Part 3 – Microsoft Purview Roles and Scopes

Reading Time: 8 minutes


Hello and welcome to Part 3 of this blog post series on Microsoft Purview. You can visit the previous posts via the links below:

Part 1: Introduction to Microsoft Purview – Part 1 – Cloud Build
Part 2: Microsoft Purview Portal – Part 2 – Cloud Build

In this post, I explore Microsoft Purview roles and scopes.

As we know from the previous posts, Microsoft Purview offers a robust data governance and compliance solution, enabling organisations to manage sensitive information across multiple platforms. Given the highly sensitive nature of the data within Microsoft Purview, it is crucial to restrict access to authorised individuals only. To ensure that access is granted to the right individuals, Microsoft Purview uses role-based access control (RBAC), which allows precise control over who can access specific solutions and datasets.

Please note that holding a Compliance Admin or even a Global Admin role may not grant access to highly confidential data. Additional roles may need to be assigned to manage specific areas within Microsoft Purview. Furthermore, granting highly privileged roles to admins does not follow best practice or the principle of least privilege. We should always assign just enough permissions for the admin to perform their duties.

Let’s explore roles and scopes further.

1. Access purview.microsoft.com, click Settings, and click to expand Roles and scopes in the left pane.

Image


2. The first two options available under Roles and scopes are Microsoft Entra ID and Role groups.

Image


Microsoft Entra ID roles, visible within Entra ID at entra.microsoft.com, include over 100 built-in roles that serve various administrative functions. In the Microsoft Purview Portal, however, only 9 specific Entra ID roles are listed, each capable of performing tasks related to compliance and governance in Microsoft Purview. These roles, when assigned (or if already assigned) to users, grant them permissions to access and perform specific tasks within Microsoft Purview. Therefore, if you’re assigned one of these roles via Entra ID, you will have certain permissions inside Microsoft Purview depending on the role assigned. However, this does not mean you have full control over Microsoft Purview, as additional Purview roles need to be assigned to perform specific tasks.

Image


For example, to view Role Groups (under the option Entra ID) in the Purview portal, users need to have the Global Administrator role assigned. If you’re already a Global Admin, you’ll automatically have access to view and manage users within Role Groups in Microsoft Purview.

Image


However, assigning such a powerful role (Global Administrator) might not always be ideal, as it provides extensive permissions beyond just viewing Role Groups in Entra ID. To address this, there is a more targeted Microsoft Purview role available under Role Groups: the Role Management role. This role enables users to view, create, and modify Role Groups and much more inside Microsoft Purview without granting the broad permissions associated with a Global Admin, which has significant control over your environment.

But what is the purpose of Role Groups? Role groups in Microsoft Purview are specific to data governance and compliance tasks within Purview itself. These groups allow you to manage user permissions for accessing and performing tasks in Purview, like working with policies or data classifications. Essentially, Entra ID roles control broader administrative access, while the 65 built-in Role Groups target Purview-specific permissions. Apart from the one Entra ID role (Global Administrator), the remaining 8 Entra ID roles can also be located inside Role Groups.

Why is it called a Role Group? Because it’s a group of roles. Let’s take Organization Management as an example.

Image


3. If I click on the Organization Management role group, I see a number of roles included as part of this role group.

Image


The image above displays a list of roles in the Organization Management group.

4. Click Edit to add members to this group.

Image


5. From here, we can add members to this role group and click Next to complete.

Image


6. But what if one of the role groups was ideal for you, but you wanted to remove some roles or slightly tweak the role group to fulfil your requirements? You can clone the role group by clicking “Copy” and configure it as needed.

Image

7. Give the role group a suitable name and click Copy.

Image


8. Locate the custom role group you created from the list, open it, and click Edit. You can then remove any unwanted roles as needed.

Image


9. What if you wanted to create a role group and add the required roles from scratch? Click Role groups located under Roles and scopes, and click + Create role group as shown in the images below.

Image

Image


Important note:
It’s crucial to assign the right permissions following the principle of least privilege, ensuring that users managing Purview have only the permissions necessary to perform their job functions. Over-provisioning permissions increases the attack surface and leads to excessive control in the event the account is compromised by a bad actor.

Finally, we come to Adaptive scopes.

Adaptive Scopes

Image


What are Adaptive Scopes?

When you create retention and communication compliance policies (more on these policies later) in Microsoft Purview, you can add an adaptive scope to your policy. But what’s the benefit? An adaptive scope allows you to create policies that automatically adjust to include or exclude data based on specific criteria. This helps ensure that the right policies are applied to the right data without needing constant manual updates. For example, suppose you want to create a retention policy that ensures all documents related to financial transactions are retained for 7 years, regardless of where the data is stored. You can create and assign an adaptive scope based on queries, such as whether the user’s country is the US. The retention policy will then retain data for the specified number of years in the US only. If the retention requirement in the UK is different, you could create a retention policy to retain data for 10 years and assign an adaptive scope whose query selects UK users. An adaptive scope reduces the management overhead.

Adaptive scopes are similar to dynamic groups in Entra ID but offer more and work with specific Purview policies, which will be covered later. To summarise, an adaptive scope is a scope that is dynamically filled based on a query you configure.

Adaptive scopes can also be applied to SharePoint site names and URLs, OneDrive, Teams messages and more. See the image below for a list. Source: Adaptive scopes | Microsoft Learn

Image

Let’s go through the steps

1. Navigate to the Microsoft Purview portal and click on Adaptive scopes.

Image


2. Click on Create scope to start creating a new adaptive scope.

Image


3. Enter a name for your adaptive scope. For example, you want to create an adaptive scope for your finance team. You can later create a retention policy to store data for the finance team for 7 years and assign this adaptive scope to the policy. Microsoft Purview will look for individuals in the finance team with a specific attribute, which we will configure shortly.

Click Next to proceed.

Image


4. The next page allows you to assign an admin unit you may have created in Entra ID. You don’t have to select admin units and could click Next to move to the next page, but it’s worth knowing why you would want to use an admin unit.

Explanation of Admin Units
Admin units provide the ability to assign admins to one or more administrative units, with the result that these now restricted admins can manage only the users in their assigned administrative units. For example, a university may have thousands of student user accounts located in Entra ID. You need to split support responsibility amongst three IT teams. IT Team A are responsible for taking support calls from the Law students. IT Team A have the needed permissions to manage Law student user accounts. Team B will only manage Medicine students and Team C will only manage Engineering students. Admin units allow us to split responsibility between the IT teams.

This boundary of management flows into Microsoft Purview for supported solutions to ensure that restricted admins can manage only the users they have been assigned to manage.

For example, let’s take IT team A, who manage and support Law students. IT team A only have the permissions to manage Law student user accounts. We create a new adaptive scope for Law students and select the administrative unit named Law Students. Then, because we want the adaptive scope to include only Law students, we use the department attribute to specify Department = Faculty of Law. If we misconfigure this attribute and instead specify Department = Faculty of Art, but the users with that value aren’t included in the Law Students administrative unit, the scope won’t contain any users. The target users can be Law students only. You can learn more about administrative units at the following Microsoft Learn link, Administrative units in Microsoft Entra ID – Microsoft Entra ID | Microsoft Learn.

In this demo, I won’t be assigning an admin unit. Click Next.

Image


5. On the scope type page, we can select the scope. Here we can scope the adaptive scope to users, SharePoint sites or Microsoft 365 groups.

Image


6. I’ll select SharePoint sites and click Next.

Image


7. This is where we can build a query. For example, these attributes can be used in our policy to apply a retention policy of 7 years if the SharePoint URL or name starts with “finance”.

Image


8. Here is an example query:

Query: Site URL starts with finance

Image


and here is my SharePoint page starting with finance in the URL.

Image


You can also add additional queries if required.

Image


You can also add custom attributes if needed.

Image


You can also use a different condition if you don’t wish to use “starts with”.

Image

9. Now, when I apply the adaptive scope to a policy, it will only apply the policy to SharePoint sites whose URL starts with “finance”.
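As an added example (not Purview’s own code or query engine), here is a small Python model of how an adaptive scope selects objects. It reproduces the “Site URL starts with finance” query above and the Law Students admin-unit case from step 4, including the misconfigured Department value that leaves the scope empty. The sample objects, attribute names and the treatment of the site URL path are assumptions made for the example.

```python
# Added example, not Microsoft code: a minimal model of how an adaptive scope
# selects objects, covering "Site URL starts with finance", a user scope bounded
# by an administrative unit, and a Department value that matches nobody in it.
OPERATORS = {                       # the condition types shown on the page
    "starts_with": str.startswith,
    "equals": str.__eq__,
    "not_equals": str.__ne__,
}

def condition_matches(item: dict, attribute: str, operator: str, value: str) -> bool:
    actual = str(item.get(attribute, "")).lower()
    if attribute == "site_url":
        # Assumption: "starts with" is applied to the site path after /sites/,
        # not to the https://tenant.sharepoint.com prefix.
        actual = actual.split("/sites/", 1)[-1]
    return OPERATORS[operator](actual, value.lower())

def evaluate_scope(scope: dict, items: list) -> list:
    """Return the ids of the objects the scope currently contains."""
    combine = all if scope.get("conjunction", "and") == "and" else any
    admin_unit = scope.get("admin_unit")
    selected = []
    for item in items:
        if item["type"] != scope["location_type"]:
            continue
        # An admin unit is a management boundary: objects outside it are never
        # in scope, however the attribute query is written.
        if admin_unit and admin_unit not in item.get("admin_units", []):
            continue
        if combine(condition_matches(item, *c) for c in scope["conditions"]):
            selected.append(item["id"])
    return selected

# Constructed sample directory objects; not data from any real tenant.
SAMPLE_ITEMS = [
    {"type": "site", "id": "sites/finance", "site_url": "https://contoso.sharepoint.com/sites/finance"},
    {"type": "site", "id": "sites/hr-finance", "site_url": "https://contoso.sharepoint.com/sites/hr-finance"},
    {"type": "user", "id": "law1@contoso.com", "department": "Faculty of Law", "admin_units": ["Law Students"]},
    {"type": "user", "id": "art1@contoso.com", "department": "Faculty of Art", "admin_units": ["Art Students"]},
]

# The page's SharePoint query and its admin-unit example, as scope definitions.
FINANCE_SITES = {"name": "Finance sites", "location_type": "site",
                 "conditions": [("site_url", "starts_with", "finance")]}
LAW_STUDENTS = {"name": "Law students", "location_type": "user", "admin_unit": "Law Students",
                "conditions": [("department", "equals", "Faculty of Law")]}
# Same admin unit, wrong Department value: the scope contains no users.
MISCONFIGURED = dict(LAW_STUDENTS, conditions=[("department", "equals", "Faculty of Art")])
```

Changing the conjunction to "or" or adding a second condition tuple shows how the extra queries from the screenshots above combine.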

We can also create an adaptive scope for users, SharePoint sites or Microsoft 365 Groups. Images below.

Image


User attributes available for users

Image


Microsoft 365 Groups

Image


Attributes available for Microsoft 365 Group

Image


That’s it for roles and scopes.

I hope this post was useful.

Stay tuned for further blog posts where we explore the different solutions available in Microsoft Purview.

Introduction to Microsoft Purview – Part 1

Reading Time: 4 minutes


In this blog series, I’ll be covering Microsoft Purview, starting with an introduction and then exploring the features Microsoft Purview has to offer in further posts.



Why Microsoft Purview?
Microsoft Purview is a comprehensive set of tools designed to help organisations govern, protect, and manage their data across various platforms and environments. It provides a unified platform for data governance, security, and compliance, making it easier to manage data and meet regulatory requirements, wherever the data is stored.

Data often moves across boundaries and is shared with external partners or accessed from personal devices. Ensuring consistent security is key. Relying on multiple tools can lead to inefficiencies and gaps. To understand where critical data resides often requires a comprehensive review across on-premises and cloud environments.

Data is being created, stored, and shared at unprecedented rates. With increasing regulation and complexity, understanding how to secure and manage data effectively is more important than ever. One of the biggest challenges organisations face is becoming overwhelmed by the sheer volume and complexity of managing data. It can be difficult to keep track of what data is out there and ensure it’s all properly protected throughout its lifecycle.

By 2025, it’s estimated that the world will produce up to 175 zettabytes of data, a tenfold increase from 2016. This rapid growth brings new challenges for organisations trying to manage a wide range of data types, including emails, documents, instant messages, videos, and images. Generative AI adds further complexity by introducing new layers of data and risks like privacy concerns and misinformation.

As data grows, so do the demands for protecting it. The need for strong controls around sensitive data is more critical than ever. Without a robust data management strategy, organisations risk financial penalties, reputational damage, and loss of customer trust.

Managing and protecting data is a growing challenge. Research highlights that:

  • 88% of organisations lack confidence in their ability to detect or prevent sensitive data loss.
  • More than 80% of corporate data remains “dark”, meaning it isn’t classified, protected, or governed.
  • Protecting and governing sensitive data is one of the biggest challenges for compliance with regulations.
  • As the environment grows more complex, so do the risks of data breaches and non-compliance.

This is where Microsoft Purview can help. This service provides organisations the ability to configure features such as, but not limited to, Data Loss Prevention (DLP), encryption of sensitive data, and insider risk management. According to research by Microsoft in 2023, 20% of data breaches were due to internal actors, costing businesses an average of $7.5 million annually.

Utilising Microsoft Purview offers a unified approach ensuring consistent classification, labelling, and protection of sensitive data, no matter where it resides. Microsoft Purview can be configured to provide a bird’s eye view of an organisation’s entire data landscape, helping them discover, classify, and manage their data with ease. This data could reside in a number of locations including Software as a Service (SaaS) applications (such as Dropbox, Salesforce), Azure, Microsoft 365, AWS (Amazon Web Services), Google Cloud, on-premises and more.

Another useful feature offered by Microsoft Purview is Information Barriers. Information Barriers is a tool that helps you control communication and collaboration between different groups of people in Microsoft Teams, SharePoint, and OneDrive. It’s often used in industries with strict regulations to prevent conflicts of interest and to keep sensitive information secure between different departments inside an organisation.

There is more! Microsoft Purview Privileged Access Management (PAM) helps organisations control who can perform important admin tasks in Office 365. It protects your organisation from breaches by making sure only the right people have access to sensitive data or critical settings, and only when they need it. Users must request temporary access to perform special tasks, which are approved through a specific process. This way, users get just enough access to do their job without risking the security of sensitive information.

Furthermore, Microsoft Purview can be configured to scan your data, provide a data map, and identify and secure sensitive data which you may not be protecting. Microsoft Purview can provide the insights your organisation requires, not only helping you identify and protect your data, but also showing how that data is used.

Microsoft Purview can also assist your compliance and risk teams by providing tools to audit your data and check whether you’re meeting compliance standards. The service also offers tools you can use in the event of a legal issue, known as eDiscovery. These useful insights are provided via an easy-to-understand reporting dashboard.

Microsoft Purview is structured into three main pillars: Data Security, Data Governance and Risk & Compliance. Combined, these pillars provide organisations with a powerful platform for governing and securing data across the entire data estate. More info on the three pillars can be found at the following Microsoft Learn link, Learn about Microsoft Purview | Microsoft Learn.

Image


I hope you now have a basic understanding on what Microsoft Purview has to offer.

In part 2 of this blog post series, I explore the new Microsoft Purview portal. Click the following link to continue, Microsoft Purview Portal – Part 2 – Cloud Build.