
Introduction
Microsoft Purview is a comprehensive data governance and compliance solution that helps organisations manage sensitive data across various platforms. As the data stored within Microsoft Purview is highly sensitive, it’s important that only authorised individuals have access to it. Simply having the Compliance Admin, or even the Global Admin role may not be sufficient for accessing highly confidential data. To ensure that only the right people can access certain data, Role-Based Access Control (RBAC) is used within Microsoft Purview, which provides more granular control over who can access specific solutions and data.
In this guide, we’ll explore the essential permissions required to access different Microsoft Purview solutions and explain the necessary Entra ID roles and RBAC roles associated with each one.
***A PDF file is also available for download at the bottom of this article; it details all 64 current built-in role groups and the specific roles for Microsoft Purview solutions.***
Overall Microsoft Purview permissions
Microsoft Purview uses Role-Based Access Control (RBAC) to assign different roles to users based on their responsibilities. These roles define the actions users can perform within the platform, ensuring that sensitive data is protected by limiting access to only those who need it. The key to a secure Microsoft Purview environment is understanding and configuring the right permissions. While Compliance Admin permissions provide access to various compliance-related features, specialised access for each product requires additional roles.
Because you cannot view Purview policies without entering edit mode (even if you make no changes), reader roles such as Global Reader (which Microsoft Purview does not support) will not give you enough permissions to see how policies are configured.
Microsoft recommends that you use roles with the fewest permissions. Minimising the number of users with the Global Administrator role and following the principle of least privilege helps improve security for your organisation.
RBAC Roles vs Role Groups
In the RBAC model within Microsoft Purview, roles and role groups serve different but related purposes in managing permissions.
1. Roles
A role in Microsoft Purview defines a specific set of permissions that allow users to perform actions within the platform.
Each role is tied to a predefined set of capabilities, such as reading metadata, managing classifications, or administering policies.
Examples of roles:
Audit Logs (that is included in the 'Audit Manager' role group)
View-Only Audit Logs (same as above)
2. Role Groups
A role group is a collection of one or more roles, making it easier to assign multiple permissions to users in a structured way.
Instead of assigning multiple individual roles separately to a user, administrators can assign a role group that includes multiple roles, simplifying permission management.
Microsoft Purview provides built-in role groups, such as:
Audit Manager (that consists of 2x roles: 'Audit Logs' and 'View-Only Audit Logs')
Purview Administrators (that consists of 3x roles: 'Admin Unit Extension Manager', 'Purview Domain Manager', 'Role Management')
Key Differences
| Feature | Roles | Role Groups |
|---|---|---|
| Definition | Defines a set of permissions | A collection of multiple roles |
| Granularity | Specific permissions for a function | Groups multiple roles for easier assignment |
| Assignment | Assigned to users or service principals directly | Assigned to users to bundle multiple roles together |
| Purpose | Controls access at a detailed level | Simplifies role management by grouping related roles |
In the example below, the 'Organization Management' is a role group that consists of individual roles, such as 'Admin Unit Extension Manager' or 'Communication Compliance Case Management'.

At the time of writing, there are 64 built-in role groups for Microsoft Purview solutions.
You can also set up custom role groups that would fit your specific needs.
How to assign Purview RBAC roles?
Permissions
To view the Roles and Scopes settings in the Purview Admin Centre, users must either be a Global Administrator or be assigned the Role Management role (which is only assigned to the Organization Management role group). The Role Management role enables users to view, create, and modify role groups.
Guide
To assign Purview RBAC roles, such as Communication Compliance or Content Explorer List Viewer, follow the steps below:
Navigate over to the Purview admin centre (purview.microsoft.com).
Go to Settings in the left-hand pane.
Expand the "Roles and scopes" section and then select "Role groups".
Find the appropriate role you wish to assign to a user.
Either select the appropriate role by clicking into the checkbox beside a role's name or click into the role's name to edit the permissions.
Click on "Edit".
Go to "Choose users".
Select the correct users.
Click "Next" and then "Save".
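The same assignment done from Security & Compliance PowerShell (the ExchangeOnlineManagement module), as an added example that is not part of the original guide; the admin and user principal names are placeholders, and the duplicate-member check assumes members expose a PrimarySmtpAddress property as they do in Exchange Online. It also shows the two checks worth running around an assignment: which individual roles the role group actually bundles, and who is a member afterwards.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module; these cmdlets are the Security & Compliance PowerShell equivalents of the
# portal steps above. Replace the placeholder values with your own.
Import-Module ExchangeOnlineManagement

# Connect to Security & Compliance PowerShell, which exposes the Purview role groups.
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder

$roleGroup = "Audit Reader"               # built-in role group named in this article
$user      = "analyst@contoso.example"    # placeholder user to be granted the group

# Check 1: list the individual roles the role group bundles before handing it out.
# For "Audit Reader" the article says this is only "View-Only Audit Logs".
$rg = Get-RoleGroup -Identity $roleGroup
"Role group '{0}' grants roles: {1}" -f $rg.Name, ($rg.Roles -join ", ")

# Assign the user, but only if they are not already a member (re-running is harmless).
# Assumption: member objects carry PrimarySmtpAddress, as in Exchange Online.
$current = Get-RoleGroupMember -Identity $roleGroup
if ($current.PrimarySmtpAddress -notcontains $user) {
    Add-RoleGroupMember -Identity $roleGroup -Member $user
    "Added $user to '$roleGroup'."
} else {
    "$user is already a member of '$roleGroup'; nothing changed."
}

# Check 2: record the resulting membership (what an access review would capture).
Get-RoleGroupMember -Identity $roleGroup | Select-Object Name, PrimarySmtpAddress
```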
Product/solution-specific permissions
Below, I will outline the permissions required for each Microsoft Purview product.
Audit
The Audit feature in Microsoft Purview allows administrators to track user and system activity within Microsoft 365 services.
Necessary roles & permissions:
Entra ID Role: Global Administrator, Compliance Administrator.
Purview RBAC Roles:
Audit Manager: can search, export logs, and manage audit settings (including enabling/disabling logging). Grants both View-Only Audit Logs and Audit Logs roles.
Audit Reader: can search and export logs but can’t enable/disable logging. Grants only the View-Only Audit Logs role.
For Audit Search Graph API access, extra permissions in Microsoft Graph must be set up.
Communication Compliance
Communication Compliance helps track and review internal communications to ensure they comply with organisational policies.
Necessary roles & permissions:
To set up initial permissions for managing communication compliance features, six role groups are used. To access Communication Compliance in Microsoft Purview, you must be assigned to one of these roles or role groups:
Microsoft Entra ID Global Administrator
Microsoft Entra ID Compliance Administrator
Purview RBAC Organization Management (role group)
Purview RBAC Compliance Administrator (role group)
Purview RBAC Communication Compliance (role group)
Purview RBAC Communication Compliance Admins (role group)
Next, you need to assign users to role groups based on how you want to manage communication compliance policies and alerts. You can either:
Assign users to specific role groups based on their compliance responsibilities.
Add all admins, analysts, investigators, and viewers to the Communication Compliance role group.
Use a single role group or multiple groups to fit your needs. Choose from the following role groups:

Compliance Manager
Compliance Manager helps organisations manage their compliance obligations by offering tools to track, assess, and improve compliance processes.
Necessary roles & permissions:
Compliance Manager uses role-based access control (RBAC), meaning only assigned users can access it, with actions limited by role type.
The table below outlines role permissions and how Microsoft Entra roles map to Compliance Manager roles.
A user can hold only one role at a time - any role change overrides the previous one.

Data Lifecycle Management
Data Lifecycle Management ensures that data is retained according to policies and automatically deleted when it is no longer needed.
Necessary roles & permissions:
Mailbox management permissions
Managing archiving, inactive mailboxes, and imports usually requires Exchange permissions, like the Mail Recipients role. By default, this role is included in the Recipient Management and Organization Management role groups. For specific permissions per task, refer to the relevant admin documentation.
Retention policies & labels permissions
To create and manage retention policies and labels, compliance team members need access to the Microsoft Purview portal or compliance portal. The recommended approach is to add users to the Compliance Administrator role group.
Alternatively, you can:
Create a custom role group and assign the Retention Management role.
Use View-Only Retention Management for read-only access.
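The read-only alternative just described, built as a custom role group from Security & Compliance PowerShell; this is an added example, not the article's own material, and the role group name, description and member address are hypothetical placeholders. The script creates the group only once and then verifies that it grants exactly the one view-only role, so nobody silently ends up with the full Retention Management role.

```powershell
# Added example (not from the original article). Creates a custom role group that
# carries only "View-Only Retention Management", so reviewers can inspect retention
# policies and labels without being able to change them.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder

$name    = "Retention Reviewers"              # hypothetical custom role group name
$role    = "View-Only Retention Management"   # read-only role named in the article
$members = @("reviewer@contoso.example")      # placeholder member(s)

# Confirm the role exists under exactly that name before building a group around it.
if (-not (Get-ManagementRole -Identity $role -ErrorAction SilentlyContinue)) {
    throw "Role '$role' not found; check the name under Roles and scopes."
}

# Create the group only if it does not already exist, so re-running is safe.
if (-not (Get-RoleGroup -Identity $name -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $name -Roles $role -Members $members `
        -Description "Read-only access to retention policies and labels"
    "Created role group '$name'."
}

# Least-privilege check: the group must grant one role, and that role must be the
# view-only one, not "Retention Management", which allows changes.
$rg      = Get-RoleGroup -Identity $name
$granted = @($rg.Roles | ForEach-Object { "$_" })
$ok      = ($granted.Count -eq 1) -and ($granted[0] -like "*$role*")
if (-not $ok) {
    throw "Role group '$name' grants unexpected roles: $($granted -join ', ')"
}
"Role group '$name' grants only '$role'; members: $((Get-RoleGroupMember -Identity $name).Name -join ', ')"
```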
Data Loss Prevention (DLP)
Data Loss Prevention policies help prevent the accidental sharing or leakage of sensitive data.
Necessary roles & permissions:
Policy deployment permissions
To create and deploy policies, your account must be part of one of these role groups:
Compliance Administrator
Compliance Data Administrator
Information Protection
Information Protection Admin
Security Administrator
Granular roles & role groups
For more precise access control, use these roles and role groups:
DLP Compliance Management
Information Protection
Information Protection Admin
Information Protection Analyst
Information Protection Investigator
Information Protection Reader
Reference: https://learn.microsoft.com/en-us/purview/dlp-create-deploy-policy?tabs=purview#permissions
Data Security Posture Management (DSPM)
Data Security Posture Management (DSPM) assesses your organisation's security posture and helps mitigate data risks.
Necessary roles & permissions:
You need to be assigned one of the following roles or role groups:
Data Security Management (role group)
Data Security Viewer – Grants access to all insights if the DSPM dashboard is enabled; required for Security Copilot in DSPM.
Insider Risk Management Admins
Microsoft Entra ID Global Administrator
Microsoft Entra Compliance Administrator
DSPM for AI
DSPM for AI enables organisations to securely monitor and manage AI interactions, helping to avoid data loss and comply with regulatory requirements for AI tools like Microsoft 365 Copilot.
Necessary roles & permissions:
Roles and role groups with full access (view, create, edit):
Microsoft Entra ID Compliance Administrator
Microsoft Entra ID Global Administrator
Microsoft Purview Compliance Administrator (role group)
Roles and role groups with view-only access:
Microsoft Purview Security Reader (role group)
For detailed permissions for specific activities in DSPM for AI (for example, the ability to read users' Copilot prompts and responses), refer to the table below:

eDiscovery
eDiscovery is used for searching and managing data related to legal investigations or compliance audits.
Necessary roles & permissions:
To access Content Search, eDiscovery Standard, or eDiscovery Premium, a user must be part of the eDiscovery Manager role group in the Purview portal.
The main eDiscovery-related role group in the compliance portal is eDiscovery Manager, which includes two subgroups:
eDiscovery Manager: Members can use eDiscovery search tools to search content locations, preview and export search results, and manage cases in Microsoft Purview eDiscovery (Standard) and eDiscovery (Premium). They can also add/remove case members, create case holds, run searches, and access case data. However, eDiscovery Managers can only manage the cases they create and cannot access those created by other eDiscovery Managers.
eDiscovery Administrator: Members can perform all the tasks of an eDiscovery Manager but with additional permissions. They can:
Access all cases in eDiscovery (Standard) and eDiscovery (Premium).
Access case data in eDiscovery (Premium) for any case in the organisation.
Manage any eDiscovery case after adding themselves as a member.
Remove members from cases (only eDiscovery Administrators can do this). eDiscovery Managers cannot remove members from cases, even if they created them.
RBAC roles related to eDiscovery
The following table lists the role-based access control (RBAC) roles in the compliance portal, including the built-in role groups they are assigned to by default.

Reference:
Information Barriers
Information Barriers restrict communication and collaboration between certain user groups to avoid conflicts of interest and protect sensitive data.
Necessary roles & permissions:
To manage IB policies, you must have one of the following roles assigned:
Entra ID Global Administrator
Entra ID Compliance Administrator
RBAC IB Compliance Management
Information Protection
Microsoft Information Protection (MIP) helps to classify, label, and protect data across your organisation. MIP includes tools such as Content Explorer, Data Explorer, and Activity Explorer to review and manage sensitive content.
Necessary roles & permissions:
Permissions for creating and managing sensitivity labels
Role groups for managing sensitivity labels:
Information Protection
Information Protection Admins
Information Protection Analysts
Information Protection Investigators
Information Protection Readers
Other options:
Create a custom role group with the Sensitivity Label Administrator role.
For read-only access, use Sensitivity Label Reader.
Add users to Compliance Data Administrator, Compliance Administrator, or Security Administrator.
Reference on labels: https://learn.microsoft.com/en-us/purview/get-started-with-sensitivity-labels#permissions-required-to-create-and-manage-sensitivity-labels
Permissions for data classification access
To access the data classification page, an account must be assigned one of the following roles or role groups.
Entra ID roles
Global Administrator
Compliance Administrator
Security Administrator
Compliance Data Administrator
RBAC roles for fine-tuned access control
Roles:
Information Protection Admin
Information Protection Analyst
Information Protection Investigator
Information Protection Reader
Role Groups:
Information Protection
Information Protection Admins
Information Protection Analysts
Information Protection Investigators
Information Protection Readers
Permissions for specific policies
Additionally, if you need to use any data classifiers within specific retention label policies, sensitivity label policies, or communication compliance policies, you will need the additional permissions shown in the table below.
| Scenario | Required Role Permissions |
|---|---|
| Retention label policy | Record Management, Retention Management |
| Sensitivity label policy | Security Administrator, Compliance Administrator, Compliance Data Administrator |
| Communication compliance policy | Insider Risk Management Administrator, Supervisory Review Administrator |
Reference for data classification:
Permissions for Microsoft Purview explorers
1. Activity Explorer Permissions
To use Activity Explorer, users must be assigned one of the following roles or role groups:
Microsoft Purview roles
Information Protection Admin
Information Protection Analyst
Information Protection Investigator
Information Protection Reader
Microsoft Purview role groups
Information Protection
Information Protection Admins
Information Protection Analysts
Information Protection Investigators
Information Protection Readers
Microsoft 365 Roles and groups
Compliance Admin
Security Admin
Compliance Data Admin
Security Reader
Reference for activity explorer: https://learn.microsoft.com/en-us/purview/data-classification-activity-explorer#permissions
2. Content Explorer Permissions
To access Content Explorer, users must be assigned one of the following Microsoft Entra ID roles:
Global Administrator
Compliance Administrator
Security Administrator
Compliance Data Administrator
🔹 Note: These roles grant access to the tab but do not allow viewing the list of items or their contents.
Permissions for viewing items in Content Explorer
Access to scanned file contents is restricted and requires one of the following permissions:
Least privileged:
Content Explorer List Viewer – Allows viewing item names and locations in a list view.
Content Explorer Content Viewer – Allows viewing item contents and item names that may contain sensitive data.
Other roles and role groups:
Roles: Information Protection Admin, Information Protection Analyst, Information Protection Investigator, Information Protection Reader
Role Groups: Information Protection, Information Protection Admins, Information Protection Analysts, Information Protection Investigators, Information Protection Readers
Reference for content explorer: https://learn.microsoft.com/en-us/purview/data-classification-content-explorer#permissions
3. Data Explorer Permissions
To access Data Explorer, users must be assigned one of the following Microsoft Entra ID roles:
Global Administrator
Compliance Administrator
Security Administrator
Compliance Data Administrator
🔹 Note: These roles allow access to the tab but not the list of items or their contents.
Permissions for viewing items in Data Explorer
Access to scanned file contents requires one of the following permissions:
Least privileged:
Data Explorer List Viewer – Allows viewing item names and locations in a list view.
Data Explorer Content Viewer – Allows viewing item contents and item names that may contain sensitive data.
Other roles and role groups:
Roles: Information Protection Admin, Information Protection Analyst, Information Protection Investigator, Information Protection Reader
Role Groups: Information Protection, Information Protection Admins, Information Protection Analysts, Information Protection Investigators, Information Protection Readers
Reference for data explorer: https://learn.microsoft.com/en-us/purview/data-classification-data-explorer#permissions
Insider Risk Management
Insider Risk Management helps detect and respond to internal risks, including data theft, inappropriate access, or sharing of sensitive data.
Necessary roles & permissions:
Role groups for Insider Risk Management
Insider risk management features in Microsoft Purview are configured using six role groups. To enable Insider Risk Management as a menu option and proceed with configuration, you must be assigned one of the following roles or role groups:
Microsoft Entra ID Roles:
Global Administrator
Compliance Administrator
Microsoft Purview Role Groups:
Organization Management
Compliance Administrator
Insider Risk Management
Insider Risk Management Admins
Managing Insider Risk policies & alerts
User assignments depend on how you want to manage insider risk policies and alerts:
Assign users to specific role groups based on compliance responsibilities.
Alternatively, assign all administrators, analysts, investigators, and viewers to the Insider Risk Management role group.
Use a single role group or multiple role groups to suit your compliance needs.
Role assignments & permissions
Users in the following roles can assign others to insider risk management role groups and have the same permissions as the Insider Risk Management Admins role group:
Microsoft Entra ID Global Administrator
Microsoft Entra ID Compliance Administrator
Microsoft Purview Organization Management
Microsoft Purview Compliance Administrator
For more specific actions and more granular permissions, see information in the below table:

Records Management
Records Management helps you manage legal, regulatory, or business-critical records, ensuring compliance with standards.
Necessary roles & permissions:
Compliance team members responsible for records management need access to the Microsoft Purview portal or Microsoft Purview compliance portal.
To grant limited administrative permissions, we recommend adding users to the Records Management Admin role group. This group provides full permissions for records management, including:
Creating and managing adaptive policy scopes
Overseeing disposition review and verification
For read-only access, create a custom role group and assign the View-Only Record Management role.
Reference: https://learn.microsoft.com/en-us/purview/get-started-with-records-management#permissions
Unified Data Governance (Data Catalog and Azure Purview)
The Unified Catalog helps organisations govern and manage data stored across multiple cloud platforms, such as Azure, AWS, and on-premises solutions.
Necessary roles & permissions:
Microsoft Purview Data Governance includes Data Map and Unified Catalog, which use tenant-level, domain/collection, and data access permissions. The type of permissions available depends on your Microsoft Purview account type.
Permission types:
Tenant/Organization permissions – Assigned at the org level, providing general and admin access.
Domain & Collection permissions – Grant access to data assets in Microsoft Purview Data Map.
Data Access permissions – Existing permissions on Azure data sources.
Tenant-level role groups:
These provide admin-level access for managing Data Map and Unified Catalog. If you're overseeing Purview or your organisation’s data governance, you likely need one or more of these roles.

Unified catalog permissions:
Data Governance (Tenant-Level Role Group) – Includes Data Governance Admin, which enables assigning permissions in Unified Catalog.
Catalog-Level Permissions – Grants ownership of governance domains and access to health management.
Governance Domain Permissions – Allows managing resources within specific governance domains.
Assigning catalog-level roles:
To assign roles in Microsoft Purview, you must be a Data Governance Admin at the tenant level:
Go to Settings in the Microsoft Purview portal.
Under Solution settings, select Unified Catalog → Roles and permissions.
Choose Governance domain creators (or another role), click add user, search and select the user, then Save.
Governance Domain permissions:
Governance domain owners should be assigned to those managing data governance or Unified Catalog, with at least two assigned. These permissions allow business users and data experts to manage resources within a specific domain.
🔹 Important: To add data assets to a data product, Data Product Owners and Data Stewards need Data Map permissions to read those assets.
Reference on governance domain permissions: https://docs.azure.cn/en-us/purview/data-governance-roles-permissions#governance-domain-level-permission
For more details on Purview governance roles, see the link below.
PDF for download
Click below to download a PDF file that lists all role groups and their associated roles in Microsoft Purview.
Conclusion
Microsoft Purview is a powerful yet complex data governance suite, and it makes sense that such a beast requires granular permissions to manage access effectively. The distinction between roles and role groups allows for flexibility, but let’s be honest - Microsoft doesn’t make it easy on us. Figuring out which role is needed, when to use a role group, and how they all interact can feel like a puzzle with constantly shifting pieces.
Hopefully, this blog post serves as a one-stop shop when you need to check your sanity and ensure you’re assigning the right permissions for the right use case. Because if there’s one thing we can all agree on, it’s that understanding Purview’s RBAC model shouldn’t be harder than managing the data itself!