Members of your security and compliance teams who are responsible for managing AI apps in Microsoft Purview Data Security Posture Management for AI need appropriate permissions when they sign in to the Microsoft Purview portal.
Roles and role groups that can view, create, and edit in Data Security Posture Management for AI:
- Microsoft Entra Compliance Administrator role
- Microsoft Entra Global Administrator role
- Microsoft Purview Compliance Administrator role group
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
Roles and role groups that have view-only access in Data Security Posture Management for AI:
- Microsoft Purview Security Reader role group
- Purview Data Security AI Viewer role
- AI Administrator role from Entra
- Purview Data Security AI Content Viewer role for AI interactions only
- Purview Data Security Content Explorer Content Viewer role for AI interactions and file details for data risk assessments only
To help you assign the right permissions to users, use the following guidance, depending on the portal you're using:
- Permissions in the Microsoft Purview portal
- Assign Microsoft Entra roles to users
- Permissions in Exchange Online
Use the following table to understand the detailed permissions for different activities in Data Security Posture Management for AI.
Permissions by activities
✓: Supported. The role or role group has permissions to do the specified activities.
✕: Not supported. The role or role group doesn't have permissions to do the specified activities.
| Activities | Microsoft Entra Compliance Administrator role | Microsoft Entra Global Administrator role | Microsoft Purview Compliance Administrator role group | Roles or role groups that are view-only* | When not supported, additional role groups required | 
|---|---|---|---|---|---|
| View all get started steps | ✓ | ✓ | ✓ | ✓ | Not applicable | 
| Complete action on getting started steps | ✓ | ✓ | ✓ Excludes Activate Audit | ✕ | Microsoft Exchange Compliance Management, Microsoft Exchange Records Management, Microsoft Exchange Organization Management |
| View completion status of getting started steps | ✓ | ✓ | ✓ Excludes status of Activate Audit | ✓ Excludes: status of Activate Audit, status of Extend Your Insights | For Activate Audit: Microsoft Exchange View-Only Organization Management, Microsoft Exchange Hygiene Management, Microsoft Exchange Compliance Management, Microsoft Exchange Records Management, Microsoft Exchange Organization Management. For Extend Your Insights: Microsoft Purview Insider Risk Management Administrator, Microsoft Purview Insider Risk Management Analyst, Microsoft Purview Insider Risk Management Investigator |
| View all recommendations | ✓ | ✓ | ✓ | ✓ | Not applicable | 
| Complete actions on recommendation cards | ✓ | ✓ | ✓ | ✕ | Not applicable | 
| View completion status of recommendation cards | ✓ | ✓ | ✓ | ✓ Excludes Unethical Behavior card | Communication Compliance Administrator |
| View all graphs from the Reports page | ✓ | ✓ | ✓ | ✓ | Not applicable | 
| View all policies in the policy list | ✓ | ✓ | ✓ | ✓ Excludes: insider risk management policies, communication compliance policies | For insider risk management policies: Microsoft Purview Insider Risk Management Administrator, Microsoft Purview Insider Risk Management Analyst, Microsoft Purview Insider Risk Management Investigator. For communication compliance policies: Communication Compliance Administrator |
| View all events in activity explorer | ✓ Excludes browse to URL (AI Visit) from insider risk management | ✓ Excludes browse to URL (AI Visit) from insider risk management | ✓ Excludes browse to URL (AI Visit) from insider risk management | ✓ Excludes browse to URL (AI Visit) from insider risk management | Microsoft Purview Insider Risk Management Analyst, Microsoft Purview Insider Risk Management Investigator |
| View user risk level of an individual user in all events from activity explorer | ✕ | ✕ | ✕ | ✕ | Microsoft Purview Insider Risk Management Analyst, Microsoft Purview Insider Risk Management Investigator |
| View link to view user details in insider risk management in all events from activity explorer | ✕ | ✕ | ✕ | ✕ | Microsoft Purview Insider Risk Management Analyst, Microsoft Purview Insider Risk Management Investigator |
| View the prompts and responses within AI Interaction events from activity explorer | ✕ | ✕ | ✕ | ✕ | Content Explorer Content Viewer, Microsoft Purview Data Security AI Content Viewer |
| Create data risk assessments | ✓ | ✓ | ✓ | ✕ | Not applicable | 
| View data risk assessments | ✓ | ✓ | ✓ | ✓ | Not applicable | 
| View file details for data risk assessments | ✕ | ✕ | ✕ | ✕ | Content Explorer Content Viewer, Content Explorer List Viewer |
| View Apps and agents page | ✓ | ✓ | ✓ | ✓ | Not applicable | 
* Includes Microsoft Purview Security Reader role group, Microsoft Purview Data Security AI Viewer role, and the AI Administrator role from Entra
Custom role groups
Instead of granting access to Data Security Posture Management for AI by using the built-in role groups, you can grant access by including the Microsoft Purview Compliance Administrator role in a custom role group. For read-only permissions, include the Microsoft Purview Security Reader role, the Purview Data Security AI Viewer role, or the AI Administrator role from Entra.
If a custom role group includes the Microsoft Purview Compliance Administrator role, the user has the same access to Data Security Posture Management for AI as the Microsoft Purview Compliance Administrator role group, except for the following:
- Create, view, update, and delete policies for insider risk management and communication compliance
If a custom role group includes the Microsoft Purview Security Reader role, the Purview Data Security AI Viewer role, or the AI Administrator role, the user has the same access to Data Security Posture Management for AI as the Microsoft Purview Security Reader role group, except for the following:
- View information protection policies