Updates to Data Security Investigation roles in Microsoft Purview

Microsoft is simplifying how organizations manage access to Data Security Investigations (DSI) in Microsoft Purview.
To align with Data Security Posture Management, Insider Risk Management, and Microsoft Defender XDR, the DSI Admin and DSI Contributor roles will automatically be included in additional role groups. This reduces manual role assignments, ensuring that teams working across these solutions receive the right access by default.


Timeline

The role update should be completed in April 2026.


About Data Security Investigations in Microsoft Purview

Data Security Investigations (DSI) in Microsoft Purview is a solution that helps cybersecurity teams use generative AI to analyze and respond to data security incidents, risky insiders, and data breaches. It allows analysts to quickly search and identify impacted data, perform deep AI-powered content analysis to uncover hidden data risks, take mitigation actions to reduce incident impact, and collaborate with internal and external stakeholders.

DSI integrates with:

No dedicated license is required. DSI uses a pay-as-you-go billing model; you pay for the storage and AI capacity you use. Usage charges may take up to 48 hours to be shown.

Data Security Investigations in Microsoft Purview


What is changing for Data Security Investigations roles?

Data Security Investigation Admins
Microsoft is adding the Data Security Investigation Admin role to the Compliance Administrator role group. See my role description below for the permissions of the Data Security Investigation Admin role.

Compliance Administrator role group

Data Security Investigation Contributor
Microsoft is adding the Data Security Investigation Contributor role to the three Purview role groups:

  • Organization Management
  • Data Security Management
  • Insider Risk Management
Update to the Data Security Investigation Contributor role

The updated role assignments are included in the Microsoft Purview role group overview.

The updated Data Security Investigation Contributor role membership
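
To review who receives DSI access through these role groups in your own tenant, the following added example (not part of the original post and not Microsoft's code) lists every role group that carries a DSI role, together with its members, using Security & Compliance PowerShell. It assumes that DSI role names contain "Data Security Investigation" and that the role group display names match the ones shown on this page; the output file name is a placeholder.

```powershell
# Added example: audit Purview role groups that carry DSI roles and list their members.
# Requires the ExchangeOnlineManagement module and rights to read role groups.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Role groups named in the announcement (display names as shown on this page).
$affected = 'Compliance Administrator', 'Organization Management',
            'Data Security Management', 'Insider Risk Management'

# Assumption: DSI role names contain this text (spacing may differ internally).
$dsiPattern = 'Data\s*Security\s*Investigation'

$report = foreach ($group in Get-RoleGroup) {
    # Role entries can be path-style identities; keep only the last segment.
    $dsiRoles = @($group.Roles |
        ForEach-Object { ("$_" -split '/')[-1] } |
        Where-Object { $_ -match $dsiPattern })
    $named = $affected -contains $group.DisplayName

    # Skip groups that neither carry a DSI role nor appear in the announcement.
    if (-not $dsiRoles -and -not $named) { continue }

    $members = @(Get-RoleGroupMember -Identity $group.Name)
    if ($members.Count -eq 0) {
        # Still report the group so an empty membership is visible.
        [pscustomobject]@{
            RoleGroup = $group.DisplayName; InAnnouncement = $named
            DsiRoles  = $dsiRoles -join '; '; Member = '(none)'; MemberType = ''
        }
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            RoleGroup = $group.DisplayName; InAnnouncement = $named
            DsiRoles  = $dsiRoles -join '; '; Member = $m.Name
            MemberType = $m.RecipientType
        }
    }
}

$report | Sort-Object RoleGroup, Member | Format-Table -AutoSize

# Keep a dated snapshot so a run before the rollout can be compared with one after it.
$stamp = Get-Date -Format 'yyyyMMdd'
$report | Export-Csv -Path ".\dsi-rolegroups-$stamp.csv" -NoTypeInformation
```

A role group listed with `InAnnouncement` set to `True` but an empty `DsiRoles` column has not received the update yet; a group with DSI roles and `InAnnouncement` set to `False` carries them for another reason and is worth reviewing separately.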

Data Security Investigations roles in Microsoft Purview

While reviewing this update, I noticed a discrepancy. The Data Security Investigations permissions page lists only three role groups. The Contributor role is not mentioned there, which may indicate a pending documentation update.

Data Security Investigation permission page (April 2026)

However, searching for all Data Security Investigation roles in Purview reveals five roles in total.

Data Security Investigation roles

Microsoft documents three roles, but the portal lists five.
I prepared a summary for myself.

Data Security Investigation Admins
Users with this role group have full access across all investigations, tenant-wide. They can create and manage all investigations regardless of ownership, create searches and add items to investigations, estimate and preview search results, manage investigation scope, run categorization and examination activities, run vector searches, create and run purge queries, view data risk graphs, and manage mitigation plan items. They are the only ones with access to the pay-as-you-go usage dashboard and the only ones who can configure AI capacity.


Data Security Investigation Investigators
Users with this role group can create and manage investigations they are assigned to. They can create searches and add items to investigations, estimate and preview search results, manage investigation scope, run categorization and examination activities, run vector searches, create and run purge queries, view data risk graphs, and manage mitigation plan items. They do not have access to the pay-as-you-go usage dashboard and cannot manage investigations they are not assigned to.

Data Security Investigation Analyst
Users with this role have full capabilities within investigations they own or are members of, including the ability to execute mitigation actions, such as purging content, to reduce or contain data security risks. Like the Contributor role, access is scoped to investigations they own or are a member of, with no tenant-wide visibility. Unlike the Contributor role, users can fully act on data within those investigations.


Data Security Investigation Contributor
Users with this role can create new investigations and list or view investigations they own or are a member of. They have no visibility into investigations outside of their own involvement. Unlike the Analyst role, they cannot act on data within investigations; they can only create and view it.


Data Security Investigation Reviewers
Users with this role group have the least access of the DSI roles. They can run categorization and examination activities, run vector searches, view data risk graphs, and manage mitigation plan items. They cannot create or manage investigations, create searches, manage investigation scope, or create and run purge queries, and they have no access to the pay-as-you-go usage dashboard.


Tobias Asböck

Tobias is a Senior System Engineer with more than 10 years of professional experience with Microsoft 365 products such as SharePoint Online, SharePoint Premium, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].
