Microsoft Purview · Global & Security Roles

Security Administrator

Manage security features across Microsoft 365 including Purview compliance, Defender, identity protection, and security policies without full Global Admin access.

Scope: Organization-wide security and compliance management without full tenant administration

Permissions

  • Security Policies - Manage security policies and settings across Microsoft 365 and Azure
  • Purview Compliance - Configure and manage Microsoft Purview compliance features (DLP, retention, sensitivity labels)
  • Microsoft Defender - Manage Microsoft Defender for Office 365, Endpoint, Identity, and Cloud Apps
  • Security Alerts - Create and manage security alerts and incidents
  • Conditional Access - Configure Conditional Access policies and identity protection
  • Threat Protection - Manage threat protection policies and security baselines
  • Security Reports - Access and manage security reports and dashboards
  • Information Protection - Configure information protection and data loss prevention
  • Insider Risk - Manage insider risk management and communication compliance policies
  • Alert Investigation - View and investigate security alerts across Microsoft 365
  • Workload Security - Manage security settings in Exchange, SharePoint, Teams
  • Audit Logs - Read audit logs and security events

Common use cases

  • Chief Information Security Officer (CISO) managing the security program
  • Security team managing DLP, information protection, and threat protection
  • Compliance team configuring security-related compliance policies
  • Security operations center (SOC) managing security incidents
  • IT security team implementing security baselines and policies
  • Managing Purview security features (DLP, insider risk, communication compliance)

Best practices

  • Use for security team members who need comprehensive security management
  • Implement MFA and Conditional Access for all Security Administrators
  • Use Privileged Identity Management (PIM) for just-in-time access
  • Regularly review Security Admin assignments and activities
  • Coordinate with Compliance Administrators on overlapping policies
  • Monitor security configuration changes through audit logs
  • Separate security administration from IT infrastructure management when possible
  • Document security policy changes and maintain change control

Security considerations

  • Broad security permissions - can modify critical security controls
  • Cannot manage billing, users, or infrastructure (less privileged than Global Admin)
  • Should not also hold Global Admin rights, so that separation of duties is maintained
  • All activities logged in audit logs for accountability
  • Can access sensitive security data and compliance information
  • Consider using PIM for time-limited activation instead of permanent assignment
  • Monitor for privilege escalation attempts or unauthorized changes
  • Require strong authentication and device compliance for access
