Role in Entra ID versus Role given via Role Group in Purview

Julien 5

Hi,

I would like to understand the difference between assigning a role - let's say "Compliance Administrator" - to a user via Entra ID versus asssgning this role via a Group Role (either "Compliance Administrator" or "Compliance Data Administrator" Role Group) via the Purview portal.

Are they both required, or is only one required ? Are they mutually exclusive ?

If the role is being granted through a Purview's Group Role, it does not appear as being being assigned to this user in Entra ID. Is it an intended behaviour ?

Also, we do have some restrictions in Entra ID for this "Compliance Administrator" role (activation and justification required ; can only be activated for X hours ; periodic recertification ...), but it appears that those restrictions are not enforced if the role has been granted through a Purview's Group Role, is that correct ?

Thanks for your highlights !

Best Regards

Chandra Boorla 7,335 Reputation points Microsoft Vendor

2025-01-16T03:58:44.4633333+00:00

@Julien

Your observations highlight key differences between roles assigned in Entra ID and those assigned through Purview Group Roles. Here’s a breakdown of what’s happening:

"Compliance Administrator" in Both Systems:

Entra ID - The "Compliance Administrator" role assigned in Entra ID enforces activation, justification, and other Privileged Identity Management (PIM) restrictions. This role grants broader access across Microsoft 365 services, which is essential for comprehensive compliance management.

Purview Group Role - The same role can also be assigned through a Purview Group Role, which provides specific permissions within the Purview environment. This assignment typically does not require activation or PIM restrictions, allowing for more immediate access to Purview functionalities.

Device Page Access and Entra ID Activation:

Expected Behavior - The behavior you are experiencing is expected. While the permissions you listed (e.g., reading device information) are likely part of the Purview Group Role, certain functionalities within the device page may require the broader access granted by the activated "Compliance Administrator" role in Entra ID. Therefore, activating the Entra role is necessary to access all features.

"Mailflow Administrator" and Exchange Admin:

Potential Mismatch - The "Mailflow Administrator" Purview Group Role includes the "Exchange Administrator" and "View-Only Recipients" roles. However, if you do not have the corresponding "Exchange Administrator" role in Entra ID, you will not have full Exchange admin rights. The Microsoft documentation typically lists roles that are directly synced between Entra ID and Purview, and "Exchange Administrator" may not be one of them.

Here are few recommendations:

Clarify Your Needs - Determine if you need both the Entra ID and Purview "Compliance Administrator" roles. If PIM controls are critical for your compliance needs, rely on the Entra ID assignment. The Purview Group Role can provide additional permissions specific to Purview.

Review Purview Group Role Permissions - Carefully review the specific permissions granted by the "Mailflow Administrator" Purview Group Role. Without the Entra ID role, you may have limited access within Exchange, potentially only read-only capabilities.

Minimize Redundant Role Assignments - Consider minimizing redundant role assignments to avoid confusion and potential security risks. Clear role assignments help maintain a secure and manageable environment.

By understanding the differences and potential overlaps between Entra ID and Purview roles, you can ensure that you have the appropriate access and security controls in place.

I hope this information helps.

Thank you.
Clément 0 Reputation points

2025-01-16T09:29:20.69+00:00

Hello Chandra, Hello Andy,

I'd like to thank you for your detailed answers, which help us to better understand the difference between the two notions of role and group role.

Andy's idea of adding PIM for a Purview group role seems a good solution, it's very interesting.

I'd like to pick up on a few points in Chandra's reply:

The “Mailflow Administrator” Purview Group Role includes the “Exchange Administrator” and “View-Only Recipients” roles. However, if you do not have the corresponding “Exchange Administrator” role in Entra ID, you will not have full Exchange admin rights.

can you give us details of the permissions linked to the “Exchange Administrator” role contained in the “Mailflow Administrator” group role?

In general, where can we find the permissions linked to the role contained in the group roles?

