • Microsoft Sentinel Responder: In addition to Reader permissions, can manage incidents (assign, dismiss, and change them).
  • Microsoft Sentinel Contributor: In addition to Responder permissions, can install and update solutions from the content hub, and create/edit Microsoft Sentinel resources like workbooks, analytics rules, etc.
  • Microsoft Sentinel Playbook Operator: Can list, view, and manually run playbooks.
  • Microsoft Sentinel Automation Contributor: Allows Microsoft Sentinel to add playbooks to automation rules (not meant for user accounts).

You can assign these roles at the resource group level containing the Microsoft Sentinel workspace, or directly to the workspace itself.

Other Roles and Permissions

Users may need additional roles or permissions depending on their job requirements:

  • Install and Manage Content: Assign the Microsoft Sentinel Contributor role to enable installing and managing solutions from the content hub.
  • Automate Threat Response: Use the Microsoft Sentinel Playbook Operator and Logic App Contributor roles to enable creating, editing, and running playbooks.
  • Connect Data Sources: Assign Write permissions on the Microsoft Sentinel workspace to allow adding data connectors.
  • Allow Guest Users to Assign Incidents: Assign the Directory Reader role in addition to the Microsoft Sentinel Responder role.
  • Create and Delete Workbooks: Assign either the Microsoft Sentinel Contributor role or a lesser Microsoft Sentinel role plus the Workbook Contributor role.

You may also encounter broader Azure and Log Analytics roles; because they grant wider permissions, they can also determine who has access to Microsoft Sentinel resources.

Custom Roles and Advanced Azure RBAC

  • Custom Roles: You can create custom Azure roles for Microsoft Sentinel, based on specific permissions.
  • Log Analytics RBAC: Use advanced Azure RBAC across the data in your Microsoft Sentinel workspace, including data type-based and resource-context RBAC.

Role and Permissions Recommendations

Here are some role recommendations for different user types:

User Type            Roles                                                                Resource Group
Security Analysts    Microsoft Sentinel Responder, Microsoft Sentinel Playbook Operator   Microsoft Sentinel’s resource group
Security Engineers   Microsoft Sentinel Contributor, Logic App Contributor                Microsoft Sentinel’s resource group
Service Principal    Microsoft Sentinel Contributor                                       Microsoft Sentinel’s resource group

Additional roles may be required depending on your data and requirements, such as Microsoft Entra roles.
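The recommendations in the table above, applied with the Azure CLI at resource-group scope, as an added example that is not part of the original article: the subscription ID, resource group name and principal object IDs are placeholders, and the audit function at the end (which lists Owner and Contributor assignments at the same scope, since those broad roles also reach Sentinel) is an assumed review step, not something the article prescribes.

```shell
#!/usr/bin/env bash
# Assign the recommended Microsoft Sentinel roles per user type, scoped to the
# resource group that contains the Sentinel workspace (never the subscription).
# Placeholders (constructed): subscription ID, resource group, principal object IDs.

# Scope string for the workspace's resource group.
sentinel_rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Recommended roles for each user type from the table, one per line.
sentinel_roles_for() {
  case "$1" in
    analyst)           printf '%s\n' "Microsoft Sentinel Responder" "Microsoft Sentinel Playbook Operator" ;;
    engineer)          printf '%s\n' "Microsoft Sentinel Contributor" "Logic App Contributor" ;;
    service-principal) printf '%s\n' "Microsoft Sentinel Contributor" ;;
    *) echo "unknown user type: $1" >&2; return 1 ;;
  esac
}

# Create one role assignment per recommended role for a principal.
# $1 user type, $2 principal object ID, $3 principal type (User|Group|ServicePrincipal), $4 scope
# With DRY_RUN=1 the az commands are printed instead of executed.
assign_sentinel_roles() {
  local user_type="$1" object_id="$2" principal_type="$3" scope="$4" role
  sentinel_roles_for "$user_type" | while IFS= read -r role; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf 'az role assignment create --assignee-object-id %s --assignee-principal-type %s --role "%s" --scope %s\n' \
        "$object_id" "$principal_type" "$role" "$scope"
    else
      az role assignment create --assignee-object-id "$object_id" \
        --assignee-principal-type "$principal_type" --role "$role" --scope "$scope"
    fi
  done
}

# Review step (assumed, not from the article): show who holds Owner or Contributor
# at or above this scope, since those broad roles grant Sentinel access without
# going through the purpose-built Sentinel roles.
audit_broad_roles() {
  az role assignment list --scope "$1" --include-inherited \
    --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor'].[principalName,roleDefinitionName,scope]" \
    -o table
}

# Example usage (placeholders):
# SCOPE=$(sentinel_rg_scope 00000000-0000-0000-0000-000000000000 rg-sentinel)
# assign_sentinel_roles analyst  11111111-1111-1111-1111-111111111111 Group "$SCOPE"
# assign_sentinel_roles engineer 22222222-2222-2222-2222-222222222222 Group "$SCOPE"
# assign_sentinel_roles service-principal 33333333-3333-3333-3333-333333333333 ServicePrincipal "$SCOPE"
# audit_broad_roles "$SCOPE"
```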

Resource-Based Access Control

You can also configure RBAC based on the resources users are allowed to access, rather than granting access to the entire Microsoft Sentinel environment. This resource-context RBAC can provide more granular control over data access.

For more information, see the Manage access to Microsoft Sentinel data by resource article.