Microsoft Purview · Tenant-Level Governance

Purview Administrators

Tenant-level role group to create, edit, and delete domains and perform role assignments across the Microsoft Purview account.

Scope: Tenant/organization-wide administrative access to the Microsoft Purview account and all domains

Permissions

  • Create, edit, and delete domains in Microsoft Purview Data Map
  • Perform role assignments at the tenant/organizational level
  • Manage Microsoft Purview account-level settings and configurations
  • Delegate access and permissions across the entire Purview instance
  • Configure tenant-wide data governance policies and standards
  • Manage integration with Azure services and other Microsoft 365 solutions
  • Oversee collection and domain hierarchy structure organization-wide

Common use cases

  • Initial Microsoft Purview account setup and configuration
  • Creating organizational domain structure for data governance
  • Assigning Collection Administrators and Domain Admins to business units
  • Managing tenant-wide governance policies and compliance standards
  • Coordinating data governance strategy across multiple departments
  • Emergency access when Collection Administrators are unavailable
  • Merging multiple Microsoft Purview accounts into a unified structure
  • Implementing organization-wide data cataloging and discovery strategy

Best practices

  • Limit Purview Administrators to 2-5 people maximum (similar to Global Admin)
  • Use for strategic account-level decisions, not day-to-day operations
  • Delegate Collection Administrator and Domain Admin roles to appropriate business units
  • Document all domain creation decisions with business justification
  • Coordinate with data stewards before making structural changes
  • Implement Privileged Identity Management (PIM) for just-in-time access
  • Create emergency access (break-glass) accounts for disaster recovery
  • Review Purview Administrator assignments quarterly
  • Establish approval workflow for new domain creation requests
  • Maintain clear documentation of domain purpose and ownership

Security considerations

  • Highest-privilege role for Microsoft Purview data governance
  • Can modify all domains, collections, and role assignments
  • Account deletion or misconfiguration can disrupt the entire data governance program
  • Should be combined with Azure RBAC Contributor/Owner roles for full management
  • Changes to domain structure affect all downstream collection permissions
  • Coordinate with Compliance Administrator for regulatory alignment
  • Administrators must understand the impact of domain and collection permission inheritance
  • Consider using Azure locks to prevent accidental Purview account deletion
