Permissions

Overview

This page describes the permissions and access model for this agent. The agent uses read-only access to Microsoft Purview policies, DLP configurations, and compliance analytics through Security Copilot Plugins. It is designed to evaluate data protection posture, DLP policy effectiveness, and governance maturity trends — without changing or modifying any configurations.


How It Works

The agent connects securely to Microsoft Purview through Security Copilot Plugins to analyze policy activity, classification trends, and compliance telemetry. It correlates this data to provide actionable insights into DLP coverage, sensitivity label adoption, and data governance maturity across Microsoft 365 workloads.

All interactions follow these principles:

  • Read-only access: The agent never modifies, deletes, or creates policies or configurations.

  • Least privilege: Only the permissions required to read Purview compliance data are used.

  • Transparency: All access is auditable within Microsoft Entra and aligned with Microsoft’s compliance standards.


Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

Role                      | Description
--------------------------+------------------------------------------------------------------------------
Compliance Administrator  | Provides read-only access to Purview compliance configurations and policies.
Security Reader           | Grants visibility into alerts, compliance risks, and DLP event data.
Reports Reader            | Enables access to reporting and analytics data for policy and activity trends.
Global Reader             | Allows full read-only visibility across compliance workloads.

These roles are aligned with least-privilege principles. Adjust role assignments as needed for your organization’s compliance requirements.


Data Access Transparency

The following table outlines what data the agent can access and the purpose for each dataset.

Data Type                            | Access Level | Purpose
-------------------------------------+--------------+------------------------------------------------------------------------------
Purview policies and configurations  | Read-only    | To assess DLP policy coverage, rule complexity, and deployment effectiveness.
Activity and incident logs           | Read-only    | To analyze event frequency, policy triggers, and data protection success rates.
Sensitivity label metrics            | Read-only    | To measure adoption, label usage, and classification trends.
Compliance analytics and dashboards  | Read-only    | To generate maturity scoring and benchmark comparisons.

Data handling:

  • The agent does not modify, export, or delete data outside the tenant boundary.

  • All access occurs via Security Copilot Plugins using delegated or application-level permissions.

  • All access activity is recorded in Microsoft Entra audit logs for compliance and transparency.


Agent Settings

When running the agent, you can configure optional settings to refine analysis scope, time range, or output level.

Setting              | Example                             | Description
---------------------+-------------------------------------+---------------------------------------------------------------------------------------
TimeRange            | 30, 90, or 2025-01-01/2025-03-31    | Defines the period for policy and compliance data analysis.
FocusArea            | DLP, Labels, Governance, All        | Filters analysis to a specific focus area or includes all.
BenchmarkComparison  | true                                | Enables comparison of DLP and compliance performance against best-practice benchmarks.
OutputFormat         | summary or detailed                 | Controls the report detail level for readability or in-depth reporting.

Example Queries

  • "Analyze my Purview policy effectiveness"

  • "Show me sensitivity label adoption trends"

  • "Generate compliance readiness report"

  • "What’s my data governance maturity score?"

  • "Compare my DLP performance against benchmarks"


Data Requirements

To ensure accurate and meaningful analysis, verify that:

  • Purview policies are active and generating activity data.

  • At least 30–90 days of data is available for consistent trend evaluation.

  • DLP policies are deployed across Exchange, SharePoint, OneDrive, and Teams.

  • Sensitivity labels are configured and available to users, even if adoption is limited.

  • Activity logging is enabled in Purview for all data sources.


Security and Compliance Considerations

  • All communication through Security Copilot Plugins is encrypted using HTTPS and secured via Microsoft identity services.

  • The agent operates under Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.


Next Steps

  • Confirm that the administrator account has the required roles assigned.

  • Run the agent to evaluate DLP performance, policy effectiveness, and governance maturity.

  • Review the generated insights in Security Copilot to enhance data protection strategies.
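The first step above, confirming that the installing account holds the four roles listed under Required Entra ID Roles, can be checked from PowerShell before running the agent. This is an added example and not part of the agent or its documentation; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller is allowed to read directory role memberships, and that the UPN in $AdminUpn is replaced with the real installing account (the value below is a placeholder).

```powershell
# Added example: verify that an administrator account holds the Entra ID roles
# the agent requires. Not part of the agent's own code.
$AdminUpn = 'admin@contoso.example'   # placeholder, replace with the installing account

$RequiredRoles = @(
    'Compliance Administrator',
    'Security Reader',
    'Reports Reader',
    'Global Reader'
)

# Read-only Graph scopes are sufficient for this check; nothing is modified.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$admin = Get-MgUser -UserId $AdminUpn -Property Id, UserPrincipalName

# Get-MgDirectoryRole lists only roles that have been activated in the tenant.
# A role never assigned to anyone is absent from this list, which the loop
# below correctly reports as "not assigned".
$activeRoles = Get-MgDirectoryRole -All

$results = foreach ($roleName in $RequiredRoles) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    $assigned = $false
    if ($role) {
        $members  = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        $assigned = [bool]($members | Where-Object Id -eq $admin.Id)
    }
    [pscustomobject]@{ Role = $roleName; Assigned = $assigned }
}

$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Assigned }
if ($missing) {
    Write-Warning ("Missing roles for {0}: {1}" -f $admin.UserPrincipalName, ($missing.Role -join ', '))
}
else {
    Write-Host "All required roles are assigned to $($admin.UserPrincipalName)."
}
```

Only active, direct role assignments are detected: an eligible (not yet activated) PIM assignment or membership granted through a role-assignable group will be reported as missing, so treat a warning as a prompt to review the assignment rather than as proof that the role is absent.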
