Permissions

Overview

This page describes the permissions and access model for this agent. The agent uses read-only access to Microsoft Purview policy, classification, and compliance data through Security Copilot Plugins. It is designed to detect missing policies, analyze protection coverage, and validate compliance readiness across Microsoft 365 workloads — without modifying any configurations.


How It Works

The agent connects securely to Microsoft Purview through Security Copilot Plugins to collect policy definitions, classification results, and activity logs. It evaluates your current DLP, labeling, and retention policies to identify configuration gaps and potential compliance blind spots.

All interactions follow these principles:

  • Read-only access: The agent does not modify or create policies, labels, or rules.

  • Least privilege: Only the permissions required to read Purview compliance data are used.

  • Transparency: All access is auditable within Microsoft Entra and aligned with Microsoft’s compliance and governance standards.


Required Entra ID Roles

Assign the following roles to the administrator account that installs and runs the agent:

  • Compliance Administrator: Provides visibility into Purview policy configurations and compliance assessments.

  • Security Reader: Grants read-only access to alerts and compliance-related insights.

  • Reports Reader: Enables access to analytics and compliance reporting data.

  • Global Reader: Allows read-only visibility across services for full coverage assessment.

These roles are based on least-privilege principles. Adjust assignments according to your organization’s governance policies.
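The following PowerShell script is an added example for checking that the installing account actually holds the four roles listed above; it is not part of this page or the agent's own tooling. It assumes the Microsoft Graph PowerShell SDK is installed and that the placeholder UPN is replaced with the administrator account in question.

```powershell
# Added example: verify the required Entra ID role assignments for the agent's admin account.
# Assumes the Microsoft.Graph PowerShell SDK; $adminUpn is a placeholder value.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome

$adminUpn = "admin@contoso.example"   # placeholder: the account that installs and runs the agent
$requiredRoles = @("Compliance Administrator", "Security Reader", "Reports Reader", "Global Reader")

$user = Get-MgUser -UserId $adminUpn -Property Id,UserPrincipalName

# Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# a role nobody has ever been assigned will not appear here at all.
$activeRoles = Get-MgDirectoryRole -Property Id,DisplayName

$report = foreach ($name in $requiredRoles) {
    $role = $activeRoles | Where-Object { $_.DisplayName -eq $name }
    $assigned = $false
    if ($role) {
        # Direct members of the role; returns users, groups and service principals.
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        $assigned = [bool]($members | Where-Object { $_.Id -eq $user.Id })
    }
    [pscustomobject]@{
        Role          = $name
        RoleActivated = [bool]$role
        Assigned      = $assigned
    }
}

$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Assigned } | Select-Object -ExpandProperty Role
if ($missing) {
    Write-Warning ("Missing roles for {0}: {1}" -f $user.UserPrincipalName, ($missing -join ', '))
} else {
    Write-Host "All required roles are assigned to $($user.UserPrincipalName)."
}
```

Two limits to keep in mind when reading the output: the script only sees active assignments, so a role that the account is merely eligible for through Privileged Identity Management shows as missing until it is activated, and a role granted through a role-assignable group appears as a group member rather than as the user's own Id, so an assignment made that way also reports as missing.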


Data Access Transparency

The following list outlines what data the agent can access (all access is read-only) and how it is used.

  • Purview policy configurations (read-only): used to analyze existing DLP, labeling, and retention policies for completeness.

  • Classification and labeling data (read-only): used to assess which data categories are covered by current protection mechanisms.

  • Compliance assessments (read-only): used to evaluate readiness against frameworks such as GDPR, ISO 27001, or internal baselines.

  • Activity and audit logs (read-only): used to verify enforcement actions and ensure policies are being applied correctly.

Data handling:

  • The agent does not modify, delete, or export data outside the tenant boundary.

  • All access occurs through Security Copilot Plugins using delegated or application-level permissions.

  • All activity is logged in Microsoft Entra audit logs for transparency and traceability.


Agent Settings

When running the agent, you can configure optional settings to customize the scope and depth of analysis.

  • TimeRange (example: 30, 90, or 2025-01-01/2025-03-31): Defines the time period for analyzing policy and classification data.

  • Framework (example: GDPR, ISO27001, Custom): Specifies which regulatory framework to validate compliance coverage against.

  • Scope (example: DLP, Labels, Retention, All): Filters analysis to a specific policy type or evaluates overall coverage.

  • OutputFormat (example: summary or detailed): Determines the level of detail in the report output.


Example Queries

  • "Identify policy gaps in my Purview environment"

  • "Validate GDPR compliance coverage"

  • "Show me DLP policy gaps for SharePoint"

  • "Where am I missing sensitivity label protection?"

  • "Check retention policy completeness"


Data Requirements

To ensure accurate and meaningful results, verify that:

  • Purview policies are deployed and generating activity data.

  • Data classification is running across major workloads.

  • Sensitivity labels are available and in use, even if adoption is incomplete.

  • Regulatory requirements are defined if validating against frameworks like GDPR or ISO.

  • Workload inventory is up to date so the agent can identify missing protection coverage.


Security and Compliance Considerations

  • All communication through Security Copilot Plugins is encrypted using HTTPS and secured via Microsoft identity services.

  • The agent follows Microsoft’s zero trust and least privilege principles.

  • Access can be reviewed or revoked at any time through Entra ID role assignments or application consent management.
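The script below is an added example of the review described above and in the "Data handling" list: it enumerates the permissions consented to the agent's service principal, flags anything that is not read-only, and lists recent sign-ins to the app from the Entra sign-in logs. It is not part of this page or of the agent itself, it assumes the Microsoft Graph PowerShell SDK, and the service principal display name is a placeholder to be replaced with the name shown in your tenant's Enterprise applications list.

```powershell
# Added example: review what the agent's service principal has been granted and how it is being used.
# Assumes the Microsoft.Graph PowerShell SDK; $appDisplayName is a placeholder value.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All","AuditLog.Read.All" -NoWelcome

$appDisplayName = "<agent service principal display name>"   # placeholder
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'" | Select-Object -First 1
if (-not $sp) { throw "Service principal '$appDisplayName' not found in this tenant" }

# Anything whose name suggests write or management rights contradicts the read-only model.
$writePattern = 'ReadWrite|Write|Manage|FullControl'

# 1. Delegated permissions: OAuth2 grants consented by a user or an admin for all users.
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
foreach ($grant in $delegated) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        $flag = if ($scope -match $writePattern) { 'REVIEW' } else { 'ok' }
        "{0,-7} delegated   {1,-45} on {2} (consent: {3})" -f $flag, $scope, $resource.DisplayName, $grant.ConsentType
    }
}

# 2. Application-level permissions: app roles assigned to the service principal itself.
$appRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($a in $appRoleAssignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    $flag = if ($role.Value -match $writePattern) { 'REVIEW' } else { 'ok' }
    "{0,-7} application {1,-45} on {2}" -f $flag, $role.Value, $resource.DisplayName
}

# 3. Recent user sign-ins to the app, as recorded in the Entra sign-in logs.
#    (Service-principal sign-ins are reported separately and are not covered here.)
$signIns = Get-MgAuditLogSignIn -Filter "appId eq '$($sp.AppId)'" -Top 20
$signIns | Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
    @{ Name = 'Result'; Expression = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { "failure ($($_.Status.ErrorCode))" } } } |
    Format-Table -AutoSize
```

A grant flagged REVIEW is not necessarily wrong, since some read scopes carry names the pattern does not anticipate, but it should be explained before the agent is left running. When a grant does need to go, Remove-MgOauth2PermissionGrant with the grant's Id revokes a delegated grant without touching the role assignments covered in the roles section.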


Next Steps

  • Ensure the administrator account has all required roles assigned.

  • Run the agent to identify policy and compliance coverage gaps across your Purview environment.

  • Review findings in Security Copilot to prioritize remediation and strengthen governance posture.
