---
title: Security Administrator
description: Security Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file
---

This is a privileged role. Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Microsoft Entra ID Protection, Microsoft Entra Authentication, Azure Information Protection, and Microsoft Purview portal. For more information about Office 365 permissions, see Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview compliance.

| In | Can do |
| --- | --- |
| Microsoft 365 Defender portal | Monitor security-related policies across Microsoft 365 services<br>Manage security threats and alerts<br>View reports |
| Microsoft Entra ID Protection | All permissions of the Security Reader role<br>Perform all ID Protection operations except for resetting passwords |
| Privileged Identity Management | All permissions of the Security Reader role<br>Cannot manage Microsoft Entra role assignments or settings |
| Microsoft Purview portal | Manage security policies<br>View, investigate, and respond to security threats<br>View reports |
| Azure Advanced Threat Protection | Monitor and respond to suspicious security activity |
| Microsoft Defender for Endpoint | Assign roles<br>Manage machine groups<br>Configure endpoint threat detection and automated remediation<br>View, investigate, and respond to alerts<br>View machines/device inventory |
| Intune | Maps to the Intune Endpoint Security Manager role |
| Microsoft Defender for Cloud Apps | Add admins, add policies and settings, upload logs and perform governance actions |
| Microsoft 365 service health | View the health of Microsoft 365 services |
| Smart lockout | Define the threshold and duration for lockouts when failed sign-in events happen. |
| Password Protection | Configure custom banned password list or on-premises password protection. |
| Cross-tenant synchronization | Configure cross-tenant access settings for users in another tenant. Security Administrators can't directly create and delete users, but can indirectly create and delete synchronized users from another tenant when both tenants are configured for cross-tenant synchronization, which is a privileged permission. |

> [!div class="mx-tableFixed"]
> | Actions | Description |
> | --- | --- |
> | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
> | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
> | microsoft.directory/applications/policies/update | Update policies of applications |
> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |
> | microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policy |
> | microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices (Privileged) |
> | microsoft.directory/conditionalAccessPolicies/basic/update | Update basic properties for Conditional Access policies |
> | microsoft.directory/conditionalAccessPolicies/create | Create Conditional Access policies |
> | microsoft.directory/conditionalAccessPolicies/delete | Delete Conditional Access policies |
> | microsoft.directory/conditionalAccessPolicies/owners/read | Read the owners of Conditional Access policies |
> | microsoft.directory/conditionalAccessPolicies/owners/update | Update owners for Conditional Access policies |
> | microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read | Read the "applied to" property for Conditional Access policies |
> | microsoft.directory/conditionalAccessPolicies/standard/read | Read standard properties of Conditional Access policies |
> | microsoft.directory/conditionalAccessPolicies/tenantDefault/update | Update the default tenant for Conditional Access policies |
> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/basic/update | Update basic settings of cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Microsoft Entra B2B collaboration settings of the default cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Microsoft Entra B2B direct connect settings of the default cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/default/standard/read | Read basic properties of the default cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy |
> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Microsoft Entra B2B collaboration settings of cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Microsoft Entra B2B direct connect settings of cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update | Update basic settings of cross-tenant sync policy |
> | microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create | Create cross-tenant sync policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read | Read basic properties of cross-tenant sync policy |
> | microsoft.directory/crossTenantAccessPolicy/partners/standard/read | Read basic properties of cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/basic/update | Update cross-tenant sync policy templates for multi-tenant organization |
> | microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/resetToDefaultSettings | Reset cross-tenant sync policy template for multi-tenant organization to default settings |
> | microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/standard/read | Read basic properties of cross-tenant sync policy templates for multi-tenant organization |
> | microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/basic/update | Update cross-tenant access policy templates for multi-tenant organization |
> | microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/resetToDefaultSettings | Reset cross-tenant access policy template for multi-tenant organization to default settings |
> | microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/standard/read | Read basic properties of cross-tenant access policy templates for multi-tenant organization |
> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners |
> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy |
> | microsoft.directory/deviceLocalCredentials/standard/read | Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, except the password |
> | microsoft.directory/domains/federation/update | Update federation property of domains (Privileged) |
> | microsoft.directory/domains/federationConfiguration/basic/update | Update basic federation configuration for domains |
> | microsoft.directory/domains/federationConfiguration/create | Create federation configuration for domains |
> | microsoft.directory/domains/federationConfiguration/delete | Delete federation configuration for domains |
> | microsoft.directory/domains/federationConfiguration/standard/read | Read standard properties of federation configuration for domains |
> | microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Microsoft Entra entitlement management |
> | microsoft.directory/identityProtection/allProperties/read | Read all resources in Microsoft Entra ID Protection |
> | microsoft.directory/identityProtection/allProperties/update | Update all resources in Microsoft Entra ID Protection (Privileged) |
> | microsoft.directory/multiTenantOrganization/basic/update | Update basic properties of a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/create | Create a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/joinRequest/organizationDetails/update | Join a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/joinRequest/standard/read | Read properties of a multi-tenant organization join request |
> | microsoft.directory/multiTenantOrganization/standard/read | Read basic properties of a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/tenants/create | Create a tenant in a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/tenants/delete | Delete a tenant participating in a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/tenants/organizationDetails/read | Read organization details of a tenant participating in a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/tenants/organizationDetails/update | Update basic properties of a tenant participating in a multi-tenant organization |
> | microsoft.directory/multiTenantOrganization/tenants/standard/read | Read basic properties of a tenant participating in a multi-tenant organization |
> | microsoft.directory/namedLocations/basic/update | Update basic properties of custom rules that define network locations |
> | microsoft.directory/namedLocations/create | Create custom rules that define network locations |
> | microsoft.directory/namedLocations/delete | Delete custom rules that define network locations |
> | microsoft.directory/namedLocations/standard/read | Read basic properties of custom rules that define network locations |
> | microsoft.directory/policies/basic/update | Update basic properties on policies (Privileged) |
> | microsoft.directory/policies/create | Create policies in Microsoft Entra ID |
> | microsoft.directory/policies/delete | Delete policies in Microsoft Entra ID |
> | microsoft.directory/policies/owners/update | Update owners of policies |
> | microsoft.directory/policies/tenantDefault/update | Update default organization policies |
> | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
> | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs |
> | microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update | Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions (Privileged) |
> | microsoft.directory/servicePrincipals/policies/update | Update policies of service principals |
> | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access |
> | microsoft.office365.protectionCenter/allEntities/basic/update | Update basic properties of all resources in the Security and Compliance centers |
> | microsoft.office365.protectionCenter/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers |
> | microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator |
> | microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation, responses, and associated training |
> | microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks | Create and manage attack simulation templates in Attack Simulator |
> | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
> | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
> | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |