How to Fix Microsoft Purview TOC Not Loading
Why the Microsoft Purview TOC Isn't Loading
You open the Microsoft Purview compliance portal at purview.microsoft.com, you log in successfully , and then nothing. The left-hand navigation panel is blank, spinning, or completely absent. You can't reach Data Loss Prevention, Sensitivity Labels, eDiscovery, Insider Risk Management, or any other section because the entire table of contents (TOC) sidebar has vanished. I've seen this exact issue on dozens of enterprise tenants, and I know how disorienting it is when your compliance work grinds to a halt.
The Microsoft Purview TOC not loading is one of those errors that Microsoft's portal gives you zero useful feedback on. No error code. No warning banner. Just an empty sidebar where your navigation should be. Sometimes you get the dreaded infinite spinner. Sometimes the page loads but the left nav shows only a thin grey strip. Either way, you're locked out of the tool you need.
Here's what's actually going on under the hood. The Purview portal is a single-page React application hosted across multiple Azure endpoints. The TOC component fetches its configuration from a background API call , typically to compliance.microsoft.com endpoints, and renders the navigation dynamically based on your assigned roles and active licenses. When that API call fails silently, or when the browser can't parse the returned JSON (often because of a cached malformed response), the TOC simply never renders.
The most common root causes I see in the field, in rough order of frequency:
- Stale browser cache or corrupted session tokens, the single most common culprit by a wide margin
- Missing or misconfigured RBAC role assignments in the Purview compliance portal, the TOC is dynamically scoped to your roles, so if your role assignment is broken, the TOC won't know what to render
- Insufficient or expired Microsoft 365 licensing, Purview features are tied to E3, E5, or specific add-on SKUs; a lapsed license silently kills navigation sections
- Conditional Access policies or Azure AD token failures, particularly on domain-joined devices where hybrid identity can cause token mismatch errors
- Network-level blocks on required Microsoft endpoints, corporate proxies, Zscaler, Netskope, or firewall rules that intercept TLS traffic to
*.compliance.microsoft.comor*.purview.microsoft.com - Browser extension interference, ad blockers, security extensions, or corporate endpoint agents injecting JavaScript into the portal
- Tenant-level service incidents, though less common, genuine Microsoft-side outages do happen and are worth ruling out first
The frustrating part is that none of these causes produce a helpful on-screen message. You have to work through them methodically. That's exactly what this guide does. Browse all Microsoft fix guides →
The Quick Fix, Try This First
Before you spend an hour digging through role assignments and Group Policy, try this. It resolves the Purview TOC not loading issue for roughly 60% of users who hit it.
Open a new InPrivate or Incognito window, press Ctrl+Shift+N in Edge or Chrome, then navigate directly to https://purview.microsoft.com and sign in fresh. If the TOC loads in the private window but not in your normal browser, the problem is definitively a corrupted session, cached token, or a browser extension. That's good news, it's entirely fixable on your end.
If the private window also fails, you're likely looking at a role assignment issue, a licensing gap, or a network-level block. Keep reading, the steps below cover all of it.
Assuming the private window worked, here's how you permanently fix your normal browser session:
- Close all tabs running any Microsoft 365 or Purview URLs
- Open Edge Settings → Privacy, search, and services → Clear browsing data
- Set time range to All time, check Cookies and other site data, Cached images and files, and Site permissions
- Click Clear now
- In the address bar, go to
edge://settings/content/cookiesand verify thatmicrosoft.comis not in the "Block" list - Reopen Purview and sign in
For Chrome, the equivalent path is Settings → Privacy and security → Clear browsing data → Advanced. Same checkboxes, same time range.
If you're on a corporate machine where IT has locked down cookie or cache clearing, you'll need to have your helpdesk do this, or jump straight to Step 3 in the detailed walkthrough below.
login.microsoftonline.com, and delete them manually. This is faster than clearing all browsing data and avoids logging you out of everything else.
