Microsoft Purview · Purview Agents (Preview)
Data Security DLP Triage Agent
Role group intended exclusively for the non-interactive DLP Triage Agent identity to triage and remediate data loss prevention alerts.
Scope: DLP alert triage automation across Exchange, Teams, OneDrive, SharePoint, and Devices
Permissions
- Data Classification Content Download - Download classified content for analysis
- Data Classification Content Viewer - View classified content
- Information Protection Analyst - Access and manage DLP alerts and Activity Explorer
- Purview Content Analyst - Enable Purview agents
- Purview Copilot Workspace Contributor - Access the Purview Copilot workspace
Common use cases
- Automating initial DLP alert triage to reduce analyst workload
- Prioritizing high-severity DLP incidents for immediate investigation
- Reducing false positive fatigue for DLP alert reviewers
- Accelerating DLP incident response times
- Providing consistent alert categorization across DLP workloads
Best practices
- Use the recommended agent identity instead of a human user identity
- Do not add human analysts to this role group
- Start with a subset of DLP policies before expanding scope
- Review triage accuracy regularly and adjust agent configuration
- Ensure analysts still review "Needs attention" alerts promptly
- Monitor SCU consumption as alert volume impacts costs
- Coordinate with Information Protection team for triage rule customization
Security considerations
- Agent accesses DLP alert content including potentially sensitive data
- Data Classification Content Download grants access to classified content
- Triage categorizations should be verified by human analysts before action
- Agent processes data across Exchange, Teams, OneDrive, SharePoint, and Devices
- Monitor agent activity through audit logs
Common questions
When should I assign the Data Security DLP Triage Agent role?
Assign Data Security DLP Triage Agent when you need to: Automating initial DLP alert triage to reduce analyst workload; Prioritizing high-severity DLP incidents for immediate investigation; Reducing false positive fatigue for DLP alert reviewers; Accelerating DLP incident response times; and Providing consistent alert categorization across DLP workloads. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Data Security DLP Triage Agent role do?
The Data Security DLP Triage Agent role grants permissions including: Data Classification Content Download - Download classified content for analysis; Data Classification Content Viewer - View classified content; Information Protection Analyst - Access and manage DLP alerts and Activity Explorer; Purview Content Analyst - Enable Purview agents; and Purview Copilot Workspace Contributor - Access the Purview Copilot workspace. See the Permissions section above for the full list.
What are the security risks of the Data Security DLP Triage Agent role?
Key considerations when assigning Data Security DLP Triage Agent: Agent accesses DLP alert content including potentially sensitive data; Data Classification Content Download grants access to classified content; Triage categorizations should be verified by human analysts before action; and Agent processes data across Exchange, Teams, OneDrive, SharePoint, and Devices. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.