Microsoft Message ID

microsoftmessageid

Microsoft Message ID: MC1199765 – 2026-02-18 | (Updated) Microsoft Purview: Role management update

Microsoft 365 Update

💡 Our Technical Review in summary

Here is the technical review of the Microsoft Purview role management update for IT Administrators.

Summary

  • Microsoft is introducing a synchronization mechanism between Microsoft Purview and Microsoft Entra ID to enhance security for high-privileged operations across M365 services (Exchange, SharePoint, OneDrive, and Teams).
  • Certain high-privileged admin roles within Purview will now be mapped to three specific, newly created roles in Microsoft Entra ID.
  • This update ensures that identity and permissions flow securely when performing sensitive tasks, such as content searches, data exports, or “search and purge” operations.
  • The rollout is scheduled to begin in mid-February 2026 and reach completion by late March 2026.

Impact

  • Automatic Synchronization: Role assignments will be synced from Purview to Entra ID automatically within 15 minutes of a change. No manual migration is necessary.
  • New Entra Roles: Administrators will see three new roles in Entra ID: Purview Workload Content Reader, Purview Workload Content Writer, and Purview Workload Content Administrator.
  • Permission Hierarchy: If an administrator holds multiple roles in Purview, Entra ID will assign the highest applicable privilege based on the following hierarchy: Administrator > Writer > Reader.
  • Audit Logs: Organizations may notice new Purview-specific Entra roles appearing in audit logs as the synchronization occurs.
  • Operational Changes: M365 services will now require these Entra-level permissions to authorize high-privileged data operations initiated via Purview.

Action Required

  • No Direct Action Needed: The mapping and synchronization process is fully automated by Microsoft.
  • Avoid Manual Entra Assignments: Do not manually assign users to the three new “Purview Workload Content” roles directly within the Microsoft Entra ID portal. Purview acts as the source of truth and will automatically overwrite any manual changes made in Entra.
  • Update Internal Documentation: IT teams should update internal security and governance documentation to reflect the new Entra roles and their purpose in the identity flow.
  • Review Mapping Table: Admins should review the specific mapping (e.g., “Search and Purge” mapping to “Purview Workload Content Administrator”) to understand which Entra permissions their staff will receive.

Microsoft Official Update

Service: N/A
Category: stayInformed
Severity: normal

Updated February 17, 2026: We have updated the content. Thank you for your patience. 

[Introduction]

To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we’re updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data.

[When this will happen:]

  • General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late March 2026.

[How this affects your organization:]

Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.

What will happen:

  • New roles will be created in Entra to map to Purview roles listed below.
  • Existing role assignments will sync automatically.
  • New assignments will sync from Purview to Entra within 15 minutes.
  • If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader.
  • Customers may see new Purview-specific Entra roles in audit logs.
  • Do not assign to these roles directly in Entra; Purview manages them.

Role Mapping Table:

Purview Role(s) Mapped Entra Role

Insider Risk Management Analysis
Insider Risk Management Investigation
Compliance Search
Export
Privacy Management Admin
Privacy Management Analysis
Privacy Management Investigation
Privacy Management Permanent Contribution
Privacy Management Temporary Contribution
Privacy Management Viewer
Data Security Investigation Reviewer

 Purview Workload Content Reader
Hold
Privacy Management Investigation
Data Security Investigation Investigator		 Purview Workload Content Writer
Search and Purge
Data Security Investigation Admin
Data Security Investigation Analyst (New Role)		 Purview Workload Content Administrator

Example: If you have both Export and Search and Purge roles, you’ll get the Purview Workload Content Administrator role in Entra.

[What you can do to prepare:]

  • No action is required.
  • Be aware that new Purview-specific Entra roles may appear in audit logs.
  • Do not manually assign these roles in Entra; Purview will overwrite changes.
  • For more details, review Microsoft Purview documentation.

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.

Prev :
Next :

Most Read

Recent News