Getting Alert: The Purview Workload Content Writer role was assigned outside of PIM

Carlton Whitmore 31 Reputation points
2026-05-14T20:53:39.8533333+00:00

I've gotten several emails telling me that:

The Purview Workload Content Writer role for the My Company (ID: c709....) directory was assigned outside of PIM

Assignment details:

Settings Value

User: MyFullName

Role: Purview Workload Content Writer

Assigner: PurviewRoleAssignmentMigrator

Detected on: May 14, 2026 20:28 UTC

I haven't changed anything. What's causing this?

Microsoft Security | Microsoft Purview

2 answers

  1. Mark Perkins 0 Reputation points
    2026-05-15T13:32:21.65+00:00

    What you are seeing is expected. See this announcement from Microsoft in the admin center for more information.

    MC1199765 (Updated) Microsoft Purview: Role management update https://admin.cloud.microsoft/#/MessageCenter/:/messages/MC1199765.

    Summary: Microsoft Purview is updating role management by mapping certain Purview admin roles to three new Microsoft Entra roles, syncing assignments automatically to enhance security with Microsoft 365 services. Rollout begins mid-February 2026, finishing by late May 2026.


    3 people found this answer helpful.

  2. Pilladi Padma Sai Manisha 10,190 Reputation points Microsoft External Staff Moderator
    2026-05-18T06:47:08.4633333+00:00

    Hey Carlton Whitmore,

    It isn’t you clicking buttons – it’s the Purview service itself. The “PurviewRoleAssignmentMigrator” is a built-in service principal that periodically ensures the Purview Workload Content Writer role is correctly assigned for your workload pipelines, so it does its work outside of PIM and triggers the alert. In other words, it’s expected behavior and not someone manually granting you that role.

    What you can do:

    1. Leave it as is
       • The service needs that role to run scans and move data.
       • No security issue, just noise in your inbox.
    2. Tune your PIM alert settings
       • In Azure AD PIM > Alert settings, edit the “Role assigned outside of PIM” alert for Azure resource roles.
       • You can scope it so that system-initiated assignments (PurviewRoleAssignmentMigrator) don’t generate emails.
    3. (Optional) Migrate assignments into PIM
       • If you’d rather have all assignments go through PIM, you could pre-assign yourself the Purview Workload Content Writer role in PIM with a permanent assignment. Future service-driven migrations won’t overwrite that.

    Reference links

    • Understand Purview roles and permissions
      https://learn.microsoft.com/azure/purview/catalog-permissions#roles
    • PIM alerts for Azure resource roles (“Role assigned outside of PIM”)
      https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-email-notifications#pim-emails-for-azure-resource-roles
    • Configure PIM security alerts
      https://learn.microsoft.com/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#security-alerts

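One way to check exported audit events against the explanation in the answers above, as an added example that is not part of the original thread or of Microsoft's tooling: an assignment of this role counts as expected only when the initiator is an app with the migrator's display name and a service principal ID you have pinned yourself. The event layout (assumed to follow the Microsoft Graph directoryAudit shape, with a `Role.DisplayName` modified property), the placeholder ID and the sample events are assumptions.

```python
import json

ROLE = "Purview Workload Content Writer"        # role named in the alert
EXPECTED_APP = "PurviewRoleAssignmentMigrator"  # assigner named in the alert
# Placeholder: replace with the migrator's service principal object ID in your tenant.
EXPECTED_SP_ID = "00000000-0000-0000-0000-000000000000"

def make_event(initiated_by, role):
    """Constructed sample event; field layout assumed to follow Graph directoryAudit."""
    props = [{"displayName": "Role.DisplayName", "newValue": json.dumps(role)}]
    return {"activityDisplayName": "Add member to role",
            "initiatedBy": initiated_by,
            "targetResources": [{"type": "User", "modifiedProperties": props}]}

def assigned_role(event):
    """Return the role name recorded on the event, or None if absent."""
    for res in event.get("targetResources") or []:
        for prop in res.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                return (prop.get("newValue") or "").strip('"')
    return None

def classify(event):
    """Decide whether one role-assignment event matches the expected migration."""
    if event.get("activityDisplayName") != "Add member to role":
        return "ignore"
    if assigned_role(event) != ROLE:
        return "ignore"
    who = event.get("initiatedBy") or {}
    user, app = who.get("user"), who.get("app")
    if user:
        return "review: assigned by user " + str(user.get("userPrincipalName"))
    if app and app.get("displayName") == EXPECTED_APP:
        # Display names are not unique, so also require the pinned object ID.
        if app.get("servicePrincipalId") == EXPECTED_SP_ID:
            return "expected"
        return "review: display name matches, service principal ID does not"
    return "review: unexpected initiator"

SAMPLE = [  # constructed events, not taken from a real tenant
    make_event({"app": {"displayName": EXPECTED_APP, "servicePrincipalId": EXPECTED_SP_ID}}, ROLE),
    make_event({"user": {"userPrincipalName": "admin@contoso.example"}}, ROLE),
    make_event({"app": {"displayName": EXPECTED_APP, "servicePrincipalId": "11111111-1111-1111-1111-111111111111"}}, ROLE),
    make_event({"user": {"userPrincipalName": "admin@contoso.example"}}, "Security Reader"),
]

if __name__ == "__main__":
    for verdict in map(classify, SAMPLE):
        print(verdict)
```
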

