Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

The Microsoft Defender portal, Microsoft Purview portal, and the classic Microsoft Purview compliance and governance portals have replaced the Security & Compliance Center as the places to manage Microsoft Defender for Office 365 and Microsoft Purview roles and role groups for your organization. For more information about permissions within these portals, see the following articles:

These portals let you grant permissions to people who perform tasks like device management, data loss prevention, eDiscovery, retention, and so on. These people can perform only the tasks that you explicitly grant them access to. To access these portals, users need to be a global admin or a member of one or more role groups in Defender for Office 365 (Email & collaboration role groups) or Purview (Microsoft Purview solutions role groups). The Microsoft Purview portal (preview) provides access to data governance, data security, and risk and compliance solutions. Selecting risk and compliance solutions in the portal currently opens these solutions in the classic Microsoft Purview compliance portal.

Permissions in these portals are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by Exchange, so if you're familiar with Exchange Online, granting permissions in these portals is very similar. But, It's important to remember that role groups in Exchange Online and role groups for Defender for Office 365 or Purview compliance don't share membership or permissions. For example, while an Organization Management role group exists in Exchange Online, the permissions granted and role group members are different than the Organization Management role group in Defender for Office 365 and Purview compliance.

This article contains the inventory of Defender for Office 365 and Microsoft Purview roles and role groups.

Note

In the Microsoft Defender XDR preview program, a different Microsoft Defender 365 RBAC model is also available. The permissions in this RBAC model are different from the Defender for Office 365 permissions as described in this article. For more information, see Microsoft Defender XDR role-based access control (RBAC).

If you activate Defender XDR RBAC for Email & collaboration, the permissions page at https://security.microsoft.com/emailandcollabpermissions is no longer available in the Defender portal.

Role groups in Microsoft Defender for Office 365 and Microsoft Purview

The table in this section lists the default role groups that are available in the Microsoft Defender portal and the Microsoft Purview portals, and the roles that are assigned to the role groups by default. To grant permissions to a user to perform tasks in Defender for Office 365 or Microsoft Purview, add them to the appropriate role group.

Managing permissions in Defender for Office 365 or Microsoft Purview gives users access to security and compliance and governance features that are available within their respective portals. To grant permissions to other features, such as Exchange mail flow rules (also known as transport rules), you need to grant permissions in Exchange Online. For more information, see Permissions in Exchange Online.

Note

To view the Permissions tab as described in this article, you need to be an admin. Specifically, you need to be assigned the Role Management role, and that role is assigned only to the Organization Management and Purview Administrators role groups by default. The Role Management role also allows you to view, create, and modify role groups.

Role group Description Default roles assigned
Attack Simulator Administrators Don't use this role group. Use the Attack Simulation Administrator role in Microsoft Entra ID. Attack Simulator Admin
Attack Simulator Payload Authors Don't use this role group. Use the Attack Payload Author role in Microsoft Entra ID. Attack Simulator Payload Author
Audit Manager Manage Audit log settings and Search, View, and Export Audit logs. Audit Logs

View-Only Audit Logs
Audit Reader Search, View, and Export Audit logs. View-Only Audit Logs
Billing Administrator Configure Billing features. Billing Admin
Communication Compliance Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer. Case Management

Communication Compliance Admin

Communication Compliance Analysis

Communication Compliance Case Management

Communication Compliance Investigation

Communication Compliance Viewer

Data Classification Feedback Provider

Data Connector Admin

Scope Manager

View-Only Case
Communication Compliance Administrators Administrators of communication compliance that can create/edit policies and define global settings. Communication Compliance Admin

Communication Compliance Case Management

Data Connector Admin

Scope Manager
Communication Compliance Analysts Analysts of communication compliance that can investigate policy matches, view message meta data, and take remediation actions. Communication Compliance Analysis

Communication Compliance Case Management
Communication Compliance Investigators Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions. Case Management

Communication Compliance Analysis

Communication Compliance Case Management

Communication Compliance Investigation

Data Classification Feedback Provider

View-Only Case
Communication Compliance Viewers Viewer of communication compliance that can access the available reports and widgets. Communication Compliance Case Management

Communication Compliance Viewer
Compliance Administrator¹ Members can manage settings for device management, data loss prevention, reports, and preservation. Admin Unit Extension Manager