It's a real source of complexity to have given the same name to Entra roles and Group Role Purview roles.

The Microsoft documentation typically lists roles that are directly synced between Entra ID and Purview, and “Exchange Administrator” may not be one of them.

This is the documentation provided by Andy https://learn.microsoft.com/en-us/purview/purview-permissions#azure-roles-in-the-purview-portal, which does not contain the Exchange Administrator role.

However, it does contain the Compliance Administrator.

At the beginning of your answer, you mentioned a difference between the Entra Role and the Purview Group Role, but this Group Role contains the Compliance Administrator Role, which is therefore synchronized.

Is this correct or am I mistaken?

Can you tell me why there is a difference between the permissions of these two roles?

Thank you,
Have a nice day,

Clément
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Chandra Boorla 7,335 Reputation points Microsoft Vendor

2025-01-16T16:22:23.0633333+00:00

@Julien

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Chandra Boorla 7,335 Reputation points Microsoft Vendor

2025-01-17T17:31:08.58+00:00

@Julien

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Andy David - MVP 151.6K Reputation points MVP

2025-01-15T12:35:49.9666667+00:00

The roles in Purview are specific to the RBAC needed within Purview and not necessarily the same as the Entra Directory Roles:

https://learn.microsoft.com/en-us/purview/purview-permissions

The roles in the Purview Center that are also Entra roles are listed in that doc:

https://learn.microsoft.com/en-us/purview/purview-permissions#azure-roles-in-the-purview-portal

So to your question, it depends :)

If you need to leverage PIM for a Purview role group, you can do that following this:

https://learn.microsoft.com/en-us/defender-office-365/pim-in-mdo-configure

Note this however:

https://learn.microsoft.com/en-us/purview/purview-portal#permissions-and-subscriptions
Please sign in to rate this answer.
Julien 5 Reputation points

2025-01-15T13:38:21.2933333+00:00

Hi Andy,

Thanks for your returns. "Compliance Administrator" is listed in the doc (https://learn.microsoft.com/en-us/purview/purview-permissions#azure-roles-in-the-purview-portal) and is an Entra role that can also be given through the Purview portal.So here comes my problems : on my account, I have both this Compliance Administrator role assigned to my user in Entra (where it requires a PIM activation) and in the Purview Portal (via the "Compliance Administrator" Group Role) where no activation is required.

This Compliance Administrator role normaly does give access to the device onboarding page in the Purview Portal (permissions details below) :

microsoft.directory/devices/memberOf/read // Read device memberships microsoft.directory/devices/registeredOwners/read // Read registered owners of devices microsoft.directory/devices/registeredUsers/read // Read registered users of devices microsoft.directory/devices/standard/read // Read basic properties on devices microsoft.directory/users/deviceForResourceAccount/read // Read deviceForResourceAccount of users microsoft.directory/users/ownedDevices/read // Read owned devices of users microsoft.directory/users/registeredDevices/read // Read registered devices of users

When my Entra role Compliance Administrator is not activated, when I go to the device page in Purview portal, I have the following issue :

Client Error  Looks like you don't have the right permissions to view this page or this feature isn't part of your organization's Microsoft 365 subscription. To get access, contact the person who assigns permissions or makes purchasing decisions. If you're a new user or were recently assigned permissions, try again in 15 minutes. Copy diagnostic information

But if my Entra Compliance Administrator role is activated, I can see the Device page in the Purview portal.

Another weird behavior I experienced, I have the built-in Purview Role Group "Mailflow Administrator" assigned to my account. This Group Role does provide two roles : Exchange Administrator and View-Only Recipients. I do not have the Entra Exchange Administrator role.

When I connect to the Exchange admin portal, I do not have any rights to perform any action. At this point, I'm not sure that the Exchange Administrator roles in Purview and Entra are the same (also, this one is not highlighted in the "Azure roles in the Purview portal" list).
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Role in Entra ID versus Role given via Role Group in Purview

1 answer

Your answer