Microsoft Purview · Information Protection
Exact Data Match Upload Admins
Upload data for Exact Data Match (EDM) classifiers. EDM classifiers detect sensitive information by matching against an uploaded data set (e.g., customer database, employee records) rather than pattern matching alone.
Scope: EDM data set upload and refresh — does not include EDM schema design or DLP policy configuration
Permissions
- Exact Data Match Upload Admin - Upload sensitive data tables for EDM
- Refresh EDM data sets
- Configure EDM schema and rule packages
- Run EDM upload diagnostic tools
Common use cases
- Initial EDM data set upload (e.g., customer records, employee data)
- Scheduled refresh of EDM data sets (e.g., daily customer database sync)
- Operating the EDM upload agent on Windows machines
- Validating EDM uploads against expected row counts
Best practices
- Use a dedicated service account for scheduled uploads
- Verify row counts after each upload to detect data extraction issues
- Hash uploaded data — never upload raw sensitive data to the cloud
- Document upload schedule and data lineage
- Coordinate with Information Protection Admin on schema changes
Security considerations
- Uploaded data is hashed client-side before transmission — verify hashing is configured correctly
- Service account credentials should be stored in secure vault
- Upload agent runs on-premises — secure the host machine
- Audit upload activity for unexpected data set changes
Common questions
When should I assign the Exact Data Match Upload Admins role?
Assign Exact Data Match Upload Admins when you need to: Initial EDM data set upload (e.g., customer records, employee data); Scheduled refresh of EDM data sets (e.g., daily customer database sync); Operating the EDM upload agent on Windows machines; and Validating EDM uploads against expected row counts. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Exact Data Match Upload Admins role do?
The Exact Data Match Upload Admins role grants permissions including: Exact Data Match Upload Admin - Upload sensitive data tables for EDM; Refresh EDM data sets; Configure EDM schema and rule packages; and Run EDM upload diagnostic tools. See the Permissions section above for the full list.
What are the security risks of the Exact Data Match Upload Admins role?
Key considerations when assigning Exact Data Match Upload Admins: Uploaded data is hashed client-side before transmission — verify hashing is configured correctly; Service account credentials should be stored in secure vault; Upload agent runs on-premises — secure the host machine; and Audit upload activity for unexpected data set changes. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.