Case Management

Communication Compliance Admin

Communication Compliance Case Management

Compliance Administrator

Compliance Manager Administration

Compliance Search

Credential Reader

Credential Writer

Data Classification Feedback Provider

Data Classification Feedback Reviewer

Data Connector Admin

Data Investigation Management

Data Map Reader

Device Management

Disposition Management

DLP Compliance Management

Hold

IB Compliance Management

Information Protection Admin

Information Protection Analyst

Information Protection Reader

Insider Risk Management Admin

Insights Reader

Manage Alerts

Organization Configuration

RecordManagement

Retention Management

Scan Reader

Scan Writer

Scope Manager

Source Reader

Source Writer

View-Only Audit Logs

View-Only Case

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts

View-Only Recipients

View-Only Record Management

View-Only Retention Management
Compliance Data Administrator Members can manage settings for device management, data protection, data loss prevention, reports, and preservation. Compliance Administrator

Compliance Manager Administration

Compliance Search

Device Management

Disposition Management

DLP Compliance Management

IB Compliance Management

Information Protection Admin

Information Protection Analyst

Information Protection Reader

Manage Alerts

Organization Configuration

RecordManagement

Retention Management

Scope Manager

Sensitivity Label Administrator

View-Only Audit Logs

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts

View-Only Recipients

View-Only Record Management

View-Only Retention Management
Compliance Manager Administrators Manage template creation and modification. Compliance Manager Administration

Compliance Manager Assessment

Compliance Manager Contribution

Compliance Manager Reader

Data Connector Admin
Compliance Manager Assessors Create assessments, implement improvement actions, and update test status for improvement actions. Compliance Manager Assessment

Compliance Manager Contribution

Compliance Manager Reader

Data Connector Admin
Compliance Manager Contributors Create assessments and perform work to implement improvement actions. Compliance Manager Contribution

Compliance Manager Reader

Data Connector Admin
Compliance Manager Readers View all Compliance Manager content except for administrator functions. Compliance Manager Reader
Content Explorer Content Viewer View the contents of files in content explorer, and the prompts and response in Data Security Posture Management for AI. Data Classification Content Viewer
Content Explorer List Viewer View all items in content explorer in list format only. Data Classification List Viewer
Data Catalog Curators Perform create, read, modify, and delete actions on catalog data objects and establish relationships between objects. Data Map Reader

Data Map Writer
Data Estate Insights Admins Provides admin access to all insights reports across platforms and providers. Data Map Reader

Insights Reader

Insights Writer
Data Estate Insights Readers Provides read-only access to all insights reports across platforms and providers. Data Map Reader

Insights Reader
Data Governance Grants access to data governance roles within Microsoft Purview. Data Governance Administrator
Data Investigator Perform searches on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Communication

Compliance Search

Custodian

Data Investigation Management

Export

Preview

Review

RMS Decrypt

Search And Purge
Data Security Management View all Data Security Posture Management insights, use CoPilot for Security, and manage Microsoft Purview data security solutions (Data Loss Prevention, Information Protection, and Insider Risk Management). Case Management

Custodian

Data Classification Content Download

Data Classification Content Viewer

Data Classification List Viewer

Data Connector Admin

Data Map Reader

Data Security Viewer

Information Protection Admin

Information Protection Analyst

Information Protection Investigator

Information Protection Reader

Insider Risk Management Admin

Insider Risk Management Analysis

Insider Risk Management Approval

Insider Risk Management Audit

Insider Risk Management Investigation

Insider Risk Management Reports Administrator

Insider Risk Management Sessions

Insights Reader

Purview Evaluation Administrator

Review

Scan Reader

Source Reader

View-Only Case
Data Source Administrators Manage data sources and data scans. Credential Reader

Credential Writer

Scan Reader

Scan Writer

Source Reader

Source Writer
eDiscovery Manager Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in eDiscovery (Premium).

An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can:
  • View all eDiscovery cases in the organization.
  • Manage any eDiscovery case after they add themselves as a member of the case.


