MC1199765 - Microsoft Purview: Role management update
Message Center
Metadata at Feb 18, 2026
Last Updated
Published Dec 18, 2025
Service
Tag
Metadata changes
- End date
- Jun 29, 2026Apr 30, 2026
Body changes
Updated April 16,February 17, 2026: We have updated the timeline and content. Thank you for your patience.
Introduction
To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we’re updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data.
When this will happen:
- General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late
May 2026 (previously late March).March 2026.
How this affects your organization:
Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.
What will happen:
- New roles will be created in Entra to map to Purview roles listed below.
- Existing role assignments will sync automatically.
- New assignments will sync from Purview to Entra within 15 minutes.
- If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader.
- Customers may see new Purview-specific Entra roles in audit logs.
- Do not assign to these roles directly in Entra; Purview manages them.
Role Mapping Table:
| Purview Role(s) | Mapped Entra Role |
|---|---|
Insider Risk Management Analysis | Purview Workload Content Reader |
| Hold Privacy Management Investigation Data Security Investigation Investigator | Purview Workload Content Writer |
| Search and Purge Data Security Investigation Admin Data Security Investigation Analyst (New Role) | Purview Workload Content Administrator |
Example: If you have both Export and Search and Purge roles, you’ll get the Purview Workload Content Administrator role in Entra.
Audit logs:
The Audit logs will look like below, with Display Name always shown as “PurviewRoleAssignmentMigrator”.
New Value for Role would always be one of the 3 new Entra roles created in Entra for protecting Purview customers
What you can do to prepare:
- No action is required.
You will see these changes in assignments in theBe aware that new Purview-specific EntraAudit logs. These changes will happen in two modes:Bulk/One time update when all existing assignments to Purviewrolesare synced with Entra. This will be done once for each customer.This will generate extra activities in the Entra Audit logs as all previous assignments are synced from Purview to Entra.Continuous mode: all changes made subsequently in assignments for these Purview roles will be kept in sync with Entra. Customers will see these changes in Entra Audit Logs too. The amount of activitymay appear in auditlogs will be in sync with the changes being made to Purview roles by admins.logs.
Active Assignments in Privileged Identity Management (PIM)Although the 3 new Entra roles are PIM-enabled, the assignments made to them by the sync process will be active (not eligible). If customers have PIM-enabled security groups assigned to Purview roles, then the same PIM-enabled security groups will be assigned to these 3 new Entra roles.
- Do not manually assign these roles in Entra; Purview will overwrite changes.
- For more details, review Microsoft Purview documentation.
Compliance considerations:
No compliance considerations identified; review as appropriate for your organization.