Forum Discussion

Copper Contributor

Apr 29, 2025

Solved

Importing Purview roles into XDR RBAC

I want to activate Email & collaboration into XDR RBAC, so in XDR RBAC, I go and "choose roles to import" and I see the built-in Purview eDiscovery Manager role. Ok, fine, so I choose to import it ...

microsoft defender for office 365

vimal_raj1984hotmail
Sep 07, 2025
This is an excellent and very detailed set of questions. You've hit upon one of the most confusing aspects of Microsoft's security and compliance ecosystem: the ongoing transition from multiple, separate permission models (Exchange, Purview, Defender) into a single, unified RBAC model in Microsoft Defender XDR.
Let's break this down logically. The core concept is that Microsoft is trying to simplify administration by letting you manage permissions for Security (Defender) and Compliance (Purview) in one place: the Defender portal. However, the transition is not a simple "lift and shift"; it's an "import and sync" model, which causes this confusion.
Here is a clear explanation of what is happening and answers to your questions.
The "Why": The Goal of Unified RBAC
The entire purpose of importing Purview roles into Defender XDR RBAC is to allow an analyst to have a single set of permissions that works across the entire investigation and response lifecycle.
Before: An analyst investigating a malicious email might need Defender permissions to see the alert, and then separate Purview permissions (like Search and Purge) to go find and delete the email. They had to be assigned roles in two different portals.
After (The Goal): You assign the analyst a single role in the Defender XDR portal that grants them both permissions simultaneously: "view alerts" and "purge emails."
To achieve this, Defender XDR needs to be aware of the Purview roles. The "import" process is essentially Defender reading the roles from Purview so you can bundle them into a unified XDR role.
Question 1: eDiscovery Roles and What Happens After Activation
"I'm confused on why the eDiscovery role is being imported... will something change with what Sally and Sue and Bob can do in Purview eDiscovery? Will I still be managing my eDiscovery users in Purview roles...?"
This is the most critical point of confusion.
Why is it imported? The eDiscovery role is imported because it contains permissions related to viewing email content ("Raw data (Email & collaboration)"). Defender XDR sees this as a relevant permission for a security investigation (e.g., viewing the content of a malicious email). It doesn't understand the nuance of eDiscovery cases (Sally vs. Bob). It just sees a "permission to view email" and imports it.
Will anything change in Purview? NO. After you activate the "Email & collaboration" workload, nothing will change for Sally, Sue, and Bob within the Purview eDiscovery portal.
Bob will still be an eDiscovery Admin who can see all cases.
Sally and Sue will still be eDiscovery Managers who can only see the cases they are assigned to.
The fine-grained permissions within the eDiscovery tool itself are respected and are managed exclusively in the Purview portal.
Where do you manage users? You continue to manage eDiscovery users in Purview. If you need to add Billy as an eDiscovery Admin, you will still go to the Purview compliance portal, navigate to Roles, and add Billy to the eDiscovery Administrator role group.
The Bottom Line: The import is a one-way read for the purpose of granting those permissions for Defender XDR scenarios. It does not push any changes back to Purview or alter how Purview's own RBAC works. The Defender XDR RBAC model simply uses the Purview role as a "permission template."
Question 2: Activating the Workload and Potential Impact
"Wondering what exactly will happen when I activate the Email & collaboration workload. Will anything negative happen to the PIM groups... Would I then need to clean anything up...?"
Activating the workload is like flipping the master switch. Before activation, all the imported roles and permissions are just sitting there, staged and inactive. After activation, the Defender XDR RBAC model becomes the source of authority for Email & collaboration permissions within the context of Defender XDR actions.
What happens when you activate?
The permissions you have configured in your Defender XDR roles (e.g., the imported "eDiscovery Manager" and "Search and Purge" permissions) will become active.
A user like Sally, who is in the imported eDiscovery role, will now be able to use Defender XDR features that require the "Read Raw Email Data" permission (like viewing the body of an email during a threat investigation in Defender).
A user in your "Search and Purge" role will be able to take purge actions directly from the Defender portal's Threat Explorer, instead of having to pivot to the Purview portal.
Will anything negative happen to PIM? NO. Your Privileged Identity Management (PIM) setup for the Azure AD groups assigned to Purview roles will not be affected. PIM controls membership in the group, while XDR RBAC controls what that group can do. The two systems work together. A user will still need to activate their PIM role to become a member of the group, and only then will they receive the permissions granted by the Defender XDR role.
Do you need to clean up Purview roles? NO. You do not need to clean up anything in Purview. The Purview roles must continue to exist because they are the source that Defender XDR is syncing from. If you delete the "Search and Purge" role in Purview, it will eventually disappear from the Defender XDR import, and your unified role will break.
The "Undo" Button
"Can I just undo it if it messes anything up?"
Yes. This is the most important safety net. If activating the workload causes unexpected issues, you can simply go back to Settings > Permissions > Email & collaboration roles and click a button to "Deactivate" the workload.
Deactivating will revert the permission model back to the way it was before. Defender XDR will stop being the source of authority, and the individual permission models of Exchange Online and Purview will take over again. It is a non-destructive process.

vimal_raj1984hotmail

MCT

Sep 07, 2025

This is an excellent and very detailed set of questions. You've hit upon one of the most confusing aspects of Microsoft's security and compliance ecosystem: the ongoing transition from multiple, separate permission models (Exchange, Purview, Defender) into a single, unified RBAC model in Microsoft Defender XDR.