The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the eDiscovery cases page in the compliance portal. An eDiscovery manager can only access the cases they created or cases they're a member of. For more information about making a user an eDiscovery Administrator, see Assign eDiscovery permissions in the compliance portal.
Case Management

Communication

Compliance Search

Custodian

Export

Hold

Manage Review Set Tags

Preview

Review

RMS Decrypt
Exact Data Match Upload Admins Upload data for Exact Data Match. Exact Data Match Upload Admin
Global Reader Members have read-only access to reports, alerts, and can see all the configuration and settings.

The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings.
Compliance Manager Reader

Security Reader

Sensitivity Label Reader

Service Assurance View

View-Only Audit Logs

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts

View-Only Recipients

View-Only Record Management

View-Only Retention Management
Information Protection Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports. Data Classification Content Viewer

Data Classification Content Download

Data Classification List Viewer

Data Map Reader

Information Protection Admin

Information Protection Analyst

Information Protection Investigator

Information Protection Reader

Insights Reader

Purview Evaluation Administrator

Scan Reader

Source Reader
Information Protection Admins Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. Data Map Reader

Information Protection Admin

Insights Reader

Purview Evaluation Administrator

Scan Reader

Source Reader
Information Protection Analysts Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. Data Classification List Viewer

Data Map Reader

Information Protection Analyst

Insights Reader

Purview Evaluation Administrator
Information Protection Investigators Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. Data Classification Content Viewer

Data Classification Content Download

Data Classification List Viewer

Data Map Reader

Information Protection Analyst

Information Protection Investigator

Insights Reader

Purview Evaluation Administrator

Scan Reader

Source Reader
Information Protection Readers View-only access to reports for DLP policies and sensitivity labels and their policies. Information Protection Reader
Insider Risk Management Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This role group is the easiest way to quickly get started with insider risk management and is a good fit for organizations that don't need separate permissions defined for separate groups of users. Case Management

Custodian

Data Connector Admin

Insider Risk Management Admin

Insider Risk Management Analysis

Insider Risk Management Approval

Insider Risk Management Audit

Insider Risk Management Investigation

Insider Risk Management Reports Administrator

Insider Risk Management Sessions

Review

View-Only Case
Insider Risk Management Admins Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments. Case Management

Data Connector Admin

Insider Risk Management Admin

View-Only Case
Insider Risk Management Analysts Use this group to assign permissions to users that act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They can't access the insider risk Content Explorer. Case Management

Insider Risk Management Analysis

View-Only Case
Insider Risk Management Approvers For internal approval use only. Insider Risk Management Approval
Insider Risk Management Auditors Use this group to assign permissions to users that audit insider risk management activities. Users in this role group can access the insider risk audit log. Insider Risk Management Audit
Insider Risk Management Investigators Use this group to assign permissions to users that act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. Case Management

Custodian

Insider Risk Management Investigation

Review

View-Only Case
Insider Risk Management Session Approvers For internal approval use only. Insider Risk Management Sessions
IRM Contributors This role group is visible, but is used by background services only. Insider Risk Management Permanent contribution

Insider Risk Management Temporary contribution
Knowledge Administrators Configure knowledge, learning, assign trainings and other intelligent features. Knowledge Admin
MailFlow Administrator Members can monitor and view mail flow insights and reports in the Defender portal. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user doesn't have access to Exchange admin-related tasks. Exchange Administrator

View-Only Recipients
Organization Management¹ Members can control permissions for accessing features in these portals, and also manage settings for device management, data loss prevention, reports, and preservation.

Users who aren't global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM).

Global admins are automatically added as members of this role group, but you don't see them in the output of the Get-RoleGroupMember cmdlet in Security & Compliance PowerShell.

Important: Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Admin Unit Extension Manager

Audit Logs

Case Management

Communication Compliance Admin

Communication Compliance Case Management

Compliance Administrator

Compliance Manager Administration

Compliance Search

Data Connector Admin

Device Management

DLP Compliance Management

Hold

IB Compliance Management

Insider Risk Management Admin

License Usage Reader

Manage Alerts

Organization Configuration

Priority Cleanup Admin

Priority Cleanup Viewer

Quarantine

RecordManagement

Retention Management

Role Management

Scope Manager

Search And Purge

Security Administrator

Security Reader

Sensitivity Label Administrator

Sensitivity Label Reader

Service Assurance View

Tag Contributor

Tag Manager

Tag Reader

View-Only Audit Logs

View-Only Case

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts

View-Only Recipients

View-Only Record Management

View-Only Retention Management
Privacy Management Manage access control for Privacy Management solution in the Microsoft Purview compliance portal. Case Management

