|
Updated April 16, 2026: We have updated the timeline and content. Thank you for your patience.
[Introduction]
To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we’re updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data.
[When this will happen:]
- General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late May 2026 (previously late March).
[How this affects your organization:]
Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.
What will happen:
- New roles will be created in Entra to map to Purview roles listed below.
- Existing role assignments will sync automatically.
- New assignments will sync from Purview to Entra within 15 minutes.
- If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader.
- Customers may see new Purview-specific Entra roles in audit logs.
- Do not assign to these roles directly in Entra; Purview manages them.
Role Mapping Table:
| Purview Role(s) |
Mapped Entra Role |
|
Insider Risk Management Analysis
Insider Risk Management Investigation
Compliance Search
Export
Privacy Management Admin
Privacy Management Analysis
Privacy Management Investigation
Privacy Management Permanent Contribution
Privacy Management Temporary Contribution
Privacy Management Viewer
Data Security Investigation Reviewer
|
Purview Workload Content Reader |
Hold
Privacy Management Investigation
Data Security Investigation Investigator |
Purview Workload Content Writer |
Search and Purge
Data Security Investigation Admin
Data Security Investigation Analyst (New Role) |
Purview Workload Content Administrator |
Example: If you have both Export and Search and Purge roles, you’ll get the Purview Workload Content Administrator role in Entra.
Audit logs:
The Audit logs will look like below, with Display Name always shown as “PurviewRoleAssignmentMigrator”.
New Value for Role would always be one of the 3 new Entra roles created in Entra for protecting Purview customers
[What you can do to prepare:]
- No action is required.
- You will see these changes in assignments in the Entra Audit logs. These changes will happen in two modes:
- Bulk/One time update when all existing assignments to Purview roles are synced with Entra. This will be done once for each customer. This will generate extra activities in the Entra Audit logs as all previous assignments are synced from Purview to Entra.
- Continuous mode: all changes made subsequently in assignments for these Purview roles will be kept in sync with Entra. Customers will see these changes in Entra Audit Logs too. The amount of activity in audit logs will be in sync with the changes being made to Purview roles by admins.
- Active Assignments in Privileged Identity Management (PIM)
- Although the 3 new Entra roles are PIM-enabled, the assignments made to them by the sync process will be active (not eligible). If customers have PIM-enabled security groups assigned to Purview roles, then the same PIM-enabled security groups will be assigned to these 3 new Entra roles.
- Do not manually assign these roles in Entra; Purview will overwrite changes.
- For more details, review Microsoft Purview documentation.
[Compliance considerations:]
No compliance considerations identified; review as appropriate for your organization.
|