Insider Risk Management analysts must manually create cases in the Purview portal after confirming alerts in the Defender XDR portal. New alert-related content will be added for up to 30 days after case creation. The change impacts workflows and requires training. Public Preview starts mid-June 2025, with General Availability by late September 2025.
To create a case, Insider Risk Management analysts must manually select “Confirm all alerts & create case” in the Purview portal after confirming an alert in the Defender XDR portal (security.microsoft.com). Once a case is created, related content such as online files and emails will be available in the Content explorer tab.
New content that contributes to alerts will continue to be added to the Content explorer for up to 30 days from the case creation date. After this period, any new alert-related content will not be added to the existing case. To access new content, analysts must close the current case and create a new one.
This change is associated with Microsoft 365 Roadmap ID 489228.
When this will happen:
Public Preview: Rolling out mid-June 2025; expected completion by late June 2025.
Targeted Release: Rolling out late July 2025; expected completion by mid-August 2025.
General Availability: Rolling out mid-September 2025; expected completion by late September 2025.
How this affects your organization:
Insider Risk Management analysts and investigators will need to manually create cases in the Purview portal for alerts confirmed in Defender XDR. This change may impact existing workflows and requires awareness among security and compliance teams.
What you can do to prepare:
Compliance considerations: