Microsoft has marked new notification and search capabilities for Microsoft Purview Data Security Investigations as launched worldwide for standard multi-tenant Microsoft 365 tenants. The update, tracked as Microsoft 365 Roadmap item 560325, was listed for general availability in June 2026 and last updated on July 13.
According to Microsoft’s roadmap entry, the changes are aimed at investigators working data-security cases in Purview. The service can now notify investigators when important events occur within an investigation, including completion of AI jobs and the addition of new data to an investigation’s scope.
The notification feature addresses a mundane but consequential problem in review workflows: investigators should no longer need to repeatedly return to a case merely to see whether a long-running AI task has finished or whether the evidence set has changed.
That does not alter the underlying investigation process or automate a disposition decision. It is a workflow improvement intended to surface state changes that may require a reviewer to resume work, validate results, or reassess the scope of a case. For security and compliance teams handling potential exposure of sensitive information, a newly added in-scope data source can materially change both the review workload and the incident’s priority.
Microsoft did not specify in the roadmap entry whether notifications are delivered by email, inside the Purview portal, or through another Microsoft 365 channel. Administrators should therefore treat the announcement as confirmation of the capability rather than assume a particular notification route or policy control.
This is the more substantive part of the release for day-to-day investigators. In a data-security review, the quality of the search determines the initial population of files, messages, records, or other data requiring inspection. A more usable query builder can reduce the friction of combining terms and conditions when an analyst is trying to locate content related to a suspected leak, policy violation, or misuse of sensitive data.
Microsoft’s wording is careful: the update helps investigators identify potentially impacted data. Search results still need human validation, and teams should not treat a narrower or broader query result as proof that all affected content has—or has not—been found.
Teams should also update any internal investigation runbooks that assume analysts must manually poll for AI-job completion or scope updates. The practical change is straightforward: Purview investigators should see case progress sooner, while the revised search experience may make it faster to build the searches that define their review set.
According to Microsoft’s roadmap entry, the changes are aimed at investigators working data-security cases in Purview. The service can now notify investigators when important events occur within an investigation, including completion of AI jobs and the addition of new data to an investigation’s scope.
Less waiting on investigation status
The notification feature addresses a mundane but consequential problem in review workflows: investigators should no longer need to repeatedly return to a case merely to see whether a long-running AI task has finished or whether the evidence set has changed.That does not alter the underlying investigation process or automate a disposition decision. It is a workflow improvement intended to surface state changes that may require a reviewer to resume work, validate results, or reassess the scope of a case. For security and compliance teams handling potential exposure of sensitive information, a newly added in-scope data source can materially change both the review workload and the incident’s priority.
Microsoft did not specify in the roadmap entry whether notifications are delivered by email, inside the Purview portal, or through another Microsoft 365 channel. Administrators should therefore treat the announcement as confirmation of the capability rather than assume a particular notification route or policy control.
Search gets a more guided query-building experience
Microsoft is also improving search construction in Data Security Investigations. The company says the updated query-building experience is designed to make it easier to identify potentially impacted data.This is the more substantive part of the release for day-to-day investigators. In a data-security review, the quality of the search determines the initial population of files, messages, records, or other data requiring inspection. A more usable query builder can reduce the friction of combining terms and conditions when an analyst is trying to locate content related to a suspected leak, policy violation, or misuse of sensitive data.
Microsoft’s wording is careful: the update helps investigators identify potentially impacted data. Search results still need human validation, and teams should not treat a narrower or broader query result as proof that all affected content has—or has not—been found.
What admins should do
There is no client update or Windows servicing action associated with this roadmap item; it is a web-based Purview capability. Organizations that use Data Security Investigations should review an active or test investigation to confirm the new notifications appear as expected and that assigned investigators can act on them.Teams should also update any internal investigation runbooks that assume analysts must manually poll for AI-job completion or scope updates. The practical change is straightforward: Purview investigators should see case progress sooner, while the revised search experience may make it faster to build the searches that define their review set.
References
- Primary source: Microsoft 365 Roadmap
Published: 2026-07-13T23:07:14.8221961Z
Microsoft 365 Roadmap | Microsoft 365
The Microsoft 365 Roadmap lists updates that are currently planned for applicable subscribers. Check here for more information on the status of new features and updates.www.microsoft.com