Microsoft Entra ID · Security & Compliance

Compliance Administrator

Can read and manage compliance configuration and reports across Microsoft Entra ID and Microsoft 365 including DLP, retention, sensitivity labels, and eDiscovery.

Scope: Full Microsoft 365 compliance administration across Purview and related services

Permissions

  • Azure Information Protection management
  • Manage Azure service health
  • Create Azure support tickets
  • Read entitlement management
  • Compliance Manager administration
  • Manage M365 service health
  • Create M365 support tickets
  • Read admin center properties
  • Manage Microsoft Purview compliance features
  • Configure DLP, retention, and sensitivity labels
  • Manage eDiscovery and content search
  • View compliance reports and dashboards
  • Configure Information Protection policies
  • Manage communication compliance
  • Configure insider risk management

Common use cases

  • Compliance program management
  • DLP policy configuration and management
  • Information Protection and sensitivity labels
  • eDiscovery case management
  • Retention and records management
  • Communication compliance policies
  • Insider risk management configuration
  • Compliance Manager assessments
  • Regulatory compliance reporting
  • Data classification and labeling

Best practices

  • Use Purview roles for granular delegation
  • Coordinate with Security Administrator
  • Document compliance policies and procedures
  • Review DLP policy matches regularly
  • Test policies in simulation mode first
  • Implement change management for policy changes
  • Use sensitivity labels consistently
  • Review eDiscovery case access
  • Monitor compliance score trends
  • Coordinate with Legal on eDiscovery
  • Use PIM for elevated access

Security considerations

  • Can access sensitive content via eDiscovery
  • Can configure policies affecting data handling
  • Can view compliance investigation data
  • eDiscovery access should be carefully controlled
  • Audit all eDiscovery case creation
  • Monitor for policy changes affecting data protection
  • Consider separation from content reviewer roles
  • Coordinate insider risk access carefully

Common questions

When should I assign the Compliance Administrator role?

Assign Compliance Administrator when you need to: Compliance program management; DLP policy configuration and management; Information Protection and sensitivity labels; eDiscovery case management; and Retention and records management. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Compliance Administrator role do?

The Compliance Administrator role grants permissions including: Azure Information Protection management; Manage Azure service health; Create Azure support tickets; Read entitlement management; Compliance Manager administration; and Manage M365 service health. See the Permissions section above for the full list.

What are the security risks of the Compliance Administrator role?

Key considerations when assigning Compliance Administrator: Can access sensitive content via eDiscovery; Can configure policies affecting data handling; Can view compliance investigation data; and eDiscovery access should be carefully controlled. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →