services / Azure / Defender plan security operators
Security operator resources tied to Microsoft Defender for Cloud pricing plans, each backed by a system-assigned managed identity that operates a Defender plan at the scope.
Couples Defender plan enforcement with a privileged managed identity (e.g. Security Admin-equivalent), making writes a privilege/identity concern, not just a posture toggle.
Microsoft.Security/pricings/securityoperators/delete
Deleting a security operator removes the managed identity that runs a Defender plan, disabling that plan's protection and revoking the legitimate operational access tied to it.
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploit can incur operational cost.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog