The Microsoft Purview portal supports directly managing permissions for users who perform tasks within Microsoft Purview. Using the Roles and scopes area in Settings for the portal, you can manage permissions for users across your Purview data security, data governance, and risk and compliance solutions. You can limit users to perform only specific tasks that you explicitly grant them access to. Selecting risk and compliance solutions in the portal currently opens these solutions in the Microsoft Purview compliance portal.
To view Role groups in the Roles and scopes area in the Purview portal, users need to be a global administrator or need to be assigned the Role Management role (a role that is assigned only to the Organization Management role group by default). The Role Management role allows users to view, create, and modify role groups.
Use roles with the fewest permissions
Microsoft always recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. When planning your access control strategy, it's a best practice to manage access for the least privilege for your users. Least privilege means you grant your administrators exactly the permissions they need to do their job, and nothing more.
Purview permissions
Permissions in the Purview portal are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the Purview portal will be familiar. It's important to remember that the permissions managed in the Purview portal don't cover the management of all the permissions needed in each individual service. You'll still need to manage certain service-specific permissions in the admin center for the specific service. For example, if you need to assign permissions for archiving, auditing, and MRM retention policies, you'll need to manage these permissions in the Exchange admin center.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Relationship of members, roles, and role groups
A role grants permissions to do a set of tasks; for example, the Case Management role lets users work with eDiscovery cases.
A role group is a set of roles that enables users to do their jobs across compliance and governance solutions in the Microsoft Purview portal. For example, by adding users to the Insider Risk Management role group, designated administrators, analysts, investigators, and auditors are configured for the necessary insider risk management permissions in a single group. The Microsoft Purview portal includes default role groups for the tasks and functions of each compliance and governance solution that you'll need to assign people to. Generally, we recommend simply adding individual users as members to the default role groups as needed.
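The following script is an added example, not part of this page or of Microsoft's own documentation. It reviews the role group model described above against the least-privilege guidance using Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the account used holds the Role Management role, and that the Get-RoleGroup and Get-RoleGroupMember cmdlets return the same role groups the portal's Roles and scopes area shows; the list of high-impact roles is an assumed starting point that you should extend for your tenant.

```powershell
# Added example (not from the page): audit Purview role groups for least privilege.
# Assumes: ExchangeOnlineManagement module installed; the signed-in account holds the
# Role Management role; the cmdlets below expose the portal's role groups.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Roles that let a member change who holds permissions. Assumed starting list;
# 'Role Management' is the role the page names as able to create and modify role groups.
$highImpactRoles = @('Role Management')

$report = foreach ($rg in Get-RoleGroup) {
    $members = @(Get-RoleGroupMember -Identity $rg.Identity)
    # Role identities may be returned as plain names or with a path prefix; keep the last segment.
    $roleNames = @($rg.Roles) | ForEach-Object { ($_ -split '[/\\]')[-1] }
    [pscustomobject]@{
        RoleGroup   = $rg.Name
        RoleCount   = $roleNames.Count
        MemberCount = $members.Count
        HighImpact  = [bool]($roleNames | Where-Object { $_ -in $highImpactRoles })
        Members     = ($members | ForEach-Object { $_.Name }) -join '; '
    }
}

# Check 1: every member of a role group that can change permissions should be justified.
$report | Where-Object { $_.HighImpact -and $_.MemberCount -gt 0 } |
    Format-Table RoleGroup, MemberCount, Members -AutoSize

# Check 2: the largest role groups, to review for membership sprawl.
$report | Sort-Object MemberCount -Descending | Select-Object -First 10 |
    Format-Table RoleGroup, RoleCount, MemberCount -AutoSize

# Check 3: users who belong to more than two role groups, candidates for consolidation
# into a single role group that carries only the roles they need.
$report | ForEach-Object {
    $name = $_.RoleGroup
    $_.Members -split '; ' | Where-Object { $_ } |
        ForEach-Object { [pscustomobject]@{ Member = $_; RoleGroup = $name } }
} | Group-Object Member | Where-Object Count -gt 2 |
    Select-Object Name, Count, @{ n = 'RoleGroups'; e = { $_.Group.RoleGroup -join ', ' } } |
    Format-Table -AutoSize
```

Run the three checks on a schedule and compare the output with the previous run; a new member in a role group flagged by Check 1 is the change most worth investigating.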
Permissions needed to use features in the Purview portal
Managing permissions in the Purview portal only gives users access to the compliance and governance features that are available within the Purview portal. If you want to grant permissions to other features that aren't in the Purview portal, such as Exchange mail flow rules (also known as transport rules), you'll need to use the Exchange admin center.
Governance permissions needed
The current governance roles and role groups available cover only broad access to the Microsoft Purview Data Map and Data Catalog. For finer-grained access, Microsoft Purview governance uses a combination of role groups, data access, and solution-specific permissions.
The roles that appear in the Microsoft Entra ID section of the Roles and scopes area are Microsoft Entra roles, and this section is visible to Global Administrators. These roles are designed to align with job functions in your organization's IT group, making it easy to give a person all the permissions necessary to get their job done. You can view the users currently assigned to each role by selecting an Admin role and viewing the role panel details. To manage members of a Microsoft Entra role, select Manage members in Microsoft Entra ID. This choice redirects you to the Azure management portal.
Role: Description
Global administrator: Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see Global Administrator / Company Administrator.
Compliance data administrator: Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see Compliance Data Administrator.
Compliance administrator: Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see Compliance Administrator.
Security operator: View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see Security Operator.
Security reader: View and investigate active threats to your Microsoft 365 users, devices, and content, but, unlike the Security operator, without permission to respond by taking action. For more information, see Security Reader.
Security administrator: Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see Security Administrator.
Global reader: The read-only version of the Global administrator role. View all settings and administrative information across Microsoft 365. For more information, see Global Reader.
Attack simulation administrator: Create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see Attack Simulation Administrator.
Attack payload author: Create attack payloads but not actually launch or schedule them. For more information, see Attack Payload Author.
Administrative units
Administrative units let you subdivide your organization into smaller units, and then assign specific administrators that can manage only the members of those units. They also allow you to assign administrative units to members of role groups in Microsoft Purview solutions, so that these administrators can manage only the members (and associated features) of those assigned administrative units. The Administrative Units section of the Roles and scopes area is visible only to users assigned the Global Administrator role. For more information, see Administrative units.
Add users or groups to a Microsoft Purview built-in role group
Complete the following steps to add users or groups to a Microsoft Purview role group:
1. Sign in to the Microsoft Purview portal using credentials for an admin account that is assigned the Role management role. Go to Settings > Roles and scopes to view and manage compliance and governance roles in your organization.
2. Select Role groups.
3. On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to add users to, then select Edit on the control bar.
4. On the Edit members of the role group page, select Choose users or Choose groups.
   Important: Security groups are supported only in Microsoft 365 commercial cloud organizations.
5. Select the checkbox for all users or groups you want to add to the role group.
6. Select Select.
7. If the selected users or groups need organization-wide access as part of this role group assignment, go to Step 10.
8. If the selected users or groups need to be assigned to administrative units, select the users or groups and select Assign admin units.
9. On the Assign admin units pane, select the checkbox for all the administrative units you want to assign to the users or groups. Select Select.
10. Select Next and Save to add the users or groups to the role group. Select Done to complete the steps.
Remove users or groups from a Microsoft Purview built-in role group
Complete the following steps to remove users or groups from a Microsoft Purview role group:
1. Sign in to the Microsoft Purview portal using credentials for an admin account that is assigned the Role management role. Go to Settings > Roles and scopes to view and manage compliance and governance roles in your organization.
2. Select Role groups.
3. On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to remove users or groups from, then select Edit on the control bar.
4. On the Edit members of the role group page, select the checkbox for all users or groups you want to remove from the role group.
5. Select Remove members, then select Next.
6. Select Save to remove the users or groups from the role group. Select Done to complete the steps.
Create a custom Microsoft Purview role group
Complete the following steps to create a custom Microsoft Purview role group:
1. Sign in to the Microsoft Purview portal using credentials for an admin account that is assigned the Role management role. Go to Settings > Roles and scopes to view and manage compliance and governance roles in your organization.
2. Select Role groups.
3. On the Role groups for Microsoft Purview solutions page, select Create role group.
4. On the Name the role group page, enter a name for the custom role group in the Name field. The name of the role group can't be changed after creation of the role group. If needed, enter a description for the custom role group in the Description field. Select Next to continue.
5. On the Add roles to the role group page, select Choose roles.
6. Select the checkboxes for the roles to add to the custom role group. Select Select.
7. Select Next to continue.
8. On the Add members to the role group page, select Choose users (or Choose groups if applicable).
   Important: Security groups are supported only in Microsoft 365 commercial cloud organizations.
9. Select the checkboxes for the users (or groups) to add to the custom role group. Select Select.
10. Select Next to continue.
11. If the selected users or groups need organization-wide access as part of this role group assignment, go to Step 14.
12. If the selected users or groups need to be assigned to administrative units, select the users or groups and select Assign admin units.
13. On the Assign admin units pane, select the checkbox for all the administrative units you want to assign to the users or groups. Select Select.
14. Select Next.
15. On the Review the role group and finish page, review the details for the custom role group. If you need to edit the information, select Edit in the appropriate section. When all the settings are correct, select Create to create the custom role group or select Cancel to discard the changes and not create the custom role group.
Update a custom Microsoft Purview role group
Complete the following steps to update a custom Microsoft Purview role group:
1. Sign in to the Microsoft Purview portal using credentials for an admin account that is assigned the Role management role. Go to Settings > Roles and scopes to view and manage compliance and governance roles in your organization.
2. Select Role groups.
3. On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to update, then select Edit on the control bar.
4. On the Name the role group page, update the description for the custom role group in the Description field. The name of the custom role group can't be changed. Select Next.
5. On the Edit roles of the role group page, select Choose roles to add roles to the role group. You can also select any of the currently assigned roles and select Remove roles to remove them from the role group. After you've updated the roles, select Next.
6. On the Edit members of the role group page, select Choose users or Choose groups to add users or groups to the role group. To update the administrative units for users or groups, select any of the currently assigned users or groups and select Assign admin units. You can also select any of the currently assigned users and groups and select Remove members to remove them from the role group. After you've updated the members, select Next.
7. On the Review the role group and finish page, review the details for the custom role group. If you need to edit the information, select Edit in the appropriate section. When all the settings are correct, select Save to update the custom role group or select Cancel to discard the changes and not update the custom role group.
Delete a custom Microsoft Purview role group
Complete the following steps to delete a custom Microsoft Purview role group:
1. Sign in to the Microsoft Purview portal using credentials for an admin account that is assigned the Role management role. Go to Settings > Roles and scopes to view and manage compliance and governance roles in your organization.
2. Select Role groups.
3. On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to delete, then select Delete on the control bar.
4. On the Delete role group dialog, select Delete to delete the role group or select Cancel to cancel the deletion process.
This module examines the use of roles and role groups in the Microsoft 365 permission model, including role management, best practices when configuring admin roles, delegating roles, and elevating privileges.