Microsoft Defender XDR · Security Operations
Security Operations Manager
Full access to security operations including all data, response actions, live response, and email security. Senior SOC leadership role.
Scope: Organization-wide security operations across all Defender workloads
Permissions
- Security data basics (read) - View all incidents, alerts, investigations, hunting, devices
- Alerts (manage) - Manage alerts, start investigations, run scans, manage device tags
- Response (manage) - Take response actions, approve/dismiss remediation, manage block lists
- Advanced live response (manage) - Full live response with file uploads and script execution
- File collection (manage) - Collect executable files for analysis
- Email & collaboration quarantine (manage) - View and release quarantined email
- Email & collaboration advanced actions (manage) - Move/delete email including hard delete
- Email & collaboration metadata (read) - View email data in hunting and threat explorer
- Email & collaboration content (read) - View and download email content and attachments
- Data (manage) - Manage Sentinel data lake retention and connectors
- Analytics job schedule (manage) - Schedule and manage analytics jobs
Common use cases
- SOC team leads managing security operations
- Senior security analysts with full investigation authority
- Security architects overseeing security posture
Best practices
- Limit to senior SOC staff and security leads; this role combines endpoint script execution with irreversible email actions, so keep the holder list short
- Grant it through a PIM-managed group so the role is activated just-in-time rather than held as a standing assignment
- Review the Action center history (response and live response actions) and the unified audit log regularly, paying particular attention to script execution, file collection, and hard-delete actions
- Scope the assignment with device groups (and the corresponding email scope) so holders only reach the assets they are responsible for
Security considerations
- Can delete email messages permanently (hard delete)
- Can run scripts on devices via live response
- Can collect executable files from endpoints
- Full access to investigate any user or device, unless the assignment is narrowed to specific device groups
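The audit recommendation above and the security considerations (script execution via live response, file collection from endpoints) call for a repeatable check rather than an occasional look at the portal. The following is an added example, not code from the Microsoft documentation: it takes a Defender for Endpoint `machineactions` payload (a constructed sample is embedded, shaped after the documented schema; treat the exact field layout as an assumption and verify it against your tenant's output) and flags the actions a Security Operations Manager can take that warrant review, then counts them per requestor.

```python
"""Triage privileged Defender response actions for periodic review.

Added example, not part of the original role documentation. The input is
assumed to be the JSON returned by GET .../api/machineactions (Defender
for Endpoint API); the sample below is constructed for this example.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Live response command types that exercise the "Advanced live response
# (manage)" permission (scripts, uploads) or move files off the endpoint.
SENSITIVE_COMMANDS = {"RunScript", "PutFile", "GetFile"}

# Constructed sample, shaped like an API {"value": [...]} response (assumed layout).
SAMPLE_ACTIONS = json.dumps({"value": [
    {"id": "1", "type": "LiveResponse", "requestor": "analyst1@contoso.com",
     "status": "Succeeded", "machineId": "m1", "computerDnsName": "ws01",
     "creationDateTimeUtc": "2024-05-01T10:00:00Z",
     "commands": [
         {"index": 0, "command": {"type": "RunScript",
                                  "params": [{"key": "ScriptName", "value": "collect.ps1"}]}},
         {"index": 1, "command": {"type": "GetFile",
                                  "params": [{"key": "Path", "value": "C:\\Temp\\out.zip"}]}}]},
    {"id": "2", "type": "LiveResponse", "requestor": "analyst2@contoso.com",
     "status": "Succeeded", "machineId": "m2", "computerDnsName": "ws02",
     "creationDateTimeUtc": "2024-05-02T11:00:00Z",
     "commands": [{"index": 0, "command": {"type": "Processes", "params": []}}]},
    {"id": "3", "type": "CollectInvestigationPackage", "requestor": "lead@contoso.com",
     "status": "Succeeded", "machineId": "m3", "computerDnsName": "srv01",
     "creationDateTimeUtc": "2024-05-03T09:30:00Z"},
    {"id": "4", "type": "RunAntiVirusScan", "requestor": "analyst2@contoso.com",
     "status": "Succeeded", "machineId": "m2", "computerDnsName": "ws02",
     "creationDateTimeUtc": "2024-05-03T12:00:00Z"},
    {"id": "5", "type": "LiveResponse", "requestor": "analyst1@contoso.com",
     "status": "Succeeded", "machineId": "m1", "computerDnsName": "ws01",
     "creationDateTimeUtc": "2024-01-15T08:00:00Z",
     "commands": [{"index": 0, "command": {"type": "RunScript",
                                           "params": [{"key": "ScriptName", "value": "old.ps1"}]}}]},
]})


def parse_actions(raw_json):
    """Return the list of machine action records from a {"value": [...]} payload."""
    return json.loads(raw_json)["value"]


def _created(action):
    """Parse the ISO-8601 creation timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(action["creationDateTimeUtc"].replace("Z", "+00:00"))


def sensitive_actions(actions, since):
    """Return [(action, reasons)] for actions created at/after `since` that
    ran scripts, transferred files, or collected an investigation package."""
    findings = []
    for action in actions:
        if _created(action) < since:
            continue
        reasons = []
        if action["type"] == "LiveResponse":
            for entry in action.get("commands", []):
                cmd = entry["command"]
                if cmd["type"] in SENSITIVE_COMMANDS:
                    params = {p["key"]: p["value"] for p in cmd.get("params", [])}
                    detail = params.get("ScriptName") or params.get("Path") or ""
                    reasons.append(f"{cmd['type']} {detail}".strip())
        elif action["type"] == "CollectInvestigationPackage":
            reasons.append("CollectInvestigationPackage")
        if reasons:
            findings.append((action, reasons))
    return findings


def summarize_by_requestor(findings):
    """Count flagged actions per requestor so reviewers can spot outliers."""
    return Counter(action["requestor"] for action, _ in findings)


if __name__ == "__main__":
    since = datetime(2024, 4, 1, tzinfo=timezone.utc)
    hits = sensitive_actions(parse_actions(SAMPLE_ACTIONS), since)
    for action, reasons in hits:
        print(action["creationDateTimeUtc"], action["requestor"],
              action["computerDnsName"], "; ".join(reasons))
    print(dict(summarize_by_requestor(hits)))
```

Feed the script the live API output (or an export from the Action center) on a schedule and compare the per-requestor counts against the expected holders of this role; a requestor who is not on that list, or a sudden rise in `RunScript` and `GetFile` activity, is worth a follow-up in the unified audit log.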