Delen via


Permissions for Microsoft Purview AI Hub

Microsoft 365 licensing guidance for security & compliance.

Members of your security and compliance teams who are responsible for managing AI apps in the Microsoft Purview AI Hub need appropriate permissions when they sign in to the Microsoft Purview portal or sign in to Microsoft Purview compliance portal.

Roles and role groups that can view, create, and edit in the AI hub:

  • Microsoft Entra ID Compliance Administrator role
  • Microsoft Entra ID Global Administrator role
  • Microsoft Purview Compliance Administrator role group

Roles and role groups that can view-only in the AI hub:

  • Microsoft Purview Security Reader role group

To help you assign the right permissions to users, use the following guidance, depending on the portal you're using:

Use the following table to understand the detailed permissions for different activities in the AI hub.

Permissions by AI hub activities

AI hub activities Microsoft Entra ID Compliance Administrator role Microsoft Entra ID Global Administrator role Microsoft Purview Compliance Administrator role group Microsoft Purview Security Reader role group When not supported, additional role groups required
View all get started steps Not applicable
Complete action on getting started steps
Excludes Activate Audit
Microsoft Exchange Compliance Management

Microsoft Exchange Records Management

Microsoft Exchange Organization Management
View completion status of getting started steps
Excludes status of Activate Audit

Excludes:

Status of Activate Audit

Status of Extend Your Insights
For Activate Audit:

Microsoft Exchange View-Only Organization Management

Microsoft Exchange Hygiene Management

Microsoft Exchange Compliance Management

Microsoft Exchange Records Management

Microsoft Exchange Organization Management

For Extend Your Insights:

Microsoft Purview Insider Risk Management Administrator

Microsoft Purview Insider Risk Management Analyst

Microsoft Purview Insider Risk Management Investigator
View all recommendations from the Recommendations page Not applicable
Complete actions on recommendation cards Not applicable
View completion status of recommendation cards
Excludes Unethical Behavior card
Communication Compliance Administrator
View all graphs from the Reports page Not applicable
View all policies in the policy list
Excludes:

Insider risk management policies

Communication compliance policies
For insider risk management polices:

Microsoft Purview Insider Risk Management Administrator

Microsoft Purview Insider Risk Management Analyst

Microsoft Purview Insider Risk Management Investigator

For communication compliance policies:

Communication Compliance Administrator
View all events in activity explorer
Excludes browse to URL (AI Visit) from insider risk management

Excludes browse to URL (AI Visit) from insider risk management

Excludes browse to URL (AI Visit) from insider risk management

Excludes browse to URL (AI Visit) from insider risk management
Microsoft Purview Insider Risk Management Analyst

Microsoft Purview Insider Risk Management Investigator
View user risk level of an individual user in all events from activity explorer

View link to view user details in insider risk management in all events from activity explorer
Microsoft Purview Insider Risk Management Analyst

Microsoft Purview Insider Risk Management Investigator
View the prompts and responses within AI Interaction events from activity explorer Microsoft Purview Content Explorer Content Viewer

Custom role groups for the AI hub

Instead of granting access to the AI hub by using the built-in role groups, you can grant access by including either the Microsoft Purview Compliance Administrator role or the Microsoft Purview Security Reader role in a custom role group.

If a custom role group includes the Microsoft Purview Compliance Administrator role, the user has the same access to the AI hub as the Microsoft Purview Compliance Administrator role group, except for the following:

  • Create, view, update, and delete policies for insider risk management and communication compliance

If a custom role group includes the Microsoft Purview Security Reader role, the user has the same access to the AI hub as the Microsoft Purview Security Reader role group, except for the following:

  • View information protection policies