489228 – Microsoft Purview Compliance Portal: Changes to case creation process in Purview portal when confirming alerts from Defender XDR portal and content retention periods in cases

*A more relevant or more recent entry exists for this item: MC1099690

check before: 2025-07-01

Product:

Defender, Purview Communication Compliance, Purview Insider Risk Management

Platform:

Online, US Instances, Web, World tenant

Status:

Launched

Change type:

Links:

MC1099690

Details:

With this release, alerts confirmed from the Defender XDR portal (security.microsoft.com) will not result in automatic case creation in the Purview portal. To create a case, Insider Risk Management analysts or investigators must manually click the "Confirm all alerts & create case" button in the Purview portal from the alert that was previously confirmed through Defender XDR. When a case is created for a specific user based on the generated alert, related content, such as online files and emails, is made available in the Content explorer tab. Additionally, any new content that generates or adds to an alert is included in the Content explorer for review for up to 30 days from the creation of the case. After these 30 days, new content identified for the user based on alerts will NOT be added to the Content explorer. To access new content, the existing case must be closed and a new case created.

Release Phase:
General Availability, Preview

Created:
2025-05-02

updated:
2025-10-17

Direct effects for Operations**

Please look at the most relevant linked item for details.

explanation for non-techies**

In the world of legal and HR, think of the Microsoft Purview Compliance Portal as a digital filing cabinet where you manage cases related to insider risks and compliance issues. Recently, there have been some changes to how you handle alerts and cases within this system, especially when these alerts come from the Defender XDR portal.

Previously, when an alert was confirmed in the Defender XDR portal, it would automatically create a case in the Purview portal. Imagine if every time you received a piece of mail, it automatically opened a new file in your cabinet, whether you needed it or not. This could lead to a cluttered and overwhelming filing system. Now, with the updated process, you have more control. You need to manually confirm that you want to create a case from an alert. It's like deciding which pieces of mail are important enough to file away, rather than automatically filing everything.

Once you decide to create a case, all related content, such as emails and online files, is organized in a section called the Content Explorer. This is similar to having a folder within your filing cabinet where all related documents are neatly stored for easy access. However, there's a time limit on how long new content can be added to this folder. You have 30 days from the creation of the case to add any new content related to the alert. After this period, if new information comes in, you can't just add it to the existing folder. Instead, you need to close the current case and start a new one to include the new content. It's like having a deadline for when you can add documents to a file, after which you need to start a new file for any additional information.

This change gives you more control over the cases you manage, allowing you to keep your digital filing system organized and relevant, ensuring that only necessary cases are created and maintained.

** AI generated content. This information must be reviewed before use.

change history

| Date | Property | Old | New |
|---|---|---|---|
| 2025-10-17 | RM Status | Rolling out | Launched |
| 2025-07-30 | RM Status | In development | Rolling out |
| 2025-06-21 | RM Cloud Instance Tags | Worldwide (Standard Multi-Tenant), GCC, GCC High, DoD | Worldwide (Standard Multi-Tenant) |
| 2025-06-21 | RM Release | May CY2025 | July CY2025 |

Last updated 2 months ago