I always tell people to check this before doing anything else, and most people skip it. Don't. If Microsoft is having a genuine Purview portal incident, nothing you do locally will fix it, and you'll waste an hour chasing phantom causes.
Go to Microsoft 365 admin center at admin.microsoft.com, then navigate to Health → Service health. Look specifically for incidents tagged against Microsoft Purview, Microsoft 365 Compliance, or Azure Active Directory. Active incidents will show in yellow or red.
Alternatively, check the Microsoft 365 Status Twitter/X page or the Azure Status page at status.azure.com. Filter by region. If you're in a specific Azure geography, US East, West Europe, Southeast Asia, filter to your region to see if it's localized.
Also worth checking: open a PowerShell session and run the following to see if your tenant is receiving any advisory messages related to Purview:
Connect-ExchangeOnline
Get-ServiceHealth | Where-Object {$_.WorkloadDisplayName -like "*Purview*" -or $_.WorkloadDisplayName -like "*Compliance*"} | Format-ListYou need the Exchange Online PowerShell module for this, and you'll need at least a Service Support Admin role in your tenant. If you see any active incidents here, open a Microsoft support ticket and wait for resolution, that's the right call.
If everything shows green, move on. The problem is specific to your environment.
This one catches a lot of people. The Microsoft Purview TOC is dynamically built based on the roles assigned to your account inside the Purview compliance portal's own role-based access control system, which is separate from your Microsoft 365 admin roles and separate from Azure RBAC. Even if you're a Global Administrator in Microsoft 365, that doesn't automatically give you a populated Purview TOC.
To check and fix role assignments:
- Sign in to
https://purview.microsoft.comusing a different account that you know works, ideally a Global Administrator account - Go to Settings → Roles and scopes → Role groups
- Find the role group relevant to what you need, e.g., Compliance Administrator, eDiscovery Manager, Information Protection
- Click the role group → Edit → Choose members → verify your affected user account is listed
If your account isn't in any role group, add it to Compliance Administrator as a baseline. Then wait 5–10 minutes for replication before testing again. Role changes in Purview don't propagate instantly.
You can also do this via PowerShell using the Security & Compliance module:
Connect-IPPSSession
Get-RoleGroupMember -Identity "Compliance Administrator"
Add-RoleGroupMember -Identity "Compliance Administrator" -Member "user@yourdomain.com"After the role is applied, sign out of the Purview portal completely, clear your session tokens as described in the Quick Fix section, and sign back in. If the TOC was blank due to missing role assignments, it will now render fully.
The Purview compliance portal TOC is license-aware. Navigation items for features you're not licensed for are simply hidden, and in some misconfigured tenant states, this can result in an entirely blank TOC if no features are licensed at all. I know this sounds aggressive, but I've seen it happen during M365 license migrations where Purview add-ons weren't carried across.
Check licensing in the Microsoft 365 admin center at admin.microsoft.com → Billing → Licenses. For full Purview access you need one of:
- Microsoft 365 E5 or Office 365 E5, includes the full Purview suite
- Microsoft 365 E3 with the Microsoft 365 E5 Compliance add-on
- Microsoft Purview Information Protection and Governance add-on (standalone)
Also verify the license is actually assigned to the affected user account, a license can exist in your tenant but not be assigned. Go to admin.microsoft.com → Users → Active users, find the user, click their name, go to Licenses and apps, and confirm the appropriate license has a checkmark.
If a license was recently renewed, removed, or changed, the Purview portal can take up to 24 hours to reflect the new state, though in practice it's usually under an hour. Signing out and back in tends to accelerate this.
For a PowerShell license check against a specific user:
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUserLicenseDetail -UserId "user@yourdomain.com" | Select-Object SkuPartNumberLook for SPE_E5, ENTERPRISEPREMIUM, or INFORMATION_PROTECTION_COMPLIANCE in the output.
