# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to Microsoft Purview policies, DLP configurations, and compliance analytics through **Security Copilot Plugins**.\
It is designed to evaluate data protection posture, DLP policy effectiveness, and governance maturity trends — without changing or modifying any configurations.

***

### How It Works

The agent connects securely to Microsoft Purview through Security Copilot Plugins to analyze policy activity, classification trends, and compliance telemetry.\
It correlates this data to provide actionable insights into DLP coverage, sensitivity label adoption, and data governance maturity across Microsoft 365 workloads.

All interactions follow these principles:

* **Read-only access:** The agent never modifies, deletes, or creates policies or configurations.
* **Least privilege:** Only the permissions required to read Purview compliance data are used.
* **Transparency:** All access is auditable within Microsoft Entra and aligned with Microsoft’s compliance standards.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                         | Description                                                                    |
| ---------------------------- | ------------------------------------------------------------------------------ |
| **Compliance Administrator** | Provides read-only access to Purview compliance configurations and policies.   |
| **Security Reader**          | Grants visibility into alerts, compliance risks, and DLP event data.           |
| **Reports Reader**           | Enables access to reporting and analytics data for policy and activity trends. |
| **Global Reader**            | Allows full read-only visibility across compliance workloads.                  |

{% hint style="info" %}
These roles are aligned with least-privilege principles. Adjust role assignments as needed for your organization’s compliance requirements.
{% endhint %}
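A quick way to confirm the role prerequisites before installing the agent, as an added example that is not part of the agent's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed and uses a placeholder UPN; Microsoft Graph cmdlet and parameter names are as published by Microsoft, and only read-only Graph scopes are requested.

```powershell
# Added example, not part of the agent's documentation: verifies that the
# account that installs and runs the agent holds the four directory roles
# listed above. Assumes the Microsoft.Graph PowerShell SDK is installed;
# the UPN below is a placeholder.
$Upn = 'agent-admin@contoso.example'   # placeholder UPN, replace before running

$RequiredRoles = @(
    'Compliance Administrator',
    'Security Reader',
    'Reports Reader',
    'Global Reader'
)

# Read-only Graph scopes are sufficient to enumerate role assignments.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

$User = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# Active role assignments for this principal. PIM-eligible roles that have not
# been activated, and roles inherited via a role-assignable group, do not
# appear under the user's own principalId and need a separate check.
$Assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($User.Id)'" -All

$AssignedRoles = foreach ($a in $Assignments) {
    (Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
}

$Report = foreach ($role in $RequiredRoles) {
    [pscustomobject]@{
        Role     = $role
        Assigned = $AssignedRoles -contains $role
    }
}
$Report | Format-Table -AutoSize

$Missing = ($Report | Where-Object { -not $_.Assigned }).Role
if ($Missing) {
    Write-Warning "Missing roles for ${Upn}: $($Missing -join ', ')"
} else {
    Write-Host "All required roles are assigned to $Upn."
}

Disconnect-MgGraph | Out-Null
```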

***

### Data Access Transparency

The following table outlines what data the agent can access and the purpose for each dataset.

| Data Type                               | Access Level | Purpose                                                                         |
| --------------------------------------- | ------------ | ------------------------------------------------------------------------------- |
| **Purview policies and configurations** | Read-only    | To assess DLP policy coverage, rule complexity, and deployment effectiveness.   |
| **Activity and incident logs**          | Read-only    | To analyze event frequency, policy triggers, and data protection success rates. |
| **Sensitivity label metrics**           | Read-only    | To measure adoption, label usage, and classification trends.                    |
| **Compliance analytics and dashboards** | Read-only    | To generate maturity scoring and benchmark comparisons.                         |

**Data handling:**

* The agent does **not** modify, export, or delete data outside the tenant boundary.
* All access occurs via **Security Copilot Plugins** using delegated or application-level permissions.
* All access activity is recorded in **Microsoft Entra audit logs** for compliance and transparency.

***

### Agent Settings

When running the agent, you can configure optional settings to refine analysis scope, time range, or output level.

| Setting                 | Example                                | Description                                                                            |
| ----------------------- | -------------------------------------- | -------------------------------------------------------------------------------------- |
| **TimeRange**           | `30`, `90`, or `2025-01-01/2025-03-31` | Defines the period for policy and compliance data analysis.                            |
| **FocusArea**           | `DLP`, `Labels`, `Governance`, `All`   | Filters analysis to a specific focus area or includes all.                             |
| **BenchmarkComparison** | `true`                                 | Enables comparison of DLP and compliance performance against best-practice benchmarks. |
| **OutputFormat**        | `summary` or `detailed`                | Controls the report detail level for readability or in-depth reporting.                |

#### Example Queries

* `"Analyze my Purview policy effectiveness"`
* `"Show me sensitivity label adoption trends"`
* `"Generate compliance readiness report"`
* `"What’s my data governance maturity score?"`
* `"Compare my DLP performance against benchmarks"`

***

### Data Requirements

To ensure accurate and meaningful analysis, verify that:

* **Purview policies** are active and generating activity data.
* At least **30–90 days of data** is available for consistent trend evaluation.
* **DLP policies** are deployed across Exchange, SharePoint, OneDrive, and Teams.
* **Sensitivity labels** are configured and available to users, even if adoption is limited.
* **Activity logging** is enabled in Purview for all data sources.
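A pre-flight script for the data requirements above, as an added example that is not part of the agent's documentation. It assumes the ExchangeOnlineManagement module and an account able to read Purview DLP and label configuration plus the audit log setting; the workload names are those returned in the `Workload` property of `Get-DlpCompliancePolicy`.

```powershell
# Added example, not part of the agent's documentation: checks the data
# prerequisites listed above. Assumes the ExchangeOnlineManagement module
# and an account that can read Purview DLP/label configuration and the
# unified audit log configuration.
Connect-IPPSSession      # Security & Compliance PowerShell: DLP policies, labels
Connect-ExchangeOnline   # Exchange Online PowerShell: unified audit log setting

$RequiredWorkloads = @('Exchange', 'SharePoint', 'OneDriveForBusiness', 'Teams')

# 1. DLP policies that are enabled and in enforce mode; test modes
#    (TestWithNotifications / TestWithoutNotifications) do not enforce.
$Policies = Get-DlpCompliancePolicy
$Enforced = $Policies | Where-Object { $_.Enabled -and $_.Mode -eq 'Enable' }

# 2. Workloads covered by at least one enforced policy.
$Covered = ($Enforced.Workload -join ',') -split ',\s*' |
    Where-Object { $_ } | Select-Object -Unique
$Uncovered = $RequiredWorkloads | Where-Object { $_ -notin $Covered }

# 3. Trend history: the age of the oldest enforced policy is a lower bound
#    on how much activity history the agent can evaluate (30-90 days wanted).
$Oldest = $Enforced | Sort-Object WhenCreated | Select-Object -First 1
$HistoryDays = if ($Oldest) { [int]((Get-Date) - $Oldest.WhenCreated).TotalDays } else { 0 }

# 4. Sensitivity labels exist and at least one label policy publishes them.
$LabelCount     = @(Get-Label).Count
$LabelPolicies  = @(Get-LabelPolicy).Count

# 5. Unified audit logging must be on for activity data to be recorded.
$AuditOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

[pscustomobject]@{
    EnforcedDlpPolicies  = @($Enforced).Count
    UncoveredWorkloads   = ($Uncovered -join ', ')
    PolicyHistoryDays    = $HistoryDays
    HistoryMeets30Days   = $HistoryDays -ge 30
    SensitivityLabels    = $LabelCount
    LabelPolicies        = $LabelPolicies
    UnifiedAuditLogOn    = $AuditOn
} | Format-List

# Disconnects both the Exchange Online and the compliance session.
Disconnect-ExchangeOnline -Confirm:$false
```

An empty `UncoveredWorkloads`, `HistoryMeets30Days` of `True`, a non-zero label policy count and `UnifiedAuditLogOn` of `True` mean every requirement in the list above is met.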

***

### Security and Compliance Considerations

* All communication through Security Copilot Plugins is encrypted using HTTPS and secured via Microsoft identity services.
* The agent operates under Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Confirm that the administrator account has the required roles assigned.
* Run the agent to evaluate DLP performance, policy effectiveness, and governance maturity.
* Review the generated insights in Security Copilot to enhance data protection strategies.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.