Compliance Manager Contribution

Compliance Manager Reader

Data Classification Content Viewer

Data Classification List Viewer

Data Map Reader

Insights Reader

Privacy Management Admin

Privacy Management Analysis

Privacy Management Investigation

Privacy Management Permanent contribution

Privacy Management Temporary contribution

Privacy Management Viewer

Source Reader

Subject Rights Request Admin

View-Only Case
Privacy Management Administrators Administrators of privacy management solution that can create/edit policies and define global settings. Case Management

Compliance Manager Contribution

Compliance Manager Reader

Data Map Reader

Insights Reader

Privacy Management Admin

Source Reader

View-Only Case
Privacy Management Analysts Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions. Case Management

Compliance Manager Reader

Data Classification List Viewer

Data Map Reader

Insights Reader

Privacy Management Analysis

View-Only Case
Privacy Management Analysts Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions. Case Management

Compliance Manager Reader

Data Classification List Viewer

Data Map Reader

Insights Reader

Privacy Management Analysis

View-Only Case
Privacy Management Contributors Manage contributor access for privacy management cases. Compliance Manager Reader

Privacy Management Permanent contribution

Privacy Management Temporary contribution
Privacy Management Investigators Investigators of privacy management solution that can investigate policy matches, view message content, and take remediation actions. Case Management

Compliance Manager Reader

Data Classification Content Viewer

Data Classification List Viewer

Privacy Management Investigation

View-Only Case
Privacy Management Viewers Viewer of privacy management solution that can access the available dashboards and widgets. Compliance Manager Reader

Data Classification List Viewer

Privacy Management Viewer
Purview Administrators Create, edit, and delete domains and perform role assignments. Admin Unit Extension Manager

Purview Domain Manager

Role Management
Quarantine Administrator Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP Quarantine
Records Management Members can configure all aspects of records management, including retention labels and disposition reviews. Disposition Management

RecordManagement

Retention Management

Scope Manager
Reviewer Members can access review sets in eDiscovery (Premium) cases. Members of this role group can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set. Review
Security Administrator Members have access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.

By default, this role group may not appear to have any members. However, the Security Administrator role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Microsoft Entra ID.

To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see Microsoft Entra built-in roles. If you edit this role group in these portals (membership or roles), those changes apply only to the security and compliance areas and not to any other services.

This role group includes all of the read-only permissions of the Security reader role, plus many additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.
Audit Logs

Compliance Manager Administration

Device Management

DLP Compliance Management

IB Compliance Management

Manage Alerts

Quarantine

Security Administrator

Sensitivity Label Administrator

Tag Contributor

Tag Manager

Tag Reader

View-Only Audit Logs

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts
Security Operator Members can manage security alerts, and also view reports and settings of security features. Compliance Search

Manage Alerts

Security Reader

Tag Contributor

Tag Reader

Tenant AllowBlockList Manager

View-Only Audit Logs

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts
Security Reader Members have read-only access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals.

By default, this role group may not appear to have any members. However, the Security Reader role from Microsoft Entra ID is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Microsoft Entra ID.

To manage permissions centrally, add and remove group members in the Microsoft Entra admin center. For more information, see Microsoft Entra built-in roles. If you edit this role group in the portals (membership or roles), those changes apply only to security and compliance areas and not to any other services.
Compliance Manager Reader

Security Reader

Sensitivity Label Reader

Tag Reader

View-Only Device Management

View-Only DLP Compliance Management

View-Only IB Compliance Management

View-Only Manage Alerts
Service Assurance User Members can access the Service assurance section in the compliance portal. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see Service assurance in the compliance portal. Service Assurance View
Subject Rights Request Administrators Create subject rights requests. Case Management

Compliance Manager Contribution

Compliance Manager Reader

Subject Rights Request Admin

View-Only Case
Subject Rights Request Approvers Approvers who are able to approve subject rights requests. Compliance Manager Reader

Subject Rights Request Approver
Supervisory Review Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see Configure communication compliance policies for your organization. Supervisory Review Administrator

Note

¹ This role group doesn't assign members the permissions necessary to search the audit log or to use any reports that might include Exchange data, such as the DLP or Defender for Office 365 reports. To search the audit log or to view all reports, a user has to be assigned permissions in Exchange Online. This action is required because the underlying cmdlet that's used to search the audit log is an Exchange Online cmdlet. Global admins can search the audit log and view all reports because they're automatically added as members of the Organization Management role group in Exchange Online. For more information, see Search the audit log in the compliance portal.

Roles in Microsoft Defender for Office 365 and Microsoft Purview

The table in this section lists the available roles and the role groups that they're assigned to by default.

Roles that aren't assigned to the Organization Management role group by default are marked with *

Role Description Default role group assignments
Admin Unit Extension Manager Compliance Administrator

Organization Management

Purview Administrators
*Attack Simulator Admin Don't use this role. Use the Attack Simulation Administrator role in Microsoft Entra ID. Attack Simulator Administrators
Attack Simulator Payload Author Don't use this role. Use the Attack Payload Author role in Microsoft Entra ID.
Data Map Reader Data Estate Insights Admins

Privacy Management

Privacy Management Administrators

Privacy Management Analysts

Privacy Management Contributors

Privacy Management Investigators

Privacy Management Viewers
*Attack Simulator Payload Author Don't use this role in the portals. Use the corresponding role in Microsoft Entra ID. Attack Simulator Payload Authors
Audit Logs Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file. Audit Manager

Organization Management

Security Administrator
*Billing Admin Allows billing admin for selected feature. Billing Administrator
Case Management Create, edit, delete, and control access to eDiscovery cases. Communication Compliance

Communication Compliance Investigators

Compliance Administrator

eDiscovery Manager

Insider Risk Management

Insider Risk Management Admins

Insider Risk Management Analysts

Insider Risk Management Investigators

Organization Management

Privacy Management

Privacy Management Administrators

Privacy Management Analysts

Privacy Management Investigators

Subject Rights Request Administrators
*Communication Manage all communications with the custodians identified in an eDiscovery (Premium) case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that's used by each custodian in a case to track communications for the cases where they were identified as a custodian. Data Investigator

eDiscovery Manager
Communication Compliance Admin Used to manage policies in the Communication Compliance feature. Communication Compliance

Communication Compliance Administrators

Compliance Administrator

Organization Management
*Communication Compliance Analysis Used to perform investigation, remediation of the message violations in the Communication Compliance feature. Can only view message meta data. Communication Compliance

Communication Compliance Analysts

Communication Compliance Investigators
Communication Compliance Case Management Used to access Communication Compliance cases. Communication Compliance

Communication Compliance Administrators

Communication Compliance Analysts

Communication Compliance Investigators

Communication Compliance Viewers

Compliance Administrator

Organization Management
*Communication Compliance Investigation Used to perform investigation, remediation, and review message violations in the Communication Compliance feature. Can view message meta data and message. Communication Compliance

Communication Compliance Investigators
*Communication Compliance Viewer Used to access reports and widgets in the Communication Compliance feature. Communication Compliance

Communication Compliance Viewers
Compliance Administrator View and edit settings and reports for compliance features. Compliance Administrator

Compliance Data Administrator

Organization Management
Compliance Manager Administration Manage template creation and modification. Compliance Administrator

Compliance Data Administrator

Compliance Manager Administrators

Organization Management

Security Administrator
*Compliance Manager Assessment Create assessments, implement improvement actions, and update test status for improvement actions. Compliance Manager Administrators

Compliance Manager Assessors
*Compliance Manager Contribution Create assessments and perform work to implement improvement actions. Compliance Manager Administrators

Compliance Manager Assessors

Compliance Manager Contributors

Privacy Management

Privacy Management Administrators

Subject Rights Request Administrators
*Compliance Manager Reader View all Compliance Manager content except for administrator functions. Compliance Manager Administrators

