Microsoft Entra ID · Security & Compliance

Security Operator

Can manage security events, view reports, dismiss alerts, and take limited remediation actions. Cannot modify security policies.

Scope: Security event management and alert remediation across Microsoft security services

Permissions

  • Audit - Read audit logs
  • Authorization - Read authorization policy
  • Cloud App Security - Manage Cloud App Security
  • Identity Protection - Read Identity Protection
  • Identity Protection - Update Identity Protection settings
  • PIM - Read PIM
  • Provisioning - Read provisioning logs
  • Sign-in Reports - Read sign-in reports
  • Azure ATP - Manage Azure ATP
  • Service Health - Manage Azure service health
  • Support Tickets - Create Azure support tickets
  • Attack Simulation - Read attack simulation events
  • Security Center - Manage Security & Compliance Center
  • M365 Health - Manage M365 service health
  • M365 Support - Create M365 support tickets
  • Alerts - Dismiss or remediate security alerts
  • Limitation - Cannot modify security policies

Common use cases

  • SOC analyst daily operations
  • Security incident triage and response
  • Alert investigation and dismissal
  • Security monitoring and reporting
  • Identity Protection alert handling
  • Cloud App Security management
  • Threat detection investigation
  • Risky user investigation

Best practices

  • Assign to Tier 1/2 SOC analysts
  • Use Security Admin for policy changes
  • Document all alert dismissals
  • Follow incident response procedures
  • Escalate high-severity incidents appropriately
  • Coordinate with Security Admin for remediation
  • Enable alerting for critical incidents
  • Use PIM for just-in-time access
  • Review false positive patterns for tuning

Security considerations

  • Can dismiss alerts potentially hiding threats
  • Can update Identity Protection settings
  • Can manage Cloud App Security
  • Audit all alert dismissals
  • Monitor for excessive dismissals
  • Cannot modify security policies (requires Security Admin)
  • Consider PIM for controlled access
  • Alert on bulk dismissal activity

Common questions

When should I assign the Security Operator role?

Assign Security Operator when you need to: SOC analyst daily operations; Security incident triage and response; Alert investigation and dismissal; Security monitoring and reporting; and Identity Protection alert handling. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Security Operator role do?

The Security Operator role grants permissions including: Audit - Read audit logs; Authorization - Read authorization policy; Cloud App Security - Manage Cloud App Security; Identity Protection - Read Identity Protection; Identity Protection - Update Identity Protection settings; and PIM - Read PIM. See the Permissions section above for the full list.

What are the security risks of the Security Operator role?

Key considerations when assigning Security Operator: Can dismiss alerts potentially hiding threats; Can update Identity Protection settings; Can manage Cloud App Security; and Audit all alert dismissals. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →