Applying "quick fix" remediations from Azure Defender (Microsoft Defender for Cloud) changes the underlying resources (VMs). Beyond the Security Admin role (which grants security policy/manage permissions), the user needs write permissions on the target resources. To follow least privilege, grant Contributor on RG1 (the resource group containing the 100 VMs) so SecAdmin1 can remediate only those resources-rather than the entire subscription (over-privilege) or Owner (unnecessary). Security Reader is read-only and cannot apply fixes.