Permissions in the Microsoft Purview compliance portal
The Microsoft Purview compliance portal supports directly managing permissions for users who perform compliance tasks in Microsoft 365. Using the new Permissions page in the compliance portal, you can manage permissions to users for compliance tasks in features like device management, Microsoft Purview Data Loss Prevention, eDiscovery, insider risk management, retention, and many others. Users can perform only the compliance tasks that you explicitly grant them access to.
To view the Permissions tab in the compliance portal, users need to be a global administrator or need to be assigned the Role Management role (a role is assigned only to the Organization Management role group). The Role Management role allows users to view, create, and modify role groups.
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
Permissions in the compliance portal are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services, so if you're familiar with the permission structure in these services, granting permissions in the compliance portal will be familiar. It's important to remember that the permissions managed in the compliance portal don't cover the management of all the permissions needed in each individual service. You'll still need to manage certain service-specific permissions in the admin center for the specific service. For example, if you need to assign permissions for archiving, auditing, and MRM retention policies, you'll need to manage these permissions in the Exchange admin center.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Relationship of members, roles, and role groups
A role grants permissions to do a set of tasks; for example, the Case Management role lets users work with eDiscovery cases.
A role group is a set of roles that enable users do their jobs across compliance solutions the compliance portal. For example, by adding users to the Insider Risk Management role group, designated administrators, analysts, investigators, and auditors are configured for the necessary insider risk management permissions in a single group. The compliance portal includes default role groups for tasks and functions for each compliance solution that you'll need to assign people to. Generally, we recommend simply adding individual users as members to the default compliance role groups as needed.
Permissions needed to use features in the compliance portal
To view all of the default role groups that are available in the compliance portal and the roles that are assigned to the role groups by default, see Roles and role groups in the Microsoft Defender XDR and Microsoft Purview compliance portals.
Managing permissions in the compliance portal only gives users access to the compliance features that are available within the compliance portal. If you want to grant permissions to other features that aren't in the compliance portal, such as Exchange mail flow rules (also known as transport rules), you'll need to use the Exchange admin center.
Azure roles in the compliance portal
The roles that appear in the Microsoft Entra ID > Roles section of the compliance portal Permissions page are Microsoft Entra roles. These roles are designed to align with job functions in your organization's IT group, making it easy to give a person all the permissions necessary to get their job done. You can view the users currently assigned to each role by selecting an Admin role and viewing the role panel details. To manage members of a Microsoft Entra role, select Manage members in Microsoft Entra ID. This choice redirects you to the Azure management portal.
Role | Description |
---|---|
Global administrator | Access to all administrative features in all Microsoft 365 services. Only global administrators can assign other administrator roles. For more information, see Global Administrator / Company Administrator. |
Compliance data administrator | Keep track of your organization's data across Microsoft 365, make sure it's protected, and get insights into any issues to help mitigate risks. For more information, see Compliance Data Administrator. |
Compliance administrator | Help your organization stay compliant with any regulatory requirements, manage eDiscovery cases, and maintain data governance policies across Microsoft 365 locations, identities, and apps. For more information, see Compliance Administrator. |
Security operator | View, investigate, and respond to active threats to your Microsoft 365 users, devices, and content. For more information, see Security Operator. |
Security reader | View and investigate active threats to your Microsoft 365 users, devices, and content, but (unlike the Security operator) they don't have permissions to respond by taking action. For more information, see Security Reader. |
Security administrator | Control your organization's overall security by managing security policies, reviewing security analytics and reports across Microsoft 365 products, and staying up-to-speed on the threat landscape. For more information, see Security Administrator. |
Global reader | The read-only version of the Global administrator role. View all settings and administrative information across Microsoft 365. For more information, see Global Reader. |
Attack simulation administrator | Create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. For more information, see Attack Simulation Administrator. |
Attack payload author | Create attack payloads but not actually launch or schedule them. For more information, see Attack Payload Author. |
Administrative units
Administrative units let you subdivide your organization into smaller units, and then assign specific administrators that can manage only the members of those units. They also allow you to assign administrative units to members of role groups in Microsoft Purview solutions, so that these administrators can manage only the members (and associated features) of those assigned administrative units. Visit Administrative units for detailed information about using and configuring administrative units.
Add users or groups to a Microsoft Purview built-in role group
Complete the following steps to add users or groups to a Microsoft Purview role group:
Sign into the permissions area of the compliance portal using credentials for an admin account in your Microsoft 365 organization, and go to Permissions to select the link to view and manage compliance roles in Microsoft 365.
