MC1148528 - Microsoft Purview compliance portal: Data Loss Prevention: User based alert aggregation

Service: Microsoft Purview

Published: Sep 5, 2025

Tags: Major change, Admin impact

Platforms: Web

Summary

Microsoft Purview DLP introduces opt-in User-Based Alert Aggregation, which consolidates alerts by user within a set time window to improve security triage. It rolls out from September to November 2025; admins can enable it in the compliance portal to group rule match events per user, making investigation more efficient.

More information

Introduction

We're introducing User-Based Alert Aggregation in Microsoft Purview Data Loss Prevention (DLP) to help security teams triage alerts more efficiently. This feature consolidates DLP rule match events by user identity within a defined time window, enabling faster investigation and remediation of potential insider threats.

This message is associated with Roadmap ID 501786.

When this will happen:

Public Preview: We will begin rolling out late September 2025 and expect to complete by early October 2025.

General Availability (Worldwide): We will begin rolling out late October 2025 and expect to complete by early November 2025.

How this affects your organization:

Who is affected: Admins managing DLP policies in Microsoft Purview compliance portal.

What will happen:

  • This feature is opt-in and can be enabled via the Microsoft Purview compliance portal.
  • Navigate to Settings > Data Loss Prevention > User-Based Alert Aggregation.
  • Toggle on User-Based Aggregation and select an aggregation time window (minimum 15 minutes).

[Screenshot: user settings]

  • DLP rule match events for the same user and rule within the selected window will be grouped into a single alert.
  • Alerts will be created per user and per rule. For example, if User A and User B violate the same rule within 15 minutes, two separate alerts will be generated.
  • Alert volume may increase due to per-user aggregation.
  • Events will continue to be added to an alert even if it is marked resolved or closed, as long as the aggregation window is active.
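The grouping rules in the list above (one alert per user and rule, events grouped within a window of at least 15 minutes, and events still appended to a resolved alert while the window is active) are simple to model. The following Python simulation is an added illustration, not Microsoft's implementation and not code from this notice; it assumes that the aggregation window is anchored at the first event that opens an alert, and the event records, user names and rule names are constructed sample data.

```python
"""Simulation of user-based DLP alert aggregation as described in MC1148528.

Added illustration, not Microsoft's implementation. It models the stated
behaviour: one alert per (user, rule), events grouped within an aggregation
window of at least 15 minutes, and events still appended to a resolved alert
while the window is active. Assumption: the window is anchored at the first
event that opens the alert.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_WINDOW_MINUTES = 15  # minimum window stated in the notice


@dataclass
class Alert:
    user: str
    rule: str
    window_start: datetime
    window_end: datetime
    status: str = "active"            # "active" or "resolved"
    events: list = field(default_factory=list)


class UserAlertAggregator:
    """Groups DLP rule match events into per-user, per-rule alerts."""

    def __init__(self, window_minutes: int = MIN_WINDOW_MINUTES):
        if window_minutes < MIN_WINDOW_MINUTES:
            raise ValueError(f"aggregation window must be at least {MIN_WINDOW_MINUTES} minutes")
        self.window = timedelta(minutes=window_minutes)
        self.alerts: list[Alert] = []
        # (user, rule) -> alert whose aggregation window may still be active
        self._open: dict[tuple[str, str], Alert] = {}

    def ingest(self, event: dict) -> Alert:
        """Attach a rule match event to the alert for its (user, rule) pair.

        A new alert is opened when no alert exists for the pair or when the
        previous alert's window has elapsed. Resolved status does not stop
        aggregation while the window is still active.
        """
        key = (event["user"], event["rule"])
        alert = self._open.get(key)
        if alert is None or event["time"] > alert.window_end:
            alert = Alert(event["user"], event["rule"], event["time"], event["time"] + self.window)
            self.alerts.append(alert)
            self._open[key] = alert
        alert.events.append(event)
        return alert

    def resolve(self, alert: Alert) -> None:
        """Analyst closes the alert; later events in the window still land on it."""
        alert.status = "resolved"

    def alerts_per_user(self) -> dict[str, int]:
        """Triage view: how many alerts each user currently has."""
        counts: dict[str, int] = {}
        for alert in self.alerts:
            counts[alert.user] = counts.get(alert.user, 0) + 1
        return counts


def run_sample() -> UserAlertAggregator:
    """Replay a constructed sequence of rule matches through a 15-minute window."""
    t0 = datetime(2025, 9, 5, 10, 0)
    agg = UserAlertAggregator(window_minutes=15)
    # Constructed events: two users hit the same rule within 15 minutes,
    # the first alert is resolved mid-window, and a later match falls
    # outside the window.
    agg.ingest({"user": "userA", "rule": "CreditCard", "time": t0})
    agg.ingest({"user": "userB", "rule": "CreditCard", "time": t0 + timedelta(minutes=3)})
    first_a = agg.ingest({"user": "userA", "rule": "CreditCard", "time": t0 + timedelta(minutes=5)})
    agg.resolve(first_a)                                              # analyst closes it
    agg.ingest({"user": "userA", "rule": "SSN", "time": t0 + timedelta(minutes=7)})          # different rule
    agg.ingest({"user": "userA", "rule": "CreditCard", "time": t0 + timedelta(minutes=10)})  # appended to resolved alert
    agg.ingest({"user": "userA", "rule": "CreditCard", "time": t0 + timedelta(minutes=20)})  # window elapsed, new alert
    return agg


if __name__ == "__main__":
    for a in run_sample().alerts:
        print(a.user, a.rule, a.status, len(a.events), "events")
```

Replaying the sample yields four alerts: userA and userB each get their own CreditCard alert (two alerts for the same rule, as the notice describes), userA's SSN match opens a third, and the match at minute 20 opens a fourth because the first window has elapsed. The match at minute 10 lands on userA's first alert even though it was already resolved, which is the behaviour a SOC should expect when closing alerts while a window is still open.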

What you can do to prepare:

  • No preparation is required unless you choose to enable the feature.
  • To opt in:
    • Go to Microsoft Purview compliance portal.
    • Navigate to Settings > Data Loss Prevention > User-Based Alert Aggregation.
    • Toggle on the feature and select your preferred aggregation time window.
  • Review internal documentation and communicate the change to your security operations team.

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.