M365 Message Center by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Microsoft Purview compliance portal: Data Loss Prevention: User based alert aggregation

Plan for Change
Major Change

Message ID: MC1148528

Roadmap ID: 501786

Services: Microsoft Purview

Affected Platforms: Web

Summary

Microsoft Purview DLP introduces opt-in User-Based Alert Aggregation, consolidating alerts by user within a set time window to improve security triage. Rolling out from September to November 2025, admins can enable it in the compliance portal to group rule match events per user, enhancing investigation efficiency.

Details

Introduction

We're introducing User-Based Alert Aggregation in Microsoft Purview Data Loss Prevention (DLP) to help security teams triage alerts more efficiently. This feature consolidates DLP rule match events by user identity within a defined time window, enabling faster investigation and remediation of potential insider threats.

This message is associated with Roadmap ID 501786.

When this will happen:

Public Preview: We will begin rolling out late September 2025 and expect to complete by early October 2025.

General Availability (Worldwide): We will begin rolling out late October 2025 and expect to complete by early November 2025.

How this affects your organization:

Who is affected: Admins managing DLP policies in the Microsoft Purview compliance portal.

What will happen:

  • This feature is opt-in and can be enabled via the Microsoft Purview compliance portal.
  • Navigate to Settings > Data Loss Prevention > User-Based Alert Aggregation.
  • Toggle on User-Based Aggregation and select an aggregation time window (minimum 15 minutes).

  • DLP rule match events for the same user and rule within the selected window will be grouped into a single alert.
  • Alerts will be created per user and per rule. For example, if User A and User B violate the same rule within 15 minutes, two separate alerts will be generated.
  • Alert volume may increase due to per-user aggregation.
  • Events will continue to be added to an alert even if it is marked resolved or closed, as long as the aggregation window is active.
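
The grouping rules listed above, modelled as an added Python example (not Microsoft's code and not part of the original message). The fixed-length window that starts at an alert's first event, the rule name and the user addresses are assumptions; the message itself states only the per-user, per-rule grouping, the 15-minute minimum, and that resolved or closed alerts keep receiving events while the window is active.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_WINDOW = timedelta(minutes=15)  # minimum window given in the announcement

@dataclass
class Alert:
    user: str
    rule: str
    opened: datetime
    events: list = field(default_factory=list)
    status: str = "active"

class UserAlertAggregator:
    """Model of per-user, per-rule grouping. Assumption: the window has a fixed
    length and starts at the first event of each alert."""

    def __init__(self, window=MIN_WINDOW):
        if window < MIN_WINDOW:
            raise ValueError("window must be at least 15 minutes")
        self.window = window
        self.alerts = []   # every alert created, in order
        self._open = {}    # (user, rule) -> most recent alert

    def ingest(self, ts, user, rule):
        """Add one rule-match event; events must arrive in time order."""
        key = (user, rule)
        alert = self._open.get(key)
        if alert is None or ts - alert.opened >= self.window:
            alert = Alert(user, rule, ts)
            self.alerts.append(alert)
            self._open[key] = alert
        alert.events.append(ts)  # status is not checked: resolved alerts still grow
        return alert

def demo():
    """Constructed events: two users trip the same (hypothetical) rule."""
    t0 = datetime(2025, 10, 1, 9, 0)
    rule, a, b = "Block-PCI-External", "usera@contoso.example", "userb@contoso.example"
    agg = UserAlertAggregator()
    agg.ingest(t0, a, rule)
    agg.ingest(t0 + timedelta(minutes=5), b, rule)    # same rule, other user
    first = agg.ingest(t0 + timedelta(minutes=7), a, rule)
    first.status = "resolved"                         # analyst closes it
    agg.ingest(t0 + timedelta(minutes=12), a, rule)   # window still active
    agg.ingest(t0 + timedelta(minutes=20), a, rule)   # window expired
    return agg.alerts

if __name__ == "__main__":
    for al in demo():
        print(al.user, al.rule, al.status, len(al.events))
```

Replaying exported rule-match events through a model like this with different window lengths gives a rough estimate of alert volume before the setting is enabled.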

What you can do to prepare:

  • No preparation is required unless you choose to enable the feature.
  • To opt in:
    • Go to the Microsoft Purview compliance portal.
    • Navigate to Settings > Data Loss Prevention > User-Based Alert Aggregation.
    • Toggle on the feature and select your preferred aggregation time window.
    • Review internal documentation and communicate the change to your security operations team.

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.

Timeline

  • Published: Sep 5, 2025 (Message published to Message Center)
  • Updated: Sep 5, 2025 (Message content updated)
  • End Date: Dec 12, 2025 (Message timeline ends)

Tags: #Admin impact

Category: Plan for Change
