Microsoft Purview · Global & Security Roles

Security Operator

Members can manage security alerts and view the reports and settings of security features. This is the SOC operator role: it covers alert triage and response but carries no broader security administration permissions.

Scope: Security alert management and security feature read access across Microsoft Purview and Defender

Permissions

  • Compliance Search - Run content searches across Microsoft 365
  • Data Security Investigation Contributor - Contribute to data security investigations
  • Manage Alerts - Triage and respond to security alerts
  • Purview Copilot Workspace Contributor - Use Copilot in security workflows
  • Security Reader - Read-only access to security features
  • Tag Contributor / Reader - Manage and read security tags
  • View-Only Manage Alerts - Read-only alert view

Common use cases

  • Day-to-day SOC alert triage and response
  • Investigating security incidents without permission to change policies
  • Running compliance searches as part of incident response
  • Operating as a Tier 1/2 SOC analyst with read access to security configuration

Best practices

  • Pair with on-call rotation for 24/7 SOC coverage
  • Use alongside Incident Response runbooks
  • Escalate policy changes to Security Administrator role group
  • Review alert response metrics quarterly

Security considerations

  • Has read access to security configuration — protect against credential theft
  • Can mark alerts as resolved or false positive — monitor for abuse
  • Compliance Search permission can return sensitive content — log all searches
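The three considerations above translate into two recurring checks: who holds the role group, and what its members have done with the alert-resolution and Compliance Search capabilities. The following PowerShell is an added example, not code from the RBACMap page or from Microsoft; it assumes the ExchangeOnlineManagement module, an account allowed to read role groups and the unified audit log, and that the audit-log record types and operation names named in the comments match the schema of your tenant (verify them before relying on the output).

```powershell
# Added example (not from the RBACMap page or Microsoft documentation): review the
# Security Operator role group and audit the two capabilities the page flags.
# Assumes the ExchangeOnlineManagement module and an account permitted to read
# role groups and the unified audit log.
Connect-IPPSSession

# 1. Membership and effective roles: confirm the group still carries only the
#    roles listed on the page and that every member is an expected SOC account.
$group   = Get-RoleGroup -Identity "Security Operator"
"Roles in '$($group.Name)': $($group.Roles -join ', ')"
$members = Get-RoleGroupMember -Identity "Security Operator"
$members | Select-Object Name, PrimarySmtpAddress, RecipientType | Format-Table -AutoSize

# 2. Audit-log review for the last 7 days, scoped to the group's members.
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$userIds = $members.PrimarySmtpAddress

# Content searches run by members ("log all searches"). RecordType 'Discovery'
# is an assumption to verify against the audit schema in your tenant.
$searches = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType Discovery -UserIds $userIds -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations

# Alert status changes ("can mark alerts as resolved or false positive").
# RecordType 'SecurityComplianceAlerts' and the 'AlertUpdated' operation are
# likewise assumptions to verify; the Status/Name fields come from AuditData.
$alertChanges = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SecurityComplianceAlerts -UserIds $userIds -ResultSize 5000 |
    Where-Object { $_.Operations -eq 'AlertUpdated' } |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When   = $_.CreationDate
            Who    = $_.UserIds
            Status = $d.Status
            Alert  = $d.Name
        }
    }

# 3. Per-user summaries. A member closing far more alerts than peers, or running
#    searches with no matching incident, is the abuse pattern the page says to watch.
"Content searches per member:"
$searches | Group-Object UserIds | Select-Object Name, Count | Sort-Object Count -Descending
"Alert status changes per member and resulting status:"
$alertChanges | Group-Object Who, Status | Select-Object Name, Count | Sort-Object Count -Descending
```

Run it from a scheduled job under a dedicated reporting identity rather than from an operator's own account, and keep the output alongside the incident records so that each search and alert closure can be tied back to a ticket.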
