Message Center
Microsoft Purview Insider Risk Management is enhancing alerts and cases with note-taking capabilities for better investigator collaboration and auditability. Users can add notes, and system-generated notes will track investigation events. Expanded user details and integrated Entra ID profiles improve context. Rollout begins late June 2026.
What and Why:
Microsoft is expanding note-taking capabilities in Microsoft Purview Insider Risk Management (IRM) alerts and cases to improve investigator collaboration and auditability. Analysts and investigators will be able to add notes directly to alerts and cases, while system-generated notes will automatically capture key investigation events such as status changes and user assignments. This enhancement helps security and compliance teams maintain a centralized investigation history, improve collaboration, and streamline insider risk investigations within a single experience.
This message is associated with Microsoft 365 Roadmap ID 564620.
Rollout Schedule:
Impact on Your Organization:
Who is affected:
Platforms/Services:
What will happen:
Screenshot: New Notes experience in Insider Risk Management alerts showing investigator notes and automated activity tracking:

Action Required/Recommendations:
No immediate action is required.
Recommended actions:
Learn more:
Where to find the feature
Compliance Considerations:
| Area | Explanation |
|---|---|
| Stores new customer data | Investigator-authored notes and system-generated notes are new records associated with Insider Risk Management alerts and cases. The post does not specify retention behavior, storage location, or whether data is cached or permanently stored. |
| Alters how existing customer data is processed, stored, or accessed | Additional user context from Microsoft Entra profiles (office location, employee type, department, last working date) and insider risk history are surfaced within the alert experience, providing investigators with consolidated access to existing organizational data. |
| Modifies audit logging capabilities | System-generated notes automatically capture events such as alert status changes and investigator assignments, creating a more detailed and auditable investigation timeline. |
| Alters how admins can monitor, report on, or demonstrate compliance activities | Investigation activities become better documented through investigator notes and automated timeline entries, improving traceability, review readiness, and audit support for insider risk investigations. |
| Admin control available | The announcement references pseudo-anonymization settings that control visibility of user profile information. However, it does not explicitly state whether the new notes capability itself can be enabled, disabled, or scoped by administrators. |
| Can be controlled through Entra ID group membership | The feature surfaces Entra profile information and references priority user groups, but the announcement does not explicitly state whether access to the feature or functionality can be controlled through Entra ID group membership. |
| Modifies GDPR Data Subject Rights processes | Additional investigation notes and profile information become available in alerts and cases. The announcement does not specify whether this changes export, correction, deletion, or access processes for personal data. |