check before: 2026-02-15
Product:
Entra, Exchange, OneDrive, Purview, Purview Communication Compliance, Purview Insider Risk Management, SharePoint, Teams
Platform:
Online, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message
Links:
Details:
Summary:
Microsoft Purview is updating role management by mapping certain Purview admin roles to three new Microsoft Entra roles, syncing assignments automatically to enhance security with Microsoft 365 services. Rollout begins mid-February 2026, finishing by late May 2026. No customer action is required.
Details:
Updated April 16, 2026: We have updated the timeline and content. Thank you for your patience.
[Introduction]
To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we're updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data.
[When this will happen:]
General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late May 2026 (previously late March).
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-12-19
updated:
2026-04-17
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
Pictures
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Role Synchronization Issues
If the role synchronization between Purview and Entra fails, admins may not have the correct permissions, leading to potential access issues for critical operations.
- roles: Purview Admin, IT Security Manager
- references: https://learn.microsoft.com/microsoft-365/compliance/
Audit Log Overload
The bulk update of role assignments may generate excessive entries in the Entra Audit logs, making it difficult for admins to track relevant changes and potential security incidents.
- roles: Compliance Officer, IT Auditor
- references: https://learn.microsoft.com/microsoft-365/compliance/
User Experience Disruption
Admins may experience confusion or frustration if they are not aware of the new role mappings, leading to delays in accessing necessary features or data.
- roles: Purview Admin, End User
- references: https://learn.microsoft.com/microsoft-365/compliance/
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
Data Protection**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
Hypothetical Work Council Statement**
XXXXXXX ... paid membership only
DPIA Draft**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2026-04-17 | MC prepare | No action is required.
Be aware that new Purview-specific Entra roles may appear in audit logs. Do not manually assign these roles in Entra; Purview will overwrite changes. For more details, review Microsoft Purview documentation. [Compliance considerations:] No compliance considerations identified; review as appropriate for your organization. https://learn.microsoft.com/microsoft-365/compliance/ | No action is required.
You will see these changes in assignments in the Entra Audit logs. These changes will happen in two modes: Bulk/One time update when all existing assignments to Purview roles are synced with Entra. This will be done once for each customer. This will generate extra activities in the Entra Audit logs as all previous assignments are synced from Purview to Entra. Continuous mode: all changes made subsequently in assignments for these Purview roles will be kept in sync with Entra. Customers will see these changes in Entra Audit Logs too. The amount of activity in audit logs will be in sync with the changes being made to Purview roles by admins. Active Assignments in Privileged Identity Management (PIM) Although the 3 new Entra roles are PIM-enabled, the assignments made to them by the sync process will be active (not eligible). If customers have PIM-enabled security groups assigned to Purview roles, then the same PIM-enabled security groups will be assigned to these 3 new Entra roles. Do not manually assign these roles in Entra; Purview will overwrite changes. For more details, review Microsoft Purview documentation. [Compliance considerations:] No compliance considerations identified; review as appropriate for your organization. https://learn.microsoft.com/microsoft-365/compliance/ |
| 2026-04-17 | MC Summary | Microsoft Purview is updating role management by mapping certain Purview admin roles to new Microsoft Entra roles, synchronizing assignments automatically from mid-February to late March 2026. No customer action is needed, but new Entra roles will appear in audit logs and should not be assigned manually. | Microsoft Purview is updating role management by mapping certain Purview admin roles to three new Microsoft Entra roles, syncing assignments automatically to enhance security with Microsoft 365 services. Rollout begins mid-February 2026, finishing by late May 2026. No customer action is required. |
| 2026-04-17 | MC Last Updated | 02/18/2026 20:21:52 | 2026-04-17T00:33:59Z |
| 2026-04-17 | MC Messages | Updated February 17, 2026: We have updated the content. Thank you for your patience.
[Introduction] To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we're updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data. [When this will happen:] General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late March 2026. | Updated April 16, 2026: We have updated the timeline and content. Thank you for your patience.
[Introduction] To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we're updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data. [When this will happen:] General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late May 2026 (previously late March). |
| 2026-04-17 | MC End Time | 04/30/2026 09:00:00 | 2026-06-29T09:00:00Z |
| 2026-04-17 | MC How Affect | Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.
What will happen: New roles will be created in Entra to map to Purview roles listed below. Existing role assignments will sync automatically. New assignments will sync from Purview to Entra within 15 minutes. If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader. Customers may see new Purview-specific Entra roles in audit logs. Do not assign to these roles directly in Entra; Purview manages them. Role Mapping Table: Purview Role(s)Mapped Entra Role Insider Risk Management Analysis Insider Risk Management Investigation Compliance Search Export Privacy Management Admin Privacy Management Analysis Privacy Management Investigation Privacy Management Permanent Contribution Privacy Management Temporary Contribution Privacy Management Viewer Data Security Investigation ReviewerPurview Workload Content Reader Hold Privacy Management Investigation Data Security Investigation InvestigatorPurview Workload Content Writer Search and Purge Data Security Investigation Admin Data Security Investigation Analyst (New Role)Purview Workload Content Administrator Example: If you have both Export and Search and Purge roles, you'll get the Purview Workload Content Administrator role in Entra. | Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.
