MC1000267 - Microsoft Purview | Data Loss Prevention: New role for downloading original file evidence for Endpoint

Service: Microsoft Purview
Published: Feb 7, 2025
Tag: New feature, Admin impact
Platforms: Web

More information

Coming soon to Microsoft Purview | Data Loss Prevention (DLP): A new RBAC (role-based access control) role called Data Classification Content Download. When evidence collection is turned on from Endpoint DLP settings, this role lets admins download endpoint-related evidence files from activity explorer and DLP alerts in the Purview portal and Microsoft Defender XDR portal.

By default, the new role is available in these built-in role groups:

  • Data Security Management
  • Information Protection
  • Information Protection Investigators

To view the evidence, users can continue using the Data Classification Content Viewer role.

For more information on the roles and role groups in Microsoft Purview, refer to Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview - Microsoft Defender for Office 365 | Microsoft Learn.

This message is associated with Microsoft 365 Roadmap ID 478660.

When this will happen:

General Availability (Worldwide): We will begin rolling out late February 2025 and expect to complete by early March 2025.

How this will affect your organization:

After this rollout, DLP investigators who are assigned to any role group (custom or default) without the Data Classification Content Download role will be unable to download the endpoint DLP evidence and will encounter the error message “You need the role Data Classification Content Download to download the evidence”.

We understand the significance of secure data management, and this new role is designed to enhance security. If a user encounters the error message, admins can deploy one of these options from Permissions in the Microsoft Purview compliance portal | Microsoft Learn:

This rollout will have no impact on previewing the evidence.

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your admins about this change and update any relevant documentation.