Microsoft Purview is officially supported on Microsoft Edge (Chromium-based) and Google Chrome. Firefox and Safari have partial support, and older versions of any browser can cause the TOC rendering to fail silently. The portal uses modern JavaScript APIs, specifically Fetch, WebSockets, and MSAL 2.0, that older browsers handle inconsistently.
Here's what I recommend:
Step 1, Disable all browser extensions. Open Edge and go to edge://extensions/. Toggle every extension off. Then reload Purview. If the TOC appears, re-enable extensions one at a time to identify the culprit. Common offenders: uBlock Origin, Ghostery, corporate security agents like CrowdStrike's browser extension, and some password managers that inject content scripts into all pages.
Step 2, Check browser version. In Edge, go to edge://settings/help. You need Edge 100 or later for full Purview compatibility. In Chrome, go to chrome://settings/help. Update if needed.
Step 3, Add Purview to trusted sites. On corporate machines, Internet Explorer/Edge security zones can interfere even in modern Edge. Open Control Panel → Internet Options → Security → Trusted Sites → Sites, and add:
https://*.purview.microsoft.com
https://*.compliance.microsoft.com
https://login.microsoftonline.comClick Add for each, then Close → Apply → OK. Restart Edge and test again.
If the TOC loads after any of these steps, you've found your fix. If not, continue to Step 5.
Corporate environments with proxy servers, SSL inspection, or next-gen firewalls are a common hidden cause of Purview TOC failures. The portal makes background API calls to multiple Microsoft endpoints. If any of these are blocked or TLS-inspected in a way that breaks certificate chains, the API responses come back malformed and the TOC component silently fails to render.
The endpoints that must be reachable without TLS interception from client machines:
https://purview.microsoft.com
https://compliance.microsoft.com
https://*.compliance.microsoft.com
https://login.microsoftonline.com
https://login.microsoft.com
https://aadcdn.msftauth.net
https://graph.microsoft.com
https://*.protection.outlook.comTo test quickly from the affected machine, open PowerShell and run:
Test-NetConnection -ComputerName compliance.microsoft.com -Port 443
Test-NetConnection -ComputerName purview.microsoft.com -Port 443Both should return TcpTestSucceeded : True. If either fails, your network team needs to open those ports or add bypass rules for these endpoints in your proxy.
For SSL inspection specifically: check whether your proxy is replacing Microsoft's TLS certificates. In Edge, click the padlock icon in the address bar when visiting purview.microsoft.com → Connection is secure → Certificate is valid. The issuer should be DigiCert or Microsoft. If it shows your company's internal CA, your proxy is intercepting the traffic, work with your network admin to add a bypass rule for *.purview.microsoft.com and *.compliance.microsoft.com.
On Zscaler specifically, your admin needs to add these FQDNs to the SSL bypass list under Policy → SSL Inspection → SSL Bypass.
Advanced Troubleshooting
Analyzing Browser Console Errors
When the basic fixes don't work, the browser's developer console almost always tells you exactly what's failing. Open Purview, press F12 to open DevTools, click the Console tab, and reload the page. Look for red errors, particularly anything mentioning 401, 403, CORS, Failed to fetch, or specific API endpoint failures like https://compliance.microsoft.com/api/v1/navigation.
A 401 Unauthorized against the navigation API is a definitive sign of a token issue. A 403 Forbidden usually means role assignment is the problem. A CORS error or network failure points to proxy/firewall interference.
Checking Event Viewer for Azure AD Sign-In Failures
On domain-joined or hybrid Azure AD-joined machines, sign-in token failures are logged locally. Open Event Viewer (Win+R, type eventvwr.msc), navigate to Applications and Services Logs → Microsoft → Windows → AAD → Operational. Look for Event ID 1098 (token acquisition failure) or Event ID 1104 (silent sign-in failure). These events include the exact error code and AADSTS error number, for example, AADSTS50076 means MFA is required, and AADSTS700003 means your device isn't registered properly in Azure AD.
Conditional Access Policy Conflicts
If your organization uses Conditional Access (CA) policies, a policy targeting the Microsoft 365 Compliance application might be blocking token issuance or requiring a device compliance check that your machine fails. In the Azure AD admin center at entra.microsoft.com, go to Security → Conditional Access → Sign-in logs and filter by your user account and the last 24 hours. Look for any "Failure" entries targeting the Office 365 or Microsoft Purview cloud app. Each failure entry shows exactly which CA policy triggered and why.
Common CA-related Purview TOC failures include: device compliance requirement not met, trusted location requirement when working from home, and legacy authentication block applied too broadly.
Clearing the MSAL Token Cache via Registry
In persistent enterprise environments where browser cache clearing doesn't resolve stale tokens, you can clear the MSAL token cache stored in the Windows Credential Manager. Open Credential Manager from Control Panel, click Windows Credentials, and remove any entries starting with MicrosoftOffice16_Data or containing microsoftonline.com. Then run:
reg delete "HKCU\Software\Microsoft\Office\16.0\Common\Identity" /f
reg delete "HKCU\Software\Microsoft\Office\16.0\Common\Internet" /fRestart your machine after this. These registry keys store cached authentication state for the Office/M365 suite, and stale entries here can conflict with fresh Purview portal token requests.
Tenant-Level Portal Reset via PowerShell
If the TOC is broken for multiple users in your tenant, not just one, the issue may be at the tenant configuration level. Run the following to check for any compliance portal configuration errors:
Connect-IPPSSession
Get-ComplianceTag | Select-Object -First 5
Get-DlpCompliancePolicy | Select-Object -First 5If either of these commands returns errors about tenant provisioning or service endpoints, open a Microsoft support ticket immediately, this is a tenant-side configuration issue that requires Microsoft's backend team to resolve.
Prevention & Best Practices
Once you've fixed the Microsoft Purview TOC loading issue, you want to make sure you're not dealing with it again in a month. Here's what I recommend for keeping the Purview portal running reliably in enterprise environments.
Document your role group assignments. One of the most common reasons the TOC breaks after a routine admin change is that a role group membership was inadvertently removed during a user account modification. Keep a living spreadsheet of which accounts belong to which Purview role groups, and review it monthly. Even better, use Microsoft Entra ID Privileged Identity Management (PIM) to make Purview role assignments just-in-time and audited, this creates a natural log of every change.
Monitor your M365 license assignments proactively. Set up an alert in the Microsoft 365 admin center under Health → Message center for any licensing changes. When a renewal lapses or an admin removes an E5 license, you want to know within hours, not when a compliance officer can't open their Purview dashboard in the middle of an audit.
Maintain an endpoint allowlist for Purview. Work with your network team to create a standing bypass rule in your proxy for all *.purview.microsoft.com and *.compliance.microsoft.com endpoints. Microsoft publishes their IP and URL lists at aka.ms/o365endpoints, subscribe to the RSS feed for change notifications and sync those changes into your firewall ruleset within 30 days of any update.
Test Purview access monthly as part of your compliance operations runbook. Many teams only discover the portal is broken when they need it urgently. Add a 5-minute monthly check to your IT ops calendar, sign into Purview, verify the TOC loads, and verify you can navigate to your three most-used sections. Catching a degraded state early costs far less than scrambling to restore access during an active eDiscovery request or regulatory audit.
Keep browsers updated on compliance-team machines. Edge and Chrome ship fixes for authentication and rendering issues regularly. Most corporate environments use managed update policies, make sure Purview-heavy users (compliance officers, legal, information security) are in a "fast ring" or at least not blocking updates for more than 30 days.
