022: Segment administration using Administrative Units and RBAC
Overview
For most administrative tasks, including Information Protection Admin and DLP admin, the Purview administration portal allows the scoping of policies and artifacts to specific administrative units, so management of such elements can be limited to specified admins (e.g. those for a specific region or business unit) and application of the same can be scoped to users in those administrative units.
For businesses with compartmentalized or tented units, this capability should be utilized by defining administrative units including the users in those parts of the businesses and the corresponding administrators. You must then assign DLP policies, labels, label policies, autolabeling policies and insider risk management policies to the corresponding admin units to ensure administrators cannot alter policies or view results for users outside of their unit.
Reference
- Administrative units in Microsoft Purview https://learn.microsoft.com/en-us/purview/purview-admin-units