Microsoft Purview · Data Security Investigations
Data Security Investigations Investigators
[Preview] Conduct assigned data security investigations. Create searches, analyze results, manage investigation scope, and develop mitigation plans for assigned cases.
Scope: Access limited to assigned Data Security Investigations only
Permissions
- Create and manage assigned investigations only (not all investigations)
- Create searches and add items to assigned investigations
- Estimate and preview search results for assigned investigations
- Manage investigation scope for assigned cases
- Add, delete, and manage items for mitigation plans
- Run categorization activities on investigated data
- Run examination activities for detailed data analysis
- Run vector searches for AI-powered investigation
- View and interact with data risk graphs
- Export investigation results and evidence for assigned cases
- Access case management capabilities for assigned investigations
- Use compliance search within assigned investigation scope
- Preview file content and communications in search results
- Collaborate with administrators and reviewers on investigations
Common use cases
- Security analyst investigating assigned data security incidents
- Incident response specialist conducting detailed forensic analysis
- Compliance analyst investigating potential data breach or exfiltration
- Data protection analyst examining unauthorized access events
- SOC analyst responding to data security alerts and creating investigations
- Security operations engineer performing root cause analysis
- Threat intelligence analyst investigating data-related threats
- Privacy analyst investigating privacy incident reports
- Regional security coordinator managing investigations for business unit
- Information security specialist conducting targeted data investigations
Best practices
- Focus on assigned investigations - coordinate with Administrators for access
- Use targeted searches to minimize scope and performance impact
- Document all investigation steps and findings thoroughly
- Leverage data risk graphs to uncover related users and data
- Use categorization activities to organize large result sets efficiently
- Run vector searches to identify similar patterns or threats
- Develop detailed mitigation plans with actionable remediation steps
- Coordinate with Administrators before expanding investigation scope
- Export and preserve evidence for long-term retention
- Use examination activities to drill into specific high-risk items
- Collaborate with Reviewers to get additional analysis perspectives
- Regular status updates to Administrators on investigation progress
- Close investigations promptly once resolved to maintain clean case list
Security considerations
- Can view sensitive data within assigned investigations
- Search and preview permissions allow access to file content and communications
- All activities logged in Microsoft 365 unified audit log
- Limited to assigned investigations - cannot create organization-wide investigations
- Must coordinate with legal/HR when investigating employee activities
- Preview access may expose confidential or privileged information
- Requires secure handling of exported investigation evidence
- Maintain confidentiality of investigation details and findings
- Use compliant devices and MFA for accessing investigation data
Common questions
When should I assign the Data Security Investigations Investigators role?
Assign Data Security Investigations Investigators when you need to: Security analyst investigating assigned data security incidents; Incident response specialist conducting detailed forensic analysis; Compliance analyst investigating potential data breach or exfiltration; Data protection analyst examining unauthorized access events; and SOC analyst responding to data security alerts and creating investigations. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Data Security Investigations Investigators role do?
The Data Security Investigations Investigators role grants permissions including: Create and manage assigned investigations only (not all investigations); Create searches and add items to assigned investigations; Estimate and preview search results for assigned investigations; Manage investigation scope for assigned cases; Add, delete, and manage items for mitigation plans; and Run categorization activities on investigated data. See the Permissions section above for the full list.
What are the security risks of the Data Security Investigations Investigators role?
Key considerations when assigning Data Security Investigations Investigators: Can view sensitive data within assigned investigations; Search and preview permissions allow access to file content and communications; All activities logged in Microsoft 365 unified audit log; and Limited to assigned investigations - cannot create organization-wide investigations. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.