Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

Target Audience

This Permissions section of this blog series is aimed at Security and Compliance officers who are looking to understand what permissions are needed to run the Compliance center workloads, and specifically run the workloads detailed in this blog series.

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Purview through.

We will walk through adding Purview-related permissions. Here are the permissions that you will need:

• Compliance Administrator
• eDiscovery Manager
• Content Explorer Content Explorer

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Purview, including:

• Sensitive Information Types
• Exact Data Matching
• Sensitivity Labeling
• Data Protection Loss (DLP) for Exchange, OneDrive, Devices
• Microsoft Cloud App Security (MCAS)
• Records Management (retention and disposal)
• Advanced eDiscovery (AeD)
• Insider Risk Management
• Privacy Management

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

Overview of Document

1. We will add Compliance Permissions to an individual user in our tenant

Use Case

Definitions

Notes

• For production environments, it is recommended you work with Microsoft or a Microsoft Partner to refine the permission you will be using for Purview
• The permissions used in this document and blog series are meant to give broad control over your Purview components so that you can successfully run the configurations and tests in this blog series.

Requirements

• You have a test account to run the activities in this blog series.
• You have access to the compliance portal for your tenant (compliance.microsoft.com)

Pre-requisites

• You must have access to the compliance portal for your tenant (compliance.microsoft.com)
• You must have a Global Admin to be able to enable the permissions for your test user.

Microsoft and Zero Trust

For Microsoft, Zero Trust is not a tool or solution.  It is a mindset and a process. Here are the 3 principles of the Microsoft Zero Trust approach to security.

For more information about the Microsoft approach to Zero Trust, please look at the links in the Appendix and Links section below.

Enable Permissions

We will walk through adding Purview-related permissions. Here are the permissions that you will need perform the activities in this blog series:

• Compliance Administrator – Members can manage settings for device management, data protection, data loss prevention, reports, and preservation.
• eDiscovery Manager – Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery.
• Content Explorer Content Viewer – View the contents files in Content explorer.

1. Go to compliance.microsoft.com with your administrator account.

1. Click on Permissions in the left-hand side.

1. On the right-hand panel, click on View and Manage used to perform solution-specific tasks in the compliance center – Roles.

Compliance Administrator

1. In the search field on the right, type “compliance” and then click the search button

1. Select the Compliance Administrator role and in the popup window on the right, click Edit Role Group.

1. Click Choose Members and select the Edit option.

1. Click Add

1. Enter the name of the user you wish to make a Comliance Administrator, then click Add

1. Click Done

eDiscovery Administrator

1. In the search field on the right, type “ediscovery” and then click the search button

1. Select the Compliance Administrator role and in the popup window on the right, click Edit Role Group.

1. Click Choose Members and select the Edit option.

1. Click Add

1. Enter the name of the user you wish to make a Comliance Administrator, then click Add

1. Click Done

Content Explorer Content Viewer

1. In the search field on the right, type “content” and then click the search button

1. Select the Compliance Administrator role and in the popup window on the right, click Edit Role Group.

1. Click Choose Members and select the Edit option.

1. Click Add

1. Enter the name of the user you wish to make a Comliance Administrator, then click Add

1. Click Done

Appendix and Links

Zero Trust Model - Modern Security Architecture | Microsoft Security

Comprehensive Security for Business | Microsoft Security

Implementing a Zero Trust security model at Microsoft

Conditional Access for Zero Trust - Azure Architecture Center | Microsoft Docs

Conditional Acces s design principles and dependencies - Azure Architecture Center | Microsoft Docs

Learn about data classification - Microsoft Purview | Microsoft Docs

Get started with content explorer - Microsoft Purview | Microsoft Docs

Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs

Assign eDiscovery permissions in the Microsoft Purview compliance portal - Microsoft Purview | Micro...

Permissions - Security & Compliance Center - Office 365 | Microsoft Docs

Permissions in the Microsoft Purview compliance portal - Microsoft Purview | Microsoft Docs