Microsoft Entra ID · Security & Compliance
Security Operator
Can manage security events, view reports, dismiss alerts, and take limited remediation actions. Cannot modify security policies.
Scope: Security event management and alert remediation across Microsoft security services
Permissions
- Audit - Read audit logs
- Authorization - Read authorization policy
- Cloud App Security - Manage Cloud App Security
- Identity Protection - Read Identity Protection
- Identity Protection - Update Identity Protection settings
- PIM - Read PIM
- Provisioning - Read provisioning logs
- Sign-in Reports - Read sign-in reports
- Azure ATP - Manage Azure ATP
- Service Health - Manage Azure service health
- Support Tickets - Create Azure support tickets
- Attack Simulation - Read attack simulation events
- Security Center - Manage Security & Compliance Center
- M365 Health - Manage M365 service health
- M365 Support - Create M365 support tickets
- Alerts - Dismiss or remediate security alerts
- Limitation - Cannot modify security policies
Common use cases
- SOC analyst daily operations
- Security incident triage and response
- Alert investigation and dismissal
- Security monitoring and reporting
- Identity Protection alert handling
- Cloud App Security management
- Threat detection investigation
- Risky user investigation
Best practices
- Assign to Tier 1/2 SOC analysts
- Use Security Admin for policy changes
- Document all alert dismissals
- Follow incident response procedures
- Escalate high-severity incidents appropriately
- Coordinate with Security Admin for remediation
- Enable alerting for critical incidents
- Use PIM for just-in-time access
- Review false positive patterns for tuning
Security considerations
- Can dismiss alerts, potentially hiding threats
- Can update Identity Protection settings
- Can manage Cloud App Security
- Audit all alert dismissals
- Monitor for excessive dismissals
- Cannot modify security policies (requires Security Admin)
- Consider PIM for controlled access
- Alert on bulk dismissal activity
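
An added example (not part of the original page and not Microsoft code) of the dismissal monitoring recommended above: it flags bulk dismissals per account within a sliding window, dismissals with no documented reason, and dismissed high-severity alerts. The record fields, the 10-minute window and the threshold of 5 are assumptions for illustration, and the sample records are constructed; map the fields to whatever your alert or audit export provides.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_event(minute, actor, alert_id, severity="low", reason=""):
    """Build one constructed dismissal record (hypothetical field names)."""
    return {"time": f"2024-05-01T09:{minute:02d}:00", "actor": actor,
            "alert_id": alert_id, "severity": severity, "reason": reason}


# Constructed sample data: analyst1 dismisses two alerts with a documented reason,
# analyst2 dismisses six alerts in five minutes with no reason recorded.
SAMPLE_EVENTS = (
    [make_event(0, "analyst1@example.com", "A-100", "medium", "confirmed false positive"),
     make_event(40, "analyst1@example.com", "A-101", "high", "duplicate of open incident")]
    + [make_event(10 + i, "analyst2@example.com", f"B-{200 + i}") for i in range(6)]
)


def review_dismissals(events, window=timedelta(minutes=10), threshold=5):
    """Return (bulk, undocumented, high_severity) findings for dismissal records.

    bulk maps an actor to the largest number of dismissals seen inside one
    sliding window, for actors that reached the threshold.
    """
    recent = defaultdict(deque)          # actor -> timestamps still inside the window
    bulk, undocumented, high_severity = {}, [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append(ts)
        while ts - q[0] > window:        # drop dismissals older than the window
            q.popleft()
        if len(q) >= threshold:
            bulk[ev["actor"]] = max(bulk.get(ev["actor"], 0), len(q))
        if not ev.get("reason", "").strip():
            undocumented.append(ev["alert_id"])   # dismissal was not documented
        if ev["severity"] == "high":
            high_severity.append(ev["alert_id"])  # candidate for escalation review
    return bulk, undocumented, high_severity


if __name__ == "__main__":
    bulk, undocumented, high_severity = review_dismissals(SAMPLE_EVENTS)
    print("bulk dismissals:", bulk)
    print("undocumented:", undocumented)
    print("high severity dismissed:", high_severity)
```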