What will happen: New roles will be created in Entra to map to Purview roles listed below. Existing role assignments will sync automatically. New assignments will sync from Purview to Entra within 15 minutes. If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader. Customers may see new Purview-specific Entra roles in audit logs. Do not assign to these roles directly in Entra; Purview manages them. Role Mapping Table: Purview Role(s)Mapped Entra Role Insider Risk Management Analysis Insider Risk Management Investigation Compliance Search Export Privacy Management Admin Privacy Management Analysis Privacy Management Investigation Privacy Management Permanent Contribution Privacy Management Temporary Contribution Privacy Management Viewer Data Security Investigation ReviewerPurview Workload Content Reader Hold Privacy Management Investigation Data Security Investigation InvestigatorPurview Workload Content Writer Search and Purge Data Security Investigation Admin Data Security Investigation Analyst (New Role)Purview Workload Content Administrator Example: If you have both Export and Search and Purge roles, you'll get the Purview Workload Content Administrator role in Entra. Audit logs: The Audit logs will look like below, with Display Name always shown as "PurviewRoleAssignmentMigrator". New Value for Role would always be one of the 3 new Entra roles created in Entra for protecting Purview customers |
| 2026-02-19 | MC MessageTagNames | Feature update, Admin impact | Updated message, Feature update, Admin impact |
| 2026-02-19 | MC Summary | Microsoft Purview will map certain admin roles to new Microsoft Entra roles to enhance security and synchronize permissions automatically by March 2026. High-privileged Purview roles will correspond to three Entra roles, with no customer action needed. Do not assign these roles directly in Entra. | Microsoft Purview is updating role management by mapping certain Purview admin roles to new Microsoft Entra roles, synchronizing assignments automatically from mid-February to late March 2026. No customer action is needed, but new Entra roles will appear in audit logs and should not be assigned manually. |
| 2026-02-19 | MC Last Updated | 12/19/2025 00:40:28 | 2026-02-18T20:21:52Z |
| 2026-02-19 | MC Messages | [Introduction]
To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we're updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data. [When this will happen:] General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late March 2026. | Updated February 17, 2026: We have updated the content. Thank you for your patience.
[Introduction] To strengthen security when Microsoft Purview interacts with Microsoft 365 services (Exchange, SharePoint, OneDrive, and Teams), we're updating how roles are managed in Microsoft Purview. Certain admin roles in Purview will now be mapped to three newly created roles in Microsoft Entra. Role assignments will be synchronized between Purview roles and Entra roles without any customer action. This ensures that user permissions and identity flow securely from Purview to Microsoft 365. M365 services will only allow high-privileged operations like search/export to Purview users with the correct level of permissions in Entra, further protecting customer data. [When this will happen:] General Availability (Worldwide): Rollout begins mid-February 2026, finishes by late March 2026. |
| 2026-02-19 | MC Title | Microsoft Purview: Role management update | (Updated) Microsoft Purview: Role management update |
| 2026-02-19 | MC How Affect | Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.
What will happen: New roles will be created in Entra to map to Purview roles listed below. Existing role assignments will sync automatically. New assignments will sync from Purview to Entra within 15 minutes. If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader. Customers may see new Purview-specific Entra roles in audit logs. Do not assign to these roles directly in Entra; Purview manages them. Role Mapping Table: Purview Role(s)Mapped Entra Role Insider Risk Management Analysis Insider Risk Management Investigation Compliance Search Export Privacy Management Admin Privacy Management Analysis Privacy Management Investigation Privacy Management Permanent Contribution Privacy Management Temporary Contribution Privacy Management ViewerPurview Workload Content Reader Hold Privacy Management InvestigationPurview Workload Content Writer Search and PurgePurview Workload Content Administrator Example: If you have both Export and Search and Purge roles, you'll get the Purview Workload Content Administrator role in Entra. | Who is affected: All customers with admins assigned to high-privileged roles in Purview that access Microsoft 365 data. These admins will have their assignments synced to Entra, meaning they will be assigned membership to mapped Entra roles.
What will happen: New roles will be created in Entra to map to Purview roles listed below. Existing role assignments will sync automatically. New assignments will sync from Purview to Entra within 15 minutes. If an admin has multiple Purview roles, they will receive the highest privilege Entra role: Administrator > Writer > Reader. Customers may see new Purview-specific Entra roles in audit logs. Do not assign to these roles directly in Entra; Purview manages them. Role Mapping Table: Purview Role(s)Mapped Entra Role Insider Risk Management Analysis Insider Risk Management Investigation Compliance Search Export Privacy Management Admin Privacy Management Analysis Privacy Management Investigation Privacy Management Permanent Contribution Privacy Management Temporary Contribution Privacy Management Viewer Data Security Investigation ReviewerPurview Workload Content Reader Hold Privacy Management Investigation Data Security Investigation InvestigatorPurview Workload Content Writer Search and Purge Data Security Investigation Admin Data Security Investigation Analyst (New Role)Purview Workload Content Administrator Example: If you have both Export and Search and Purge roles, you'll get the Purview Workload Content Administrator role in Entra. |
Last updated 1 month ago ago
