Skip to Content

MC1246007: New URBAC permission to preview email content in Microsoft Defender for Office 365

By: Author Alex Lim

Posted on

Categories Update

Home » Update » MC1246007: New URBAC permission to preview email content in Microsoft Defender for Office 365

Summary

  • A new Defender XDR Unified RBAC permission allows admins to preview and download email content tied to specific alerts without broad email access.
  • The new permission is called “Emails associated with alerts (read)” and currently applies to alerts for emails reported as malware or phishing.
  • Existing roles and workflows remain unaffected, and admins with full email access retain that capability.
  • Admins should assess access needs and communicate changes to security and helpdesk teams.
  • Additional alert types will be supported in the future.

Admin Impact: Medium
User Impact: Low
Release Start: 15 Apr 2026
Release End: 31 May 2026
Services: Defender XDR
Category: Stay informed
Tags: Feature Update, User Adoption, Admin Action

History

3/6/2026 Item Added to Message Center

Microsoft Message

Introduction

We are introducing a new Defender XDR Unified RBAC (URBAC) permission in Microsoft Defender for Office 365 that allows administrators to preview and download email content associated with the alert “Email reported by user as malware or phish”, without granting broad access to all email content. This new permission helps provide more granular access during security investigations while preserving existing workflows for admins who require full email content access.

These changes affect permissions assigned through Defender XDR Unified RBAC.

When this will happen

  • General Availability (Worldwide): We will begin rolling out in early April 2026 and expect to complete by mid-May 2026.
  • General Availability (GCC, GCC High, DoD): We will begin rolling out in mid-April 2026 and expect to complete by late May 2026.

How this will affect your organization

We are introducing a new URBAC permission under Security operations called Email and collaboration content: Emails associated with alerts (read).

  • With this permission, Admins can perform preview and download actions on email entity associated with supported alerts.
  • This permission currently applies to the alert “Email reported by user as malware or phish”.
  • This is a new permission, and there is no impact to existing roles or admin workflows.
  • Admins who already have Security operations/Raw data (email & collaboration)/Email & collaboration content (read): All Emails will retain full access and do not need to take any action.
  • Support for additional alert types will be added at a later stage.

What you need to do to prepare

  • Review which administrators in your organization require access to message content.
  • Communicate this change to security operations and helpdesk teams that investigate messages.
  • If you want to assign more granular access:
    • Review your existing Defender XDR Unified RBAC roles.
    • Consider assigning the new permission to analysts who only need access to emails tied to the alert “Email reported by user as malware or phish.”

Learn more:

  • The Email entity page in Microsoft Defender for Office 365 | Microsoft Defender for Office 365 | Microsoft Learn
  • Microsoft Defender XDR Unified role-based access control (RBAC) | Microsoft Defender XDR | Microsoft Learn

Compliance considerations

No compliance considerations identified, review as appropriate for your organization.