Microsoft Purview · Global & Security Roles

Organization Management

Top-level Purview role group. Members can control permissions for accessing features in the Microsoft Purview, Defender, and compliance portals, and manage settings for device management, data loss prevention, reports, and preservation. This is the most powerful Purview role group — effectively a "compliance global admin."

Scope: Tenant-wide administration across Microsoft Purview, Defender for Office 365, and Exchange compliance

Permissions

  • Audit Logs - Search administrator audit log and view results
  • Case Management - Create and manage eDiscovery cases
  • Compliance Administrator - Full compliance configuration
  • Compliance Search - Run searches on mailboxes and sites
  • Device Management - Manage device compliance and policies
  • DLP Compliance Management - Configure data loss prevention policies
  • Hold - Place mailboxes and sites on hold
  • Manage Alerts - Configure and respond to security alerts
  • Quarantine - Manage quarantined messages and files
  • Retention Management - Configure retention policies and labels
  • Role Management - Add or remove members from role groups (THE critical permission)
  • Security Administrator - Full security feature access
  • Sensitivity Label Administrator - Create and manage sensitivity labels
  • View-Only Audit Logs / Configuration / DLP / Recipients - Read-only views

Common use cases

  • Initial Purview tenant setup and role group configuration
  • Cross-solution compliance program management
  • Emergency access for critical compliance incidents
  • Delegating permissions to other administrators

Best practices

  • Limit to 2-5 people maximum
  • Use PIM for just-in-time activation
  • Use dedicated admin accounts (not daily-driver accounts)
  • Prefer Compliance Administrator for day-to-day compliance work
  • Review membership quarterly

Security considerations

  • Highest privilege Purview role — compromise affects entire compliance program
  • Includes Role Management permission — can self-elevate or grant others access
  • All activities should be monitored via audit logs
  • Never use for routine compliance tasks

Official Microsoft Learn documentation →

Open the interactive RBACMap →