Compliance Data Administrator
Enhanced Entra ID role with all Compliance Administrator permissions PLUS device management, Content Explorer access, and advanced file activity tracking capabilities.
Scope: Organization-wide Entra ID role with comprehensive compliance access including device management and sensitive content viewing
Permissions
- Compliance Admin - All Compliance Administrator permissions (DLP, retention, sensitivity labels, eDiscovery, Compliance Manager)
- Device Compliance - Manage device compliance policies for mobile devices and endpoints
- Activity Explorer - Track and protect files using Activity Explorer with full file path and user details
- Content Explorer - Access Content Explorer to view actual sensitive content and file details in-place
- Device Onboarding - Configure device onboarding for Endpoint DLP across Windows, macOS, iOS, Android
- Device DLP - Manage device-based DLP policies for USB, Bluetooth, removable media, network shares
- File Activity - View file activity across all workloads: Exchange, SharePoint, OneDrive, Teams, Endpoint, Power BI
- Evidence Download - Download evidence files from Endpoint DLP alerts and activity explorer
- Classification Analytics - Access data classification analytics and sensitive information type distribution reports
- DLP Simulation - Manage DLP policy test mode and simulation mode for auto-labeling
- OCR Configuration - Configure advanced DLP rules for optical character recognition (OCR) in images
- File Metadata - View detailed file metadata: sensitivity labels, retention labels, DLP matches, sharing permissions
- Classifier Feedback - Access trainable classifier feedback explorer and review user feedback on ML classifications
- Device Groups - Manage device groups and device-specific DLP policy exceptions
- Endpoint DLP Settings - Configure advanced Endpoint DLP settings: browser monitoring, file path exclusions, unallowed apps
Common use cases
- Managing bring-your-own-device (BYOD) compliance programs with device-level DLP enforcement
- Implementing Endpoint DLP across corporate laptops, mobile devices, and remote worker endpoints
- Tracking sensitive file activities and movement across cloud and on-premises locations
- Comprehensive data protection investigations requiring Content Explorer access to actual files
- Organizations with hybrid environments requiring both cloud and endpoint protection
- Investigating data exfiltration incidents with Activity Explorer file path tracking
- Validating DLP policy effectiveness by viewing actual Content Explorer matches
- Managing device compliance for regulated industries (healthcare, finance, government)
- Configuring advanced Endpoint DLP for removable media, network shares, and printer protection
- Responding to data breach incidents requiring deep dive into file access and sharing patterns
Best practices
- Coordinate with Intune and Microsoft Defender for Endpoint teams on device compliance policies
- Test device DLP policies with pilot groups before broad deployment to avoid productivity disruption
- Monitor Activity Explorer regularly for anomalous file movements or data exfiltration patterns
- Use Content Explorer to verify classification effectiveness and validate DLP policy matches
- Implement gradual rollout of Endpoint DLP policies (monitor → warn → block progression)
- Document justification for Content Explorer access due to sensitive content viewing permissions
- Review Activity Explorer daily during high-risk periods (layoffs, mergers, executive departures)
- Use device groups to create phased Endpoint DLP rollouts and targeted policy exceptions
- Configure file path exclusions for Endpoint DLP to avoid false positives on system files
- Enable browser monitoring for Endpoint DLP to protect data in Chrome, Edge, Firefox
- Limit Content Explorer access to specific investigations - do not browse casually
- Maintain audit trail of Content Explorer usage for privacy compliance and oversight
Security considerations
- Can view highly sensitive content through Content Explorer - assign ONLY to trusted personnel
- Device DLP policies can impact user productivity if misconfigured - test thoroughly before deployment
- Access to file activity data (Activity Explorer) requires privacy considerations and data governance policies
- Should maintain separation from IT infrastructure admin roles to prevent conflicts of interest
- Content Explorer access creates privacy risks - document access controls and monitoring procedures
- Consider using Privileged Identity Management (PIM) for time-limited, just-in-time activation
- Endpoint DLP can block legitimate business activities - implement exception workflows
- Activity Explorer reveals detailed user behavior - use responsibly per privacy laws (GDPR, CCPA)
- Evidence file download from Endpoint DLP must follow chain of custody procedures for investigations
- Assign sparingly - more sensitive than Compliance Administrator due to Content Explorer access
- Monitor Content Explorer usage with audit logs and alert on unusual access patterns
- Require MFA and conditional access policies for accounts with this role
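As an added example for the PIM, "assign sparingly" and monitoring points above (this script is not part of the original page and is not Microsoft's code), the following PowerShell reviews who currently holds the Compliance Data Administrator role and separates permanent assignments from PIM-eligible and currently activated ones. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.DirectoryObjects modules) and an account permitted to read directory role management; cmdlet names and property names are taken from those modules, and the role display name is the one used on this page.

```powershell
# Added example: review Compliance Data Administrator holders (permanent vs. PIM).
# Assumes Microsoft.Graph PowerShell SDK modules are installed and the signed-in
# account can read role management data.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" | Out-Null

$roleName = "Compliance Data Administrator"
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role definition '$roleName' not found in this tenant" }

# Turn a principal object id into a readable label (UPN for users, display name otherwise).
function Resolve-PrincipalLabel {
    param([string]$PrincipalId)
    $obj = Get-MgDirectoryObjectById -Ids $PrincipalId -ErrorAction SilentlyContinue
    if (-not $obj) { return $PrincipalId }
    $props = $obj.AdditionalProperties
    $type  = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
    $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    return "$name ($type)"
}

# Active schedules: AssignmentType is "Assigned" (permanent) or "Activated" (JIT via PIM).
$active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'"

# Eligible schedules: principals who can activate the role through PIM but do not hold it now.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$($roleDef.Id)'"

$report = foreach ($a in $active) {
    [pscustomobject]@{
        Principal      = Resolve-PrincipalLabel $a.PrincipalId
        AssignmentType = $a.AssignmentType
        Scope          = $a.DirectoryScopeId      # "/" means tenant-wide
        ExpiresOn      = $a.ScheduleInfo.Expiration.EndDateTime
    }
}
$report | Sort-Object AssignmentType, Principal | Format-Table -AutoSize

$permanent = @($report | Where-Object { $_.AssignmentType -eq 'Assigned' })
"Eligible (PIM) principals : $(@($eligible).Count)"
"Activated right now       : $(@($report | Where-Object AssignmentType -eq 'Activated').Count)"
"Permanent assignments     : $($permanent.Count)"

# Permanent holders of this role can reach Content Explorer at any time; flag them for review.
if ($permanent.Count -gt 0) {
    Write-Warning "Permanent '$roleName' assignments exist; consider converting them to PIM-eligible."
}
```

Run it on a schedule and keep the output with the access-justification records mentioned under best practices; a rising count of permanent assignments, or an activation outside an approved investigation, is the kind of unusual access pattern the security considerations ask you to alert on.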