Purview Data Security Investigations Adds Alerts and Guided Search

Microsoft has marked new notification and search capabilities for Microsoft Purview Data Security Investigations as launched worldwide for standard multi-tenant Microsoft 365 tenants. The update, tracked as Microsoft 365 Roadmap item 560325, was listed for general availability in June 2026 and last updated on July 13.
According to Microsoft’s roadmap entry, the changes are aimed at investigators working data-security cases in Purview. The service can now notify investigators when important events occur within an investigation, including completion of AI jobs and the addition of new data to an investigation’s scope.

An analyst reviews an insider data risk investigation dashboard on a desktop monitor.Less waiting on investigation status​

The notification feature addresses a mundane but consequential problem in review workflows: investigators should no longer need to repeatedly return to a case merely to see whether a long-running AI task has finished or whether the evidence set has changed.
That does not alter the underlying investigation process or automate a disposition decision. It is a workflow improvement intended to surface state changes that may require a reviewer to resume work, validate results, or reassess the scope of a case. For security and compliance teams handling potential exposure of sensitive information, a newly added in-scope data source can materially change both the review workload and the incident’s priority.
Microsoft did not specify in the roadmap entry whether notifications are delivered by email, inside the Purview portal, or through another Microsoft 365 channel. Administrators should therefore treat the announcement as confirmation of the capability rather than assume a particular notification route or policy control.

Search gets a more guided query-building experience​

Microsoft is also improving search construction in Data Security Investigations. The company says the updated query-building experience is designed to make it easier to identify potentially impacted data.
This is the more substantive part of the release for day-to-day investigators. In a data-security review, the quality of the search determines the initial population of files, messages, records, or other data requiring inspection. A more usable query builder can reduce the friction of combining terms and conditions when an analyst is trying to locate content related to a suspected leak, policy violation, or misuse of sensitive data.
Microsoft’s wording is careful: the update helps investigators identify potentially impacted data. Search results still need human validation, and teams should not treat a narrower or broader query result as proof that all affected content has—or has not—been found.

What admins should do​

There is no client update or Windows servicing action associated with this roadmap item; it is a web-based Purview capability. Organizations that use Data Security Investigations should review an active or test investigation to confirm the new notifications appear as expected and that assigned investigators can act on them.
Teams should also update any internal investigation runbooks that assume analysts must manually poll for AI-job completion or scope updates. The practical change is straightforward: Purview investigators should see case progress sooner, while the revised search experience may make it faster to build the searches that define their review set.

References​

  1. Primary source: Microsoft 365 Roadmap
    Published: 2026-07-13T23:07:14.8221961Z
 

Back
Top