Microsoft Purview · Purview Agents (Preview)

Data Security DSPM Posture Agent

Combined role requirements for deploying, running, and viewing results from the DSPM Posture Agent (Preview). This agent uses natural language processing to find sensitive data across Microsoft 365, helping security teams understand their data landscape.

Scope: Sensitive data discovery and posture assessment across Microsoft 365 data estate

Permissions

  • Deploy Posture Agent - Requires Purview Content Analyst + Compliance Admin/Security Reader/Data Security Viewer + Data Classification Viewer + Security Copilot Contributor/Owner
  • Run Posture Queries - Execute natural language searches for sensitive data across Microsoft 365
  • View Results - Access Posture Agent findings including data locations and sensitivity classifications
  • Data Classification Content Viewer - View classified content identified by the agent
  • Data Classification List Viewer - Browse list of classified items

Common use cases

  • Discovering sensitive data locations across Microsoft 365 using natural language
  • Assessing data security posture before AI deployments (e.g., Copilot)
  • Identifying oversharing of sensitive content across SharePoint, OneDrive, Exchange
  • Supporting compliance audits with comprehensive data discovery
  • Proactively finding unprotected sensitive data for remediation

Best practices

  • Use for periodic data posture assessments rather than continuous monitoring
  • Review results with data owners before taking remediation actions
  • Coordinate with Information Protection team for label gap analysis
  • Document findings and create remediation plans from agent results
  • Monitor SCU consumption — complex queries increase costs
  • Use findings to prioritize sensitivity label deployment

Security considerations

  • Agent discovers sensitive data locations — results are themselves sensitive
  • Requires broad read access to classified content metadata
  • Results may reveal data exposure gaps that need immediate remediation
  • Requires role from FOUR different permission groups — complex access model
  • Security Copilot Contributor/Owner provides access to all SCU-based features
  • Limit access to security and compliance leads only

Official Microsoft Learn documentation →

Open the interactive RBACMap →