Expand the Microsoft Purview solutions section and select Roles.
On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to add users to, then select Edit on the control bar.
On the Edit members of the role group page, select Choose users or Choose groups.
Important
Security groups are supported only in Microsoft 365 commercial cloud organizations.
Select the checkbox for all users or groups you want to add to the role group.
Select Select.
If the selected users or groups need organization-wide access as part of this role group assignment, go to Step 10.
If the selected users or groups need to be assigned to administrative units, select the users or groups and select Assign admin units.
On the Assign admin units pane, select the checkbox for all the administrative units you want to assign to the users or groups. Select Select.
Select Next and Save to add the users or groups to the role group. Select Done to complete the steps.
Remove users or groups from a Microsoft Purview built-in role group
Complete the following steps to remove users or groups from a Microsoft Purview role group:
- Sign into the permissions area of the compliance portal using credentials for an admin account in your Microsoft 365 organization, and go to Permissions to select the link to view and manage the Microsoft Purview compliance roles.
- Expand the Microsoft Purview solutions section and select Roles.
- On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to remove users or groups from, then select Edit on the control bar.
- On the Edit members of the role group page, select the checkbox for all users or groups you want to remove to the role group.
- Select Remove members, then select Next.
- Select Save to remove the users or groups from the role group. Select Done to complete the steps.
Create a custom Microsoft Purview role group
Complete the following steps to create a custom Microsoft Purview role group:
Sign into the permissions area of the compliance portal using credentials for an admin account in your Microsoft 365 organization, and go to Permissions.
Expand the Microsoft Purview solutions section and select Roles.
On the Role groups for Microsoft Purview solutions page, select Create role group.
On the Name the role group page, enter a name for the custom role group in the Name field. The name of the role group can't be changed after creation of the role group. If needed, enter a description for the custom role group in the Description field. Select Next to continue.
On the Add roles to the role group page, select Choose roles.
Select the checkboxes for the roles to add to the custom role group. Select Select.
Select Next to continue.
On the Add members to the role group page, select Choose users (or Choose groups if applicable).
Important
Security groups are supported only in Microsoft 365 commercial cloud organizations.
Select the checkboxes for the users (or groups) to add to the custom role group. Select Select.
Select Next to continue.
If the selected users or groups need organization-wide access as part of this role group assignment, go to Step 14.
If the selected users or groups need to be assigned to administrative units, select the users or groups and select Assign admin units.
On the Assign admin units pane, select the checkbox for all the administrative units you want to assign to the users or groups. Select Select.
Select Next.
On the Review the role group and finish page, review the details for the custom role group. If you need to edit the information, select Edit in the appropriate section. When all the settings are correct, select Create to create the custom role group or select Cancel to discard the changes and not create the custom role group.
Update a custom Microsoft Purview role group
Complete the following steps to update a custom Microsoft Purview role group:
- Sign into the permissions area of the compliance portal using credentials for an admin account in your Microsoft 365 organization, and go to Permissions.
- Expand the Microsoft Purview solutions section and select Roles.
- On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to update, then select Edit on the control bar.
- On the Name the role group page, update the description for the custom role group in the Description field. The name of the custom role group can't be changed. Select Next.
- On the Edit roles of the role group page, you can select Choose roles to add roles to update the roles assigned to the role group. You can also select any of the currently assigned roles and select Remove roles to remove the roles from the role group. After you've updated the roles, select Next.
- On the Edit members of the role group page, you can select Choose users or Choose groups to add users or groups assigned to the role group. To update the administrative units for users or groups, select any of the currently assigned user or groups and select Assign admin units. You can also select any of the currently assigned users and groups and select Remove members to remove the users or groups from the role group. After you've updated the members, select Next.
- On the Review the role group and finish page, review the details for the custom role group. If you need to edit the information, select Edit in the appropriate section. When all the settings are correct, select Save to update the custom role group or select Cancel to discard the changes and not update the custom role group.
Delete a custom Microsoft Purview role group
Complete the following steps to delete a custom Microsoft Purview role group:
- Sign into the permissions area of the compliance portal using credentials for an admin account in your Microsoft 365 organization, and go to Permissions.
- Expand the Microsoft Purview solutions section and select Roles.
- On the Role groups for Microsoft Purview solutions page, select a Microsoft Purview role group you want to delete, then select Delete on the control bar.
- On the Delete role group dialog, select Delete to delete the role group or select Cancel to cancel the deletion process.