Like Microsoft 365 Defender, Microsoft Purview can leverage both Azure AD global roles as well as more refined role groups specifically designed for Microsoft Purview. Some features (such as eDiscovery) can only be configured using the Purview-specific roles.
You can view the global Azure AD roles by navigating to the Microsoft Purview compliance center, expanding Roles & scopes, selecting Permissions, and then selecting Roles under Azure AD. See Figure 3.11:
Figure 3.11 – Viewing the Azure AD roles in the Microsoft 365 admin center
By comparison, the Microsoft Purview-specific roles are more detailed. They can be seen in the Microsoft Purview compliance center (https://compliance.microsoft.com) by expanding Roles & scopes, selecting Permissions, and then selecting Roles under Microsoft Purview solutions.See Figure 3.12:
Figure 3.12 – Microsoft Purview solutions roles
Like Microsoft 365 Defender, you can also create custom role groups for Microsoft Purview solutions. Microsoft Purview roles also support scoping with administrative units. Currently, the features described in Table 3.2 support administrative units:
| Solution or feature | Configuration areas |
| Data lifecycle management | Retention policies, retention label policies, role groups |
| Data Loss Prevention (DLP) | DLP policies, role groups |
| Communications compliance | Adaptive scopes |
| Records management | Retention policies, retention label policies, adaptive scopes, |
| role groups | |
| Sensitivity labels | Sensitivity label policies, auto-labeling policies, role groups |
Table 3.2 – Microsoft Purview’s support for administrative units
Next, you’ll look at managing role groups for Microsoft 365 workloads.
Microsoft 365 Workloads
The core Microsoft 365 workloads, such as Exchange Online and SharePoint Online, have built-in support for a number of role groups.
Figure 3.13 – Microsoft 365 workload roles
In the case of Exchange Online, there are additional management roles that can be assigned within the Exchange admin center’s existing RBAC mechanisms. Exchange Online’s RBAC model predates the modern Microsoft 365 and Azure role assignments; Exchange Online’s roles provide extra security granularity.
While many workloads will have a single role group (such as Kaizala Administrator or SharePoint Administrator), some, such as Teams, have multiple role groups that can be used to further segmentor delegate administration. You can review the current list of roles available in the Microsoft 365 admin center by navigating to the admin center (https://admin.microsoft.com), expanding Roles, and then selecting Role assignments.
Managing Administrative Units
Administrative units are collections of users and devices that can be delegated to certain administrators. In on -premises Active Directory, you may choose to delegate control of administrative functions using the Delegation of Control wizard in Active Directory Users and Computers or the Active Directory Administration Center. Unlike on-premises Active Directory, Azure AD is not hierarchical. Delegation must be achieved by defining boundaries and then controlling which users or devices are placed inside the boundaries.
Administrative units can be role-scoped—that is to say, administrators can both be granted administrative roles (such as Helpdesk Administrator) as well as be limited to administrative tasks only for assigned administrative units.
Leave a Reply