---
title: Security Operator
description: Security Operator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---

This is a privileged role. Users with this role can manage alerts and have global read-only access on security-related features, including all information in Microsoft 365 Defender portal, Microsoft Entra ID Protection, Privileged Identity Management, and Microsoft Purview portal. For more information about Office 365 permissions, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.

| In | Can do |
| --- | --- |
| Microsoft 365 Defender portal | All permissions of the Security Reader role<br/>View, investigate, and respond to security threat alerts<br/>Manage security settings in Microsoft 365 Defender portal |
| Microsoft Entra ID Protection | All permissions of the Security Reader role<br/>Perform all ID Protection operations except for configuring or changing risk-based policies, resetting passwords, and configuring alert e-mails. |
| Privileged Identity Management | All permissions of the Security Reader role |
| Microsoft Purview portal | All permissions of the Security Reader role<br/>View, investigate, and respond to security alerts |
| Microsoft Defender for Endpoint | All permissions of the Security Reader role<br/>View, investigate, and respond to security alerts<br/>When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Security Reader role lose access until they're assigned a Microsoft Defender for Endpoint role. |
| Intune | All permissions of the Security Reader role |
| Microsoft Defender for Cloud Apps | All permissions of the Security Reader role<br/>View, investigate, and respond to security alerts |
| Microsoft 365 service health | View the health of Microsoft 365 services |

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.azure.advancedThreatProtection/allEntities/allTasks | Manage all aspects of Azure Advanced Threat Protection |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
> | microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
> | microsoft.directory/cloudAppSecurity/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps |
> | microsoft.directory/identityProtection/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Microsoft Entra ID Protection<br/>[Privileged label icon.] |
> | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
> | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
> | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
> | microsoft.intune/allEntities/read | Read all resources in Microsoft Intune |
> | microsoft.office365.securityComplianceCenter/allEntities/allTasks | Create and delete all resources, and read and update standard properties in the Microsoft 365 Security and Compliance Center |
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
> | microsoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks | Manage all aspects of Microsoft Defender for Endpoint |