Let's break this down logically. The core concept is that Microsoft is trying to simplify administration by letting you manage permissions for Security (Defender) and Compliance (Purview) in one place: the Defender portal. However, the transition is not a simple "lift and shift"; it's an "import and sync" model, which causes this confusion.

Here is a clear explanation of what is happening and answers to your questions.

The "Why": The Goal of Unified RBAC

The entire purpose of importing Purview roles into Defender XDR RBAC is to allow an analyst to have a single set of permissions that works across the entire investigation and response lifecycle.

Before: An analyst investigating a malicious email might need Defender permissions to see the alert, and then separate Purview permissions (like Search and Purge) to go find and delete the email. They had to be assigned roles in two different portals.

After (The Goal): You assign the analyst a single role in the Defender XDR portal that grants them both permissions simultaneously: "view alerts" and "purge emails."

To achieve this, Defender XDR needs to be aware of the Purview roles. The "import" process is essentially Defender reading the roles from Purview so you can bundle them into a unified XDR role.

Question 1: eDiscovery Roles and What Happens After Activation

"I'm confused on why the eDiscovery role is being imported... will something change with what Sally and Sue and Bob can do in Purview eDiscovery? Will I still be managing my eDiscovery users in Purview roles...?"

This is the most critical point of confusion.

Why is it imported? The eDiscovery role is imported because it contains permissions related to viewing email content ("Raw data (Email & collaboration)"). Defender XDR sees this as a relevant permission for a security investigation (e.g., viewing the content of a malicious email). It doesn't understand the nuance of eDiscovery cases (Sally vs. Bob). It just sees a "permission to view email" and imports it.

Will anything change in Purview? NO. After you activate the "Email & collaboration" workload, nothing will change for Sally, Sue, and Bob within the Purview eDiscovery portal.

Bob will still be an eDiscovery Admin who can see all cases.

Sally and Sue will still be eDiscovery Managers who can only see the cases they are assigned to.

The fine-grained permissions within the eDiscovery tool itself are respected and are managed exclusively in the Purview portal.

Where do you manage users? You continue to manage eDiscovery users in Purview. If you need to add Billy as an eDiscovery Admin, you will still go to the Purview compliance portal, navigate to Roles, and add Billy to the eDiscovery Administrator role group.

The Bottom Line: The import is a one-way read for the purpose of granting those permissions for Defender XDR scenarios. It does not push any changes back to Purview or alter how Purview's own RBAC works. The Defender XDR RBAC model simply uses the Purview role as a "permission template."

Question 2: Activating the Workload and Potential Impact

"Wondering what exactly will happen when I activate the Email & collaboration workload. Will anything negative happen to the PIM groups... Would I then need to clean anything up...?"

Activating the workload is like flipping the master switch. Before activation, all the imported roles and permissions are just sitting there, staged and inactive. After activation, the Defender XDR RBAC model becomes the source of authority for Email & collaboration permissions within the context of Defender XDR actions.

What happens when you activate?

The permissions you have configured in your Defender XDR roles (e.g., the imported "eDiscovery Manager" and "Search and Purge" permissions) will become active.

A user like Sally, who is in the imported eDiscovery role, will now be able to use Defender XDR features that require the "Read Raw Email Data" permission (like viewing the body of an email during a threat investigation in Defender).

A user in your "Search and Purge" role will be able to take purge actions directly from the Defender portal's Threat Explorer, instead of having to pivot to the Purview portal.

Will anything negative happen to PIM? NO. Your Privileged Identity Management (PIM) setup for the Azure AD groups assigned to Purview roles will not be affected. PIM controls membership in the group, while XDR RBAC controls what that group can do. The two systems work together. A user will still need to activate their PIM role to become a member of the group, and only then will they receive the permissions granted by the Defender XDR role.

Do you need to clean up Purview roles? NO. You do not need to clean up anything in Purview. The Purview roles must continue to exist because they are the source that Defender XDR is syncing from. If you delete the "Search and Purge" role in Purview, it will eventually disappear from the Defender XDR import, and your unified role will break.

The "Undo" Button

"Can I just undo it if it messes anything up?"

Yes. This is the most important safety net. If activating the workload causes unexpected issues, you can simply go back to Settings > Permissions > Email & collaboration roles and click a button to "Deactivate" the workload.

Deactivating will revert the permission model back to the way it was before. Defender XDR will stop being the source of authority, and the individual permission models of Exchange Online and Purview will take over again. It is a non-destructive process.