Microsoft Purview · Global & Security Roles

Security Operator

Members can manage security alerts, and also view reports and settings of security features. SOC operator role — focused on alert triage and response without broader security administration permissions.

Scope: Security alert management and security feature read access across Microsoft Purview and Defender

Permissions

  • Compliance Search - Run content searches across Microsoft 365
  • Data Security Investigation Contributor - Contribute to data security investigations
  • Manage Alerts - Triage and respond to security alerts
  • Purview Copilot Workspace Contributor - Use Copilot in security workflows
  • Security Reader - Read-only access to security features
  • Tag Contributor / Reader - Manage and read security tags
  • View-Only Manage Alerts - Read-only alert view

Common use cases

  • Day-to-day SOC alert triage and response
  • Investigating security incidents without permission to change policies
  • Running compliance searches as part of incident response
  • Operating as Tier 1/2 SOC analyst with read access to security configuration

Best practices

  • Pair with on-call rotation for 24/7 SOC coverage
  • Use alongside Incident Response runbooks
  • Escalate policy changes to Security Administrator role group
  • Review alert response metrics quarterly

Security considerations

  • Has read access to security configuration — protect against credential theft
  • Can mark alerts as resolved or false positive — monitor for abuse
  • Compliance Search permission can return sensitive content — log all searches

Common questions

When should I assign the Security Operator role?

Assign Security Operator when you need to: Day-to-day SOC alert triage and response; Investigating security incidents without permission to change policies; Running compliance searches as part of incident response; and Operating as Tier 1/2 SOC analyst with read access to security configuration. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Security Operator role do?

The Security Operator role grants permissions including: Compliance Search - Run content searches across Microsoft 365; Data Security Investigation Contributor - Contribute to data security investigations; Manage Alerts - Triage and respond to security alerts; Purview Copilot Workspace Contributor - Use Copilot in security workflows; Security Reader - Read-only access to security features; and Tag Contributor / Reader - Manage and read security tags. See the Permissions section above for the full list.

What are the security risks of the Security Operator role?

Key considerations when assigning Security Operator: Has read access to security configuration — protect against credential theft; Can mark alerts as resolved or false positive — monitor for abuse; and Compliance Search permission can return sensitive content — log all searches. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →