What are the main permissions required for MIP and DLP and what does each do?
Release : 15.8
There are 4 main permissions required for DLP to work with MIP. Below you can see which permissions apply to the Detection server and which apply to the Endpoint Agent, and what each one is used for.
Detection server permissions:
Content.SuperUser: needed for the Detection server to decrypt any content encrypted in the tenant's context.
UnifiedPolicy.Tenant.Read: needed for Enforce to sync labels from Azure.
Endpoint permissions:
User_Impersonation: needed for the Endpoint Agent to impersonate the endpoint user so that it can decrypt that user's content.
UnifiedPolicy.User.Read: needed for the Endpoint Agent to fetch all the MIP labels a logged-in user has access to. The Endpoint Agent suggests/enforces a label only from the label(s) that are accessible to that specific user.