Admin Unit Extension Manager |
Compliance Administrator
Organization Management
Purview Administrators |
*Attack Simulator Admin |
Don't use this role. Use the Attack Simulation Administrator role in Microsoft Entra ID. |
Attack Simulator Administrators |
Attack Simulator Payload Author |
Don't use this role. Use the Attack Payload Author role in Microsoft Entra ID. |
Data Map Reader |
Data Estate Insights Admins
Privacy Management
Privacy Management Administrators
Privacy Management Analysts
Privacy Management Contributors
Privacy Management Investigators
Privacy Management Viewers |
*Attack Simulator Payload Author |
Don't use this role in the portals. Use the corresponding role in Microsoft Entra ID. |
Attack Simulator Payload Authors |
Audit Logs |
Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file. |
Audit Manager
Organization Management
Security Administrator |
*Billing Admin |
Allows billing admin for selected feature. |
Billing Administrator |
Case Management |
Create, edit, delete, and control access to eDiscovery cases. |
Communication Compliance
Communication Compliance Investigators
Compliance Administrator
eDiscovery Manager
Insider Risk Management
Insider Risk Management Admins
Insider Risk Management Analysts
Insider Risk Management Investigators
Organization Management
Privacy Management
Privacy Management Administrators
Privacy Management Analysts
Privacy Management Investigators
Subject Rights Request Administrators |
*Communication |
Manage all communications with the custodians identified in an eDiscovery (Premium) case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that's used by each custodian in a case to track communications for the cases where they were identified as a custodian. |
Data Investigator
eDiscovery Manager |
Communication Compliance Admin |
Used to manage policies in the Communication Compliance feature. |
Communication Compliance
Communication Compliance Administrators
Compliance Administrator
Organization Management |
*Communication Compliance Analysis |
Used to perform investigation and remediation of message violations in the Communication Compliance feature. Can only view message metadata. |
Communication Compliance
Communication Compliance Analysts
Communication Compliance Investigators |
Communication Compliance Case Management |
Used to access Communication Compliance cases. |
Communication Compliance
Communication Compliance Administrators
Communication Compliance Analysts
Communication Compliance Investigators
Communication Compliance Viewers
Compliance Administrator
Organization Management |
*Communication Compliance Investigation |
Used to perform investigation, remediation, and review of message violations in the Communication Compliance feature. Can view message metadata and the message. |
Communication Compliance
Communication Compliance Investigators |
*Communication Compliance Viewer |
Used to access reports and widgets in the Communication Compliance feature. |
Communication Compliance
Communication Compliance Viewers |
Compliance Administrator |
View and edit settings and reports for compliance features. |
Compliance Administrator
Compliance Data Administrator
Organization Management |
Compliance Manager Administration |
Manage template creation and modification. |
Compliance Administrator
Compliance Data Administrator
Compliance Manager Administrators
Organization Management
Security Administrator |
*Compliance Manager Assessment |
Create assessments, implement improvement actions, and update test status for improvement actions. |
Compliance Manager Administrators
Compliance Manager Assessors |
*Compliance Manager Contribution |
Create assessments and perform work to implement improvement actions. |
Compliance Manager Administrators
Compliance Manager Assessors
Compliance Manager Contributors
Privacy Management
Privacy Management Administrators
Subject Rights Request Administrators |
*Compliance Manager Reader |
View all Compliance Manager content except for administrator functions. |
Compliance Manager Administrators
Compliance Manager Assessors
Compliance Manager Contributors
Compliance Manager Readers
Global Reader
Privacy Management
Privacy Management Administrators
Privacy Management Analysts
Privacy Management Contributors
Privacy Management Investigators
Privacy Management Viewers
Security Reader
Subject Rights Request Administrators
Subject Rights Request Approvers |
Compliance Search |
Perform searches across mailboxes and get an estimate of the results. |
Compliance Administrator
Compliance Data Administrator
Data Investigator
eDiscovery Manager
Organization Management
Security Operator |
*Credential Reader |
Read the different credentials created in the tenant. |
Compliance Administrator
Data Source Administrators |
*Credential Writer |
Create and edit credentials. |
Compliance Administrator
Data Source Administrators |
*Custodian |
Identify and manage custodians for eDiscovery (Premium) cases and use the information from Microsoft Entra ID and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case. |
Data Investigator
eDiscovery Manager
Insider Risk Management
Insider Risk Management Investigators |
*Data Classification Content Download |
When evidence collection is turned on from Endpoint DLP settings, this role lets admins download endpoint-related evidence files from activity explorer and DLP alerts. |
Data Security Management
Information Protection
Information Protection Investigators |
*Data Classification Content Viewer |
View in-place rendering of files in Content explorer. |
Content Explorer Content Viewer
Information Protection
Information Protection Investigators
Privacy Management
Privacy Management Investigators |
*Data Classification Feedback Provider |
Allows providing feedback to classifiers in content explorer. |
Communication Compliance
Communication Compliance Investigators
Compliance Administrator |
*Data Classification Feedback Reviewer |
Allows reviewing feedback from classifiers in feedback explorer. |
Compliance Administrator |
*Data Classification List Viewer |
View the list of files in content explorer. |
Content Explorer List Viewer
Information Protection
Information Protection Analysts
Information Protection Investigators
Privacy Management
Privacy Management Analysts
Privacy Management Investigators
Privacy Management Viewers |
Data Connector Admin |
Create and manage connectors to import and archive non-Microsoft data in Microsoft 365. |
Communication Compliance
Communication Compliance Administrators
Compliance Administrator
Compliance Manager Administrators
Compliance Manager Assessors
Compliance Manager Contributors
Insider Risk Management
Insider Risk Management Admins
Organization Management |
*Data Governance Administrator |
Delegates the first level of access for business domain creators and other application-level permissions. |
Data Governance |
*Data Investigation Management |
Create, edit, delete, and control access to data investigation. |
Compliance Administrator
Data Investigator |
*Data Map Reader |
Read actions on data map objects. |
Compliance Administrator
Data Catalog Curators
Data Estate Insights Readers
Information Protection
Information Protection Admins
Information Protection Analysts
Information Protection Investigators |
*Data Map Writer |
Create, read, modify, and delete actions on data map objects and establish relationships between objects. |
Data Catalog Curators |
Data Security Viewer |
View access to Data Security Posture Management dashboard insights. Allows users to use Copilot for Security to view details. |
Data Security Management |
Device Management |
View and edit settings and reports for device management features. |
Compliance Administrator
Compliance Data Administrator
Organization Management
Security Administrator |
*Disposition Management |
Control permissions for accessing Manual Disposition in the Defender and compliance portals. |
Compliance Administrator
Compliance Data Administrator
Records Management |
DLP Compliance Management |
View and edit settings and reports for data loss prevention (DLP) policies. |
Compliance Administrator
Compliance Data Administrator
Organization Management
Security Administrator |
*Exact Data Match Upload Admin |
Lets users upload data for Exact Data Match. |
Exact Data Match Upload Admins |
*Exchange Administrator |
Allows Exchange administrator for selected features. |
MailFlow Administrator |
*Export |
Export mailbox and site content that's returned from searches. |
Data Investigator
eDiscovery Manager |
Hold |
Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners are still able to modify or delete the original content. |
Compliance Administrator
eDiscovery Manager
Organization Management |
IB Compliance Management |
View, create, remove, modify, and test Information Barrier policies. |
Compliance Administrator
Compliance Data Administrator
Organization Management
Security Administrator |
*Information Protection Admin |
Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. |
Compliance Administrator
Compliance Data Administrator
Information Protection
Information Protection Admins |
*Information Protection Analyst |
Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. |
Compliance Administrator
Compliance Data Administrator
Information Protection
Information Protection Analysts
Information Protection Investigators |
*Information Protection Investigator |
Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. |
Information Protection
Information Protection Investigators |
*Information Protection Reader |
View-only access to reports for DLP policies and sensitivity labels and their policies. |
Compliance Administrator
Compliance Data Administrator
Information Protection
Information Protection Readers |
Insider Risk Management Admin |
Create, edit, delete, and control access to the Insider Risk Management feature. |
Compliance Administrator
Insider Risk Management
Insider Risk Management Admins
Organization Management |
*Insider Risk Management Analysis |
Access all insider risk management alerts, cases, and notices templates. |
Insider Risk Management
Insider Risk Management Analysts |
*Insider Risk Management Approval |
Perform investigation, remediation, and review of message violations in the Privacy Management solution. Can view message metadata and full messages. |
Insider Risk Management
Insider Risk Management Approvers |
*Insider Risk Management Audit |
Allow viewing Insider Risk audit trails. |
Insider Risk Management
Insider Risk Management Auditors |
*Insider Risk Management Investigation |
Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. |
Insider Risk Management
Insider Risk Management Investigators |
*Insider Risk Management Permanent contribution |
This role group is visible, but is used by background services only. |
IRM Contributors |
*Insider Risk Management Reports Administrator |
Insider Risk Management |
*Insider Risk Management Sessions |
Perform investigation and remediation of message violations in the Privacy Management solution. Can view only message metadata. |
Insider Risk Management
Insider Risk Management Session Approvers |
*Insider Risk Management Temporary contribution |
This role group is visible, but is used by background services only. |
IRM Contributors |
*Insights Reader |
Provides read-only access to all Insights reports in the Data Estate Insights app. Insights readers need to have at least data reader role access to a collection to view reports about that specific collection. |
Compliance Administrator
Data Estate Insights Admins
Data Estate Insights Readers
Information Protection
Information Protection Admins
Information Protection Analysts
Information Protection Investigators
Privacy Management
Privacy Management Administrators
Privacy Management Analysts
Privacy Management Investigators
Privacy Management Viewers |
*Insights Writer |
Data Estate Insights Admins |
*Knowledge Admin |
Configure knowledge, learning, assign trainings and other intelligent features. |
Knowledge Administrators |
License Usage Reader |
Organization Management |
Manage Alerts |
View and edit settings and reports for alerts. |
Compliance Administrator
Compliance Data Administrator
Organization Management
Security Administrator
Security Operator |
*Manage Review Set Tags |
This role lets users create, edit, and delete review set tags for cases they can access. |
eDiscovery Manager |
Organization Configuration |
Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation. |
Compliance Administrator
Compliance Data Administrator
Organization Management |
*Preview |
View a list of items that are returned from content searches, and open each item from the list to view its contents. |
Data Investigator
eDiscovery Manager |
Priority Cleanup Admin |
Access the Priority Cleanup tab within Data Lifecycle Management to create, update, and delete policies and modify Priority Cleanup settings for the tenant. |
Organization Management |
Priority Cleanup Viewer |
Access the Priority Cleanup tab within Data Lifecycle Management to view policies. |
Organization Management |
*Privacy Management Admin |
Manage policies in Privacy Management and has access to all functionality of the solution. |
Privacy Management
Privacy Management Administrators |
*Privacy Management Analysis |
Perform investigation and remediation of message violations in Privacy Management. Can only view message metadata. |
Privacy Management
Privacy Management Analysts |
*Privacy Management Investigation |
Perform investigation, remediation, and review of message violations in Privacy Management. Can view message metadata and the full message. |
Privacy Management
Privacy Management Investigators |
*Privacy Management Permanent contribution |
Access Privacy Management cases as a permanent contributor. |
Privacy Management
Privacy Management Contributors |
*Privacy Management Temporary contribution |
Access Privacy Management cases as a temporary contributor. |
Privacy Management
Privacy Management Contributors |
*Privacy Management Viewer |
Access dashboards and widgets in Privacy Management. |
Privacy Management
Privacy Management Viewers |
*Purview Domain Manager |
Create, edit, and delete domains and perform role assignments. |
Purview Administrators |
*Purview Evaluation Administrator |
Create and manage the Microsoft 365 Purview Evaluation lab. |
Information Protection
Information Protection Admins
Information Protection Analysts
Information Protection Investigators |
Quarantine |
Allows viewing and releasing quarantined email. |
Organization Management
Quarantine Administrator
Security Administrator |
RecordManagement |
View and edit the configuration of the records management feature. |
Compliance Administrator
Compliance Data Administrator
Organization Management
Records Management |
Retention Management |
Manage retention policies, retention labels, and retention label policies. Includes permissions to add and remove adaptive scopes from these policies, and to create, delete, and modify adaptive scopes. |
Compliance Administrator
Compliance Data Administrator
Organization Management
Records Management |
*Review |
This role lets users access review sets in eDiscovery (Premium) cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set. |
Data Investigator
eDiscovery Manager
Insider Risk Management
Insider Risk Management Investigators
Reviewer |
*RMS Decrypt |
Decrypt RMS-protected content when exporting search results. |
Data Investigator
eDiscovery Manager |
Role Management |
Manage role group membership and create or delete custom role groups. |
Organization Management
Purview Administrators |
*Scan Reader |
Read the different scans created in the tenant. |
Compliance Administrator
Data Source Administrators
Information Protection
Information Protection Admins
Information Protection Investigators |
*Scan Writer |
Create, update and delete scans in the tenant. |
Compliance Administrator
Data Source Administrators |
Scope Manager |
Enables administrators to create, edit, delete, and control access to scoping features such as Adaptive Scopes in the organization. |
Communication Compliance
Communication Compliance Administrators
Compliance Administrator
Compliance Data Administrator
Organization Management
Records Management |
Search And Purge |
Lets people bulk-remove data that matches the criteria of a content search. |
Data Investigator
Organization Management |
Security Administrator |
View and edit the configuration and reports for Security features. |
Organization Management
Security Administrator |
Security Reader |
View the configuration and reports for Security features. |
Global Reader
Organization Management
Security Operator
Security Reader |
Sensitivity Label Administrator |
View, create, modify, and remove sensitivity labels. |
Compliance Data Administrator
Organization Management
Security Administrator |
Sensitivity Label Reader |
View the configuration and usage of sensitivity labels. |
Global Reader
Organization Management
Security Reader |
Service Assurance View |
Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks. |
Global Reader
Organization Management
Service Assurance User |
*Source Reader |
Read the different sources created in the tenant. |
Compliance Administrator
Data Source Administrators
Information Protection
Information Protection Admins
Information Protection Investigators
Privacy Management
Privacy Management Administrators |
*Source Writer |
Create, update and delete sources in the tenant. |
Compliance Administrator
Data Source Administrators |
*Subject Rights Request Admin |
Manage supervisory review policies, including which communications to review and who should perform the review. |
Privacy Management
Subject Rights Request Administrators |
*Subject Rights Request Approver |
Create, edit, delete, and control access to custodian. |
Subject Rights Request Approvers |
*Supervisory Review Administrator |
Manage supervisory review policies, including which communications to review and who should do the review. |
Supervisory Review |
Tag Contributor |
Enables viewing and updating of existing tags. |
Organization Management
Security Administrator
Security Operator |
Tag Manager |
View, update, create, and delete user tags. |
Organization Management
Security Administrator |
Tag Reader |
Read-only access to existing user tags. |
Organization Management
Security Administrator
Security Operator
Security Reader |
*Tenant AllowBlockList Manager |
Manage Tenant Allow/Block List settings. |
Security Operator |
View-Only Audit Logs |
View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information. |
Audit Manager
Audit Reader
Compliance Administrator
Compliance Data Administrator
Global Reader
Organization Management
Security Administrator
Security Operator |
View-Only Case |
Communication Compliance
Communication Compliance Investigators
Compliance Administrator
Insider Risk Management
Insider Risk Management Admins
Insider Risk Management Analysts
Insider Risk Management Investigators
Organization Management
Privacy Management
Privacy Management Administrators
Privacy Management Analysts
Privacy Management Investigators
Subject Rights Request Administrators |
View-Only Device Management |
View the configuration and reports for the Device Management feature. |
Compliance Administrator
Compliance Data Administrator
Global Reader
Organization Management
Security Administrator
Security Operator
Security Reader |
View-Only DLP Compliance Management |
View the settings and reports for data loss prevention (DLP) policies. |
Compliance Administrator
Compliance Data Administrator
Global Reader
Organization Management
Security Administrator
Security Operator
Security Reader |
View-Only IB Compliance Management |
View the configuration and reports for the Information Barriers feature. |
Compliance Administrator
Compliance Data Administrator
Global Reader
Organization Management
Security Administrator
Security Operator
Security Reader |
View-Only Manage Alerts |
View the configuration and reports for the Manage Alerts feature. |
Compliance Administrator
Compliance Data Administrator
Global Reader
Organization Management
Security Administrator
Security Operator
Security Reader |
View-Only Recipients |
View information about users and groups. |
Compliance Administrator
Compliance Data Administrator
Global Reader
MailFlow Administrator
Organization Management |
View-Only Record Management |
View the configuration of the records management feature. |
Compliance Administrator
Compliance Data Administrator
Global Reader
Organization Management |
View-Only Retention Management |
View the configuration of retention policies, retention labels, and retention label policies. |
Compliance Administrator
Compliance Data Administrator
Global Reader
Organization Management |