Microsoft Purview · DSPM (Preview)
DSPM Full Access (Preview)
[Preview] Full administrative access to the unified Data Security Posture Management. Complete setup tasks, create one-click policies, manage data security objectives, create data risk assessments, and configure AI observability. Requires Compliance Administrator or Purview Compliance Administrator role group — NOT the classic Data Security Management role group.
Scope: Organization-wide full access to DSPM (Preview) features. Excludes: Security Copilot (needs Data Security Viewer), AI prompts/responses (needs Content Explorer Content Viewer), IRM policies (needs IRM role group), Audit activation (needs Exchange roles)
Permissions
- Setup Tasks - Complete one-click get started steps for DSPM enablement
- Posture Dashboard - View key posture metrics, data snapshot, and posture trends chart
- Objectives - View and interact with all data security objectives and remediation plans
- Objective Actions - Complete actions on data security objective cards (remediation, policy creation)
- Recommendations - View all recommendations and complete actions on recommendation cards
- One-Click Policies - Create DLP, sensitivity label, and Insider Risk policies from objectives
- Data Risk Assessments - Create and view data risk assessments for oversharing prevention
- AI Observability - View Apps and agents page showing AI app usage including Agent 365
- Activity Explorer - View all events in Activity Explorer (AI activities and all activity types)
- Reports - View all graphs, policies, and reports from the Reports page
- Risk Patterns - View risk patterns and data security posture trends
- Policy List - View all policies (DLP, Information Protection, IRM, Communication Compliance)
- Remediation Actions - Identify and create automatic policies from remediation actions
Common use cases
- Chief Information Security Officer (CISO) managing holistic data security posture
- Data Protection Officer configuring unified data security objectives
- Chief Compliance Officer orchestrating one-click policy deployment across DSPM
- Security architect implementing proactive risk management workflows
- Compliance manager creating data risk assessments before Copilot deployment
- Security operations lead configuring AI observability and agent governance
- Regulatory compliance manager tracking data security posture for GDPR, HIPAA, PCI-DSS
- Information governance leader implementing data security objectives across the estate
Best practices
- Complete all getting started setup tasks before configuring objectives
- Allow processing time (24-72 hours) for initial analytics before creating policies
- Use data security objectives to guide remediation - each objective has a tailored plan
- Start with one-click policies for quick wins before configuring complex custom policies
- Review data risk assessments for top 100 SharePoint sites before Copilot deployment
- Monitor AI observability page regularly to identify new AI apps and agents
- Use Activity Explorer to investigate both AI-specific and general data security events
- Coordinate with IRM team if data security objectives require insider risk policies
- Review risk patterns and posture trends monthly for continuous improvement
- Document policy decisions from objectives for audit trail and regulatory compliance
- Use remediation actions to automate recurring policy creation workflows
Security considerations
- Broad access to create and manage data security policies - monitor closely
- One-click policies affect entire organization - review scope before creation
- Data risk assessments reveal potential oversharing - handle results carefully
- AI observability shows organizational AI adoption patterns - sensitive business data
- Activity Explorer shows user activity data (excluding IRM events without IRM role)
- Cannot view Security Copilot insights without additional Data Security Viewer role
- Cannot view AI prompts/responses without Content Explorer Content Viewer role
- Consider using Privileged Identity Management (PIM) for just-in-time activation
- Audit activation requires separate Exchange role group permissions
- Policy creation from objectives can have organization-wide impact - test first
Common questions
When should I assign the DSPM Full Access (Preview) role?
Assign DSPM Full Access (Preview) when you need to: Chief Information Security Officer (CISO) managing holistic data security posture; Data Protection Officer configuring unified data security objectives; Chief Compliance Officer orchestrating one-click policy deployment across DSPM; Security architect implementing proactive risk management workflows; and Compliance manager creating data risk assessments before Copilot deployment. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the DSPM Full Access (Preview) role do?
The DSPM Full Access (Preview) role grants permissions including: Setup Tasks - Complete one-click get started steps for DSPM enablement; Posture Dashboard - View key posture metrics, data snapshot, and posture trends chart; Objectives - View and interact with all data security objectives and remediation plans; Objective Actions - Complete actions on data security objective cards (remediation, policy creation); Recommendations - View all recommendations and complete actions on recommendation cards; and One-Click Policies - Create DLP, sensitivity label, and Insider Risk policies from objectives. See the Permissions section above for the full list.
What are the security risks of the DSPM Full Access (Preview) role?
Key considerations when assigning DSPM Full Access (Preview): Broad access to create and manage data security policies - monitor closely; One-click policies affect entire organization - review scope before creation; Data risk assessments reveal potential oversharing - handle results carefully; and AI observability shows organizational AI adoption patterns - sensitive business data. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.