Microsoft Purview · Global & Security Roles

Compliance Data Administrator

Enhanced Entra ID role with all Compliance Administrator permissions PLUS device management, Content Explorer access, and advanced file activity tracking capabilities.

Scope: Organization-wide Entra ID role with comprehensive compliance access including device management and sensitive content viewing

Permissions

  • Compliance Admin - All Compliance Administrator permissions (DLP, retention, sensitivity labels, eDiscovery, Compliance Manager)
  • Device Compliance - Manage device compliance policies for mobile devices and endpoints
  • Activity Explorer - Track and protect files using Activity Explorer with full file path and user details
  • Content Explorer - Access Content Explorer to view actual sensitive content and file details in-place
  • Device Onboarding - Configure device onboarding for Endpoint DLP across Windows, macOS, iOS, Android
  • Device DLP - Manage device-based DLP policies for USB, Bluetooth, removable media, network shares
  • File Activity - View file activity across all workloads: Exchange, SharePoint, OneDrive, Teams, Endpoint, Power BI
  • Evidence Download - Download evidence files from Endpoint DLP alerts and activity explorer
  • Classification Analytics - Access data classification analytics and sensitive information type distribution reports
  • DLP Simulation - Manage DLP policy test mode and simulation mode for auto-labeling
  • OCR Configuration - Configure advanced DLP rules for optical character recognition (OCR) in images
  • File Metadata - View detailed file metadata: sensitivity labels, retention labels, DLP matches, sharing permissions
  • Classifier Feedback - Access trainable classifier feedback explorer and review user feedback on ML classifications
  • Device Groups - Manage device groups and device-specific DLP policy exceptions
  • Endpoint DLP Settings - Configure advanced Endpoint DLP settings: browser monitoring, file path exclusions, unallowed apps

Common use cases

  • Managing bring-your-own-device (BYOD) compliance programs with device-level DLP enforcement
  • Implementing Endpoint DLP across corporate laptops, mobile devices, and remote worker endpoints
  • Tracking sensitive file activities and movement across cloud and on-premises locations
  • Comprehensive data protection investigations requiring Content Explorer access to actual files
  • Organizations with hybrid environments requiring both cloud and endpoint protection
  • Investigating data exfiltration incidents with Activity Explorer file path tracking
  • Validating DLP policy effectiveness by viewing actual Content Explorer matches
  • Managing device compliance for regulated industries (healthcare, finance, government)
  • Configuring advanced Endpoint DLP for removable media, network shares, and printer protection
  • Responding to data breach incidents requiring deep dive into file access and sharing patterns

Best practices

  • Coordinate with Intune and Microsoft Defender for Endpoint teams on device compliance policies
  • Test device DLP policies with pilot groups before broad deployment to avoid productivity disruption
  • Monitor Activity Explorer regularly for anomalous file movements or data exfiltration patterns
  • Use Content Explorer to verify classification effectiveness and validate DLP policy matches
  • Implement gradual rollout of Endpoint DLP policies (monitor → warn → block progression)
  • Document justification for Content Explorer access due to sensitive content viewing permissions
  • Review Activity Explorer daily during high-risk periods (layoffs, mergers, executive departures)
  • Use device groups to create phased Endpoint DLP rollouts and targeted policy exceptions
  • Configure file path exclusions for Endpoint DLP to avoid false positives on system files
  • Enable browser monitoring for Endpoint DLP to protect data in Chrome, Edge, Firefox
  • Limit Content Explorer access to specific investigations - do not browse casually
  • Maintain audit trail of Content Explorer usage for privacy compliance and oversight

Security considerations

  • Can view highly sensitive content through Content Explorer - assign ONLY to trusted personnel
  • Device DLP policies can impact user productivity if misconfigured - test thoroughly before deployment
  • Access to file activity data (Activity Explorer) requires privacy considerations and data governance policies
  • Should maintain separation from IT infrastructure admin roles to prevent conflicts of interest
  • Content Explorer access creates privacy risks - document access controls and monitoring procedures
  • Consider using Privileged Identity Management (PIM) for time-limited, just-in-time activation
  • Endpoint DLP can block legitimate business activities - implement exception workflows
  • Activity Explorer reveals detailed user behavior - use responsibly per privacy laws (GDPR, CCPA)
  • Evidence file download from Endpoint DLP must follow chain of custody procedures for investigations
  • Assign sparingly - more sensitive than Compliance Administrator due to Content Explorer access
  • Monitor Content Explorer usage with audit logs and alert on unusual access patterns
  • Require MFA and conditional access policies for accounts with this role
