Microsoft Purview · Global & Security Roles
Security Operator
Members can manage security alerts, and also view reports and settings of security features. SOC operator role — focused on alert triage and response without broader security administration permissions.
Scope: Security alert management and security feature read access across Microsoft Purview and Defender
Permissions
- Compliance Search - Run content searches across Microsoft 365
- Data Security Investigation Contributor - Contribute to data security investigations
- Manage Alerts - Triage and respond to security alerts
- Purview Copilot Workspace Contributor - Use Copilot in security workflows
- Security Reader - Read-only access to security features
- Tag Contributor / Reader - Manage and read security tags
- View-Only Manage Alerts - Read-only alert view
Common use cases
- Day-to-day SOC alert triage and response
- Investigating security incidents without permission to change policies
- Running compliance searches as part of incident response
- Operating as Tier 1/2 SOC analyst with read access to security configuration
Best practices
- Pair with on-call rotation for 24/7 SOC coverage
- Use alongside Incident Response runbooks
- Escalate policy changes to Security Administrator role group
- Review alert response metrics quarterly
Security considerations
- Has read access to security configuration — protect against credential theft
- Can mark alerts as resolved or false positive — monitor for abuse
- Compliance Search permission can return sensitive content — log all searches
Common questions
When should I assign the Security Operator role?
Assign Security Operator when you need to: Day-to-day SOC alert triage and response; Investigating security incidents without permission to change policies; Running compliance searches as part of incident response; and Operating as Tier 1/2 SOC analyst with read access to security configuration. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Security Operator role do?
The Security Operator role grants permissions including: Compliance Search - Run content searches across Microsoft 365; Data Security Investigation Contributor - Contribute to data security investigations; Manage Alerts - Triage and respond to security alerts; Purview Copilot Workspace Contributor - Use Copilot in security workflows; Security Reader - Read-only access to security features; and Tag Contributor / Reader - Manage and read security tags. See the Permissions section above for the full list.
What are the security risks of the Security Operator role?
Key considerations when assigning Security Operator: Has read access to security configuration — protect against credential theft; Can mark alerts as resolved or false positive — monitor for abuse; and Compliance Search permission can return sensitive content — log all searches. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.