Microsoft Purview: View only Role management enhancements
🚨 The Signal: Microsoft Purview and Defender portals now include a new view-only role for Global Reader and Security Reader. This enhances visibility into member assignments without granting elevated write permissions, improving least privilege principles.
The Impact
Security and Global Admins are affected, gaining read-only access to Purview/Defender assignments, reducing the risk of over-privileged accounts.
- Security Admins: Reduced need for higher privileges to review assignments, lowering risk.
- Global Admins: Enhanced visibility into security configurations without write access, improving oversight.
- Compliance Teams: Easier auditing of access controls within Purview and Defender.
- Auditors: Simplified verification of role assignments and adherence to least privilege.
The Action
- Review existing Global Reader and Security Reader assignments in Entra ID to understand who gains this new visibility.
- Communicate the enhanced read-only capabilities to relevant security and compliance teams.
- Leverage this new visibility for auditing and compliance checks within Microsoft Purview and Microsoft Defender portals.
Domain: Entra · Impact: low · Workload: Microsoft Purview · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898