Summary
Table of Contents
- Microsoft Purview Endpoint DLP Just-in-time protection audit logging is changing from automatic logging to an explicitly scoped setting: admins must configure which users or groups have activities audited.
- Affected: Purview/Endpoint DLP administrators who manage Just-in-time protection and Activity explorer visibility; audited vs blocked scopes determine whether activities are logged or enforcement occurs.
- Admin action required: deploy anti-malware client 4.18.26060 or later, review current Just-in-time configuration, and explicitly add any users or groups that should continue generating audit events.
- Verify after configuration by validating expected events appear in Activity explorer; users not added to audit or block scopes will no longer have their Just-in-time activities recorded.
Primary Service: Purview
Admin Impact: High
User Impact: Low
Release Start: 01 Jul 2026
Release End: 01 Jul 2026
Services: DLP, Purview
Category: Stay informed
Tags: Admin Action, New Feature
History
6/11/2026 Item Added to Message Center
Microsoft Message
What and Why
Admins can now scope which users and groups have their activities audited when Just-in-time protection is enabled in Microsoft Purview Endpoint Data Loss Prevention.
Previously, when Just-in-time protection was turned on, user activities were logged automatically for users who were not targeted by policies. With this update, audit logging must be explicitly configured so that only users or groups included in the audit scope have their activities logged. This change gives organizations greater control over audit signal collection and helps reduce unnecessary audit noise.
This message is associated with Microsoft 365 Roadmap ID 562991.
Rollout Schedule
Global: We will begin rolling out in early July 2026 and expect to complete by early July 2026.
Impact on Your Organization
Who is affected: Admins managing Microsoft Purview Endpoint Data Loss Prevention and Just-in-time protection settings.
Platforms/Services:
- Microsoft Purview
- Endpoint Data Loss Prevention
- Activity explorer.
What will happen:
- Just-in-time audit behavior is now managed through the Audit covered user activities setting under Settings > Data loss prevention > Just-in-time protection. Under the Devices tab, turn on Audit covered user activities.
- Screenshot: Just-in-time protection settings with Audit covered user activities turned on:
- Users included in audit scope will not see enforcement actions, and their activities will be recorded in Activity explorer.
- Users included in block scope will be prevented from completing actions while files are evaluated for sensitive information. Their activities are recorded in Activity explorer.
- Users not included in audit or block scope will not have activities covered by Just-in-time protection recorded.
- Audited activities include printing, transfers to removable media or network shares, copying or moving files using Remote Desktop Protocol or an unapproved Bluetooth app, and uploading files to a restricted cloud service domain.
Action Required / Recommendations
- Deploy anti-malware client version 4.18.26060 or later before enabling this feature.
- Review your existing Just-in-time configuration to identify users currently generating audit events.
- Explicitly add all users or groups that should continue generating Just-in-time audit events to the audit scope.
- Validate your configuration to ensure expected activities appear in Activity explorer.
Learn more: Get started with Microsoft Purview Data Loss Prevention just-in-time protection | Microsoft Learn
Compliance considerations
Compliance area: Audit logging capabilities
Impact: Audit logging behavior changes from automatic to explicitly scoped, affecting which user activities are recorded for Just-in-time protection.
Compliance area: Admin compliance monitoring and reporting
Impact: Admins must configure audit scope to maintain expected visibility of user activity in Activity explorer.
Compliance area: Purview reporting and compliance workflows
Impact: The change alters how Just-in-time audit data is collected and reviewed for compliance and investigation workflows.
Compliance area: Admin controls and group-based configuration
Impact: The feature introduces additional admin configuration controls for scoping audit behavior, which may be applied using user or group selection.