MC1226226: Microsoft Purview | Role group changes in Microsoft Purview
Microsoft Purview introduces a new Purview Agent Deployment role added to several built-in role groups, allowing analysts to deploy and manage Purview agents without admin help. Rollout starts late February 2026. No default data access changes occur; organizations can customize roles to restrict ...
[Introduction]
We are introducing a new Microsoft Purview Role-Based Access Control (RBAC) role—Purview Agent Deployment—and adding it to several existing Purview built‑in role groups. This update enables analysts who intend to work with Purview agents to also deploy them directly without requiring administrator involvement. This change improves onboarding efficiency and supports broader adoption of Purview’s AI‑powered agent capabilities.
[When this will happen:]
General Availability (Worldwide): Rollout begins late February 2026 and is expected to complete by mid‑March 2026.
[How this will affect your organization:]
Who is affected:
Admins and analysts who intend to use Microsoft Purview agents or manage Purview role groups.
What will happen:
- The new Purview Agent Deployment role will be added to these built‑in role groups:
- Compliance Administrator
- Data Security Management
- Information Protection
- Information Protection Analysts
- Information Protection Investigators
- Insider Risk Management
- Insider Risk Management Analyst
- Insider Risk Management Investigator
- Purview Agent Management
- The Purview Agent Management role group will continue to include Purview Content Analyst role and maintain access to Posture agent capabilities.
- Users assigned to these role groups will be able to deploy, use, and manage Purview agents end‑to‑end, including:
- Data Security Triage Agent (DLP)
- Data Security Triage Agent (IRM)
- Data Security Posture Agent (DSPM)
- Future agents as released
- No default data access permissions are changed.
- No additional visibility into customer content is added.
- Organizations can optionally enforce separation of deployment vs. analysis roles using custom role groups.
[What you can do to prepare:]
- Analysts assigned to built‑in Purview role groups will automatically be able to deploy agents.
- If restricting agent deployment:
- Create a custom role group without the Purview Agent Deployment role.
- Assign analysts accordingly.
- Ensure custom groups include the Purview Agent Deployment role only where intended.
- Review and update internal RBAC documentation, training, and onboarding materials.
Learn more: Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview | Microsoft Learn
[Compliance considerations:]
| Question | Explanation |
|---|---|
| Does the change alter how existing customer data is processed, stored, or accessed? | Purview Agents may process or access existing customer data (for example, DLP, IRM, and DSPM signals) during triage and security posture workflows. This update expands who can deploy agents but does not change default data access permissions. |
| Does the change modify Conditional Access policies? | Agent deployment and operation interact with existing Conditional Access enforcement. Conditional Access policies continue to apply, but more roles will now be able to initiate workflows that are governed by those policies. |