MC1199765: Microsoft Purview: Role management update
Microsoft Purview will map certain admin roles to new Microsoft Entra roles to enhance security and synchronize permissions automatically by March 2026. High-privileged Purview roles will correspond to three Entra roles, with no customer action needed. Do not assign these roles directly in Entra.
[Introduction]
To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we’re updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data.
[When this will happen:]
- General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late March 2026.
[How this affects your organization:]
Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.
What will happen:
- New roles will be created in Entra to map to Purview roles listed below.
- Existing role assignments will sync automatically.
- New assignments will sync from Purview to Entra within 15 minutes.
- If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader.
- Customers may see new Purview-specific Entra roles in audit logs.
- Do not assign to these roles directly in Entra; Purview manages them.
Role Mapping Table:
| Purview Role(s) | Mapped Entra Role |
|---|---|
| Insider Risk Management Analysis Insider Risk Management Investigation Compliance Search Export Privacy Management Admin Privacy Management Analysis Privacy Management Investigation Privacy Management Permanent Contribution Privacy Management Temporary Contribution Privacy Management Viewer | Purview Workload Content Reader |
| Hold Privacy Management Investigation | Purview Workload Content Writer |
| Search and Purge | Purview Workload Content Administrator |
Example: If you have both Export and Search and Purge roles, you’ll get the Purview Workload Content Administrator role in Entra.
[What you can do to prepare:]
- No action is required.
- Be aware that new Purview-specific Entra roles may appear in audit logs.
- Do not manually assign these roles in Entra; Purview will overwrite changes.
- For more details, review Microsoft Purview documentation.
[Compliance considerations:]
No compliance considerations identified; review as appropriate for your organization.