Microsoft Purview · Information Protection
Exact Data Match Upload Admins
Upload data for Exact Data Match (EDM) classifiers. EDM classifiers detect sensitive information by matching against an uploaded data set (e.g., customer database, employee records) rather than pattern matching alone.
Scope: EDM data set upload and refresh — does not include EDM schema design or DLP policy configuration
Permissions
- Exact Data Match Upload Admin - Upload sensitive data tables for EDM
- Refresh EDM data sets
- Configure EDM schema and rule packages
- Run EDM upload diagnostic tools
Common use cases
- Initial EDM data set upload (e.g., customer records, employee data)
- Scheduled refresh of EDM data sets (e.g., daily customer database sync)
- Operating the EDM upload agent on Windows machines
- Validating EDM uploads against expected row counts
Best practices
- Use a dedicated service account for scheduled uploads
- Verify row counts after each upload to detect data extraction issues
- Hash uploaded data — never upload raw sensitive data to the cloud
- Document upload schedule and data lineage
- Coordinate with Information Protection Admin on schema changes
Security considerations
- Uploaded data is hashed client-side before transmission — verify hashing is configured correctly
- Service account credentials should be stored in secure vault
- Upload agent runs on-premises — secure the host machine
- Audit upload activity for unexpected data set changes