Microsoft Purview · Data Security Investigations

Data Security Investigations Administrators

[Preview] Full administrative access to Data Security Investigations. Create and manage all investigations, configure settings, run searches, and coordinate data security incident response.

Scope: Organization-wide access to create, manage, and configure all Data Security Investigations

Permissions

  • Create and manage all investigations (organization-wide)
  • Create searches and add items to investigations
  • Estimate and preview search results across data sources
  • Manage investigation scope and parameters
  • Add, delete, and manage items for mitigation plans
  • Run categorization activities on investigated data
  • Run examination activities for detailed data analysis
  • Run vector searches for AI-powered investigation
  • View and interact with data risk graphs
  • Configure Data Security Investigations settings and workflows
  • Assign investigations to other investigators and reviewers
  • Export investigation results and evidence
  • Access case management capabilities
  • Use compliance search across Exchange, SharePoint, OneDrive, and Teams
  • Preview file content and communications in search results

Common use cases

  • Chief Information Security Officer (CISO) overseeing data security incident investigations
  • Security Operations Center (SOC) manager coordinating investigation workflows
  • Data security team lead managing multiple concurrent investigations
  • Incident response coordinator triaging and assigning data security incidents
  • Senior security analyst conducting complex multi-source data investigations
  • Compliance officer investigating potential data breaches or exfiltration
  • Privacy officer investigating unauthorized data access incidents
  • Forensic analyst conducting detailed examination of data security events
  • Security architect designing investigation processes and mitigation strategies
  • Data protection officer coordinating response to regulatory inquiries

Best practices

  • Limit Data Security Investigations Administrators to 3-7 senior security leaders
  • Always maintain at least 2 active administrators for redundancy
  • Assign investigations to Investigators rather than handling all directly
  • Use investigation scope management to focus on relevant data sources
  • Document investigation rationale and business justification clearly
  • Coordinate with legal counsel before launching sensitive investigations
  • Use data risk graphs to identify relationships between users, data, and activities
  • Configure mitigation plans with clear action items and owners
  • Review active investigations regularly and close completed cases promptly
  • Leverage vector searches for AI-powered threat detection and analysis
  • Export investigation results for long-term retention and audit trails
  • Integrate with Microsoft Sentinel for advanced correlation and alerting
  • Use categorization activities to organize large investigation datasets
  • Schedule regular team reviews of investigation processes and outcomes
  • Establish clear escalation criteria for high-severity data security incidents

Security considerations

  • Extremely broad access: can search and view data across the entire organization
  • Can access sensitive communications and files during investigations
  • All investigation activities are logged in the Microsoft 365 unified audit log
  • Must comply with employment laws and privacy regulations when investigating users
  • Consider Privileged Identity Management (PIM) for just-in-time activation
  • Coordinate with legal and HR before investigating employee data
  • Search results may include legally privileged attorney-client communications
  • Data risk graphs may reveal sensitive organizational relationships
  • Investigation scope can affect system performance; use targeted searches
  • Export capabilities require secure storage and handling procedures
  • Preview permissions allow viewing file content, which is extremely sensitive
  • Global Admins MUST be explicitly added to this role group to access features
  • Monitor role group membership changes through audit logs
  • Require MFA and compliant device access for all administrators
