Microsoft 365 Message Center Archive

MC1246005 - Microsoft Purview | Insider Risk Management – Enhancements to the Data Security Triage Agent

Message ID

MC1246005

View in Message Center

Service

Microsoft Purview

Published

Mar 6, 2026

Tag

New feature
User impact
Admin impact

Roadmap ID

557683

View in M365 Roadmap

Platforms

Web

Summary

Microsoft Purview Insider Risk Management is enhancing the Data Security Triage Agent to prioritize alerts, summarize behavioral risks, and expand user context for more efficient investigations. The update rolls out from March to July 2026, requires admin activation, and includes Security Copilot for Microsoft 365 E5 users.

More information

Introduction

We’re enhancing the Data Security Triage Agent in Microsoft Purview Insider Risk Management to help analysts triage alerts more efficiently and focus investigations on the activities and users that matter most. These updates respond to customer feedback for clearer risk context, streamlined alert review, and improved investigation accuracy.

This message is associated with Microsoft 365 Roadmap ID 557683.

When this will happen

  • Public Preview: We will begin rolling out in early March 2026 and expect to complete by early April 2026.
  • General Availability (Worldwide): We will begin rolling out in late June 2026 and expect to complete by late July 2026.

How this affects your organization

Who is affected

  • Admins and security analysts who use Microsoft Purview Insider Risk Management.
  • Organizations with Insider Risk Management enabled and analysts using alert triage workflows.

What will happen

The newly enhanced Data Security Triage Agent acts as the front door to investigations, helping teams immediately understand who and what matters most. Instead of manually reviewing raw alerts, the Data Security Triage Agent provides:

  • Prioritized alerts based on user risk and activity patterns.
  • Behavioral risk patterns summarized into investigative themes, helping analysts move more quickly from alert to insight.
  • Expanded user context, including role, employment status (such as last working date), and prior alert history.
  • Access to the enhanced experience in:
    • Purview portal → Insider Risk Management → Agent tab
    • Alerts tab → Triage Agent toggle
  • The enhancement is not enabled by default; admins must turn on the Data Security Triage Agent.
  • Organizations using Microsoft 365 E5 will also receive Security Copilot to support investigations; rollout is ongoing and customers will receive advance notice.

Screenshot 1 - View of alerts

 user settings

Screenshot 2 - How to access the enhanced Triage Agent in Microsoft Purview Insider Risk Management (IRM):

 user settings

What you can do to prepare

No immediate action is required. However, to make use of the new capabilities, consider the following steps:

  • Enable the Data Security Triage Agent in the Purview portal (Agent tab).
  • Train analysts to access the enhanced view using the Triage Agent toggle in the Alerts tab.
  • Review your internal documentation for Insider Risk investigation processes and update it as needed.

Learn more: Agents built into your workflow: Get Security Copilot with Microsoft 365 E5

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.