Forum Discussion
Activity explorer scoping to AU
From my understanding, Administrative Unit scoping in Purview should restrict what a scoped/restricted admin can see, including DLP-related alerts and Activity Explorer events, but the behavior can depend on the exact workload, policy scope, and the permissions assigned to the admin account.
One important point is that the restricted admin should not have any additional unscoped roles, such as Compliance Administrator, Security Reader, Security Administrator, Information Protection-related roles, or any broader Purview/M365 role that could override the AU restriction. https://learn.microsoft.com/en-us/purview/purview-permissions#role-precedence-and-scope-behavior
It is also worth checking whether the DLP policy itself is scoped to the Administrative Unit, and whether the activity being shown is linked to an in-scope resource, such as a SharePoint site or OneDrive location, even if the user displayed in the activity is outside the AU.
So if the admin can see activity for users outside the scoped AU, I would first validate:
- Review all role assignments for the restricted admin and confirm there are no unscoped or tenant-wide roles.
- Confirm whether the DLP policy is global or scoped to the Administrative Unit.
- Check whether the activity is tied to an in-scope resource, especially a SharePoint site, OneDrive account, mailbox, or device.
- Confirm whether the specific workload and activity type support AU scoping.
So, to answer the question: yes, AU scoping should restrict what the admin can see, but seeing users outside the AU can make sense if the activity is tied to an in-scope resource or if the admin has another broader role assignment.
If the admin can see activity where the user, resource, policy context, and workload are all outside the Administrative Unit — and there are no unscoped roles involved — then I would consider that unexpected and worth raising with Microsoft Support.
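As an added example (not part of the original post), the first check in the list above can be scripted once the admin's Entra role assignments are exported. The sketch assumes records shaped like Microsoft Graph `unifiedRoleAssignment` objects (`principalId`, `roleDefinitionId`, `directoryScopeId`); all IDs, the group membership map, the AU names and the function names are constructed for illustration. It covers Entra directory roles only, so Purview role group membership still needs to be reviewed separately.

```python
# Constructed sample data: role assignments for one restricted admin and a
# group the admin belongs to. Every ID below is made up.
ASSIGNMENTS = [
    {"principalId": "admin-1", "roleDefinitionId": "rd-a",
     "directoryScopeId": "/administrativeUnits/au-emea"},
    {"principalId": "admin-1", "roleDefinitionId": "rd-secreader",
     "directoryScopeId": "/"},
    {"principalId": "admin-1", "roleDefinitionId": "rd-b",
     "directoryScopeId": "/administrativeUnits/au-apac"},
    {"principalId": "grp-7", "roleDefinitionId": "rd-compadmin",
     "directoryScopeId": "/"},
    {"principalId": "someone-else", "roleDefinitionId": "rd-compadmin",
     "directoryScopeId": "/"},
]
ROLE_NAMES = {"rd-a": "Example Role A", "rd-b": "Example Role B",
              "rd-secreader": "Security Reader",
              "rd-compadmin": "Compliance Administrator"}
GROUPS_OF = {"admin-1": ["grp-7"]}  # constructed group membership

AU_PREFIX = "/administrativeUnits/"

def classify(scope, expected_au):
    """Label a directoryScopeId relative to the AU the admin should be limited to."""
    if scope == "/":
        return "TENANT_WIDE"
    if scope.startswith(AU_PREFIX):
        au_id = scope[len(AU_PREFIX):]
        return "EXPECTED_AU" if au_id == expected_au else "OTHER_AU"
    return "OTHER_SCOPE"

def audit(principal, expected_au, assignments, groups_of, role_names):
    """Return (role, verdict, path) for every assignment outside the expected AU,
    including assignments inherited through group membership."""
    principals = {principal, *groups_of.get(principal, [])}
    findings = []
    for a in assignments:
        if a["principalId"] not in principals:
            continue
        verdict = classify(a["directoryScopeId"], expected_au)
        if verdict == "EXPECTED_AU":
            continue
        path = "direct" if a["principalId"] == principal else "group " + a["principalId"]
        role = role_names.get(a["roleDefinitionId"], a["roleDefinitionId"])
        findings.append((role, verdict, path))
    return findings

if __name__ == "__main__":
    for role, verdict, path in audit("admin-1", "au-emea", ASSIGNMENTS,
                                     GROUPS_OF, ROLE_NAMES):
        print(f"{verdict:12} {role} ({path})")
```

An empty result means no directory role reaches beyond the expected AU; any `TENANT_WIDE` or `OTHER_AU` line is a candidate explanation for out-of-scope visibility.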
- AlaaAy, Apr 30, 2026, Copper Contributor
Hello
Thank you for your reply
1. I tested two restricted admins that don't have any roles from Entra and from any other Purview role group.
2. The DLP policies are scoped indeed only to the admin unit, no global assignment.
3. I can see all kinds of activities for all workloads for all other AUs. I even compared with the Purview admin, and I had the same results.
4. The DLP policy targets the three basic workloads (SP, OneDrive, Exchange)
This case is strange because Microsoft says clearly that Activity Explorer is fully scoped and respects AU, but recently I have discovered a lot of mismatches between the documentation and the real environment when testing.
I opened a case with Microsoft, but you know, L1 junior support technicians started to talk to me, and they will need 1 month to realize that they need to escalate to L2s ... Karma !!!!
- cder, Apr 30, 2026, MCT
Hello,
Thanks for sharing the details. Based on your tests, this does sound unexpected, especially if the restricted admins have no other Entra or Purview roles, and the DLP policies are scoped only to the AU.
I have not noticed this behavior myself, but I will also try to reproduce it in my environment and compare the results.
It would be interesting to see what Microsoft says after escalation, because this clearly does not align with the expected AU-scoped behavior.