Microsoft Purview · DSPM (Classic)

Data Security Management

Comprehensive DSPM role with full access to insights, Security Copilot integration, and ability to manage DLP, Information Protection, and Insider Risk Management solutions.

Scope: Organization-wide comprehensive data security posture management with full control over DLP, Information Protection, and Insider Risk Management

Permissions

  • View all Data Security Posture Management (DSPM) insights and analytics dashboards
  • Use Microsoft Security Copilot for Security in DSPM for AI-powered investigations
  • Access DSPM recommendations to create DLP and Insider Risk Management policies
  • Monitor unprotected sensitive data across Exchange, SharePoint, OneDrive, Teams
  • Track data security posture trends and analytics reports over time
  • Investigate data security risks using Copilot promptbooks and custom prompts
  • Create and manage DLP policies from DSPM recommendations
  • Create and manage Insider Risk Management policies from DSPM recommendations
  • Create Adaptive Protection policies to dynamically apply DLP based on user risk
  • Manage Information Protection labels and auto-labeling policies
  • Access Content Explorer to view classified and labeled file content
  • Review sensitivity label usage, DLP policy coverage, and risky user behavior trends
  • Configure analytics in Insider Risk Management and DLP for DSPM scanning
  • Full Information Protection Admin permissions (DLP, sensitivity labels, classifiers)
  • Full Information Protection Analyst permissions (alerts, Activity Explorer)
  • Full Information Protection Investigator permissions (Content Explorer)
  • Full Insider Risk Management Admin permissions (policies, Adaptive Protection)
  • Full Insider Risk Management Analysis permissions (alerts, cases, analytics)
  • Full Insider Risk Management Approval permissions (forensic evidence approval)
  • Full Insider Risk Management Audit permissions (audit log access)
  • Full Insider Risk Management Investigation permissions (Content Explorer, forensic evidence)
  • Includes all roles: Case Management, Custodian, Data Connector Admin, and more

Common use cases

  • Chief Information Security Officer (CISO) with comprehensive data security oversight
  • Data Protection Officer (DPO) managing holistic data protection compliance program
  • Chief Compliance Officer orchestrating integrated data security strategy
  • Security Operations Center (SOC) lead coordinating data loss prevention and insider threat
  • Enterprise security architect implementing end-to-end data protection framework
  • Senior security analyst with Security Copilot access for AI-powered threat investigation
  • Regulatory compliance manager overseeing GDPR, HIPAA, PCI-DSS, SOX compliance
  • Insider threat program director managing behavioral analytics and Adaptive Protection
  • Information governance leader coordinating classification, DLP, and retention
  • Security consultant implementing comprehensive Microsoft Purview data security solutions

Best practices

  • Enable analytics in Insider Risk Management and DLP before configuring DSPM (auto-enabled on opt-in)
  • Allow 24-72 hours for initial DSPM analytics processing and scanning after opt-in
  • Use Security Copilot promptbooks for guided investigation of top data security risks
  • Review DSPM recommendations daily and create policies to close data security gaps
  • Implement Adaptive Protection to dynamically apply DLP based on insider risk levels
  • Coordinate DSPM insights with existing DLP, Information Protection, and Insider Risk policies
  • Use DSPM trends and reports to track data security posture improvement over time
  • Leverage AI-powered recommendations to prioritize high-impact policy creation
  • Start with quick-win recommendations for immediate risk reduction (prevent printing sensitive files)
  • Use DSPM to identify gaps in existing policy coverage without manual policy review
  • Configure Security Copilot custom prompts to investigate specific organizational data risks
  • Regular review of unprotected sensitive assets reports to identify new risk areas
  • Monitor sensitivity label usage trends to measure classification program effectiveness
  • Track risky user behavior patterns to identify training needs or process improvements
  • Use DSPM analytics to demonstrate compliance program effectiveness to leadership and auditors
  • Coordinate with business units before creating restrictive DLP policies from recommendations
  • Document DSPM-driven policy decisions for audit trail and regulatory compliance evidence
  • Test policies in simulation mode before enforcement when creating from DSPM recommendations

Security considerations

  • Extremely broad access - combines DLP, Information Protection, and Insider Risk Management permissions
  • Can view highly sensitive employee communications and file content via Content Explorer
  • Must comply with privacy laws and employment regulations (GDPR, CCPA, local privacy laws)
  • All activities logged in unified audit log - subject to oversight and regulatory review
  • Security Copilot access requires appropriate safeguards and responsible AI usage
  • DSPM analytics processes data across multiple Purview solutions - consider privacy impact
  • Consider using Privileged Identity Management (PIM) for just-in-time activation
  • Should maintain separation from IT infrastructure admin roles for segregation of duties
  • Content Explorer access extremely sensitive - can view executive and privileged documents
  • Forensic evidence approval permissions enable intrusive device monitoring
  • Policy creation from recommendations can impact entire organization - test thoroughly
  • Adaptive Protection configuration affects dynamic DLP enforcement based on user risk
  • DSPM scanning may reveal business-sensitive data patterns and organizational vulnerabilities
  • Limit role assignment to 2-5 senior security/compliance leaders maximum
  • Require MFA, conditional access, and compliant device for all access
  • Monitor Security Copilot usage to ensure appropriate and ethical AI-powered investigations
  • Administrative units restrictions can prevent DSPM access - verify permissions
  • Coordinate with legal counsel on employee monitoring and investigation practices

Common questions

When should I assign the Data Security Management role?

Assign Data Security Management when you need to: Chief Information Security Officer (CISO) with comprehensive data security oversight; Data Protection Officer (DPO) managing holistic data protection compliance program; Chief Compliance Officer orchestrating integrated data security strategy; Security Operations Center (SOC) lead coordinating data loss prevention and insider threat; and Enterprise security architect implementing end-to-end data protection framework. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Data Security Management role do?

The Data Security Management role grants permissions including: View all Data Security Posture Management (DSPM) insights and analytics dashboards; Use Microsoft Security Copilot for Security in DSPM for AI-powered investigations; Access DSPM recommendations to create DLP and Insider Risk Management policies; Monitor unprotected sensitive data across Exchange, SharePoint, OneDrive, Teams; Track data security posture trends and analytics reports over time; and Investigate data security risks using Copilot promptbooks and custom prompts. See the Permissions section above for the full list.

What are the security risks of the Data Security Management role?

Key considerations when assigning Data Security Management: Extremely broad access - combines DLP, Information Protection, and Insider Risk Management permissions; Can view highly sensitive employee communications and file content via Content Explorer; Must comply with privacy laws and employment regulations (GDPR, CCPA, local privacy laws); and All activities logged in unified audit log - subject to oversight and regulatory review. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →