Microsoft Purview RBAC Roles
Browse all Microsoft Purview RBAC roles by category. Find least-privilege permissions for compliance, eDiscovery, DLP, insider risk, and information protection.
108 roles across 18 categories.
Global & Security Roles
Organization-wide admin and security roles that span all Purview features
-
Global Administrator
Full administrative access to all Microsoft 365 and Purview features. However, Global Admin does NOT automatically grant access to certain Purview role groups.
-
Global Reader
Read-only access across all Microsoft 365 and Purview features without the ability to make changes.
-
Security Administrator
Manage security features across Microsoft 365 including Purview compliance, Defender, identity protection, and security policies without full Global Admin access.
-
Security Reader
Read-only access to security features, reports, and alerts across Microsoft 365 including Purview compliance monitoring.
-
Compliance Administrator
Comprehensive Entra ID role with broad permissions across Microsoft Purview compliance features including DLP, retention, sensitivity labels, eDiscovery, and compliance management.
-
Compliance Data Administrator
Enhanced Entra ID role with all Compliance Administrator permissions PLUS device management, Content Explorer access, and advanced file activity tracking capabilities.
-
Quarantine Administrator
Members can access all quarantine actions in Microsoft Defender for Office 365 and Exchange Online Protection. Can release, delete, preview, and manage quarantined messages and files.
-
Purview Consumption Management
Manage and view Purview consumption billing reports. Provides access to consumption-based licensing reports and usage analytics for Microsoft Purview services.
-
Organization Management
Top-level Purview role group. Members can control permissions for accessing features in the Microsoft Purview, Defender, and compliance portals, and manage settings for device management, data loss…
-
Security Operator
Members can manage security alerts, and also view reports and settings of security features. SOC operator role — focused on alert triage and response without broader security administration…
-
Service Assurance User
Members can access the Service Assurance section in the Microsoft Purview portal. Service Assurance provides reports and documents that describe Microsoft's security practices for customer data…
-
AI Administrators
In addition to the capabilities of the AI Administrator role in Microsoft Entra, this group assigns read-only permissions for AI security insights in Microsoft Purview. Used for governing Microsoft…
-
Billing Administrator
Configure billing features in Microsoft Purview. Used for Purview consumption-based billing configuration (separate from broader Microsoft 365 billing administration).
-
MailFlow Administrator
Members can monitor and view mail flow insights and reports in the Microsoft Defender portal. Read-focused role for understanding mail flow patterns, queues, and delivery issues without permission to…
eDiscovery
Legal hold, content search, and case management for investigations
-
eDiscovery Manager
Create and manage eDiscovery (Standard and Premium) cases with custodian management, review sets, legal hold notifications, advanced indexing, analytics, and ML-powered predictive coding.
-
eDiscovery Administrator
All eDiscovery Manager permissions PLUS organization-wide access to all cases, global eDiscovery settings management, and hold report oversight across entire tenant.
-
Data Investigator
Perform searches and access review sets for investigation without case management capabilities.
-
Reviewer
Access review sets in eDiscovery cases to analyze collected data without search or export capabilities.
-
Custodian
Identify and manage custodians (data owners) for eDiscovery cases and track their data sources.
-
Hold
Place and manage legal holds on content to preserve it during investigations and litigation.
Audit
Activity logging and audit log search across Microsoft 365
-
Audit Manager
Search, manage, and configure audit log settings and retention policies for compliance monitoring.
-
Audit Reader
Search and export audit logs with read-only access, without ability to configure settings.
Records Management
Retention labels, file plans, and regulatory records management
-
Records Management
Configure retention labels for records, file plans, and disposition reviews for formal records management programs with regulatory-grade immutability.
-
Disposition Management
Review and approve content disposition at end of retention period to ensure proper record destruction with proof of disposal and audit trail.
-
View-Only Records Management
Read-only access to records management features for auditing, compliance reporting, and oversight without modification permissions.
Data Lifecycle Management
Retention policies and data lifecycle automation
-
Retention Management
Create and manage retention policies and labels across Microsoft 365 to ensure compliance with data retention requirements.
-
View-Only Retention Management
Read-only access to retention policies, labels, and analytics for auditing, compliance reporting, and oversight without modification permissions.
Communication Compliance
Policy-based monitoring of communications for regulatory compliance
-
Communication Compliance
Full access to configure policies, investigate alerts, remediate violations, and manage all aspects of communication monitoring.
-
Communication Compliance Admins
Configure policies and settings but cannot investigate alerts or view message content - separated administration.
-
Communication Compliance Analysts
Access and investigate alerts, view message metadata, but cannot view full message content - limited investigation access.
-
Communication Compliance Investigators
Investigate alerts, view full messages, and take remediation actions without policy configuration access.
-
Communication Compliance Viewers
View-only access to reports and analytics dashboards without alert or message access.
-
Supervisory Review
Members can create and manage the policies that define which communications are subject to review in an organization. Used for regulatory supervisory review requirements (e.g., FINRA, SEC) where…
Purview Agents (Preview)
AI-powered agents built on Security Copilot that automate alert triage and data security posture tasks. Includes DLP Triage Agent, IRM Triage Agent, and DSPM Posture Agent.
-
Purview Agent Management
Dedicated role group for deploying and enabling all Purview agents. Contains the "Purview Content Analyst" role required to activate the DLP Triage Agent, IRM Triage Agent, and DSPM Posture Agent.
-
Data Security DLP Triage Agent
Combined role requirements for setting up, configuring, and viewing results from the DLP Triage Agent. This agent automatically triages DLP alerts from Exchange, Teams, OneDrive, SharePoint, and…
-
Data Security IRM Triage Agent
Combined role requirements for setting up, configuring, and viewing results from the Insider Risk Management Triage Agent. This agent automatically triages IRM alerts, helping analysts focus on…
-
Data Security DSPM Posture Agent
Combined role requirements for deploying, running, and viewing results from the DSPM Posture Agent (Preview). This agent uses natural language processing to find sensitive data across Microsoft 365,…
Compliance Manager
Assess, monitor, and improve compliance posture with templates, assessments, and improvement actions
-
Compliance Manager Administrators
Manage template creation and modification in Microsoft Purview Compliance Manager. Can create assessments, implement improvement actions, and manage all Compliance Manager content.
-
Compliance Manager Assessors
Create assessments, implement improvement actions, and update test status for improvement actions in Microsoft Purview Compliance Manager.
-
Compliance Manager Contributors
Create assessments and perform work to implement improvement actions in Microsoft Purview Compliance Manager. Cannot manage templates or update test status.
-
Compliance Manager Readers
View all Microsoft Purview Compliance Manager content except for administrator functions. Read-only access to assessments, improvement actions, and compliance score.
Insider Risk Management
Detect and respond to insider threats and risky user activities
-
Insider Risk Management
Full access to all IRM features including policy creation, alert investigation, forensic evidence review, and Adaptive Protection.
-
Insider Risk Management Admins
Configure IRM policies, settings, integrations, and Adaptive Protection without access to investigate individual cases.
-
Insider Risk Management Analysts
Review and investigate alerts, access analytics and case data, configure notice templates without policy configuration or forensic evidence access.
-
Insider Risk Management Investigators
Full investigation access including forensic evidence, Content Explorer, and detailed user activity review without policy configuration.
-
Insider Risk Management Auditors
View and export audit logs for IRM activities to ensure proper program governance, compliance, and ethical oversight.
-
Insider Risk Management Approvers
Approve forensic evidence capturing requests to ensure legal and privacy compliance before evidence collection.
-
Insider Risk Management Session Approvers
Provides controlled approval and oversight of user session-based activities within Microsoft Purview Insider Risk Management, without granting access to investigations, alerts, cases, or sensitive…
-
IRM Contributors
System role group. Visible in the Purview portal but used by background services only — do not assign users directly. Provides permissions that allow Insider Risk Management automation to function…
Data Loss Prevention
DLP policies to prevent sensitive data from leaving the organization
-
DLP Compliance Management
Create, configure, and manage Data Loss Prevention policies to prevent unauthorized sharing of sensitive information across Microsoft 365 and endpoints.
-
Information Protection Admins
Create and edit DLP policies, sensitivity labels, and auto-labeling rules without investigation access.
-
Information Protection Analysts
Access DLP alerts, activity explorer, and investigate incidents without policy modification rights.
-
Information Protection Investigators
Access Content Explorer to view in-place rendering of DLP-matched files for deep investigation.
Information Protection
Sensitivity labels, encryption, and content classification
-
Information Protection
Full control over all information protection features including DLP, sensitivity labels, and classification.
-
Sensitivity Label Administrator
Create and manage sensitivity labels and their policies for document classification and protection.
-
Sensitivity Label Reader
View sensitivity labels and configurations with read-only access for auditing and compliance.
-
Information Protection Readers
View-only access to information protection reports and analytics dashboards.
-
Content Explorer List Viewer
View file metadata and classifications in list format without viewing actual file content.
-
Content Explorer Content Viewer
View actual contents of classified and labeled files for detailed classification verification.
-
Exact Data Match Upload Admins
Upload data for Exact Data Match (EDM) classifiers. EDM classifiers detect sensitive information by matching against an uploaded data set (e.g., customer database, employee records) rather than…
DSPM (Classic)
Classic Data Security Posture Management with dedicated role groups (Data Security Management, Data Security Viewer). Being superseded by DSPM (Preview).
-
Data Security Management
Comprehensive DSPM role with full access to insights, Security Copilot integration, and ability to manage DLP, Information Protection, and Insider Risk Management solutions.
-
Data Security Viewer
Read-only access to DSPM dashboard insights, analytics, and Security Copilot for viewing data security posture without policy modification or investigation.
-
Data Security AI Viewer
Read-only access to DSPM for AI to monitor AI app usage, view insights into Copilot interactions, and track AI-related data security risks without viewing prompts/responses.
-
Data Security AI Content Viewer
View AI interaction prompts and responses for investigation of data security incidents in Copilot, agents, and third-party AI apps.
DSPM (Preview)
Unified Data Security Posture Management (preview) combining classic DSPM and DSPM for AI. Uses different roles than the classic version - requires Compliance Administrator or Security Reader instead of dedicated DSPM role groups.
-
DSPM Full Access (Preview)
[Preview] Full administrative access to the unified Data Security Posture Management. Complete setup tasks, create one-click policies, manage data security objectives, create data risk assessments,…
-
DSPM Viewer (Preview)
[Preview] View-only access to the unified Data Security Posture Management dashboards, reports, objectives, and data risk assessments. Uses Security Reader role group — does NOT require classic Data…
-
AI Administrator (DSPM)
[Preview] Entra ID role providing view-only access to AI-related data in DSPM (Preview) including AI observability, AI activities, AI objectives, and AI-related risk patterns. New role introduced…
-
Data Security AI Admin (Preview)
[Preview] Edit DLP policies related to Copilot and view AI content in the unified DSPM (Preview). Cannot read prompts and responses of AI interactions. Role group: Data Security AI Admins.
Privacy Management (Priva)
Privacy risk management and subject rights request handling
-
Privacy Management Administrators
Full administrative access to Microsoft Priva features including Privacy Risk Management and Subject Rights Requests. Can configure policies, manage settings, and oversee all privacy management…
-
Privacy Management Analysts
Investigate privacy policy matches and view file metadata without accessing file content. Can take remediation actions and manage privacy risk cases. Ideal for privacy analysts who need to triage…
-
Privacy Management Investigators
Full investigative access to privacy policy matches including file content review. Can investigate privacy incidents, view associated file content, and take comprehensive remediation actions.…
-
Privacy Management Viewer
Read-only access to privacy analytics, reports, insights, and policy trends. Can view privacy risk dashboards and compliance metrics without investigative or administrative capabilities. Ideal for…
-
Subject Rights Request Administrators
Full administrative rights to create and manage subject rights requests (SRRs). Can handle GDPR, CCPA, and other privacy regulation requests including access, export, tagged list, and delete…
-
Subject Rights Request Approvers
Can approve subject rights requests to which they are added as an approver. Typically used for approving delete requests or other high-risk SRRs requiring secondary authorization. Provides approval…
-
Privacy Management Contributors
Manage contributor access for privacy management cases in Microsoft Priva. Can perform compliance searches, work with custodian data, export data, and manage review set tags. Cannot configure…
-
Privacy Management
Top-level role group for the Privacy Management (Priva) solution in Microsoft Purview. Manages access control for the entire Privacy Management portal experience — distinct from the more scoped…
Data Security Investigations
Investigate data security incidents with forensic evidence collection
-
Data Security Investigations Administrators
[Preview] Full administrative access to Data Security Investigations. Create and manage all investigations, configure settings, run searches, and coordinate data security incident response.
