Microsoft Purview · Data Loss Prevention

Information Protection Admins

Create and edit DLP policies, sensitivity labels, and auto-labeling rules without investigation access.

Scope: Policy and label administration without Content Explorer investigation access

Permissions

  • Create and configure DLP policies (Exchange, SharePoint, OneDrive, Teams, Copilot, Devices)
  • Design and deploy sensitivity labels with encryption, marking, and protection settings
  • Configure auto-labeling policies with conditions and machine learning classifiers
  • Manage sensitive information types (built-in and custom)
  • Configure trainable classifiers and exact data match (EDM) schemas
  • Configure label policy settings and scoped policies (users, groups, admin units)
  • Manage Microsoft Purview Information Protection scanner configuration
  • Configure DLP policy tips, user notifications, and incident reports
  • Access configuration reports and Activity Explorer (view-only on events)
  • Configure Endpoint DLP settings and device onboarding
  • Manage Copilot location policies to control AI access to sensitive files
  • Create DLP policies for Microsoft Fabric and Power BI

Common use cases

  • Information protection specialists configuring policies and labels
  • Data governance team implementing classification taxonomy
  • Compliance engineers deploying protection controls across workloads
  • Separation between policy creation and alert investigation for governance
  • DLP administrators managing protection without viewing file content
  • Multinational teams using administrative units for regional policy scoping
  • Endpoint DLP specialists onboarding devices and configuring device policies
  • AI governance teams managing Copilot location restrictions for sensitive data

Best practices

  • Define comprehensive classification taxonomy before creating labels and policies
  • Start with built-in sensitive info types before creating custom types
  • Test auto-labeling policies with simulation mode before enforcement
  • Coordinate DLP policies and sensitivity labels for consistent protection
  • Document label descriptions and visual markings clearly for end users
  • Tune policies regularly based on feedback from Information Protection Analysts
  • Use trainable classifiers with sufficient training documents (300+ per category)
  • Configure policy tips and user notifications to educate rather than just block
  • Deploy on-premises scanner with service account that has minimal required permissions
  • Monitor Copilot location policy impact on AI productivity and adjust as needed
  • Test Endpoint DLP policies on pilot devices before broad deployment
  • Use administrative units to scope policies for different regions or business units

Security considerations

  • Cannot view classified content in Content Explorer, which maintains the privacy separation between administration and investigation
  • Policy and label changes affect organization-wide or scoped protection
  • Should coordinate with Information Protection Investigators on policy scope
  • Label encryption configuration can lock users out of files if misconfigured
  • Auto-labeling with encryption is difficult to reverse once applied
  • Endpoint DLP policies may impact device performance and user workflows
  • Copilot location policies affect AI productivity, so balance security with usability
  • DLP policy user overrides should be monitored by Analysts for abuse
  • On-premises scanner service account requires secure credential management
  • Administrative units restrict policy visibility but not permission scope