- Pin
purview.microsoft.comas a Trusted Site in Internet Options on all compliance team machines, this prevents a whole class of zone-related issues - Create a dedicated service account with Compliance Administrator rights for automated Purview tasks, so personal account role changes don't break scripted workflows
- Subscribe to the M365 Message Center digest email, Purview feature deprecations and portal changes are announced there 30+ days in advance
- Run
Test-NetConnection -ComputerName purview.microsoft.com -Port 443as part of your onboarding checklist for new compliance team members, catches network blocks on day one instead of mid-project
Frequently Asked Questions
The Purview TOC loads for other users but not for me, what's different about my account?
This is almost always a role group membership issue specific to your account. Even if you're a Global Administrator, you need to be explicitly added to one or more Purview role groups for the TOC to render navigation items. Have another admin check your membership in purview.microsoft.com → Settings → Roles and scopes → Role groups. Also verify your M365 license is assigned to your specific account, a tenant can have licenses available while yours is unassigned. Clear your browser cache and sign-in tokens after any changes, then wait 10 minutes for role replication before retesting.
Purview TOC was working yesterday and now it's blank, did something break overnight?
Three things typically cause an overnight regression: a Microsoft service incident, an expired session token that couldn't silently refresh, or a Conditional Access policy that kicked in during a routine policy sync. Check the M365 Service Health dashboard at admin.microsoft.com → Health → Service health first. If that's clean, open an InPrivate window and sign in fresh, if the TOC loads there, the issue is a stale token in your normal session. Clear your browser cookies and cached data scoped to microsoft.com, then sign in again. If neither helps, pull the Azure AD sign-in logs for your account and look for failures in the last 24 hours.
Can a Group Policy setting on my company laptop cause the Purview TOC to not load?
Yes, absolutely. Several Group Policy settings can interfere. The most common ones I see in enterprise environments: Enhanced Protected Mode enabled in Internet Explorer settings (which Edge can inherit), cookie blocking policies applied to microsoft.com domains, and JavaScript restrictions pushed through GPO to managed browsers. Run gpresult /h gpreport.html from a command prompt and review the output for any browser-related policies. Also check Edge for Business policies at edge://policy/, look for anything referencing cookies, third-party access, or site isolation that might be overriding your trusted sites settings.
I'm getting a spinning loader on the Purview left nav but it never finishes, is that the same problem?
Yes, an infinite spinner on the TOC is the same underlying failure manifesting differently. The TOC component is stuck waiting for an API response that never completes. Open browser DevTools (F12) and go to the Network tab, then reload the page. Filter by XHR or Fetch request type and look for any request to a compliance.microsoft.com URL that shows status pending indefinitely or returns a 401, 403, or net::ERR_FAILED. That failing request is your root cause, a 401 is a token issue, a 403 is a role issue, and a network error is a proxy/firewall block.
Does the new unified Microsoft Purview portal work differently than the old compliance.microsoft.com URL?
The new portal at purview.microsoft.com, introduced in 2023 and now the primary interface, uses a different underlying navigation architecture than the legacy compliance.microsoft.com portal. Some role groups and licensing checks behave slightly differently between the two. If the TOC loads on the legacy URL but not on the new one, your issue is likely specific to the new portal's navigation API. The legacy URL redirects to the new portal as of early 2025, but you can still access specific compliance workloads directly via deep links. Microsoft recommends fully transitioning to purview.microsoft.com and the legacy portal's role group system has been merged into the new one.
We moved from an E3 to E5 license last week and now Purview TOC is broken, how do I fix it?
License migrations are a frequent trigger for Purview TOC issues because Microsoft's backend licensing service can take 12–48 hours to fully propagate changes to all dependent services, including Purview's navigation API. First, confirm the E5 licenses are actually assigned, not just purchased, in admin.microsoft.com → Billing → Licenses. Then do a full sign-out from all Microsoft 365 services (go to myaccount.microsoft.com → Sign out everywhere) and sign back in fresh. If the TOC still shows the wrong items after 48 hours, run the PowerShell licensing check from Step 3 of this guide, and if everything looks correct there, open a Microsoft support case with your tenant ID and the migration date, this is a known post-migration sync issue that Microsoft's backend team can force-refresh.