Microsoft Purview · Global & Security Roles

Security Administrator

Manage security features across Microsoft 365 including Purview compliance, Defender, identity protection, and security policies without full Global Admin access.

Scope: Organization-wide security and compliance management without full tenant administration

Permissions

  • Security Policies - Manage security policies and settings across Microsoft 365 and Azure
  • Purview Compliance - Configure and manage Microsoft Purview compliance features (DLP, retention, sensitivity labels)
  • Microsoft Defender - Manage Microsoft Defender for Office 365, Endpoint, Identity, and Cloud Apps
  • Security Alerts - Create and manage security alerts and incidents
  • Conditional Access - Configure Conditional Access policies and identity protection
  • Threat Protection - Manage threat protection policies and security baselines
  • Security Reports - Access and manage security reports and dashboards
  • Information Protection - Configure information protection and data loss prevention
  • Insider Risk - Manage insider risk management and communication compliance policies
  • Alert Investigation - View and investigate security alerts across Microsoft 365
  • Workload Security - Manage security settings in Exchange, SharePoint, Teams
  • Audit Logs - Read audit logs and security events

Common use cases

  • Chief Information Security Officer (CISO) managing security program
  • Security team managing DLP, information protection, and threat protection
  • Compliance team configuring security-related compliance policies
  • Security operations center (SOC) managing security incidents
  • IT security team implementing security baselines and policies
  • Managing Purview security features (DLP, insider risk, communication compliance)

Best practices

  • Use for security team members who need comprehensive security management
  • Implement MFA and Conditional Access for all Security Administrators
  • Use Privileged Identity Management (PIM) for just-in-time access
  • Regularly review Security Admin assignments and activities
  • Coordinate with Compliance Administrators on overlapping policies
  • Monitor security configuration changes through audit logs
  • Separate security administration from IT infrastructure management when possible
  • Document security policy changes and maintain change control

Security considerations

  • Broad security permissions - can modify critical security controls
  • Cannot manage billing, users, or infrastructure (less privileged than Global Admin)
  • Should not have Global Admin rights to maintain separation of duties
  • All activities logged in audit logs for accountability
  • Can access sensitive security data and compliance information
  • Consider using PIM for time-limited activation vs permanent assignment
  • Monitor for privilege escalation attempts or unauthorized changes
  • Require strong authentication and device compliance for access

Common questions

When should I assign the Security Administrator role?

Assign Security Administrator when you need to: Chief Information Security Officer (CISO) managing security program; Security team managing DLP, information protection, and threat protection; Compliance team configuring security-related compliance policies; Security operations center (SOC) managing security incidents; and IT security team implementing security baselines and policies. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Security Administrator role do?

The Security Administrator role grants permissions including: Security Policies - Manage security policies and settings across Microsoft 365 and Azure; Purview Compliance - Configure and manage Microsoft Purview compliance features (DLP, retention, sensitivity labels); Microsoft Defender - Manage Microsoft Defender for Office 365, Endpoint, Identity, and Cloud Apps; Security Alerts - Create and manage security alerts and incidents; Conditional Access - Configure Conditional Access policies and identity protection; and Threat Protection - Manage threat protection policies and security baselines. See the Permissions section above for the full list.

What are the security risks of the Security Administrator role?

Key considerations when assigning Security Administrator: Broad security permissions - can modify critical security controls; Cannot manage billing, users, or infrastructure (less privileged than Global Admin); Should not have Global Admin rights to maintain separation of duties; and All activities logged in audit logs for accountability. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →