Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview
Tip
Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
The Microsoft Defender portal, Microsoft Purview portal, and the classic Microsoft Purview compliance and governance portals have replaced the Security & Compliance Center as the places to manage Microsoft Defender for Office 365 and Microsoft Purview roles and role groups for your organization. For more information about permissions within these portals, see the following articles:
- Email & collaboration permissions in the Microsoft Defender portal
- Permissions in the Microsoft Purview portal
- Permissions in the Microsoft Purview compliance portal
- Permissions in the Microsoft Purview governance portal
These portals let you grant permissions to people who perform tasks like device management, data loss prevention, eDiscovery, retention, and so on. These people can perform only the tasks that you explicitly grant them access to. To access these portals, users need to be a global admin or a member of one or more role groups in Defender for Office 365 (Email & collaboration role groups) or Purview (Microsoft Purview solutions role groups). The Microsoft Purview portal (preview) provides access to data governance, data security, and risk and compliance solutions. Selecting risk and compliance solutions in the portal currently opens these solutions in the classic Microsoft Purview compliance portal.
Permissions in these portals are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by Exchange, so if you're familiar with Exchange Online, granting permissions in these portals is very similar. But, It's important to remember that role groups in Exchange Online and role groups for Defender for Office 365 or Purview compliance don't share membership or permissions. For example, while an Organization Management role group exists in Exchange Online, the permissions granted and role group members are different than the Organization Management role group in Defender for Office 365 and Purview compliance.
This article contains the inventory of Defender for Office 365 and Microsoft Purview roles and role groups.
Note
In the Microsoft Defender XDR preview program, a different Microsoft Defender 365 RBAC model is also available. The permissions in this RBAC model are different from the Defender for Office 365 permissions as described in this article. For more information, see Microsoft Defender XDR role-based access control (RBAC).
Role groups in Microsoft Defender for Office 365 and Microsoft Purview
The table in this section lists the default role groups that are available in the Microsoft Defender portal and the Microsoft Purview portals, and the roles that are assigned to the role groups by default. To grant permissions to a user to perform tasks in Defender for Office 365 or Microsoft Purview, add them to the appropriate role group.
Managing permissions in Defender for Office 365 or Microsoft Purview gives users access to security and compliance and governance features that are available within their respective portals. To grant permissions to other features, such as Exchange mail flow rules (also known as transport rules), you need to grant permissions in Exchange Online. For more information, see Permissions in Exchange Online.
Note
To view the Permissions tab as described in this article, you need to be an admin. Specifically, you need to be assigned the Role Management role, and that role is assigned only to the Organization Management and Purview Administrators role groups by default. The Role Management role also allows you to view, create, and modify role groups.
| Role group | Description | Default roles assigned |
|---|---|---|
| Attack Simulator Administrators | Don't use this role group. Use the Attack Simulation Administrator role in Microsoft Entra ID. | Attack Simulator Admin |
| Attack Simulator Payload Authors | Don't use this role group. Use the Attack Payload Author role in Microsoft Entra ID. | Attack Simulator Payload Author |
| Audit Manager | Manage Audit log settings and Search, View, and Export Audit logs. | Audit Logs View-Only Audit Logs |
| Audit Reader | Search, View, and Export Audit logs. | View-Only Audit Logs |
| Billing Administrator | Configure Billing features. | Billing Admin |
| Communication Compliance | Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer. | Case Management Communication Compliance Admin Communication Compliance Analysis Communication Compliance Case Management Communication Compliance Investigation Communication Compliance Viewer Data Classification Feedback Provider Data Connector Admin Scope Manager View-Only Case |
| Communication Compliance Administrators | Administrators of communication compliance that can create/edit policies and define global settings. | Communication Compliance Admin Communication Compliance Case Management Data Connector Admin Scope Manager |
| Communication Compliance Analysts | Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions. | Communication Compliance Analysis Communication Compliance Case Management |
| Communication Compliance Investigators | Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions. | Case Management Communication Compliance Analysis Communication Compliance Case Management Communication Compliance Investigation Data Classification Feedback Provider View-Only Case |
| Communication Compliance Viewers | Viewer of communication compliance that can access the available reports and widgets. | Communication Compliance Case Management Communication Compliance Viewer |
| Compliance Administrator¹ | Members can manage settings for device management, data loss prevention, reports, and preservation. | Admin Unit Extension Manager Case Management Communication Compliance Admin Communication Compliance Case Management Compliance Administrator Compliance Manager Administration Compliance Search Credential Reader Credential Writer Data Classification Feedback Provider Data Classification Feedback Reviewer Data Connector Admin Data Investigation Management Data Map Reader Device Management Disposition Management DLP Compliance Management Hold IB Compliance Management Information Protection Admin Information Protection Analyst Information Protection Reader Insider Risk Management Admin Insights Reader Manage Alerts Organization Configuration RecordManagement Retention Management Scan Reader Scan Writer Scope Manager Source Reader Source Writer View-Only Audit Logs View-Only Case View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts View-Only Recipients View-Only Record Management View-Only Retention Management |
| Compliance Data Administrator | Members can manage settings for device management, data protection, data loss prevention, reports, and preservation. | Compliance Administrator Compliance Manager Administration Compliance Search Device Management Disposition Management DLP Compliance Management IB Compliance Management Information Protection Admin Information Protection Analyst Information Protection Reader Manage Alerts Organization Configuration RecordManagement Retention Management Scope Manager Sensitivity Label Administrator View-Only Audit Logs View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts View-Only Recipients View-Only Record Management View-Only Retention Management |
| Compliance Manager Administrators | Manage template creation and modification. | Compliance Manager Administration Compliance Manager Assessment Compliance Manager Contribution Compliance Manager Reader Data Connector Admin |
| Compliance Manager Assessors | Create assessments, implement improvement actions, and update test status for improvement actions. | Compliance Manager Assessment Compliance Manager Contribution Compliance Manager Reader Data Connector Admin |
| Compliance Manager Contributors | Create assessments and perform work to implement improvement actions. | Compliance Manager Contribution Compliance Manager Reader Data Connector Admin |
| Compliance Manager Readers | View all Compliance Manager content except for administrator functions. | Compliance Manager Reader |
| Content Explorer Content Viewer | View the contents files in Content explorer. | Data Classification Content Viewer |
| Content Explorer List Viewer | View all items in Content explorer in list format only. | Data Classification List Viewer |
| Data Catalog Curators | Perform create, read, modify, and delete actions on catalog data objects and establish relationships between objects. | Data Map Reader Data Map Writer |
| Data Estate Insights Admins | Provides admin access to all insights reports across platforms and providers. | Data Map Reader Insights Reader Insights Writer |
| Data Estate Insights Readers | Provides read-only access to all insights reports across platforms and providers. | Data Map Reader Insights Reader |
| Data Governance | Grants access to data governance roles within Microsoft Purview. | Data Governance Administrator |
| Data Investigator | Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations. | Communication Compliance Search Custodian Data Investigation Management Export Preview Review RMS Decrypt Search And Purge |
| Data Security Management | View all Data Security Analytics insights, use CoPilot for Security, and manage Microsoft Purview data security solutions (Data Loss Prevention, Information Protection, and Insider Risk Management). | Case Management Custodian Data Classification Content Viewer Data Classification List Viewer Data Connector Admin Data Map Reader Data Security Viewer Information Protection Admin Information Protection Analyst Information Protection Investigator Information Protection Reader Insider Risk Management Admin Insider Risk Management Analysis Insider Risk Management Approval Insider Risk Management Audit Insider Risk Management Investigation Insider Risk Management Reports Administrator Insider Risk Management Sessions Insights Reader Purview Evaluation Administrator Review Scan Reader Source Reader View-Only Case |
| Data Source Administrators | Manage data sources and data scans. | Credential Reader Credential Writer Scan Reader Scan Writer Source Reader Source Writer |
| eDiscovery Manager | Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in eDiscovery (Premium). An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:
The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the eDiscovery cases page in the compliance portal. An eDiscovery manager can only access the cases they created or cases they're a member of. For more information about making a user an eDiscovery Administrator, see Assign eDiscovery permissions in the compliance portal. |
Case Management Communication Compliance Search Custodian Export Hold Manage Review Set Tags Preview Review RMS Decrypt |
| Exact Data Match Upload Admins | Upload data for Exact Data Match. | Exact Data Match Upload Admin |
| Global Reader | Members have read-only access to reports, alerts, and can see all the configuration and settings. The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings. |
Compliance Manager Reader Security Reader Sensitivity Label Reader Service Assurance View View-Only Audit Logs View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts View-Only Recipients View-Only Record Management View-Only Retention Management |
| Information Protection | Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports. | Data Classification Content Viewer Data Classification List Viewer Data Map Reader Information Protection Admin Information Protection Analyst Information Protection Investigator Information Protection Reader Insights Reader Purview Evaluation Administrator Scan Reader Source Reader |
| Information Protection Admins | Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. | Data Map Reader Information Protection Admin Insights Reader Purview Evaluation Administrator Scan Reader Source Reader |
| Information Protection Analysts | Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. | Data Classification List Viewer Data Map Reader Information Protection Analyst Insights Reader Purview Evaluation Administrator |
| Information Protection Investigators | Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. | Data Classification Content Viewer Data Classification List Viewer Data Map Reader Information Protection Analyst Information Protection Investigator Insights Reader Purview Evaluation Administrator Scan Reader Source Reader |
| Information Protection Readers | View-only access to reports for DLP policies and sensitivity labels and their policies. | Information Protection Reader |
| Insider Risk Management | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This role group is the easiest way to quickly get started with insider risk management and is a good fit for organizations that don't need separate permissions defined for separate groups of users. | Case Management Custodian Data Connector Admin Insider Risk Management Admin Insider Risk Management Analysis Insider Risk Management Approval Insider Risk Management Audit Insider Risk Management Investigation Insider Risk Management Reports Administrator Insider Risk Management Sessions Review View-Only Case |
| Insider Risk Management Admins | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments. | Case Management Data Connector Admin Insider Risk Management Admin View-Only Case |
| Insider Risk Management Analysts | Use this group to assign permissions to users that act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They can't access the insider risk Content Explorer. | Case Management Insider Risk Management Analysis View-Only Case |
| Insider Risk Management Approvers | For internal approval use only. | Insider Risk Management Approval |
| Insider Risk Management Auditors | Use this group to assign permissions to users that audit insider risk management activities. Users in this role group can access the insider risk audit log. | Insider Risk Management Audit |
| Insider Risk Management Investigators | Use this group to assign permissions to users that act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. | Case Management Custodian Insider Risk Management Investigation Review View-Only Case |
| Insider Risk Management Session Approvers | For internal approval use only. | Insider Risk Management Sessions |
| IRM Contributors | This role group is visible, but is used by background services only. | Insider Risk Management Permanent contribution Insider Risk Management Temporary contribution |
| Knowledge Administrators | Configure knowledge, learning, assign trainings and other intelligent features. | Knowledge Admin |
| MailFlow Administrator | Members can monitor and view mail flow insights and reports in the Defender portal. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user doesn't have access to Exchange admin-related tasks. | Exchange Administrator View-Only Recipients |
| Organization Management¹ | Members can control permissions for accessing features in these portals, and also manage settings for device management, data loss prevention, reports, and preservation. Users who aren't global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). Global admins are automatically added as members of this role group, but you don't see them in the output of the Get-RoleGroupMember cmdlet in Security & Compliance PowerShell. Important: Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. |
Admin Unit Extension Manager Audit Logs Case Management Communication Compliance Admin Communication Compliance Case Management Compliance Administrator Compliance Manager Administration Compliance Search Data Connector Admin Device Management DLP Compliance Management Hold IB Compliance Management Insider Risk Management Admin License Usage Reader Manage Alerts Organization Configuration Priority Cleanup Admin Priority Cleanup Viewer Quarantine RecordManagement Retention Management Role Management Scope Manager Search And Purge Security Administrator Security Reader Sensitivity Label Administrator Sensitivity Label Reader Service Assurance View Tag Contributor Tag Manager Tag Reader View-Only Audit Logs View-Only Case View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts View-Only Recipients View-Only Record Management View-Only Retention Management |
| Privacy Management | Manage access control for Privacy Management solution in the Microsoft Purview compliance portal. | Case Management Compliance Manager Contribution Compliance Manager Reader Data Classification Content Viewer Data Classification List Viewer Data Map Reader Insights Reader Privacy Management Admin Privacy Management Analysis Privacy Management Investigation Privacy Management Permanent contribution Privacy Management Temporary contribution Privacy Management Viewer Source Reader Subject Rights Request Admin View-Only Case |
| Privacy Management Administrators | Administrators of privacy management solution that can create/edit policies and define global settings. | Case Management Compliance Manager Contribution Compliance Manager Reader Data Map Reader Insights Reader Privacy Management Admin Source Reader View-Only Case |
| Privacy Management Analysts | Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions. | Case Management Compliance Manager Reader Data Classification List Viewer Data Map Reader Insights Reader Privacy Management Analysis View-Only Case |
| Privacy Management Analysts | Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions. | Case Management Compliance Manager Reader Data Classification List Viewer Data Map Reader Insights Reader Privacy Management Analysis View-Only Case |
| Privacy Management Contributors | Manage contributor access for privacy management cases. | Compliance Manager Reader Privacy Management Permanent contribution Privacy Management Temporary contribution |
| Privacy Management Investigators | Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions. | Case Management Compliance Manager Reader Data Classification Content Viewer Data Classification List Viewer Privacy Management Investigation View-Only Case |
| Privacy Management Viewers | Viewer of privacy management solution that can access the available dashboards and widgets. | Compliance Manager Reader Data Classification List Viewer Privacy Management Viewer |
| Purview Administrators | Create, edit, and delete domains and perform role assignments. | Admin Unit Extension Manager Purview Domain Manager Role Management |
| Quarantine Administrator | Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP | Quarantine |
| Records Management | Members can configure all aspects of records management, including retention labels and disposition reviews. | Disposition Management RecordManagement Retention Management Scope Manager |
| Reviewer | Members can access review sets in eDiscovery (Premium) cases. Members of this role group can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set. | Review |
| Security Administrator | Members have access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. By default, this role group may not appear to have any members. However, the Security Administrator role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Microsoft Entra ID. To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see Microsoft Entra built-in roles. If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services. This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. |
Audit Logs Compliance Manager Administration Device Management DLP Compliance Management IB Compliance Management Manage Alerts Quarantine Security Administrator Sensitivity Label Administrator Tag Contributor Tag Manager Tag Reader View-Only Audit Logs View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts |
| Security Operator | Members can manage security alerts, and also view reports and settings of security features. | Compliance Search Manage Alerts Security Reader Tag Contributor Tag Reader Tenant AllowBlockList Manager View-Only Audit Logs View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts |
| Security Reader | Members have read-only access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. By default, this role group may not appear to have any members. However, the Security Reader role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Microsoft Entra ID. To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see Microsoft Entra built-in roles. If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services. |
Compliance Manager Reader Security Reader Sensitivity Label Reader Tag Reader View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts |
| Service Assurance User | Members can access the Service assurance section in the compliance portal. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see Service assurance in the compliance portal. | Service Assurance View |
| Subject Rights Request Administrators | Create subject rights requests. | Case Management Compliance Manager Contribution Compliance Manager Reader Subject Rights Request Admin View-Only Case |
| Subject Rights Request Approvers | Approvers who are able to approve subject rights requests. | Compliance Manager Reader Subject Rights Request Approver |
| Supervisory Review | Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see Configure communication compliance policies for your organization. | Supervisory Review Administrator |
Note
¹ This role group doesn't assign members the permissions necessary to search the audit log or to use any reports that might include Exchange data, such as the DLP or Defender for Office 365 reports. To search the audit log or to view all reports, a user has to be assigned permissions in Exchange Online. This action is required because the underlying cmdlet that's used to search the audit log is an Exchange Online cmdlet. Global admins can search the audit log and view all reports because they're automatically added as members of the Organization Management role group in Exchange Online. For more information, see Search the audit log in the compliance portal.
Roles in Microsoft Defender for Office 365 and Microsoft Purview
The table in this section lists the available roles and the role groups that they're assigned to by default.
Roles that aren't assigned to the Organization Management role group by default are marked with *
| Role | Description | Default role group assignments |
|---|---|---|
| Admin Unit Extension Manager | Compliance Administrator Organization Management Purview Administrators |
|
| *Attack Simulator Admin | Don't use this role. Use the Attack Simulation Administrator role in Microsoft Entra ID. | Attack Simulator Administrators |
| Attack Simulator Payload Author | Don't use this role. Use the Attack Payload Author role in Microsoft Entra ID. | |
| Data Map Reader | Data Estate Insights Admins Privacy Management Privacy Management Administrators Privacy Management Analysts Privacy Management Contributors Privacy Management Investigators Privacy Management Viewers |
|
| *Attack Simulator Payload Author | Don't use this role in the portals. Use the corresponding role in Microsoft Entra ID. | Attack Simulator Payload Authors |
| Audit Logs | Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file. | Audit Manager Organization Management Security Administrator |
| *Billing Admin | Allows billing admin for selected feature. | Billing Administrator |
| Case Management | Create, edit, delete, and control access to eDiscovery cases. | Communication Compliance Communication Compliance Investigators Compliance Administrator eDiscovery Manager Insider Risk Management Insider Risk Management Admins Insider Risk Management Analysts Insider Risk Management Investigators Organization Management Privacy Management Privacy Management Administrators Privacy Management Analysts Privacy Management Investigators Subject Rights Request Administrators |
| *Communication | Manage all communications with the custodians identified in an eDiscovery (Premium) case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that's used by each custodian in a case to track communications for the cases where they were identified as a custodian. | Data Investigator eDiscovery Manager |
| Communication Compliance Admin | Used to manage policies in the Communication Compliance feature. | Communication Compliance Communication Compliance Administrators Compliance Administrator Organization Management |
| *Communication Compliance Analysis | Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data. | Communication Compliance Communication Compliance Analysts Communication Compliance Investigators |
| Communication Compliance Case Management | Used to access Communication Compliance cases. | Communication Compliance Communication Compliance Administrators Communication Compliance Analysts Communication Compliance Investigators Communication Compliance Viewers Compliance Administrator Organization Management |
| *Communication Compliance Investigation | Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message. | Communication Compliance Communication Compliance Investigators |
| *Communication Compliance Viewer | Used to access reports and widgets in the Communication Compliance feature. | Communication Compliance Communication Compliance Viewers |
| Compliance Administrator | View and edit settings and reports for compliance features. | Compliance Administrator Compliance Data Administrator Organization Management |
| Compliance Manager Administration | Manage template creation and modification. | Compliance Administrator Compliance Data Administrator Compliance Manager Administrators Organization Management Security Administrator |
| *Compliance Manager Assessment | Create assessments, implement improvement actions, and update test status for improvement actions. | Compliance Manager Administrators Compliance Manager Assessors |
| *Compliance Manager Contribution | Create assessments and perform work to implement improvement actions. | Compliance Manager Administrators Compliance Manager Assessors Compliance Manager Contributors Privacy Management Privacy Management Administrators Subject Rights Request Administrators |
| *Compliance Manager Reader | View all Compliance Manager content except for administrator functions. | Compliance Manager Administrators Compliance Manager Assessors Compliance Manager Contributors Compliance Manager Readers Global Reader Privacy Management Privacy Management Administrators Privacy Management Analysts Privacy Management Contributors Privacy Management Investigators Privacy Management Viewers Security Reader Subject Rights Request Administrators Subject Rights Request Approvers |
| Compliance Search | Perform searches across mailboxes and get an estimate of the results. | Compliance Administrator Compliance Data Administrator Data Investigator eDiscovery Manager Organization Management Security Operator |
| *Credential Reader | Read the different credentials created in the tenant. | Compliance Administrator Data Source Administrators |
| *Credential Writer | Create and edit credentials. | Compliance Administrator Data Source Administrators |
| *Custodian | Identify and manage custodians for eDiscovery (Premium) cases and use the information from Microsoft Entra ID and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case. | Data Investigator eDiscovery Manager Insider Risk Management Insider Risk Management Investigators |
| *Data Classification Content Viewer | View in-place rendering of files in Content explorer. | Content Explorer Content Viewer Information Protection Information Protection Investigators Privacy Management Privacy Management Investigators |
| *Data Classification Feedback Provider | Allows providing feedback to classifiers in content explorer. | Communication Compliance Communication Compliance Investigators Compliance Administrator |
| *Data Classification Feedback Reviewer | Allows reviewing feedback from classifiers in feedback explorer. | Compliance Administrator |
| *Data Classification List Viewer | View the list of files in content explorer. | Content Explorer List Viewer Information Protection Information Protection Analysts Information Protection Investigators Privacy Management Privacy Management Analysts Privacy Management Investigators Privacy Management Viewers |
| Data Connector Admin | Create and manage connectors to import and archive non-Microsoft data in Microsoft 365. | Communication Compliance Communication Compliance Administrators Compliance Administrator Compliance Manager Administrators Compliance Manager Assessors Compliance Manager Contributors Insider Risk Management Insider Risk Management Admins Organization Management |
| *Data Governance Administrator | Delegates the first level of access for business domain creators and other application-level permissions. | Data Governance |
| *Data Investigation Management | Create, edit, delete, and control access to data investigation. | Compliance Administrator Data Investigator |
| *Data Map Reader | Read actions on data map objects. | Compliance Administrator Data Catalog Curators Data Estate Insights Readers Information Protection Information Protection Admins Information Protection Analysts Information Protection Investigators |
| *Data Map Writer | Create, read, modify, and delete actions on data map objects and establish relationships between objects. | Data Catalog Curators |
| Data Security Viewer | View access to Data Security Analytics dashboard insights. Allows users to use Copilot for Security to view details. | Data Security Management |
| Device Management | View and edit settings and reports for device management features. | Compliance Administrator Compliance Data Administrator Organization Management Security Administrator |
| *Disposition Management | Control permissions for accessing Manual Disposition in the Defender and compliance portals. | Compliance Administrator Compliance Data Administrator Records Management |
| DLP Compliance Management | View and edit settings and reports for data loss prevention (DLP) policies. | Compliance Administrator Compliance Data Administrator Organization Management Security Administrator |
| *Exact Data Match Upload Admin | Lets users upload data for Exact Data Match. | Exact Data Match Upload Admins |
| *Exchange Administrator | Allows Exchange administrator for selected features. | MailFlow Administrator |
| *Export | Export mailbox and site content that's returned from searches. | Data Investigator eDiscovery Manager |
| Hold | Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners are still able to modify or delete the original content. | Compliance Administrator eDiscovery Manager Organization Management |
| IB Compliance Management | View, create, remove, modify, and test Information Barrier policies. | Compliance Administrator Compliance Data Administrator Organization Management Security Administrator |
| *Information Protection Admin | Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. | Compliance Administrator Compliance Data Administrator Information Protection Information Protection Admins |
| *Information Protection Analyst | Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. | Compliance Administrator Compliance Data Administrator Information Protection Information Protection Analysts Information Protection Investigators |
| *Information Protection Investigator | Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. | Information Protection Information Protection Investigators |
| *Information Protection Reader | View-only access to reports for DLP policies and sensitivity labels and their policies. | Compliance Administrator Compliance Data Administrator Information Protection Information Protection Readers |
| Insider Risk Management Admin | Create, edit, delete, and control access to Insider Risk Management feature. | Compliance Administrator Insider Risk Management Insider Risk Management Admins Organization Management |
| *Insider Risk Management Analysis | Access all insider risk management alerts, cases, and notices templates. | Insider Risk Management Insider Risk Management Analysts |
| *Insider Risk Management Approval | Perform investigation, remediation, and review message violations in Privacy Management solution. Can view message metadata and full messages. | Insider Risk Management Insider Risk Management Approvers |
| *Insider Risk Management Audit | Allow viewing Insider Risk audit trails. | Insider Risk Management Insider Risk Management Auditors |
| *Insider Risk Management Investigation | Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. | Insider Risk Management Insider Risk Management Investigators |
| *Insider Risk Management Permanent contribution | This role group is visible, but is used by background services only. | IRM Contributors |
| *Insider Risk Management Reports Administrator | Insider Risk Management | |
| *Insider Risk Management Sessions | Perform investigation and remediation of message violations in Privacy Management solution. Can view only message metadata. | Insider Risk Management Insider Risk Management Session Approvers |
| *Insider Risk Management Temporary contribution | This role group is visible, but is used by background services only. | IRM Contributors |
| *Insights Reader | Provides read-only access to all Insights reports in the Data Estate Insights app. Insights readers need to have at least data reader role access to a collection to view reports about that specific collection. | Compliance Administrator Data Estate Insights Admins Data Estate Insights Readers Information Protection Information Protection Admins Information Protection Analysts Information Protection Investigators Privacy Management Privacy Management Administrators Privacy Management Analysts Privacy Management Investigators Privacy Management Viewers |
| *Insights Writer | Data Estate Insights Admins | |
| *Knowledge Admin | Configure knowledge, learning, assign trainings and other intelligent features. | Knowledge Administrators |
| License Usage Reader | Organization Management | |
| Manage Alerts | View and edit settings and reports for alerts. | Compliance Administrator Compliance Data Administrator Organization Management Security Administrator Security Operator |
| *Manage Review Set Tags | This role lets users create, edit, and delete review set tags for cases they can access. | eDiscovery Manager |
| Organization Configuration | Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation. | Compliance Administrator Compliance Data Administrator Organization Management |
| *Preview | View a list of items that are returned from content searches, and open each item from the list to view its contents. | Data Investigator eDiscovery Manager |
| Priority Cleanup Admin | Organization Management | |
| Priority Cleanup Viewer | Organization Management | |
| *Privacy Management Admin | Manage policies in Privacy Management and has access to all functionality of the solution. | Privacy Management Privacy Management Administrators |
| *Privacy Management Analysis | Perform investigation and remediation of the message violations in Privacy Management. Can only view messages metadata. | Privacy Management Privacy Management Analysts |
| *Privacy Management Investigation | Perform investigation, remediation, and review message violations in Privacy Management. Can view message metadata and the full message. | Privacy Management Privacy Management Investigators |
| *Privacy Management Permanent contribution | Access Privacy Management cases as a permanent contributor. | Privacy Management Privacy Management Contributors |
| *Privacy Management Temporary contribution | Access Privacy Management cases as a temporary contributor. | Privacy Management Privacy Management Contributors |
| *Privacy Management Viewer | Access dashboards and widgets in Privacy Management. | Privacy Management Privacy Management Viewers |
| *Purview Domain Manager | Create, edit, and delete domains and perform role assignments. | Purview Administrators |
| *Purview Evaluation Administrator | Create and manage the Microsoft 365 Purview Evaluation lab. | Information Protection Information Protection Admins Information Protection Analysts Information Protection Investigators |
| Quarantine | Allows viewing and releasing quarantined email. | Organization Management Quarantine Administrator Security Administrator |
| RecordManagement | View and edit the configuration of the records management feature. | Compliance Administrator Compliance Data Administrator Organization Management Records Management |
| Retention Management | Manage retention policies, retention labels, and retention label policies. Includes permissions to add and remove adaptive scopes from these policies, and to create, delete, and modify adaptive scopes. | Compliance Administrator Compliance Data Administrator Organization Management Records Management |
| *Review | This role lets users access review sets in eDiscovery (Premium) cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set. | Data Investigator eDiscovery Manager Insider Risk Management Insider Risk Management Investigators Reviewer |
| *RMS Decrypt | Decrypt RMS-protected content when exporting search results. | Data Investigator eDiscovery Manager |
| Role Management | Manage role group membership and create or delete custom role groups. | Organization Management Purview Administrators |
| *Scan Reader | Read the different scans created in the tenant. | Compliance Administrator Data Source Administrators Information Protection Information Protection Admins Information Protection Investigators |
| *Scan Writer | Create, update and delete scans in the tenant. | Compliance Administrator Data Source Administrators |
| Scope Manager | Enables administrators to create, edit, delete, and control access to scoping features such as Adaptive Scopes in the organization. | Communication Compliance Communication Compliance Administrators Compliance Administrator Compliance Data Administrator Organization Management Records Management |
| Search And Purge | Lets people bulk-remove data that matches the criteria of a content search. | Data Investigator Organization Management |
| Security Administrator | View and edit the configuration and reports for Security features. | Organization Management Security Administrator |
| Security Reader | View the configuration and reports for Security features. | Global Reader Organization Management Security Operator Security Reader |
| Sensitivity Label Administrator | View, create, modify, and remove sensitivity labels. | Compliance Data Administrator Organization Management Security Administrator |
| Sensitivity Label Reader | View the configuration and usage of sensitivity labels. | Global Reader Organization Management Security Reader |
| Service Assurance View | Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks. | Global Reader Organization Management Service Assurance User |
| *Source Reader | Read the different sources created in the tenant. | Compliance Administrator Data Source Administrators Information Protection Information Protection Admins Information Protection Investigators Privacy Management Privacy Management Administrators |
| *Source Writer | Create, update and delete sources in the tenant. | Compliance Administrator Data Source Administrators |
| *Subject Rights Request Admin | Manage supervisory review policies, including which communications to review and who should perform the review. | Privacy Management Subject Rights Request Administrators |
| *Subject Rights Request Approver | Create, edit, delete, and control access to custodian. | Subject Rights Request Approvers |
| *Supervisory Review Administrator | Manage supervisory review policies, including which communications to review and who should do the review. | Supervisory Review |
| Tag Contributor | Enables viewing and updating of existing tags. | Organization Management Security Administrator Security Operator |
| Tag Manager | View, update, create, and delete user tags. | Organization Management Security Administrator |
| Tag Reader | Read-only access to existing user tags. | Organization Management Security Administrator Security Operator Security Reader |
| *Tenant AllowBlockList Manager | Manage Tenant Allow/Block List settings. | Security Operator |
| View-Only Audit Logs | View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information. | Audit Manager Audit Reader Compliance Administrator Compliance Data Administrator Global Reader Organization Management Security Administrator Security Operator |
| View-Only Case | Communication Compliance Communication Compliance Investigators Compliance Administrator Insider Risk Management Insider Risk Management Admins Insider Risk Management Analysts Insider Risk Management Investigators Organization Management Privacy Management Privacy Management Administrators Privacy Management Analysts Privacy Management Investigators Subject Rights Request Administrators |
|
| View-Only Device Management | View the configuration and reports for the Device Management feature. | Compliance Administrator Compliance Data Administrator Global Reader Organization Management Security Administrator Security Operator Security Reader |
| View-Only DLP Compliance Management | View the settings and reports for data loss prevention (DLP) policies. | Compliance Administrator Compliance Data Administrator Global Reader Organization Management Security Administrator Security Operator Security Reader |
| View-Only IB Compliance Management | View the configuration and reports for the Information Barriers feature. | Compliance Administrator Compliance Data Administrator Global Reader Organization Management Security Administrator Security Operator Security Reader |
| View-Only Manage Alerts | View the configuration and reports for the Manage Alerts feature. | Compliance Administrator Compliance Data Administrator Global Reader Organization Management Security Administrator Security Operator Security Reader |
| View-Only Recipients | View information about users and groups. | Compliance Administrator Compliance Data Administrator Global Reader MailFlow Administrator Organization Management |
| View-Only Record Management | View the configuration of the records management feature. | Compliance Administrator Compliance Data Administrator Global Reader Organization Management |
| View-Only Retention Management | View the configuration of retention policies, retention labels, and retention label policies. | Compliance Administrator Compliance Data Administrator Global Reader Organization Management |