Microsoft Entra ID · Security & Compliance
Security Operator
Can manage security events, view reports, dismiss alerts, and take limited remediation actions. Cannot modify security policies.
Scope: Security event management and alert remediation across Microsoft security services
Permissions
- Audit - Read audit logs
- Authorization - Read authorization policy
- Cloud App Security - Manage Cloud App Security
- Identity Protection - Read Identity Protection
- Identity Protection - Update Identity Protection settings
- PIM - Read PIM
- Provisioning - Read provisioning logs
- Sign-in Reports - Read sign-in reports
- Azure ATP - Manage Azure ATP
- Service Health - Manage Azure service health
- Support Tickets - Create Azure support tickets
- Attack Simulation - Read attack simulation events
- Security Center - Manage Security & Compliance Center
- M365 Health - Manage M365 service health
- M365 Support - Create M365 support tickets
- Alerts - Dismiss or remediate security alerts
- Limitation - Cannot modify security policies
Common use cases
- SOC analyst daily operations
- Security incident triage and response
- Alert investigation and dismissal
- Security monitoring and reporting
- Identity Protection alert handling
- Cloud App Security management
- Threat detection investigation
- Risky user investigation
Best practices
- Assign to Tier 1/2 SOC analysts
- Use Security Admin for policy changes
- Document all alert dismissals
- Follow incident response procedures
- Escalate high-severity incidents appropriately
- Coordinate with Security Admin for remediation
- Enable alerting for critical incidents
- Use PIM for just-in-time access
- Review false positive patterns for tuning
Security considerations
- Can dismiss alerts potentially hiding threats
- Can update Identity Protection settings
- Can manage Cloud App Security
- Audit all alert dismissals
- Monitor for excessive dismissals
- Cannot modify security policies (requires Security Admin)
- Consider PIM for controlled access
- Alert on bulk dismissal activity
Common questions
When should I assign the Security Operator role?
Assign Security Operator when you need to: SOC analyst daily operations; Security incident triage and response; Alert investigation and dismissal; Security monitoring and reporting; and Identity Protection alert handling. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Security Operator role do?
The Security Operator role grants permissions including: Audit - Read audit logs; Authorization - Read authorization policy; Cloud App Security - Manage Cloud App Security; Identity Protection - Read Identity Protection; Identity Protection - Update Identity Protection settings; and PIM - Read PIM. See the Permissions section above for the full list.
What are the security risks of the Security Operator role?
Key considerations when assigning Security Operator: Can dismiss alerts potentially hiding threats; Can update Identity Protection settings; Can manage Cloud App Security; and Audit all alert dismissals. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.