Microsoft Defender XDR · Security Operations
Security Operations Manager
Full access to security operations including all data, response actions, live response, and email security. Senior SOC leadership role.
Scope: Organization-wide security operations across all Defender workloads
Permissions
- Security data basics (read) - View all incidents, alerts, investigations, hunting, devices
- Alerts (manage) - Manage alerts, start investigations, run scans, manage device tags
- Response (manage) - Take response actions, approve/dismiss remediation, manage block lists
- Advanced live response (manage) - Full live response with file uploads and script execution
- File collection (manage) - Collect executable files for analysis
- Email & collaboration quarantine (manage) - View and release quarantined email
- Email & collaboration advanced actions (manage) - Move/delete email including hard delete
- Email & collaboration metadata (read) - View email data in hunting and threat explorer
- Email & collaboration content (read) - View and download email content and attachments
- Data (manage) - Manage Sentinel data lake retention and connectors
- Analytics job schedule (manage) - Schedule and manage analytics jobs
Common use cases
- SOC team leads managing security operations
- Senior security analysts with full investigation authority
- Security architects overseeing security posture
Best practices
- Limit to senior SOC staff and security leads
- Use PIM for just-in-time activation
- Audit actions regularly in Defender portal
- Combine with device groups for scoped access
Security considerations
- Can delete email messages permanently (hard delete)
- Can run scripts on devices via live response
- Can collect executable files from endpoints
- Full access to investigate any user or device
Common questions
When should I assign the Security Operations Manager role?
Assign Security Operations Manager when you need to: SOC team leads managing security operations; Senior security analysts with full investigation authority; and Security architects overseeing security posture. It is part of Microsoft Defender XDR and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Security Operations Manager role do?
The Security Operations Manager role grants permissions including: Security data basics (read) - View all incidents, alerts, investigations, hunting, devices; Alerts (manage) - Manage alerts, start investigations, run scans, manage device tags; Response (manage) - Take response actions, approve/dismiss remediation, manage block lists; Advanced live response (manage) - Full live response with file uploads and script execution; File collection (manage) - Collect executable files for analysis; and Email & collaboration quarantine (manage) - View and release quarantined email. See the Permissions section above for the full list.
What are the security risks of the Security Operations Manager role?
Key considerations when assigning Security Operations Manager: Can delete email messages permanently (hard delete); Can run scripts on devices via live response; Can collect executable files from endpoints; and Full access to investigate any user or device. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.