Microsoft 365 Message Center Archive

MC1199765 - Microsoft Purview: Role management update

Message ID

MC1199765

View in Message Center

Service

Microsoft Purview

Published

Dec 18, 2025

Tag

Feature update
Admin impact

Summary

Microsoft Purview will map certain admin roles to new Microsoft Entra roles to enhance security and synchronize permissions automatically by March 2026. High-privileged Purview roles will correspond to three Entra roles, with no customer action needed. Do not assign these roles directly in Entra.

More information

Introduction

To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we’re updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data.

When this will happen:

  • General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late March 2026.

How this affects your organization:

Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.

What will happen:

  • New roles will be created in Entra to map to Purview roles listed below.
  • Existing role assignments will sync automatically.
  • New assignments will sync from Purview to Entra within 15 minutes.
  • If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader.
  • Customers may see new Purview-specific Entra roles in audit logs.
  • Do not assign to these roles directly in Entra; Purview manages them.

Role Mapping Table:

Purview Role(s)Mapped Entra Role
Insider Risk Management Analysis
Insider Risk Management Investigation
Compliance Search
Export
Privacy Management Admin
Privacy Management Analysis
Privacy Management Investigation
Privacy Management Permanent Contribution
Privacy Management Temporary Contribution
Privacy Management Viewer		Purview Workload Content Reader
Hold
Privacy Management Investigation		Purview Workload Content Writer
Search and PurgePurview Workload Content Administrator

Example: If you have both Export and Search and Purge roles, you’ll get the Purview Workload Content Administrator role in Entra.

What you can do to prepare:

  • No action is required.
  • Be aware that new Purview-specific Entra roles may appear in audit logs.
  • Do not manually assign these roles in Entra; Purview will overwrite changes.
  • For more details, review Microsoft Purview documentation.

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.