Microsoft Purview · DSPM (Preview)

DSPM Full Access (Preview)

[Preview] Full administrative access to unified Data Security Posture Management (DSPM). Complete setup tasks, create one-click policies, manage data security objectives, create data risk assessments, and configure AI observability. Requires the Compliance Administrator or Purview Compliance Administrator role group, NOT the classic Data Security Management role group.

Scope: Organization-wide full access to DSPM (Preview) features. Excludes: Security Copilot (needs Data Security Viewer), AI prompts/responses (needs Content Explorer Content Viewer), Insider Risk Management (IRM) policies (needs IRM role group), Audit activation (needs Exchange roles).

Permissions

  • Setup Tasks - Complete one-click get started steps for DSPM enablement
  • Posture Dashboard - View key posture metrics, data snapshot, and posture trends chart
  • Objectives - View and interact with all data security objectives and remediation plans
  • Objective Actions - Complete actions on data security objective cards (remediation, policy creation)
  • Recommendations - View all recommendations and complete actions on recommendation cards
  • One-Click Policies - Create DLP, sensitivity label, and Insider Risk policies from objectives
  • Data Risk Assessments - Create and view data risk assessments for oversharing prevention
  • AI Observability - View the Apps and agents page showing AI app usage, including Agent 365
  • Activity Explorer - View all events in Activity Explorer (AI activities and all activity types)
  • Reports - View all graphs, policies, and reports from the Reports page
  • Risk Patterns - View risk patterns and data security posture trends
  • Policy List - View all policies (DLP, Information Protection, IRM, Communication Compliance)
  • Remediation Actions - Identify and create automatic policies from remediation actions

Common use cases

  • Chief Information Security Officer (CISO) managing holistic data security posture
  • Data Protection Officer configuring unified data security objectives
  • Chief Compliance Officer orchestrating one-click policy deployment across DSPM
  • Security architect implementing proactive risk management workflows
  • Compliance manager creating data risk assessments before Copilot deployment
  • Security operations lead configuring AI observability and agent governance
  • Regulatory compliance manager tracking data security posture for GDPR, HIPAA, PCI-DSS
  • Information governance leader implementing data security objectives across the estate

Best practices

  • Complete all getting started setup tasks before configuring objectives
  • Allow processing time (24-72 hours) for initial analytics before creating policies
  • Use data security objectives to guide remediation - each objective has a tailored plan
  • Start with one-click policies for quick wins before configuring complex custom policies
  • Review data risk assessments for the top 100 SharePoint sites before Copilot deployment
  • Monitor AI observability page regularly to identify new AI apps and agents
  • Use Activity Explorer to investigate both AI-specific and general data security events
  • Coordinate with IRM team if data security objectives require insider risk policies
  • Review risk patterns and posture trends monthly for continuous improvement
  • Document policy decisions from objectives for audit trail and regulatory compliance
  • Use remediation actions to automate recurring policy creation workflows

Security considerations

  • Broad access to create and manage data security policies - monitor closely
  • One-click policies affect entire organization - review scope before creation
  • Data risk assessments reveal potential oversharing - handle results carefully
  • AI observability shows organizational AI adoption patterns - treat as sensitive business data
  • Activity Explorer shows user activity data (IRM events are excluded unless the IRM role is also held)
  • Cannot view Security Copilot insights without additional Data Security Viewer role
  • Cannot view AI prompts/responses without Content Explorer Content Viewer role
  • Consider using Privileged Identity Management (PIM) for just-in-time activation
  • Audit activation requires separate Exchange role group permissions
  • Policy creation from objectives can have organization-wide impact - test first
