Microsoft Purview · Purview Agents (Preview)
Data Security DSPM Posture Agent
Role group intended exclusively for the non-interactive Data Security Posture Agent identity to search and classify data within the scope selected by posture management administrators.
Scope: Sensitive data discovery and posture assessment across Microsoft 365 data estate
Permissions
- Purview Content Analyst - Enable and run Purview content analysis
- Purview Copilot Workspace Contributor - Access the Purview Copilot workspace
Common use cases
- Discovering sensitive data locations across Microsoft 365 using natural language
- Assessing data security posture before AI deployments (e.g., Copilot)
- Identifying oversharing of sensitive content across SharePoint, OneDrive, Exchange
- Supporting compliance audits with comprehensive data discovery
- Proactively finding unprotected sensitive data for remediation
Best practices
- Use the recommended agent identity instead of a human user identity
- Do not add human analysts to this role group
- Review results with data owners before taking remediation actions
- Coordinate with Information Protection team for label gap analysis
- Document findings and create remediation plans from agent results
- Monitor SCU consumption — complex queries increase costs
- Use findings to prioritize sensitivity label deployment
Security considerations
- Agent discovers sensitive data locations — results are themselves sensitive
- Requires broad read access to classified content metadata
- Results may reveal data exposure gaps that need immediate remediation
- Limit access to security and compliance leads only
Common questions
When should I assign the Data Security DSPM Posture Agent role?
Assign Data Security DSPM Posture Agent when you need to: Discovering sensitive data locations across Microsoft 365 using natural language; Assessing data security posture before AI deployments (e.g., Copilot); Identifying oversharing of sensitive content across SharePoint, OneDrive, Exchange; Supporting compliance audits with comprehensive data discovery; and Proactively finding unprotected sensitive data for remediation. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Data Security DSPM Posture Agent role do?
The Data Security DSPM Posture Agent role grants permissions including: Purview Content Analyst - Enable and run Purview content analysis; and Purview Copilot Workspace Contributor - Access the Purview Copilot workspace. See the Permissions section above for the full list.
What are the security risks of the Data Security DSPM Posture Agent role?
Key considerations when assigning Data Security DSPM Posture Agent: Agent discovers sensitive data locations — results are themselves sensitive; Requires broad read access to classified content metadata; Results may reveal data exposure gaps that need immediate remediation; and Limit access to security and compliance leads only. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.