Microsoft Entra ID · Security & Compliance
Compliance Administrator
Can read and manage compliance configuration and reports across Microsoft Entra ID and Microsoft 365 including DLP, retention, sensitivity labels, and eDiscovery.
Scope: Full Microsoft 365 compliance administration across Purview and related services
Permissions
- Azure Information Protection management
- Manage Azure service health
- Create Azure support tickets
- Read entitlement management
- Compliance Manager administration
- Manage M365 service health
- Create M365 support tickets
- Read admin center properties
- Manage Microsoft Purview compliance features
- Configure DLP, retention, and sensitivity labels
- Manage eDiscovery and content search
- View compliance reports and dashboards
- Configure Information Protection policies
- Manage communication compliance
- Configure insider risk management
Common use cases
- Compliance program management
- DLP policy configuration and management
- Information Protection and sensitivity labels
- eDiscovery case management
- Retention and records management
- Communication compliance policies
- Insider risk management configuration
- Compliance Manager assessments
- Regulatory compliance reporting
- Data classification and labeling
Best practices
- Use Purview roles for granular delegation
- Coordinate with Security Administrator
- Document compliance policies and procedures
- Review DLP policy matches regularly
- Test policies in simulation mode first
- Implement change management for policy changes
- Use sensitivity labels consistently
- Review eDiscovery case access
- Monitor compliance score trends
- Coordinate with Legal on eDiscovery
- Use PIM for elevated access
Security considerations
- Can access sensitive content via eDiscovery
- Can configure policies affecting data handling
- Can view compliance investigation data
- eDiscovery access should be carefully controlled
- Audit all eDiscovery case creation
- Monitor for policy changes affecting data protection
- Consider separation from content reviewer roles
- Coordinate insider risk access carefully
Common questions
When should I assign the Compliance Administrator role?
Assign Compliance Administrator when you need to: Compliance program management; DLP policy configuration and management; Information Protection and sensitivity labels; eDiscovery case management; and Retention and records management. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Compliance Administrator role do?
The Compliance Administrator role grants permissions including: Azure Information Protection management; Manage Azure service health; Create Azure support tickets; Read entitlement management; Compliance Manager administration; and Manage M365 service health. See the Permissions section above for the full list.
What are the security risks of the Compliance Administrator role?
Key considerations when assigning Compliance Administrator: Can access sensitive content via eDiscovery; Can configure policies affecting data handling; Can view compliance investigation data; and eDiscovery access should be carefully controlled. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.