Microsoft Entra ID · Remaining Built-in Roles

Security Administrator

Can read security information and reports, and manage configuration in Microsoft Entra ID and Microsoft 365. This role has broad security configuration permissions across services.

Scope: Organization-wide security configuration across Microsoft Entra ID and Microsoft 365

Permissions

  • Conditional Access - Update Conditional Access policies
  • Conditional Access - Create Conditional Access policies
  • Conditional Access - Delete Conditional Access policies
  • Identity Protection - Read all Identity Protection resources
  • Identity Protection - Update Identity Protection
  • Named Locations - Update named locations
  • Named Locations - Create named locations
  • Named Locations - Delete named locations
  • Policies - Update policies
  • Policies - Create policies
  • Policies - Delete policies
  • PIM - Read PIM settings
  • Audit - Read audit logs
  • Sign-in Reports - Read sign-in reports (including privileged)
  • BitLocker - Read BitLocker keys
  • Cross-Tenant - Update cross-tenant access policy
  • Federation - Update federation settings
  • Multi-Tenant - Update multi-tenant organization
  • Global Secure Access - Manage Global Secure Access
  • Security Center - Update Security & Compliance Center
  • Attack Simulation - Manage attack simulation
  • Attack Simulation - Run attack simulations
  • M365 Security - Read and configure security-related features across Microsoft 365
  • Cloud App Security - Manage Microsoft Defender for Cloud Apps settings
  • Agents - Read visibility into agents and the Agent 365 registry in the Microsoft 365 admin center for investigation and risk assessment (cannot publish or manage agent lifecycle)

Common use cases

  • Implementing and managing Conditional Access policies
  • Configuring Identity Protection risk policies
  • Managing security baselines and hardening
  • Responding to security incidents
  • Configuring attack simulation campaigns
  • Managing cross-tenant access policies for B2B
  • Implementing Zero Trust security model
  • Reviewing and analyzing security reports
  • Configuring named locations for risk assessment
  • Managing federation security settings
  • Configuring Global Secure Access (Entra Private/Internet Access)
  • Implementing phishing-resistant authentication policies
  • Managing multi-tenant organization security

Best practices

  • Use PIM for just-in-time access to this role
  • Consider using Security Reader for monitoring-only staff
  • Test Conditional Access policies in report-only mode first
  • Always exclude emergency access (break-glass) accounts from Conditional Access policies
  • Document all security policy changes
  • Implement change management for security configurations
  • Review security configurations quarterly
  • Use named locations for risk-based policies
  • Configure Identity Protection with appropriate thresholds
  • Enable security defaults as a baseline if no custom Conditional Access policies are in place
  • Monitor for Conditional Access policy bypasses
  • Align policies with organizational risk tolerance
  • Coordinate with Compliance team on policy requirements
  • Set up alerts for security configuration changes
  • Review BitLocker key access regularly
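The following script is an added example for two of the practices above (report-only rollout and break-glass exclusions); it is not part of the RBACMap page or Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and the Policy.Read.All permission, and the emergency-account and group IDs are constructed placeholders to replace with your own.

```powershell
# Added example (not from the RBACMap page or Microsoft): audits Conditional Access
# policies for report-only state and for emergency-access (break-glass) exclusions.
# Assumes Microsoft.Graph.Identity.SignIns and the Policy.Read.All permission.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Constructed placeholder IDs: replace with the object IDs of your break-glass
# accounts and (optionally) the group that contains them.
$EmergencyAccountIds = @(
    "00000000-0000-0000-0000-00000000aaaa",
    "00000000-0000-0000-0000-00000000bbbb"
)
$EmergencyGroupId = "00000000-0000-0000-0000-00000000cccc"

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $excludedUsers  = @($p.Conditions.Users.ExcludeUsers)
    $excludedGroups = @($p.Conditions.Users.ExcludeGroups)

    # A policy passes if every break-glass account is excluded directly, or the
    # break-glass group is excluded (group membership is not expanded here).
    $missing = @($EmergencyAccountIds | Where-Object { $_ -notin $excludedUsers })
    $groupExcluded = $EmergencyGroupId -in $excludedGroups

    [pscustomobject]@{
        Policy              = $p.DisplayName
        State               = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        BreakGlassExcluded  = ($missing.Count -eq 0) -or $groupExcluded
        MissingBreakGlass   = ($missing -join ",")
        Modified            = $p.ModifiedDateTime
    }
}

# Enforced policies that could lock out the accounts meant to recover from a bad change.
"`nEnforced policies without a break-glass exclusion:"
$report | Where-Object { $_.State -eq 'enabled' -and -not $_.BreakGlassExcluded } |
    Format-Table Policy, MissingBreakGlass, Modified -AutoSize

# Policies still in report-only mode, i.e. evaluated in sign-in logs but not enforced.
"`nPolicies still in report-only mode:"
$report | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
    Format-Table Policy, Modified -AutoSize
```

Run it after each policy change (or on a schedule) and treat any row in the first table as a blocking finding; the second table is a reminder of which policies have been evaluated in report-only mode long enough to be reviewed in the sign-in logs and either enforced or removed.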

Security considerations

  • Can modify Conditional Access policies affecting all users
  • Can disable security controls if not properly governed
  • Can read BitLocker recovery keys
  • Can configure Identity Protection thresholds
  • Can modify cross-tenant access affecting B2B security
  • Can update federation settings affecting authentication
  • Should not have permanent active assignment
  • Monitor for bulk policy changes or deletions
  • Alert on emergency access exclusion modifications
  • Consider separation of duties with the Conditional Access Administrator role
  • Can access sensitive security reports
  • Can configure Global Secure Access affecting network security
  • Changes can lock out legitimate users if misconfigured
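As an added example for the "should not have permanent active assignment" point above (not code from the RBACMap page or Microsoft), this script lists who holds Security Administrator and flags permanent active assignments as distinct from PIM-eligible and time-bound ones. It assumes the Microsoft.Graph.Identity.Governance module and the RoleManagement.Read.Directory permission, and resolves the role by display name so no role template GUID is hard-coded.

```powershell
# Added example (not from the RBACMap page or Microsoft): inventories Security
# Administrator holders and flags permanent active assignments.
# Assumes Microsoft.Graph.Identity.Governance and RoleManagement.Read.Directory.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
if (-not $role) { throw "Security Administrator role definition not found" }
$filter = "roleDefinitionId eq '$($role.Id)'"

# Active instances cover permanent assignments, time-bound assignments and
# in-progress PIM activations; eligible instances must be activated before use.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All

function Resolve-PrincipalName([string]$Id) {
    # Falls back to the raw object ID if the principal cannot be read.
    try { (Get-MgDirectoryObject -DirectoryObjectId $Id).AdditionalProperties['displayName'] }
    catch { $Id }
}

$rows = @()
$rows += foreach ($a in $active) {
    [pscustomobject]@{
        Principal  = Resolve-PrincipalName $a.PrincipalId
        Kind       = if ($a.AssignmentType -eq 'Activated') { 'PIM activation' }
                     elseif ($null -eq $a.EndDateTime)      { 'PERMANENT active' }
                     else                                    { 'Time-bound active' }
        MemberType = $a.MemberType   # Direct, Group or Inherited
        Ends       = $a.EndDateTime
    }
}
$rows += foreach ($e in $eligible) {
    [pscustomobject]@{
        Principal  = Resolve-PrincipalName $e.PrincipalId
        Kind       = 'PIM eligible'
        MemberType = $e.MemberType
        Ends       = $e.EndDateTime
    }
}

$rows | Sort-Object Kind, Principal | Format-Table -AutoSize

# Permanent active holders are the finding to act on: convert them to PIM-eligible.
$permanent = @($rows | Where-Object { $_.Kind -eq 'PERMANENT active' })
if ($permanent.Count -gt 0) {
    Write-Warning "$($permanent.Count) permanent Security Administrator assignment(s) found"
}
```

Group-based assignments show up with MemberType of Group; members of such a group inherit the role, so review the group's membership as well as the rows printed here.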
