Microsoft Purview · Tenant-Level Governance
Purview Administrators
Tenant-level role group to create, edit, and delete domains and perform role assignments across the Microsoft Purview account.
Scope: Tenant/organization-wide administrative access to Microsoft Purview account and all domains
Permissions
- Create, edit, and delete domains in Microsoft Purview Data Map
- Perform role assignments at the tenant/organizational level
- Manage Microsoft Purview account-level settings and configurations
- Delegate access and permissions across the entire Purview instance
- Configure tenant-wide data governance policies and standards
- Manage integration with Azure services and other Microsoft 365 solutions
- Oversee collection and domain hierarchy structure organization-wide
Common use cases
- Initial Microsoft Purview account setup and configuration
- Creating organizational domain structure for data governance
- Assigning Collection Administrators and Domain Admins to business units
- Managing tenant-wide governance policies and compliance standards
- Coordinating data governance strategy across multiple departments
- Emergency access when Collection Administrators are unavailable
- Merging multiple Microsoft Purview accounts into unified structure
- Implementing organization-wide data cataloging and discovery strategy
Best practices
- Limit Purview Administrators to 2-5 people maximum (similar to Global Admin)
- Use for strategic account-level decisions, not day-to-day operations
- Delegate Collection Administrator and Domain Admin roles to appropriate business units
- Document all domain creation decisions with business justification
- Coordinate with data stewards before making structural changes
- Implement Privileged Identity Management (PIM) for just-in-time access
- Create emergency access (break-glass) accounts for disaster recovery
- Regular quarterly review of Purview Administrator assignments
- Establish approval workflow for new domain creation requests
- Maintain clear documentation of domain purpose and ownership
Security considerations
- Highest-privilege role for Microsoft Purview data governance
- Can modify all domains, collections, and role assignments
- Account deletion or misconfiguration can disrupt entire data governance program
- Should be combined with Azure RBAC Contributor/Owner roles for full management
- Changes to domain structure affect all downstream collection permissions
- Coordinate with Compliance Administrator for regulatory alignment
- Must understand impact of domain and collection permission inheritance
- Consider using Azure locks to prevent accidental Purview account deletion
Common questions
When should I assign the Purview Administrators role?
Assign Purview Administrators when you need to: Initial Microsoft Purview account setup and configuration; Creating organizational domain structure for data governance; Assigning Collection Administrators and Domain Admins to business units; Managing tenant-wide governance policies and compliance standards; and Coordinating data governance strategy across multiple departments. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Purview Administrators role do?
The Purview Administrators role grants permissions including: Create, edit, and delete domains in Microsoft Purview Data Map; Perform role assignments at the tenant/organizational level; Manage Microsoft Purview account-level settings and configurations; Delegate access and permissions across the entire Purview instance; Configure tenant-wide data governance policies and standards; and Manage integration with Azure services and other Microsoft 365 solutions. See the Permissions section above for the full list.
What are the security risks of the Purview Administrators role?
Key considerations when assigning Purview Administrators: Highest-privilege role for Microsoft Purview data governance; Can modify all domains, collections, and role assignments; Account deletion or misconfiguration can disrupt entire data governance program; and Should be combined with Azure RBAC Contributor/Owner roles for full management. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.