Microsoft Purview · Data Map Collections

Domain Admin

Domain-level role to assign permissions within a domain and manage its resources, collections, and role assignments.

Scope: Domain-level administrative access limited to assigned domain(s)

Permissions

  • Assign permissions within a specific domain
  • Manage domain resources including collections and data sources
  • Create and manage collections within the domain
  • Assign Collection Admins, Data Curators, Data Readers within domain
  • Register and manage data sources within domain scope
  • Configure domain-level access controls and permission inheritance
  • Manage domain metadata and organizational structure

Common use cases

  • Managing data governance for specific business unit or department domain
  • Delegating collection administration to regional or functional teams
  • Implementing domain-specific data classification and tagging standards
  • Coordinating data source registration for business unit data estate
  • Managing access control for division-specific data assets
  • Aligning data governance with organizational structure (Finance, HR, Sales domains)

Best practices

  • Assign to business unit leaders or data owners responsible for domain
  • Limit to 2-5 people per domain to maintain clear accountability
  • Delegate Collection Admin role within domain for operational tasks
  • Document domain purpose, scope, and ownership clearly
  • Regular review of collection structure within domain
  • Coordinate with other Domain Admins on cross-domain data sharing
  • Establish consistent naming conventions for collections within domain
  • Use permission inheritance judiciously - restrict when needed for security

Security considerations

  • Full administrative control within assigned domain(s)
  • Can modify all collections and role assignments in domain
  • Should coordinate with security team on sensitive data domains
  • Permission inheritance settings affect all subcollections
  • Changes to domain permissions can impact large numbers of users
  • Monitor for inappropriate role assignments or collection modifications

Common questions

When should I assign the Domain Admin role?

Assign Domain Admin when you need to: Managing data governance for specific business unit or department domain; Delegating collection administration to regional or functional teams; Implementing domain-specific data classification and tagging standards; Coordinating data source registration for business unit data estate; and Managing access control for division-specific data assets. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Domain Admin role do?

The Domain Admin role grants permissions including: Assign permissions within a specific domain; Manage domain resources including collections and data sources; Create and manage collections within the domain; Assign Collection Admins, Data Curators, Data Readers within domain; Register and manage data sources within domain scope; and Configure domain-level access controls and permission inheritance. See the Permissions section above for the full list.

What are the security risks of the Domain Admin role?

Key considerations when assigning Domain Admin: Full administrative control within assigned domain(s); Can modify all collections and role assignments in domain; Should coordinate with security team on sensitive data domains; and Permission inheritance settings affect all subcollections. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →