Microsoft Purview · Data Loss Prevention

Information Protection Analysts

Access DLP alerts, activity explorer, and investigate incidents without policy modification rights.

Scope: Alert investigation and activity monitoring without policy changes or file content access

Permissions

  • View and triage DLP alerts (Exchange, SharePoint, OneDrive, Teams, Copilot, Devices)
  • Access Activity Explorer to track file labeling and DLP policy match activities
  • Investigate DLP policy matches and aggregate alerts
  • Review user activities and data movement patterns
  • Generate investigation reports and export alert data
  • Classify and dismiss false positive alerts with justification
  • Access DLP reports and analytics dashboards
  • View sensitivity label application events and trends
  • Track Endpoint DLP device events and user justifications
  • Monitor Copilot location policy violations and AI access attempts
  • View policy match details without modifying policies
  • Access alert data scoped by administrative units

Common use cases

  • Security analysts monitoring data loss prevention events
  • Compliance team investigating potential policy violations
  • Data protection officers reviewing data movement patterns and trends
  • Incident response team triaging DLP alerts and escalating serious violations
  • SOC analysts tracking sensitive data exfiltration attempts
  • Risk management teams analyzing aggregate alert patterns
  • Endpoint DLP monitors reviewing device policy violations
  • AI governance teams tracking Copilot location policy enforcement

Best practices

  • Develop comprehensive alert triage playbooks for consistency and efficiency
  • Track false positive rates by policy and provide feedback to Admins for tuning
  • Use Activity Explorer to understand normal data usage patterns versus anomalies
  • Document investigation findings and recommendations for policy improvements
  • Escalate serious violations to the security team and legal counsel promptly
  • Hold regular coordination meetings with Information Protection Admins on policy effectiveness
  • Monitor aggregate alert trends to identify systemic issues or training needs
  • Create dashboards and reports to communicate protection effectiveness to leadership
  • Use administrative units to focus on region-specific or business-unit-specific alerts
  • Track user override patterns to identify potential policy abuse or training gaps
  • Investigate Endpoint DLP device events in context of user role and business need
  • Balance security enforcement with business productivity when triaging alerts

Security considerations

  • Can see file activity patterns, user behaviors, and sensitive data movement flows
  • Cannot view actual file content; the Information Protection Investigators role is required for that
  • Alert dismissal should be documented with clear justification for audit trail
  • Activity Explorer data may reveal business-sensitive patterns and workflows
  • Aggregate alerts may obscure individual violations requiring deeper investigation
  • False positive dismissals can create gaps if not reviewed by Admins
  • User override justifications should be reviewed for policy circumvention attempts
  • Endpoint DLP device events may contain sensitive user activity information
  • Copilot location policy violations may indicate business process friction
  • Administrative units scope visibility, but analysts still need cross-organizational awareness
