Services
Affected Platforms
Summary
Microsoft Purview's Data Security Investigations will add a new Audit tab for building audit log queries directly within DSI, automatically surfacing related files. This feature, replacing CSV uploads, rolls out April-May 2026, enabling faster, more accurate investigations for admins and investigators without requiring prior configuration.
Details
Introduction
Weβre introducing a new audit log querying experience in Data Security Investigations (DSI) in Microsoft Purview. This update allows administrators and investigators to build audit log queries directly within DSI by specifying criteria such as date range, users, activities, and keywords. DSI will then automatically surface files associated with those activities. This removes the previous manual process of exporting and reviewing large audit log datasets and makes investigations faster and more accurate.
This message is associated with Microsoft 365 Roadmap ID 558548.
When this will happen
- Public Preview: Rollout will begin in early April 2026 and is expected to complete by late April 2026.
- General Availability (Worldwide): Rollout will begin in early May 2026 and is expected to complete by early May 2026.
How this affects your organization
Who is affected
- Admins and investigators who use Data Security Investigations in the Microsoft Purview compliance portal.
What will happen
- A new Audit tab will appear in the DSI search experience alongside the existing Query Builder tab:
Β
- Admins and investigators will be able to enter audit search criteria (date range, users, activities, keywords) directly within DSI.
- Users can view estimated audit query results or add them directly to the investigation scope.
- Associated files identified through the audit query will automatically appear in the investigation.
- This feature is enabled by default and requires no configuration.
- The previous CSV upload option is being removed.
What you can do to prepare
No action is required before rollout.
To prepare, you may want to:
- Update internal documentation for investigation and incident response workflows.
- Inform security teams and administrators who use DSI about this new capability and the removal of CSV upload support.
- Review DSI investigation processes to incorporate audit-based file enrichment.
Learn more:
- Audit log activities | Microsoft Purview | Microsoft Learn
- Learn about Data Security Investigations | Microsoft Purview | Microsoft Learn
Compliance considerations
No compliance considerations identified. Review as appropriate for your organization.