Microsoft Entra ID · M365 Workloads & Services

Purview Workload Content Reader

Allows long-running Microsoft Purview operations to read Microsoft 365 content. Microsoft manages this Entra role from mapped Purview role assignments; do not assign it directly in Entra.

Scope: Runtime read authorization for Purview operations against content in SharePoint, Teams, OneDrive, and Exchange

Permissions

  • Runtime content access - Allow Microsoft Purview operations to read Microsoft 365 content
  • Long-running operations - Authorize content reads after an operation is submitted from the Purview portal

Common use cases

  • Authorizing Compliance Search and Export operations
  • Authorizing Insider Risk Management analysis and investigation operations
  • Authorizing Privacy Management and Data Security Investigation review operations

Best practices

  • Assign the mapped role in Microsoft Purview instead of assigning this Entra role directly
  • Keep the Purview Role Assignment Migrator enterprise application enabled
  • Use PIM for Groups on Purview role groups when just-in-time access is required
  • Size activation windows to cover the full duration of long-running operations

Security considerations

  • Can authorize Purview operations to read sensitive content across Microsoft 365 workloads
  • Manual Entra assignments can be overwritten during the next Purview synchronization
  • Read-only at the workload content layer; Purview role groups separately control portal tasks

Common questions

When should I assign the Purview Workload Content Reader role?

Assign Purview Workload Content Reader when you need to: Authorizing Compliance Search and Export operations; Authorizing Insider Risk Management analysis and investigation operations; and Authorizing Privacy Management and Data Security Investigation review operations. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Purview Workload Content Reader role do?

The Purview Workload Content Reader role grants permissions including: Runtime content access - Allow Microsoft Purview operations to read Microsoft 365 content; and Long-running operations - Authorize content reads after an operation is submitted from the Purview portal. See the Permissions section above for the full list.

What are the security risks of the Purview Workload Content Reader role?

Key considerations when assigning Purview Workload Content Reader: Can authorize Purview operations to read sensitive content across Microsoft 365 workloads; Manual Entra assignments can be overwritten during the next Purview synchronization; and Read-only at the workload content layer; Purview role groups separately control portal tasks. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →