Microsoft Purview · Global & Security Roles
Global Administrator
Full Microsoft 365 administration. Global Administrators are automatically added to Purview Organization Management, but still lack certain investigation-level and case-specific role assignments.
Scope: Organization-wide access across all Microsoft 365 and Purview services
Permissions
- Full Access - Full administrative access to all Microsoft 365 services
- DLP Policies - Create and manage Microsoft Purview policies (DLP, retention, sensitivity labels)
- Security Settings - Configure compliance and security settings
- Role Assignment - Assign roles and permissions to other users
- Audit Logs - Access audit logs and compliance reports
Common use cases
- Initial Purview tenant setup and configuration
- Emergency access for critical compliance issues
- Cross-service compliance policy management
Best practices
- Limit to 2-5 people maximum
- Use PIM for just-in-time access
- Use dedicated admin accounts
- For daily Purview work, use Compliance Administrator instead
Security considerations
- Highest privilege role - compromise affects entire organization
- Never use for routine compliance tasks
- Monitor all Global Admin activities through audit logs
Common questions
When should I assign the Global Administrator role?
Assign Global Administrator when you need to: Initial Purview tenant setup and configuration; Emergency access for critical compliance issues; and Cross-service compliance policy management. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Global Administrator role do?
The Global Administrator role grants permissions including: Full Access - Full administrative access to all Microsoft 365 services; DLP Policies - Create and manage Microsoft Purview policies (DLP, retention, sensitivity labels); Security Settings - Configure compliance and security settings; Role Assignment - Assign roles and permissions to other users; and Audit Logs - Access audit logs and compliance reports. See the Permissions section above for the full list.
What are the security risks of the Global Administrator role?
Key considerations when assigning Global Administrator: Highest privilege role - compromise affects entire organization; Never use for routine compliance tasks; and Monitor all Global Admin activities through audit logs. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.