
June 12, 2025
I am excited to announce the public preview of domain-based scoping for Active Directory within Microsoft Defender for Identity. This is a foundational step in extending role-based access control (RBAC) as part of the broader XDR URBAC initiative. This new capability enables organizations to define and refine the scope of Microsoft Defender for Identity monitoring, providing more granular control over which entities and resources are included in security analysis.
What is “scoping” and why does it matter?
As organizations grow, so does their identity fabric, and as security professionals look to manage these increasingly complex identity environments, the ability to control who can access what, and where, is critical. Whether for legal or efficiency reasons, many organizations need a way to delegate access based on responsibility or ownership. The new scoping capability is part of Microsoft Defender’s unified role-based access control (URBAC) model, which allows customers to refine investigation and administration experiences by Active Directory domain, providing:
- Optimized performance: improved efficiency by focusing analysts on critical assets, without the noise of non-essential alerts and data outside their purview.
- Enhanced visibility control: visibility limited to specific Active Directory domains.
- Support for operational boundaries: access aligned with responsibility across SOC analysts, identity admins, and regional teams.
This enhancement is part of Microsoft Defender XDR’s unified role-based access control (URBAC) model and sets the foundation for even more granular controls in the future.
What can be scoped?
Users assigned to scoped roles will only see data, such as alerts, identities, and activities, related to the Active Directory domains included in the XDR role assignment. This ensures that security teams can focus on the assets they are responsible for, without being exposed to information from outside their organizational boundaries.
Today this includes:
- Alerts and incidents: Analysts will only see, in their queue, alerts and incidents related to identities within the scoped Active Directory domains.
- Entity pages: Users can only access the account details of identities within the Active Directory domains they are scoped for.
- Advanced hunting and investigations: Data is automatically filtered to include only scoped data.
For the full list of supported experiences, see our documentation.
How to configure scoping rules
This release is part of our ongoing XDR URBAC effort, bringing consistent and unified role-based access control across Microsoft Defender products. Domain-based scoping is now available for public preview in Microsoft Defender for Identity and aligns with the same RBAC principles used across the XDR platform.
To enable the feature, follow these steps:
- Navigate to the XDR Permissions page > Microsoft Defender XDR > Roles.
- Edit an existing role or create a new custom role.
- Add an assignment and create a scoped role with the same set of permissions.
- Define the Entra ID users or groups to be assigned to the role.
- Choose Microsoft Defender for Identity as a data source and select the user groups (AD domains) that will be scoped to the assignment.
Once configured, customers can restrict SOC analysts to viewing only specific entities, ensuring they have access only to the data relevant to their responsibilities and improving security control.
Before enabling scoping, ensure that:
- You have a Microsoft Defender for Identity sensor installed.
- The Identity workload for URBAC is activated.
- To manage roles without Global Administrator or Security Administrator privileges, customers must configure Authorization permissions through URBAC. Learn more here.
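A practical way to confirm that a scoped assignment actually took effect is to sign in as a member of the scoped role and check which Active Directory domains are visible in Advanced hunting. The query below is an added example written for this post, not Microsoft's own code or documentation; it assumes the IdentityInfo and IdentityLogonEvents tables expose the AccountDomain column as documented in the Advanced hunting schema, which you should confirm in your tenant.

```kql
// Added verification query (not from the original post).
// Run in Advanced hunting while signed in as a user holding the scoped role.
// Assumption: IdentityInfo and IdentityLogonEvents expose AccountDomain.
// Expected result: only the AD domains selected in the role assignment
// appear. Any other domain means the scope was not applied; re-check that
// the Identity workload for URBAC is activated and the assignment is saved.
let lookback = 7d;
union
  (IdentityInfo
   | where isnotempty(AccountDomain)
   | extend Source = "IdentityInfo"
   | summarize Rows = count() by AccountDomain, Source),
  (IdentityLogonEvents
   | where Timestamp > ago(lookback) and isnotempty(AccountDomain)
   | extend Source = "IdentityLogonEvents"
   | summarize Rows = count() by AccountDomain, Source)
| order by Source asc, Rows desc
```

Run the same query from an unscoped (for example, Security Administrator) session to compare: the difference between the two result sets is exactly the set of domains the scoped role should never see, which makes this a quick acceptance test to keep alongside the role definition.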
What’s next
As this feature is in Public Preview, some experiences are still in progress and will be expanded over time. For setup guidance and more details, visit the Defender for Identity documentation. To stay informed about upcoming enhancements and expanded support for scoping experiences, follow our What’s New documentation page.