Microsoft is introducing a new permission in Defender for Office 365 that gives security teams more targeted access when investigating emails that users have reported as malware or phishing.
- This update is part of the Defender XDR Unified Role-Based Access Control (RBAC).
- Defender XDR RBAC usually requires a Defender for Office 365 Plan 2 license.
Timeline
The rollout should be completed in May 2026.
What is changing?
Reviewing email content linked to security alerts previously required broad access to all emails in the organization.
Security admins could select two permissions under email & collaboration.
- Email & collaboration metadata (read)
- Email & collaboration content: All Emails (read)
The new permission “Emails associated with alerts (read)”, found under Security operations, allows defined user accounts to preview and download only the specific emails associated with the alert “Email reported by user as malware or phish“.
As described in the updated unified RBAC documentation, the new permission is scoped to investigate flagged messages without requiring broader access to all email content in the organization.
Administrators who already hold the broader email and collaboration content read permission will see no change to their access or workflows. The new permission is an addition, not a replacement, and existing role assignments remain unaffected.