Compliance Manager Assessors

Compliance Manager Contributors

Compliance Manager Readers

Global Reader

Privacy Management

Privacy Management Administrators

Privacy Management Analysts

Privacy Management Contributors

Privacy Management Investigators

Privacy Management Viewers

Security Reader

Subject Rights Request Administrators

Subject Rights Request Approvers
Compliance Search Perform searches across mailboxes and get an estimate of the results. Compliance Administrator

Compliance Data Administrator

Data Investigator

eDiscovery Manager

Organization Management

Security Operator
*Credential Reader Read the different credentials created in the tenant. Compliance Administrator

Data Source Administrators
*Credential Writer Create and edit credentials. Compliance Administrator

Data Source Administrators
*Custodian Identify and manage custodians for eDiscovery (Premium) cases and use the information from Microsoft Entra ID and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case. Data Investigator

eDiscovery Manager

Insider Risk Management

Insider Risk Management Investigators
*Data Classification Content Download When evidence collection is turned on from Endpoint DLP settings, this role lets admins download endpoint-related evidence files from activity explorer and DLP alerts. Data Security Management

Information Protection

Information Protection Investigators
*Data Classification Content Viewer View in-place rendering of files in Content explorer. Content Explorer Content Viewer

Information Protection

Information Protection Investigators

Privacy Management

Privacy Management Investigators
*Data Classification Feedback Provider Allows providing feedback to classifiers in content explorer. Communication Compliance

Communication Compliance Investigators

Compliance Administrator
*Data Classification Feedback Reviewer Allows reviewing feedback from classifiers in feedback explorer. Compliance Administrator
*Data Classification List Viewer View the list of files in content explorer. Content Explorer List Viewer

Information Protection

Information Protection Analysts

Information Protection Investigators

Privacy Management

Privacy Management Analysts

Privacy Management Investigators

Privacy Management Viewers
Data Connector Admin Create and manage connectors to import and archive non-Microsoft data in Microsoft 365. Communication Compliance

Communication Compliance Administrators

Compliance Administrator

Compliance Manager Administrators

Compliance Manager Assessors

Compliance Manager Contributors

Insider Risk Management

Insider Risk Management Admins

Organization Management
*Data Governance Administrator Delegates the first level of access for business domain creators and other application-level permissions. Data Governance
*Data Investigation Management Create, edit, delete, and control access to data investigation. Compliance Administrator

Data Investigator
*Data Map Reader Read actions on data map objects. Compliance Administrator

Data Catalog Curators

Data Estate Insights Readers

Information Protection

Information Protection Admins

Information Protection Analysts

Information Protection Investigators
*Data Map Writer Create, read, modify, and delete actions on data map objects and establish relationships between objects. Data Catalog Curators
Data Security Viewer View access to Data Security Posture Management dashboard insights. Allows users to use Copilot for Security to view details. Data Security Management
Device Management View and edit settings and reports for device management features. Compliance Administrator

Compliance Data Administrator

Organization Management

Security Administrator
*Disposition Management Control permissions for accessing Manual Disposition in the Defender and compliance portals. Compliance Administrator

Compliance Data Administrator

Records Management
DLP Compliance Management View and edit settings and reports for data loss prevention (DLP) policies. Compliance Administrator

Compliance Data Administrator

Organization Management

Security Administrator
*Exact Data Match Upload Admin Lets users upload data for Exact Data Match. Exact Data Match Upload Admins
*Exchange Administrator Allows Exchange administrator for selected features. MailFlow Administrator
*Export Export mailbox and site content that's returned from searches. Data Investigator

eDiscovery Manager
Hold Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners are still able to modify or delete the original content. Compliance Administrator

eDiscovery Manager

Organization Management
IB Compliance Management View, create, remove, modify, and test Information Barrier policies. Compliance Administrator

Compliance Data Administrator

Organization Management

Security Administrator
*Information Protection Admin Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies. Compliance Administrator

Compliance Data Administrator

Information Protection

Information Protection Admins
*Information Protection Analyst Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. Compliance Administrator

Compliance Data Administrator

Information Protection

Information Protection Analysts

Information Protection Investigators
*Information Protection Investigator Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types. Information Protection

Information Protection Investigators
*Information Protection Reader View-only access to reports for DLP policies and sensitivity labels and their policies. Compliance Administrator

