Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Least permissive role to access Content Explorer in Microsoft Purview

Brass Contributor

Hi all,

 

I have a relatively simple question about Microsoft Purview permissions. Tried to find info on the web. I have raised this as a support request with Microsoft Support. But it seems to be quite a tough one. Weeks later, no solution. So, trying my luck here.

 

I want some users (non-admin) to access the Content Explorer and allow them to drill into specific Sensitive info types, find out where they reside and take action on them to eliminate the confidential data.

 

I have assigned the permission role 'Data Classification List Viewer' (role group name = Content Explorer List Viewer) to the users. However, after a couple of weeks they can still not access the Content Explorer.

 

Once they try to access the Content Explorer, they receive the following error message:

JoostvanderLinden_0-1710251365000.png

Client error

It seems that you do not have the correct permissions to access this page...

 

I assume that the role group is not sufficient for the users to gain access to the Content Explorer. 

What would be the least permissive role for users to gain access to the Content Explorer and see where sensitive data resides? (without them seeing the file contents)

 

Thanks in advance for all help provided.

3 Replies
Hi,
According to the official Microsoft Documentation on Insider Risk Management, if you follow the table on the following link

https://learn.microsoft.com/en-us/purview/insider-risk-management-configure?tabs=purview-portal

It looks like the Insider Risk Management Investigators role gives you the least privileged access to the Content Explorer.

I hope this was helpful

@a-James_Bell thank you for your reply.

This role 'Insider Risk Management Investigators' didn't allow the user to access the Content Explorer in Microsoft Purview.

 

I ended up with assigning them the Purview role 'Information Protection Analysts'.

Hi @Joost van der Linden 

There are two roles that grant access to content explorer and it is granted using the Microsoft Purview compliance portal:

  • Content Explorer List viewer: Membership in this role group allows you to see each item and its location in list view. The data classification list viewer role has been pre-assigned to this role group.

  • Content Explorer Content viewer: Membership in this role group allows you to view the contents of each item in the list. The data classification content viewer role has been pre-assigned to this role group.

You can also assign either or both of the roles to a custom role group to tailor access to content explorer.

A Global admin, can assign the necessary Content Explorer List Viewer, and Content Explorer Content Viewer role group membership.