Microsoft 365 Message Center Archive

MC1169572 - Microsoft Purview | Data loss prevention - Alert classification property for DLP alerts on Purview portal

Message ID

MC1169572

View in Message Center

Service

Microsoft Purview

Published

Oct 10, 2025

Tag

New feature
User impact
Admin impact

Roadmap ID

511795

View in M365 Roadmap

Platforms

Web

Summary

Microsoft Purview introduces a new DLP alert classification property—True Positive, False Positive, Benign Positive, or Not Set—syncing with Microsoft Defender. Rolling out from late October to December 2025, it enables individual or bulk classification by admins, enhancing alert management and reporting without requiring activation.

More information

Introduction

To help security teams better manage and report on data loss prevention (DLP) alerts, Microsoft Purview is introducing a new classification property. This feature allows alerts to be categorized directly in the Purview portal as True Positive, False Positive, or Benign Positive. Classifications can be applied individually or in bulk, and they sync bi-directionally with Microsoft Defender.

This message is associated with Microsoft 365 Roadmap ID 511795.

When this will happen:

Public Preview: Rollout will begin in late October 2025 and is expected to complete by early November 2025.

General Availability (Worldwide): Rollout will begin in late November 2025 and is expected to complete by early December 2025.

How this affects your organization:

  • Who is affected: Admins managing DLP alerts in the Microsoft Purview portal.
  • What will happen:
    • A new classification property will be available for DLP alerts.
    • Alerts can be classified as True Positive, False Positive, Benign Positive, or Not Set.
    • Classification can be applied individually or in bulk.
    • Classification will sync between Purview and Defender portals.
    • Feature will be enabled by default; no admin action is required to activate.

What you can do to prepare:

  • No action is required to enable this feature.
  • Review internal documentation and update any alert handling workflows.
  • Communicate this change to security and compliance teams.
  • Use the classification property to enhance reporting and incident response.
  • For bulk classification, select multiple alerts and use the Set Status button in the alerts queue page.

For visual guidance, refer to the confirmation email attachments for high-resolution PNGs.

How to use the feature:

  1. Generate a DLP alert.
  2. Open the Purview alerts page.
  3. Open the alert details and classify the alert:

    user settings
  4. Alerts can be classified using the left panel on the alerts queue page after clicking the Manage Alerts button:

    user settings

    user settings
  5. You can also classify multiple alerts in bulk by selecting them and clicking the Set Status button:

    user settings

    user settings
Compliance considerations:

Does the change store new customer data?Yes, it stores a new classification property in alert data.
Does the change alter how admins can monitor, report on, or demonstrate compliance activities?Yes, admins can now use the classification property on alerts to generate reports.