Compliance Data Administrator

Information Protection

Information Protection Readers
Insider Risk Management Admin Create, edit, delete, and control access to Insider Risk Management feature. Compliance Administrator

Insider Risk Management

Insider Risk Management Admins

Organization Management
*Insider Risk Management Analysis Access all insider risk management alerts, cases, and notices templates. Insider Risk Management

Insider Risk Management Analysts
*Insider Risk Management Approval Perform investigation, remediation, and review message violations in Privacy Management solution. Can view message metadata and full messages. Insider Risk Management

Insider Risk Management Approvers
*Insider Risk Management Audit Allow viewing Insider Risk audit trails. Insider Risk Management

Insider Risk Management Auditors
*Insider Risk Management Investigation Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. Insider Risk Management

Insider Risk Management Investigators
*Insider Risk Management Permanent contribution This role group is visible, but is used by background services only. IRM Contributors
*Insider Risk Management Reports Administrator Insider Risk Management
*Insider Risk Management Sessions Perform investigation and remediation of message violations in Privacy Management solution. Can view only message metadata. Insider Risk Management

Insider Risk Management Session Approvers
*Insider Risk Management Temporary contribution This role group is visible, but is used by background services only. IRM Contributors
*Insights Reader Provides read-only access to all Insights reports in the Data Estate Insights app. Insights readers need to have at least data reader role access to a collection to view reports about that specific collection. Compliance Administrator

Data Estate Insights Admins

Data Estate Insights Readers

Information Protection

Information Protection Admins

Information Protection Analysts

Information Protection Investigators

Privacy Management

Privacy Management Administrators

Privacy Management Analysts

Privacy Management Investigators

Privacy Management Viewers
*Insights Writer Data Estate Insights Admins
*Knowledge Admin Configure knowledge, learning, assign trainings and other intelligent features. Knowledge Administrators
License Usage Reader Organization Management
Manage Alerts View and edit settings and reports for alerts. Compliance Administrator

Compliance Data Administrator

Organization Management

Security Administrator

Security Operator
*Manage Review Set Tags This role lets users create, edit, and delete review set tags for cases they can access. eDiscovery Manager
Organization Configuration Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation. Compliance Administrator

Compliance Data Administrator

Organization Management
*Preview View a list of items that are returned from content searches, and open each item from the list to view its contents. Data Investigator

eDiscovery Manager
Priority Cleanup Admin Organization Management
Priority Cleanup Viewer Organization Management
*Privacy Management Admin Manage policies in Privacy Management and has access to all functionality of the solution. Privacy Management

Privacy Management Administrators
*Privacy Management Analysis Perform investigation and remediation of the message violations in Privacy Management. Can only view messages metadata. Privacy Management

Privacy Management Analysts
*Privacy Management Investigation Perform investigation, remediation, and review message violations in Privacy Management. Can view message metadata and the full message. Privacy Management

Privacy Management Investigators
*Privacy Management Permanent contribution Access Privacy Management cases as a permanent contributor. Privacy Management

Privacy Management Contributors
*Privacy Management Temporary contribution Access Privacy Management cases as a temporary contributor. Privacy Management

Privacy Management Contributors
*Privacy Management Viewer Access dashboards and widgets in Privacy Management. Privacy Management

Privacy Management Viewers
*Purview Domain Manager Create, edit, and delete domains and perform role assignments. Purview Administrators
*Purview Evaluation Administrator Create and manage the Microsoft 365 Purview Evaluation lab. Information Protection

Information Protection Admins

Information Protection Analysts

Information Protection Investigators
Quarantine Allows viewing and releasing quarantined email. Organization Management

Quarantine Administrator

Security Administrator
RecordManagement View and edit the configuration of the records management feature. Compliance Administrator

Compliance Data Administrator

Organization Management

Records Management
Retention Management Manage retention policies, retention labels, and retention label policies. Includes permissions to add and remove adaptive scopes from these policies, and to create, delete, and modify adaptive scopes. Compliance Administrator

Compliance Data Administrator

Organization Management

Records Management
*Review This role lets users access review sets in eDiscovery (Premium) cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft Purview compliance portal that they're members of. After the user accesses an eDiscovery (Premium) case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set. Data Investigator

eDiscovery Manager

Insider Risk Management

Insider Risk Management Investigators

Reviewer
*RMS Decrypt Decrypt RMS-protected content when exporting search results. Data Investigator

eDiscovery Manager
Role Management Manage role group membership and create or delete custom role groups. Organization Management

