020: Set RBAC for DLP/MIP/IRM Admins

Overview

Review the Role-Based Access control options available for administrators of Data Loss Prevention, Microsoft Information Protection and Insider Risk Management, and make the configurations needed for your organization's needed.

In particular, consider restricting the use of the following roles and privileges which offer company-wide access to content:

• Content Explorer content viewer role group. This role group allows an administrator to view any content in the tenant, regardless of the content's access restrictions. This role is by default only assigned to global administrators and compliance administrators, and should be granted only to personnel involved in data investigations.
• Content Explorer list viewer role group. This role group allows an administrator to enumerate any content in the tenant, and view matches to sensitive information in it, regardless of the content's access restrictions. This role is by default only assigned to global administrators and compliance administrators, and should be granted only to personnel involved in data investigations and alert processing.
• AIP SuperUser. This role (assigned via the Add-AIPServiceSuperUser and Set-AIPServiceSuperUserGroup PowerShell commandlets) allows a user to decrypt any MIP-encrypted content protected in the tenant (other than content protected with Dual Key Encryption) regardless of the policy on the label assigned to the content.

Reference

• Roles and role groups in Microsoft Defender for Office 365 and Microsoft Purview https://learn.microsoft.com/en-us/defender-office-365/scc-permissions