Microsoft Purview · Data Security Investigations
Data Security Investigations Administrators
[Preview] Full administrative access to Data Security Investigations. Create and manage all investigations, configure settings, run searches, and coordinate data security incident response.
Scope: Organization-wide access to create, manage, and configure all Data Security Investigations
Permissions
- Create and manage all investigations (organization-wide)
- Create searches and add items to investigations
- Estimate and preview search results across data sources
- Manage investigation scope and parameters
- Add, delete, and manage items for mitigation plans
- Run categorization activities on investigated data
- Run examination activities for detailed data analysis
- Run vector searches for AI-powered investigation
- View and interact with data risk graphs
- Configure Data Security Investigations settings and workflows
- Assign investigations to other investigators and reviewers
- Export investigation results and evidence
- Access case management capabilities
- Use compliance search across Exchange, SharePoint, OneDrive, Teams
- Preview file content and communications in search results
Common use cases
- Chief Information Security Officer (CISO) overseeing data security incident investigations
- Security Operations Center (SOC) manager coordinating investigation workflows
- Data security team lead managing multiple concurrent investigations
- Incident response coordinator triaging and assigning data security incidents
- Senior security analyst conducting complex multi-source data investigations
- Compliance officer investigating potential data breaches or exfiltration
- Privacy officer investigating unauthorized data access incidents
- Forensic analyst conducting detailed examination of data security events
- Security architect designing investigation processes and mitigation strategies
- Data protection officer coordinating response to regulatory inquiries
Best practices
- Limit Data Security Investigations Administrators to 3-7 senior security leaders
- Always maintain at least 2 active administrators for redundancy
- Assign investigations to Investigators rather than handling all directly
- Use investigation scope management to focus on relevant data sources
- Document investigation rationale and business justification clearly
- Coordinate with legal counsel before launching sensitive investigations
- Use data risk graphs to identify relationships between users, data, and activities
- Configure mitigation plans with clear action items and owners
- Regular review of active investigations and close completed cases promptly
- Leverage vector searches for AI-powered threat detection and analysis
- Export investigation results for long-term retention and audit trails
- Integrate with Microsoft Sentinel for advanced correlation and alerting
- Use categorization activities to organize large investigation datasets
- Schedule regular team reviews of investigation processes and outcomes
- Establish clear escalation criteria for high-severity data security incidents
Security considerations
- Extremely broad access - can search and view data across entire organization
- Can access sensitive communications and files during investigations
- All investigation activities logged in Microsoft 365 unified audit log
- Must comply with employment laws and privacy regulations when investigating users
- Consider Privileged Identity Management (PIM) for just-in-time activation
- Coordinate with legal and HR before investigating employee data
- Search results may include legally privileged attorney-client communications
- Data risk graphs may reveal sensitive organizational relationships
- Investigation scope can affect system performance - use targeted searches
- Export capabilities require secure storage and handling procedures
- Preview permissions allow viewing file content - extremely sensitive
- Global Admins MUST be explicitly added to this role group to access features
- Monitor role group membership changes through audit logs
- Require MFA and compliant device access for all administrators
Common questions
When should I assign the Data Security Investigations Administrators role?
Assign Data Security Investigations Administrators when you need to: Chief Information Security Officer (CISO) overseeing data security incident investigations; Security Operations Center (SOC) manager coordinating investigation workflows; Data security team lead managing multiple concurrent investigations; Incident response coordinator triaging and assigning data security incidents; and Senior security analyst conducting complex multi-source data investigations. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Data Security Investigations Administrators role do?
The Data Security Investigations Administrators role grants permissions including: Create and manage all investigations (organization-wide); Create searches and add items to investigations; Estimate and preview search results across data sources; Manage investigation scope and parameters; Add, delete, and manage items for mitigation plans; and Run categorization activities on investigated data. See the Permissions section above for the full list.
What are the security risks of the Data Security Investigations Administrators role?
Key considerations when assigning Data Security Investigations Administrators: Extremely broad access - can search and view data across entire organization; Can access sensitive communications and files during investigations; All investigation activities logged in Microsoft 365 unified audit log; and Must comply with employment laws and privacy regulations when investigating users. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.