# Permissions

### Overview

This page describes the permissions and access model for this agent.\
The agent uses **read-only access** to Microsoft Purview policy, classification, and compliance data through **Security Copilot Plugins**.\
It is designed to detect missing policies, analyze protection coverage, and validate compliance readiness across Microsoft 365 workloads — without modifying any configurations.

***

### How It Works

The agent connects securely to Microsoft Purview through Security Copilot Plugins to collect policy definitions, classification results, and activity logs.\
It evaluates your current DLP, labeling, and retention policies to identify configuration gaps and potential compliance blind spots.

All interactions follow these principles:

* **Read-only access:** The agent does not modify or create policies, labels, or rules.
* **Least privilege:** Only the permissions required to read Purview compliance data are used.
* **Transparency:** All access is auditable within Microsoft Entra and aligned with Microsoft’s compliance and governance standards.

***

### Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

| Role                         | Description                                                                        |
| ---------------------------- | ---------------------------------------------------------------------------------- |
| **Compliance Administrator** | Provides visibility into Purview policy configurations and compliance assessments. |
| **Security Reader**          | Grants read-only access to alerts and compliance-related insights.                 |
| **Reports Reader**           | Enables access to analytics and compliance reporting data.                         |
| **Global Reader**            | Allows read-only visibility across services for full coverage assessment.          |

{% hint style="info" %}
These roles are based on least-privilege principles. Adjust assignments according to your organization’s governance policies.
{% endhint %}

***

### Data Access Transparency

The following table outlines what data the agent can access and how it is used.

| Data Type                            | Access Level | Purpose                                                                                  |
| ------------------------------------ | ------------ | ---------------------------------------------------------------------------------------- |
| **Purview policy configurations**    | Read-only    | To analyze existing DLP, labeling, and retention policies for completeness.              |
| **Classification and labeling data** | Read-only    | To assess which data categories are covered by current protection mechanisms.            |
| **Compliance assessments**           | Read-only    | To evaluate readiness against frameworks such as GDPR, ISO 27001, or internal baselines. |
| **Activity and audit logs**          | Read-only    | To verify enforcement actions and ensure policies are being applied correctly.           |

**Data handling:**

* The agent does **not** modify, delete, or export data outside the tenant boundary.
* All access occurs through **Security Copilot Plugins** using delegated or application-level permissions.
* All activity is logged in **Microsoft Entra audit logs** for transparency and traceability.

***

### Agent Settings

When running the agent, you can configure optional settings to customize the scope and depth of analysis.

| Setting          | Example                                | Description                                                                   |
| ---------------- | -------------------------------------- | ----------------------------------------------------------------------------- |
| **TimeRange**    | `30`, `90`, or `2025-01-01/2025-03-31` | Defines the time period for analyzing policy and classification data.         |
| **Framework**    | `GDPR`, `ISO27001`, `Custom`           | Specifies which regulatory framework to validate compliance coverage against. |
| **Scope**        | `DLP`, `Labels`, `Retention`, `All`    | Filters analysis to a specific policy type or evaluates overall coverage.     |
| **OutputFormat** | `summary` or `detailed`                | Determines the level of detail in the report output.                          |

#### Example Queries

* `"Identify policy gaps in my Purview environment"`
* `"Validate GDPR compliance coverage"`
* `"Show me DLP policy gaps for SharePoint"`
* `"Where am I missing sensitivity label protection?"`
* `"Check retention policy completeness"`

***

### Data Requirements

To ensure accurate and meaningful results, verify that:

* **Purview policies** are deployed and generating activity data.
* **Data classification** is running across major workloads.
* **Sensitivity labels** are available and in use, even if adoption is incomplete.
* **Regulatory requirements** are defined if validating against frameworks like GDPR or ISO 27001.
* **Workload inventory** is up to date so the agent can identify missing protection coverage.

***

### Security and Compliance Considerations

* All communication through Security Copilot Plugins is encrypted using HTTPS and secured via Microsoft identity services.
* The agent follows Microsoft’s **zero trust** and **least privilege** principles.
* Access can be reviewed or revoked at any time through **Entra ID role assignments** or **application consent management**.

***

### Next Steps

* Ensure the administrator account has all required roles assigned.
* Run the agent to identify policy and compliance coverage gaps across your Purview environment.
* Review findings in Security Copilot to prioritize remediation and strengthen governance posture.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://agents.glueckkanja.com/agents/policy-gap-remediator/permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
