Permissions for Microsoft Purview AI Hub
Members of your security and compliance teams who are responsible for managing AI apps in the Microsoft Purview AI Hub need appropriate permissions when they sign in to the Microsoft Purview portal or sign in to Microsoft Purview compliance portal.
Roles and role groups that can view, create, and edit in the AI hub:
- Microsoft Entra ID Compliance Administrator role
- Microsoft Entra ID Global Administrator role
- Microsoft Purview Compliance Administrator role group
Roles and role groups that can view-only in the AI hub:
- Microsoft Purview Security Reader role group
To help you assign the right permissions to users, use the following guidance, depending on the portal you're using:
- Permissions in the Microsoft Purview portal
- Permissions in the Microsoft Purview compliance portal
- Assign Microsoft Entra roles to users
- Permissions in Exchange Online
Use the following table to understand the detailed permissions for different activities in the AI hub.
Permissions by AI hub activities
| AI hub activities | Microsoft Entra ID Compliance Administrator role | Microsoft Entra ID Global Administrator role | Microsoft Purview Compliance Administrator role group | Microsoft Purview Security Reader role group | When not supported, additional role groups required |
|---|---|---|---|---|---|
| View all get started steps | ✓ | ✓ | ✓ | ✓ | Not applicable |
| Complete action on getting started steps | ✓ | ✓ | ✓ Excludes Activate Audit |
✕ | Microsoft Exchange Compliance Management Microsoft Exchange Records Management Microsoft Exchange Organization Management |
| View completion status of getting started steps | ✓ | ✓ | ✓ Excludes status of Activate Audit |
✓ Excludes: Status of Activate Audit Status of Extend Your Insights |
For Activate Audit: Microsoft Exchange View-Only Organization Management Microsoft Exchange Hygiene Management Microsoft Exchange Compliance Management Microsoft Exchange Records Management Microsoft Exchange Organization Management For Extend Your Insights: Microsoft Purview Insider Risk Management Administrator Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| View all recommendations from the Analytics and Policy page | ✓ | ✓ | ✓ | ✓ | Not applicable |
| Complete actions on recommendation cards | ✓ | ✓ | ✓ | ✕ | Not applicable |
| View completion status of recommendation cards | ✓ | ✓ | ✓ | ✓ Excludes Unethical Behavior card |
Communication Compliance Administrator |
| View all graphs within the Analytics page | ✓ | ✓ | ✓ | ✓ | Not applicable |
| View all policies in the policy list | ✓ | ✓ | ✓ | ✓ Excludes: Insider risk management policies Communication compliance policies |
For insider risk management polices: Microsoft Purview Insider Risk Management Administrator Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator For communication compliance policies: Communication Compliance Administrator |
| View all events in activity explorer | ✓ Excludes browse to URL (AI Visit) from insider risk management |
✓ Excludes browse to URL (AI Visit) from insider risk management |
✓ Excludes browse to URL (AI Visit) from insider risk management |
✓ Excludes browse to URL (AI Visit) from insider risk management |
Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| View user risk level of an individual user in all events from activity explorer View link to view user details in insider risk management in all events from activity explorer |
✕ | ✕ | ✕ | ✕ | Microsoft Purview Insider Risk Management Analyst Microsoft Purview Insider Risk Management Investigator |
| View the prompts and responses within AI Interaction events from activity explorer | ✕ | ✕ | ✕ | ✕ | Microsoft Purview Content Explorer Content Viewer |
Custom role groups for the AI hub
Instead of granting access to the AI hub by using the built-in role groups, you can grant access by including either the Microsoft Purview Compliance Administrator role or the Microsoft Purview Security Reader role in a custom role group.
If a custom role group includes the Microsoft Purview Compliance Administrator role, the user has the same access to the AI hub as the Microsoft Purview Compliance Administrator role group, except for the following:
- Create, view, update, and delete policies for insider risk management and communication compliance
If a custom role group includes the Microsoft Purview Security Reader role, the user has the same access to the AI hub as the Microsoft Purview Security Reader role group, except for the following:
- View information protection policies