Permissions in the Security & Compliance Center
Important
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.
Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
The Security & Compliance Center lets you grant permissions to people who perform compliance tasks like device management, data loss prevention, eDiscovery, retention, and so on. These people can perform only the tasks that you explicitly grant them access to. To access the Security & Compliance Center, users need to be a global administrator or a member of one or more Security & Compliance Center role groups.
Permissions in the Security & Compliance Center are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by Exchange, so if you're familiar with Exchange, granting permissions in the Security & Compliance Center will be very similar. It's important to remember, however, that Exchange role groups and Security & Compliance Center role groups don't share membership or permissions. While both have an Organization Management role group, they aren't the same. The permissions they grant, and the members of the role groups, are different. There's a list of Security & Compliance Center role groups below.
Relationship of members, roles, and role groups
A role grants permissions to do a set of tasks; for example, the Case Management role lets people work with eDiscovery cases.
A role group is a set of roles that lets people do their jobs across the Security & Compliance Center. For example, the Compliance Administrator role group includes, among other roles, Case Management, Content Search, and Organization Configuration, because someone who's a compliance admin needs the permissions for those tasks to do their job.
The Security & Compliance Center includes default role groups for the most common tasks and functions that you'll need to assign people to. We recommend simply adding individual users as members to the default role groups.
Permissions needed to use features in the Security & Compliance Center
The following table lists the default role groups that are available in the Security & Compliance Center, and the roles that are assigned to the role groups by default. To grant permissions to a user to perform a compliance task, add them to the appropriate Security & Compliance Center role group.
Managing permissions in the Security & Compliance Center only gives users access to the compliance features that are available within the Security & Compliance Center itself. If you want to grant permissions to other compliance features that aren't in the Security & Compliance Center, such as Exchange mail flow rules (also known as transport rules), you need to use the Exchange admin center.
To see how to grant access to the Security & Compliance Center, check out Give users access to Microsoft 365 Compliance admin center.
Note
To view the Permissions tab in the Security & Compliance Center, you need to be an admin. Specifically, you need to be assigned the Role Management role, and that role is assigned only to the Organization Management role group in the Security & Compliance Center by default. Furthermore, the Role Management role allows users to view, create, and modify role groups.
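The role/role-group model described above can be inspected and managed from Security & Compliance PowerShell as well as from the portal. The following is an added example, not code from the original article: it assumes the ExchangeOnlineManagement module is installed, that the caller holds the Role Management role, and uses placeholder UPNs (`admin@contoso.onmicrosoft.com`, `alex@contoso.onmicrosoft.com`). It shows how to list the roles a default role group carries, how to find every role group that grants a particular high-impact role, and how to add and later remove a member.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and a caller who holds the Role Management role; UPNs are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"

# 1. Which roles does a default role group carry? (Compare with the table in the article.)
Get-RoleGroup -Identity "Compliance Administrator" |
    Select-Object Name, @{n = 'Roles'; e = { $_.Roles -join ', ' }}

# 2. Which role groups grant a given role? Search And Purge and Role Management are
#    the roles a reviewer most wants to track, because they can destroy data or
#    change who holds permissions.
foreach ($role in "Search And Purge", "Role Management") {
    Get-ManagementRoleAssignment -Role $role |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType
}

# 3. Grant the least-privilege default role group for the task, rather than
#    adding the user to Organization Management.
Add-RoleGroupMember -Identity "eDiscovery Manager" -Member "alex@contoso.onmicrosoft.com"

# 4. Confirm the change took effect.
Get-RoleGroupMember -Identity "eDiscovery Manager" | Select-Object Name, PrimarySmtpAddress

# 5. Remove the membership when the task is finished.
Remove-RoleGroupMember -Identity "eDiscovery Manager" -Member "alex@contoso.onmicrosoft.com" -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

`Get-ManagementRoleAssignment -Role` is the quickest way to answer "who can do X" without reading every role group, and the same query run on a schedule gives a simple drift check against the defaults listed in the tables below.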
Role group | Description | Default roles assigned |
---|---|---|
Communication Compliance | Provides permission to all the communication compliance roles: administrator, analyst, investigator, and viewer. | Case Management, Communication Compliance Admin, Communication Compliance Analysis, Communication Compliance Case Management, Communication Compliance Investigation, Communication Compliance Viewer, Data Classification Feedback Provider, View-Only Case |
Communication Compliance Administrators | Administrators of communication compliance that can create/edit policies and define global settings. | Communication Compliance Admin, Communication Compliance Case Management |
Communication Compliance Analysts | Analysts of communication compliance that can investigate policy matches, view message metadata, and take remediation actions. | Communication Compliance Analysis, Communication Compliance Case Management |
Communication Compliance Investigators | Analysts of communication compliance that can investigate policy matches, view message content, and take remediation actions. | Case Management, Communication Compliance Analysis, Communication Compliance Case Management, Communication Compliance Investigation, Data Classification Feedback Provider, View-Only Case |
Communication Compliance Viewers | Viewers of communication compliance that can access the available reports and widgets. | Communication Compliance Case Management, Communication Compliance Viewer |
Compliance Administrator¹ | Members can manage settings for device management, data loss prevention, reports, and preservation. | Case Management, Compliance Administrator, Compliance Search, Data Classification Feedback Provider, Data Classification Feedback Reviewer, Device Management, Disposition Management, DLP Compliance Management, Hold, IB Compliance Management, Manage Alerts, Organization Configuration, RecordManagement, Retention Management, View-Only Audit Logs, View-Only Case, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management |
Compliance Data Administrator | Members can manage settings for device management, data protection, data loss prevention, reports, and preservation. | Compliance Administrator, Compliance Search, Device Management, DLP Compliance Management, Disposition Management, IB Compliance Management, Manage Alerts, Organization Configuration, RecordManagement, Retention Management, Sensitivity Label Administrator, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management |
Compliance Manager Administrators | Manage template creation and modification. | Compliance Manager Administration, Compliance Manager Assessment, Compliance Manager Contribution, Compliance Manager Reader |
Compliance Manager Assessors | Create assessments, implement improvement actions, and update test status for improvement actions. | Compliance Manager Assessment, Compliance Manager Contribution, Compliance Manager Reader |
Compliance Manager Contributors | Create assessments and perform work to implement improvement actions. | Compliance Manager Contribution, Compliance Manager Reader |
Compliance Manager Readers | View all Compliance Manager content except for administrator functions. | Compliance Manager Reader |
Content Explorer Content Viewer | View the contents of files in Content explorer. | Data Classification Content Viewer |
Content Explorer List Viewer | View all items in Content explorer in list format only. | Data Classification List Viewer |
eDiscovery Manager | Members can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. Members can also create and manage eDiscovery cases, add and remove members to a case, create and edit Content Searches associated with a case, and access case data in Advanced eDiscovery. An eDiscovery Administrator is a member of the eDiscovery Manager role group who has been assigned additional permissions. In addition to the tasks that an eDiscovery Manager can perform, an eDiscovery Administrator can: The primary difference between an eDiscovery Manager and an eDiscovery Administrator is that an eDiscovery Administrator can access all cases that are listed on the eDiscovery cases page in the Security & Compliance Center. An eDiscovery Manager can only access the cases they created or cases they are a member of. For more information about making a user an eDiscovery Administrator, see Assign eDiscovery permissions in the Security & Compliance Center. | Case Management, Communication, Compliance Search, Custodian, Export, Hold, Preview, Review, RMS Decrypt |
Global Reader | Members have read-only access to reports and alerts, and can see all the configuration and settings. The primary difference between Global Reader and Security Reader is that a Global Reader can access configuration and settings. | Security Reader, Sensitivity Label Reader, Service Assurance View, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management |
Insider Risk Management | Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users. | Case Management, Insider Risk Management Admin, Insider Risk Management Analysis, Insider Risk Management Investigation, View-Only Case |
Insider Risk Management Admins | Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments. | Case Management, Insider Risk Management Admin, View-Only Case |
Insider Risk Management Analysts | Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer. | Case Management, Insider Risk Management Analysis, View-Only Case |
Insider Risk Management Auditors | Auditors of insider risk management that can view the audit logs of actions performed by Analysts, Investigators, and Administrators. | Insider Risk Management Audit |
Insider Risk Management Investigators | Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. | Case Management, Insider Risk Management Investigation, View-Only Case |
IRM Contributors | This role group is visible, but is used by background services only. | Insider Risk Management Permanent contribution, Insider Risk Management Temporary contribution |
MailFlow Administrator | Members can monitor and view mail flow insights and reports in the Security & Compliance Center. Global admins can add ordinary users to this group, but if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks. | View-Only Recipients |
Organization Management¹ | Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). Global admins are automatically added as members of this role group. | Audit Logs, Case Management, Compliance Administrator, Compliance Search, Device Management, DLP Compliance Management, Hold, IB Compliance Management, Manage Alerts, Organization Configuration, Quarantine, RecordManagement, Retention Management, Role Management, Search And Purge, Security Administrator, Security Reader, Sensitivity Label Administrator, Sensitivity Label Reader, Service Assurance View, Tag Contributor, Tag Manager, Tag Reader, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Case, View-Only Manage Alerts, View-Only Recipients, View-Only Record Management, View-Only Retention Management |
Quarantine Administrator | Members can access all Quarantine actions. For more information, see Manage quarantined messages and files as an admin in EOP. | Quarantine |
Records Management | Members can configure all aspects of records management, including retention labels and disposition reviews. | Disposition Management, RecordManagement, Retention Management |
Reviewer | Members can access review sets in Advanced eDiscovery cases. Members of this role group can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Members of this role group can only access the data in a review set. | Review |
Security Administrator | Members have access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. By default, this role group may not appear to have any members. However, the Security Administrator role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Administrator role from Azure Active Directory. To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Administrator role permissions in Azure Active Directory. If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. This role group includes all of the read-only permissions of the Security Reader role, plus a number of additional administrative permissions for the same services: Azure Information Protection, Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. | Audit Logs, Device Management, DLP Compliance Management, IB Compliance Management, Manage Alerts, Quarantine, Security Administrator, Sensitivity Label Administrator, Tag Contributor, Tag Manager, Tag Reader, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts |
Security Operator | Members can manage security alerts, and also view reports and settings of security features. | Compliance Search, Manage Alerts, Security Reader, Tag Contributor, Tag Reader, View-Only Audit Logs, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts |
Security Reader | Members have read-only access to a number of security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and Security & Compliance Center. By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Administrator role permissions in Azure Active Directory. If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services. | Security Reader, Sensitivity Label Reader, Tag Reader, View-Only Device Management, View-Only DLP Compliance Management, View-Only IB Compliance Management, View-Only Manage Alerts |
Service Assurance User | Members can access the Service assurance section in the Security & Compliance Center. Service assurance provides reports and documents that describe Microsoft's security practices for customer data that's stored in Microsoft 365. It also provides independent third-party audit reports on Microsoft 365. For more information, see Service assurance in the Security & Compliance Center. | Service Assurance View |
Supervisory Review | Members can create and manage the policies that define which communications are subject to review in an organization. For more information, see Configure communication compliance policies for your organization. | Supervisory Review Administrator |
Note
¹ This role group doesn't assign members the permissions necessary to search the audit log or to use any reports that might include Exchange data, such as the DLP or Defender for Office 365 reports. To search the audit log or to view all reports, a user has to be assigned permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet. Global admins can search the audit log and view all reports because they're automatically added as members of the Organization Management role group in Exchange Online. For more information, see Search the audit log in the Security & Compliance Center.
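Because the Exchange Online and Security & Compliance Center role groups do not share membership, a user can sit in the Security & Compliance Center's Organization Management group and still lack the Exchange Online permission that audit-log search and Exchange-backed reports require. The following added example (not from the original article) opens both sessions from the ExchangeOnlineManagement module and lists the people who are in one Organization Management group but not the other. It assumes that `Connect-ExchangeOnline` and `Connect-IPPSSession` both accept a `-Prefix` parameter to keep the same-named cmdlets apart, and uses a placeholder admin UPN.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module; -Prefix is assumed to be supported on both Connect-* cmdlets so that the
# Exchange Online and Security & Compliance Center cmdlet sets can coexist in one session.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com" -Prefix Ex    # placeholder UPN
Connect-IPPSSession    -UserPrincipalName "admin@contoso.onmicrosoft.com" -Prefix Scc   # placeholder UPN

# Membership of the two Organization Management role groups, keyed by SMTP address.
$exoMembers = @(Get-ExRoleGroupMember  -Identity "Organization Management" |
                Select-Object -ExpandProperty PrimarySmtpAddress)
$sccMembers = @(Get-SccRoleGroupMember -Identity "Organization Management" |
                Select-Object -ExpandProperty PrimarySmtpAddress)

# '=>' marks users present only in the Security & Compliance Center group: they can
# manage compliance permissions but cannot search the audit log or view reports that
# include Exchange data. '<=' marks users who are Exchange Online admins only.
$diff = Compare-Object -ReferenceObject $exoMembers -DifferenceObject $sccMembers

$diff | Where-Object SideIndicator -eq '=>' |
    Select-Object @{n = 'SccOnlyMember'; e = { $_.InputObject }}
$diff | Where-Object SideIndicator -eq '<=' |
    Select-Object @{n = 'ExchangeOnlyMember'; e = { $_.InputObject }}

Disconnect-ExchangeOnline -Confirm:$false
```

Users reported as `SccOnlyMember` are the ones for whom the footnote applies; if they genuinely need audit-log search, they should be granted the corresponding Exchange Online role group rather than broader Security & Compliance Center roles.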
Roles in the Security & Compliance Center
The following table lists the available roles and the role groups that they're assigned to by default.
Note that the following roles aren't assigned to the Organization Management role group by default:
- Attack Simulator Admin
- Attack Simulator Payload Author
- Communication
- Communication Compliance Admin
- Communication Compliance Analysis
- Communication Compliance Case Management
- Communication Compliance Investigation
- Communication Compliance Viewer
- Compliance Manager Administration
- Compliance Manager Assessment
- Compliance Manager Contribution
- Compliance Manager Reader
- Custodian
- Data Classification Content Viewer
- Data Classification Feedback Provider
- Data Classification Feedback Reviewer
- Data Classification List Viewer
- Disposition Management
- Export
- Insider Risk Management Admin
- Insider Risk Management Analysis
- Insider Risk Management Audit
- Insider Risk Management Investigation
- Insider Risk Management Permanent contribution
- Insider Risk Management Temporary contribution
- Preview
- Review
- RMS Decrypt
- Supervisory Review Administrator
Role | Description | Default role group assignments |
---|---|---|
Attack Simulator Admin | Used to create and manage all aspects of attack simulation campaigns. | |
Attack Simulator Payload Author | Used to create and manage attack payloads that can be deployed by an attack simulator administrator. | |
Audit Logs | Turn on and configure auditing for the organization, view the organization's audit reports, and then export these reports to a file. | Organization Management, Security Administrator |
Case Management | Create, edit, delete, and control access to eDiscovery cases. | Communication Compliance, Communication Compliance Investigators, Compliance Administrator, eDiscovery Manager, Insider Risk Management, Insider Risk Management Admins, Insider Risk Management Analysts, Insider Risk Management Investigators, Organization Management |
Communication | Manage all communications with the custodians identified in an Advanced eDiscovery case. Create hold notifications, hold reminders, and escalations to management. Track custodian acknowledgment of hold notifications and manage access to the custodian portal that is used by each custodian in a case to track communications for the cases where they were identified as a custodian. | eDiscovery Manager |
Communication Compliance Admin | Used to manage policies in the Communication Compliance feature. | Communication Compliance, Communication Compliance Administrators |
Communication Compliance Analysis | Used to perform investigation and remediation of message violations in the Communication Compliance feature. Can only view message metadata. | Communication Compliance, Communication Compliance Analysts, Communication Compliance Investigators |
Communication Compliance Case Management | Used to access Communication Compliance cases. | Communication Compliance, Communication Compliance Administrators, Communication Compliance Analysts, Communication Compliance Investigators, Communication Compliance Viewers |
Communication Compliance Investigation | Used to perform investigation, remediation, and review of message violations in the Communication Compliance feature. Can view message metadata and message content. | Communication Compliance, Communication Compliance Investigators |
Communication Compliance Viewer | Used to access reports and widgets in the Communication Compliance feature. | Communication Compliance, Communication Compliance Viewers |
Compliance Administrator | View and edit settings and reports for compliance features. | Compliance Administrator, Compliance Data Administrator, Organization Management |
Compliance Manager Administration | Manage template creation and modification. | Compliance Manager Administrators |
Compliance Manager Assessment | Create assessments, implement improvement actions, and update test status for improvement actions. | Compliance Manager Administrators, Compliance Manager Assessors |
Compliance Manager Contribution | Create assessments and perform work to implement improvement actions. | Compliance Manager Administrators, Compliance Manager Assessors, Compliance Manager Contributors |
Compliance Manager Reader | View all Compliance Manager content except for administrator functions. | Compliance Manager Administrators, Compliance Manager Assessors, Compliance Manager Contributors, Compliance Manager Readers |
Compliance Search | Perform searches across mailboxes and get an estimate of the results. | Compliance Administrator, Compliance Data Administrator, eDiscovery Manager, Organization Management, Security Operator |
Custodian | Identify and manage custodians for Advanced eDiscovery cases and use the information from Azure Active Directory and other sources to find data sources associated with custodians. Associate other data sources such as mailboxes, SharePoint sites, and Teams with custodians in a case. Place a legal hold on the data sources associated with custodians to preserve content in the context of a case. | eDiscovery Manager |
Data Classification Content Viewer | View in-place rendering of files in Content explorer. | Content Explorer Content Viewer |
Data Classification Feedback Provider | Allows providing feedback to classifiers in Content explorer. | Communication Compliance, Communication Compliance Investigators, Compliance Administrator |
Data Classification Feedback Reviewer | Allows reviewing feedback from classifiers in feedback explorer. | Compliance Administrator |
Data Classification List Viewer | View the list of files in Content explorer. | Content Explorer List Viewer |
Device Management | View and edit settings and reports for device management features. | Compliance Administrator, Compliance Data Administrator, Organization Management, Security Administrator |
Disposition Management | Control permissions for accessing Manual Disposition in the Security & Compliance Center. | Compliance Administrator, Compliance Data Administrator, Records Management |
DLP Compliance Management | View and edit settings and reports for data loss prevention (DLP) policies. | Compliance Administrator, Compliance Data Administrator, Organization Management, Security Administrator |
Export | Export mailbox and site content that's returned from searches. | eDiscovery Manager |
Hold | Place content in mailboxes, sites, and public folders on hold. When on hold, a copy of the content is stored in a secure location. Content owners will still be able to modify or delete the original content. | Compliance Administrator, eDiscovery Manager, Organization Management |
IB Compliance Management | View, create, remove, modify, and test Information Barrier policies. | Compliance Administrator, Compliance Data Administrator, Organization Management, Security Administrator |
Insider Risk Management Admin | Create, edit, delete, and control access to the Insider Risk Management feature. | Insider Risk Management, Insider Risk Management Admins |
Insider Risk Management Analysis | Access all insider risk management alerts, cases, and notices templates. | Insider Risk Management, Insider Risk Management Analysts |
Insider Risk Management Audit | Allow viewing Insider Risk audit trails. | Insider Risk Management Auditors |
Insider Risk Management Investigation | Access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases. | Insider Risk Management, Insider Risk Management Investigators |
Insider Risk Management Permanent contribution | This role is visible, but is used by background services only. | IRM Contributors |
Insider Risk Management Temporary contribution | This role is visible, but is used by background services only. | IRM Contributors |
Manage Alerts | View and edit settings and reports for alerts. | Compliance Administrator, Compliance Data Administrator, Organization Management, Security Administrator, Security Operator |
Organization Configuration | Run, view, and export audit reports and manage compliance policies for DLP, devices, and preservation. | Compliance Administrator, Compliance Data Administrator, Organization Management |
Preview | View a list of items that are returned from content searches, and open each item from the list to view its contents. | eDiscovery Manager |
Quarantine | Allows viewing and releasing quarantined email. | Quarantine Administrator, Security Administrator, Organization Management |
RecordManagement | View and edit the configuration of the records management feature. | Compliance Administrator, Compliance Data Administrator, Organization Management, Records Management |
Retention Management | Manage retention policies, retention labels, and retention label policies. | Compliance Administrator, Compliance Data Administrator, Organization Management, Records Management |
Review | This role lets users access review sets in Advanced eDiscovery cases. Users who are assigned this role can see and open the list of cases on the eDiscovery > Advanced page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select Review sets to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set. | eDiscovery Manager, Reviewer |
RMS Decrypt | Decrypt RMS-protected content when exporting search results. | eDiscovery Manager |
Role Management | Manage role group membership and create or delete custom role groups. | Organization Management |
Search And Purge | Lets people bulk-remove data that matches the criteria of a content search. | Organization Management |
Security Administrator | View and edit the configuration and reports for Security features. | Organization Management, Security Administrator |
Security Reader | View the configuration and reports for Security features. | Global Reader, Organization Management, Security Operator, Security Reader |
Sensitivity Label Administrator | View, create, modify, and remove sensitivity labels. | Compliance Data Administrator, Organization Management, Security Administrator |
Sensitivity Label Reader | View the configuration and usage of sensitivity labels. | Global Reader, Organization Management, Security Reader |
Service Assurance View | Download the available documents from the Service Assurance section. Content includes independent auditing, compliance documentation, and trust-related guidance for using Microsoft 365 features to manage regulatory compliance and security risks. | Global Reader, Organization Management, Service Assurance User |
Supervisory Review Administrator | Manage supervisory review policies, including which communications to review and who should do the review. | Supervisory Review |
Tag Contributor | View and update membership of existing user tags. | Organization Management, Security Administrator, Security Operator |
Tag Manager | View, update, create, and delete user tags. | Organization Management, Security Administrator |
Tag Reader | Read-only access to existing user tags. | Security Reader |
View-Only Audit Logs | View and export audit reports. Because these reports might contain sensitive information, you should only assign this role to people with an explicit need to view this information. | Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator |
View-Only Case | | Communication Compliance, Communication Compliance Investigators, Compliance Administrator, Insider Risk Management, Insider Risk Management Admins, Insider Risk Management Analysts, Insider Risk Management Investigators, Organization Management |
View-Only Device Management | View the configuration and reports for the Device Management feature. | Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader |
View-Only DLP Compliance Management | View the settings and reports for data loss prevention (DLP) policies. | Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader |
View-Only IB Compliance Management | View the configuration and reports for the Information Barriers feature. | Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader |
View-Only Manage Alerts | View the configuration and reports for the Manage Alerts feature. | Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management, Security Administrator, Security Operator, Security Reader |
View-Only Recipients | View information about users and groups. | Compliance Administrator, Compliance Data Administrator, Global Reader, MailFlow Administrator, Organization Management |
View-Only Record Management | View the configuration of the records management feature. | Compliance Administrator, Compliance Data Administrator, Global Reader, Organization Management |
View-Only Retention Management | View the configuration of retention policies, retention labels, and retention label policies. | Compliance Administrator, Compliance Data Administrator, Global Administrator, Organization Management |