Microsoft 365 Message Center Archive

MC990961 - Microsoft Purview | Insider Risk Management: DLP alerts as indicators

Message ID

MC990961

View in Message Center

Service

Microsoft Purview

Published

Jan 29, 2025

Tag

New feature
Admin impact

Roadmap ID

475057

View in M365 Roadmap

Platforms

Web

More information

Coming soon to Microsoft Purview Insider Risk Management (IRM) admins will be able to select Data Loss Prevention (DLP) alerts as indicators in IRM policies. After this rollout, IRM admins can select DLP policies that they would like to bring into IRM and detect if a user has alerts for the pre-selected DLP policies. When an IRM alert is generated, admin and analysts can see if there are any high-risk alerts for this user within DLP for the policies that are enabled as indicators. This feature will help admins and analysts view this information in IRM without switching to DLP.

This message is associated with Microsoft 365 Roadmap ID 475057.

When this will happen:

Public Preview: We will begin rolling out early March 2025 and expect to complete by late March 2025.

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out late May 2025 and expect to complete by mid-June 2025.

How this will affect your organization:

Admins will be able to enable this indicator in IRM’s global settings for policy indicators. When enabled, this indicator can be selected in the Data Theft by departing users, Data leaks, Data leaks by risky users, Data leaks by priority users, and Risky AI Usage policy templates.

Using the indicator

1. In Settings > Insider Risk Management > Policy indicators > Built-in Indicators: Open the Data loss prevention (DLP) alerts indicators (preview) drop-down menu. Select Add DLP policies and choose the DLP policies to bring into IRM. Check the box for Generating alerts from selected DLP policies. Save the changes. Note: This indicator will not work if no DLP policies are added and if the checkbox is not selected.

admin controls

2. To use in a policy: In the policy wizard for Data theft by departing users, Data leaks, Data leaks by risky users, Data leaks by priority users, and Risky AI usage policy templates, configure the policies as applicable until you get to the Indicators page. Open the Data loss prevention (DLP) alerts indicators (preview) drop-down menu and check the box for Generating alerts from selected DLP policies. Configure the rest of the policy as applicable.

admin controls

3. Example of an alert generated by this indicator:

admin controls

The indicator will be available by default for admins to configure.

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your admins about this change and update any relevant documentation.

Learn more: Configure policy indicators in insider risk management | Microsoft Learn (will be updated before rollout)