Microsoft Purview · Purview Agents (Preview)

Purview Agent Management

Role group for enabling, setting up, and managing AI agents in Microsoft Purview. It contains the Purview Agent Deployment and Purview Content Analyst roles.

Scope: Agent deployment and enablement across all Purview agent types

Permissions

  • Purview Agent Deployment - Deploy Microsoft Purview agents
  • Purview Content Analyst - Enable Microsoft Purview agents

Common use cases

  • Initial deployment of Purview agents across the organization
  • Enabling new agent types as they become available
  • Setting up agent identity (with Role Management role from Purview Administrators)
  • Granting agent enablement without configuration or data access

Best practices

  • Limit to security operations leads or Purview administrators
  • Use agent identity (recommended by Microsoft) instead of user identity when possible
  • Assign separate operator roles for each agent type for least-privilege
  • Review agent deployment with security team before enabling
  • Document which agents are enabled and their configuration owners

Security considerations

  • Enables AI agents that process organizational data
  • Agent identity setup requires elevated Role Management permissions
  • Agents consume Security Copilot SCUs — monitor for cost impact
  • Does not grant data access — separate roles needed for configuration and viewing
  • All agents run on Microsoft Security Copilot infrastructure

Common questions

When should I assign the Purview Agent Management role?

Assign Purview Agent Management when you need to: Initial deployment of Purview agents across the organization; Enabling new agent types as they become available; Setting up agent identity (with Role Management role from Purview Administrators); and Granting agent enablement without configuration or data access. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Purview Agent Management role do?

The Purview Agent Management role grants permissions including: Purview Agent Deployment - Deploy Microsoft Purview agents; and Purview Content Analyst - Enable Microsoft Purview agents. See the Permissions section above for the full list.

What are the security risks of the Purview Agent Management role?

Key considerations when assigning Purview Agent Management: Enables AI agents that process organizational data; Agent identity setup requires elevated Role Management permissions; Agents consume Security Copilot SCUs — monitor for cost impact; and Does not grant data access — separate roles needed for configuration and viewing. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →