Services
Summary
Microsoft Purview will enforce Entra conditional access policies for eDiscovery admins by blocking non-compliant users from accessing SharePoint content and adding a new ‘FilePreviewed’ audit log activity. Rollout begins now and completes by November 2025, enhancing security and compliance monitoring.
Details
To strengthen Microsoft’s security posture, we’re introducing updates to Microsoft Purview that enhance audit logging and enforce Entra conditional access policies for eDiscovery admins. These changes help ensure that sensitive content is accessed only by users who meet your organization’s security requirements.
When this will happen:
General Availability (Worldwide, GCC, GCCH, and DoD): Rollout will begin and is expected to conclude in late November 2025.
How this affects your organization:
Who is affected: Admins using Microsoft Purview for eDiscovery and subject to Entra conditional access policies.
What will happen:
- When eDiscovery admins preview a file in the Purview portal, the action will be logged under the FilePreviewed activity in Audit logs.
- eDiscovery and Compliance admins who do not meet Entra conditional access policies (such as MFA or Trusted Network Policy) will be blocked from accessing SharePoint Online content via the Purview portal.
- Access behavior is being altered. Previously, eDiscovery Admins could access SharePoint Online content in Purview regardless of their compliance with Entra Conditional Access policies. With this update, access will be restricted for non-compliant admins, representing a change in enforcement behavior.
- Microsoft recommends compliance with Entra policies to maintain uninterrupted access.
- As a temporary workaround, Global admins may use the exclude Users and groups option to exempt specific eDiscovery admins from conditional access enforcement.
What you can do to prepare:
- Ensure all eDiscovery admins comply with your organization’s Entra conditional access policies.
- Review and update your conditional access configurations if exemptions are needed.
Learn more:
- Audit log activities | Microsoft Purview | Microsoft Learn
- How To: Configure the multifactor authentication registration policy | Microsoft Entra ID Protection | Microsoft Entra | Microsoft Learn
Compliance considerations:
| Question | Answer |
| Does the change modify, interrupt, or disable Conditional Access policies? | Yes. Admins who do not meet Entra conditional access requirements will be blocked from accessing SharePoint content via the Purview portal. |
| Does the change modify, interrupt, or disable Audit logging capabilities? | Yes. A new audit log activity, ‘FilePreviewed’, will be recorded when eDiscovery Admins preview files in the Purview portal. |
| Does the change modify, interrupt, or disable eDiscovery or Content Search? | Yes. Access to SharePoint content via eDiscovery will be restricted for non-compliant admins. |
| Does the change alter how admins can monitor, report on, or demonstrate compliance activities? | Yes. The addition of the ‘FilePreviewed’ audit log activity enhances visibility into admin actions and supports compliance reporting. |