Purview Administrators
*Scan Reader Read the different scans created in the tenant. Compliance Administrator

Data Source Administrators

Information Protection

Information Protection Admins

Information Protection Investigators
*Scan Writer Create, update and delete scans in the tenant. Compliance Administrator

Data Source Administrators
Scope Manager Enables administrators to create, edit, delete, and control access to scoping features such as Adaptive Scopes in the organization. Communication Compliance

Communication Compliance Administrators

Compliance Administrator

Compliance Data Administrator

Organization Management

Records Management
Search And Purge Lets people bulk-remove data that matches the criteria of a content search. Data Investigator

Organization Management
Security Administrator View and edit the configuration and reports for Security features. Organization Management

Security Administrator
Security Reader View the configuration and reports for Security features. Global Reader

Organization Management

Security Operator

Security Reader
Sensitivity Label Administrator View, create, modify, and remove sensitivity labels. Compliance Data Administrator

Organization Management

Security Administrator
Sensitivity Label Reader View the configuration and usage of sensitivity labels. Global Reader

Organization Management

Security Reader
Service Assurance View Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks. Global Reader

Organization Management

Service Assurance User
*Source Reader Read the different sources created in the tenant. Compliance Administrator

Data Source Administrators

Information Protection

Information Protection Admins

Information Protection Investigators

Privacy Management

Privacy Management Administrators
*Source Writer Create, update and delete sources in the tenant. Compliance Administrator

Data Source Administrators
*Subject Rights Request Admin Manage supervisory review policies, including which communications to review and who should perform the review. Privacy Management

Subject Rights Request Administrators
*Subject Rights Request Approver Create, edit, delete, and control access to custodian. Subject Rights Request Approvers
*Supervisory Review Administrator Manage supervisory review policies, including which communications to review and who should do the review. Supervisory Review
Tag Contributor Enables viewing and updating of existing tags. Organization Management

Security Administrator

Security Operator
Tag Manager View, update, create, and delete user tags. Organization Management

Security Administrator
Tag Reader Read-only access to existing user tags. Organization Management

Security Administrator

Security Operator

Security Reader
*Tenant AllowBlockList Manager Manage Tenant Allow/Block List settings. Security Operator
View-Only Audit Logs View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information. Audit Manager

Audit Reader

Compliance Administrator

Compliance Data Administrator

Global Reader

Organization Management

Security Administrator

Security Operator
View-Only Case Communication Compliance

Communication Compliance Investigators

Compliance Administrator

Insider Risk Management

Insider Risk Management Admins

Insider Risk Management Analysts

Insider Risk Management Investigators

Organization Management

Privacy Management

Privacy Management Administrators

Privacy Management Analysts

Privacy Management Investigators

Subject Rights Request Administrators
View-Only Device Management View the configuration and reports for the Device Management feature. Compliance Administrator

Compliance Data Administrator

Global Reader

Organization Management

Security Administrator

Security Operator

Security Reader
View-Only DLP Compliance Management View the settings and reports for data loss prevention (DLP) policies. Compliance Administrator

Compliance Data Administrator

Global Reader

Organization Management

Security Administrator

Security Operator

Security Reader
View-Only IB Compliance Management View the configuration and reports for the Information Barriers feature. Compliance Administrator

Compliance Data Administrator

Global Reader

Organization Management

Security Administrator

Security Operator

Security Reader
View-Only Manage Alerts View the configuration and reports for the Manage Alerts feature. Compliance Administrator

Compliance Data Administrator

Global Reader

Organization Management

Security Administrator

Security Operator

Security Reader
View-Only Recipients View information about users and groups. Compliance Administrator

Compliance Data Administrator

Global Reader

MailFlow Administrator

Organization Management
View-Only Record Management View the configuration of the records management feature. Compliance Administrator

Compliance Data Administrator

Global Reader

Organization Management
View-Only Retention Management View the configuration of retention policies, retention labels, and retention label policies. Compliance Administrator

Compliance Data Administrator

Global Reader

Organization Management