Table of Contents
Summary
- The Data Security Triage Agent in Microsoft Purview Insider Risk Management is being enhanced for better alert triage and investigation focus.
- This update prioritizes alerts based on user risk and activity, summarizes behavioral risk patterns, and provides expanded user context.
- Admins need to enable the Triage Agent; it is not on by default.
- Organizations using Microsoft 365 E5 will also receive Security Copilot to aid in investigations.
- No immediate action is required, but training for analysts and reviewing internal documentation is recommended.
Admin Impact: Medium
User Impact: Low
Release Start: 30 Jun 2026
Release End: 31 Jul 2026
Services: Purview
Category: Stay informed
Tags: New Feature, User Adoption, Admin Action
History
3/6/2026 Item Added to Message Center
Microsoft Message
Introduction
We’re enhancing the Data Security Triage Agent in Microsoft Purview Insider Risk Management to help analysts triage alerts more efficiently and focus investigations on the activities and users that matter most. These updates respond to customer feedback for clearer risk context, streamlined alert review, and improved investigation accuracy.
This message is associated with Microsoft 365 Roadmap ID 557683.
When this will happen
- Public Preview: We will begin rolling out in early March 2026 and expect to complete by early April 2026.
- General Availability (Worldwide): We will begin rolling out in late June 2026 and expect to complete by late July 2026.
How this affects your organization
Who is affected
- Admins and security analysts who use Microsoft Purview Insider Risk Management.
- Organizations with Insider Risk Management enabled and analysts using alert triage workflows.
What will happen
The newly enhanced Data Security Triage Agent acts as the front door to investigations, helping teams immediately understand who and what matters most. Instead of manually reviewing raw alerts, the Data Security Triage Agent provides:
- Prioritized alerts based on user risk and activity patterns.
- Behavioral risk patterns summarized into investigative themes, helping analysts move more quickly from alert to insight.
- Expanded user context, including role, employment status (such as last working date), and prior alert history.
- Access to the enhanced experience in:
- Purview portal → Insider Risk Management → Agent tab
- Alerts tab → Triage Agent toggle
- The enhancement is not enabled by default; admins must turn on the Data Security Triage Agent.
- Organizations using Microsoft 365 E5 will also receive Security Copilot to support investigations; rollout is ongoing and customers will receive advance notice.
Screenshot 1 – View of alerts
Screenshot 2 – How to access the enhanced Triage Agent in Microsoft Purview Insider Risk Management (IRM):
What you can do to prepare
No immediate action is required. However, to make use of the new capabilities, consider the following steps:
- Enable the Data Security Triage Agent in the Purview portal (Agent tab).
- Train analysts to access the enhanced view using the Triage Agent toggle in the Alerts tab.
- Review your internal documentation for Insider Risk investigation processes and update it as needed.
Learn more: Agents built into your workflow: Get Security Copilot with Microsoft 365 E5
Compliance considerations
No compliance considerations identified. Review as appropriate for your organization.