
InformationProtectionAdmins role grants Content Explorer content viewing without Content Explorer Content Viewer role

Hernán Velasco 0 Reputation points
2026-06-04T07:32:47.2666667+00:00

Environment: Microsoft Purview portal (purview.microsoft.com), commercial tenant.

Observed behavior: A user assigned to the following Purview role groups can view document contents in Content Explorer (classic), without being a member of the "Content Explorer Content Viewer" role group:

  • ComplianceAdministrator
  • PurviewAdministrators
  • InformationProtection
  • InformationProtectionAdmins
  • RecordsManagement

The user also has the Entra ID role "Purview Workload Content Administrator", automatically assigned by the PurviewRoleAssignmentMigrator service principal.

Expected behavior per documentation: According to Get started with Content Explorer, the Information Protection roles grant access to the Content Explorer tab only, but not permission to view item contents. That requires explicit membership in "Content Explorer Content Viewer".

Question:

  1. Does the Purview Workload Content Administrator Entra ID role implicitly grant content viewing permissions in Content Explorer, overriding what the documentation states?
  2. If so, is there a supported way to allow a user to manage DLP and auto-labeling policies without being able to view document contents in Content Explorer?
Microsoft Security | Microsoft Purview

2 answers

  1. Pilladi Padma Sai Manisha 9,945 Reputation points Microsoft External Staff Moderator
    2026-06-05T06:42:47.84+00:00

    Hi @Hernán Velasco
    Thanks for providing the detailed role assignments.

    Based on the documentation, membership in Information Protection Administrators should provide access to Content Explorer, while viewing the actual content of items is expected to require the Content Explorer Content Viewer permission.

    Since the user is also assigned the Purview Workload Content Administrator Entra ID role through the Purview RBAC migration process, it is possible that this role (or another inherited permission) is contributing to the content-viewing capability. However, Microsoft documentation does not clearly state that this role independently grants Content Explorer content-view permissions.

    At this point, it would be difficult to determine whether the behavior is by design or the result of permission inheritance without product team confirmation.

    For your second question, the recommended approach is to use the principle of least privilege and assign only the specific Purview role groups required for DLP and auto-labeling administration. If content viewing remains available despite the absence of the Content Explorer Content Viewer role, I recommend opening a Microsoft support case so the product team can verify the effective permissions and confirm whether the observed behavior is expected.

    Could you also confirm whether removing the Information Protection Administrators role group (while retaining the other assignments) changes the behavior? That information would help narrow down which role is granting the content-view capability.



  2. Hernán Velasco 0 Reputation points
    2026-06-04T07:34:37.27+00:00

    "Thank you for the response. However, my question is specifically about observed behavior that contradicts the documentation. In our tenant, a user assigned to InformationProtectionAdmins and other IP role groups — but NOT to Content Explorer Content Viewer — CAN view document contents in Content Explorer. The user also has the Entra ID role 'Purview Workload Content Administrator' automatically assigned by PurviewRoleAssignmentMigrator. We need to understand whether this automatic Entra ID role assignment is what grants content viewing, as it would make the documented separation of duties ineffective."

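One way to narrow down which assignment carries the content-viewing permission, as an added example that is not part of the thread and not Microsoft's own code: compare the roles inside each role group listed in the question with the roles inside the "Content Explorer Content Viewer" role group. It assumes a Security & Compliance PowerShell session opened with `Connect-IPPSSession`, and that the names in the question are the role groups' `Name` values; it does not inspect the Entra ID role.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# Connect-IPPSSession has already been run by an account allowed to read role groups.

# Role groups the question lists for the affected user.
$assignedGroups = @(
    'ComplianceAdministrator'
    'PurviewAdministrators'
    'InformationProtection'
    'InformationProtectionAdmins'
    'RecordsManagement'
)
# Role group the documentation names as required for viewing item contents.
# Assumption: its Name or DisplayName matches this label once spaces are removed.
$viewerKey = 'Content Explorer Content Viewer' -replace '\s'

# Role identities can be returned as long paths; keep only the last segment.
function Get-ShortRoleName {
    param([Parameter(Mandatory)][string]$Role)
    ($Role -split '/')[-1].Trim()
}

$allGroups = Get-RoleGroup
$viewer = $allGroups | Where-Object {
    ($_.Name -replace '\s') -eq $viewerKey -or
    ($_.DisplayName -replace '\s') -eq $viewerKey
}
if (-not $viewer) { throw "Viewer role group not found; check its name in the tenant." }
$viewerRoles = @($viewer.Roles | ForEach-Object { Get-ShortRoleName "$_" })

# For each assigned role group, list the roles it shares with the viewer group.
$report = foreach ($name in $assignedGroups) {
    $group = $allGroups | Where-Object { $_.Name -eq $name }
    if (-not $group) {
        [pscustomobject]@{ RoleGroup = $name; Found = $false; SharedWithViewerGroup = '' }
        continue
    }
    $roles  = @($group.Roles | ForEach-Object { Get-ShortRoleName "$_" })
    $shared = @($roles | Where-Object { $viewerRoles -contains $_ })
    [pscustomobject]@{
        RoleGroup             = $name
        Found                 = $true
        SharedWithViewerGroup = ($shared -join '; ')
    }
}
$report | Format-Table -AutoSize -Wrap
```

An empty `SharedWithViewerGroup` column on every row shows that none of the listed role groups contains a role the viewer role group contains, which is useful evidence to attach to the support case alongside the Entra ID role assignment.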