-
Data Security Investigations Investigators
[Preview] Conduct assigned data security investigations. Create searches, analyze results, manage investigation scope, and develop mitigation plans for assigned cases.
-
Data Security Investigations Reviewers
[Preview] Review and analyze assigned data security investigations. Manage investigation scope, run analysis activities, view data risk graphs, and contribute to mitigation plans without…
Tenant-Level Governance
Tenant-wide Purview administration and domain management
-
Purview Administrators
Tenant-level role group to create, edit, and delete domains and perform role assignments across the Microsoft Purview account.
-
Data Governance (role group)
Tenant-level role group that grants access to data governance roles and delegates permissions for Governance Domain Creators in Unified Catalog.
-
Data Source Administrators (role group)
Tenant-level role group to manage data sources and scans across Microsoft Purview Data Map, including registration, scanning, and integration runtime management.
-
Data Catalog Curators
Tenant-level role group to perform create, read, modify, and delete actions on catalog data objects and establish relationships between objects in the classic Data Catalog.
-
Data Estate Insights Readers
Tenant-level role group providing read-only access to all insights reports across platforms and providers in the classic Data Catalog.
-
Data Estate Insights Admins
Tenant-level role group providing admin access to all insights reports across platforms and providers in the classic Data Catalog.
Data Map Collections
Collection-level access and data source management
-
Domain Admin
Domain-level role to assign permissions within a domain and manage its resources, collections, and role assignments.
-
Collection Administrator
Manage collections, assign roles, and organize data sources and assets within collection hierarchy.
-
Data Curator
Manage assets, create classifications, build glossary terms, and curate data catalog metadata for improved discoverability and understanding.
-
Data Reader
Read-only access to data assets, classifications, glossary terms, and collections for data discovery and search.
-
Data Source Administrator
Manage data sources and scans within assigned collections, including registration, scanning, and credential management.
-
Insights Reader
Read-only access to Data Estate Insights reports and analytics for collections where the user is also assigned the Data Reader role.
-
Policy Author
Create, view, update, and delete data access policies through Microsoft Purview Data Policy feature for Azure data sources.
-
Workflow Administrator
Access the workflow authoring page in the Microsoft Purview governance portal and publish workflows on collections where the user has access permissions.
Unified Catalog Governance
Data product governance and catalog curation
-
Data Governance Administrator
Catalog-level role that delegates first level of access for Governance Domain Creators and other catalog permissions.
-
Governance Domain Creator
Create governance domains and delegate governance domain owner role (or remain owner by default).
-
Global Catalog Reader
Read published artifacts across all governance domains that don't have Local Catalog Reader restrictions.
-
Data Health Owner
Create, update, and read artifacts in Data Estate Health management area of Unified Catalog.
-
Data Health Reader
Read artifacts in Data Estate Health management area of Unified Catalog.
-
Governance Domain Owner
Delegate all governance domain permissions, configure data quality alerts, set schedules, and manage access policies.
-
Data Product Owner
Create, update, and read data products within governance domain. Build relationships with concepts across domains.
-
Data Steward
Create, update, and read artifacts and policies within governance domain. Read artifacts from other domains.
-
Governance Domain Reader
Read governance domain metadata for published domains they are added to.
-
Local Catalog Reader
Read published concepts only in assigned governance domain. Limits federated access for regulatory requirements.
-
Data Quality Steward
Manage data quality rules, scanning, insights, scheduling, monitoring, and alerts. Sub-role requiring Governance Domain Reader and Data Product Owner.
-
Data Quality Reader
Browse all data quality insights and rules. Sub-role requiring Governance Domain Reader and catalog reader role.
-
Data Profile Steward
Run data profiling jobs and access profiling insights. Sub-role requiring Governance Domain Reader and Data Product Owner.
-
Data Profile Reader
Browse data profile insights and drill down to column-level statistics. Sub-role requiring Governance Domain Reader and catalog reader.
-
Data Quality Metadata Reader
Browse data quality insights, rule definitions, and scores. Sub-role requiring Governance Domain Reader and catalog reader.