MC1099690 – Changes to case creation process in Purview portal when confirming alerts from Defender XDR portal (archived)

check before: 2025-06-15

Product:

Defender, Purview, Purview Communication Compliance, Purview compliance portal, Purview Insider Risk Management

Platform:

Online, US Instances, Web, World tenant

Status:

Launched

Change type:

New feature, User impact, Admin impact

Links:

489228

Details:

Summary:
Insider Risk Management analysts must manually create cases in the Purview portal after confirming alerts in the Defender XDR portal. New alert-related content will be added for 30 days post-case creation. The change impacts workflows and requires training. Public Preview starts mid-June 2025, with General Availability by late September 2025.

Details:
To create a case, Insider Risk Management analysts must manually select "Confirm all alerts & create case" in the Purview portal after confirming an alert in the Defender XDR portal (security.microsoft.com). Once a case is created, related content such as online files and emails will be available in the Content explorer tab.
New content that contributes to alerts will continue to be added to the Content explorer for up to 30 days from the case creation date. After this period, any new alert-related content will not be added to the existing case. To access new content, analysts must close the current case and create a new one.
This change is associated with Microsoft 365 Roadmap ID 489228.
When this will happen:
Public Preview: Rolling out mid-June 2025; expected completion by late June 2025.
Targeted Release: Rolling out late July 2025; expected completion by mid-August 2025.
General Availability: Rolling out mid-September 2025; expected completion by late September 2025.

Release Phase:
General Availability, Preview

Created:
2025-06-21

updated:
2025-06-21

Direct effects for Operations**

Manual Case Creation
Insider Risk Management analysts must manually create cases in the Purview portal, leading to potential delays in case handling and increased workload.
   - roles: Insider Risk Management Analysts, SOC Team Members
   - references: https://www.microsoft.com/microsoft-365/roadmap?rtc=1%26filters%3D&searchterms=489228

Workflow Disruption
Existing workflows that assume automatic case creation will be disrupted, requiring updates to internal documentation and processes.
   - roles: Insider Risk Management Analysts, Compliance Officers
   - references: https://www.microsoft.com/microsoft-365/roadmap?rtc=1%26filters%3D&searchterms=489228

Content Retention Issues
New alert-related content will not be added to existing cases after 30 days, potentially leading to incomplete case information and oversight.
   - roles: Insider Risk Management Analysts, Investigators
   - references: https://www.microsoft.com/microsoft-365/roadmap?rtc=1%26filters%3D&searchterms=489228

Opportunities**

Training and Documentation Improvement
With the introduction of the manual case creation process, there is a significant opportunity to enhance training materials and documentation for Insider Risk Management analysts and SOC teams. By providing comprehensive guides and training sessions, analysts can become more proficient in navigating the new process, reducing the likelihood of errors and improving overall efficiency.
   - next-steps: Develop and distribute updated training materials and conduct training sessions for Insider Risk Management and SOC teams. Collect feedback to refine the training process.
   - roles: Insider Risk Management Analysts, SOC Teams, Compliance Officers
   - references: https://www.microsoft.com/microsoft-365/roadmap?rtc=1%26filters%3D&searchterms=489228

Automation of Case Management
The current manual process of case creation presents an opportunity to explore automation solutions. By integrating workflows that trigger case creation based on alerts confirmed in the Defender XDR portal, organizations can streamline operations, reduce manual workload, and minimize the risk of missed alerts or delays in case processing.
   - next-steps: Evaluate existing IT systems for potential automation tools that can interface with both Defender XDR and Purview. Develop a proposal for automating the case creation process.
   - roles: IT Administrators, Business Analysts, Compliance Officers
   - references: https://www.microsoft.com/microsoft-365/roadmap?rtc=1%26filters%3D&searchterms=489228

Content Retention Policy Review
The change in how content is added to cases after 30 days provides an opportunity to review and potentially update content retention policies. Organizations can assess their current policies to ensure they align with the new case management process and compliance requirements, thus enhancing data governance and compliance monitoring.
   - next-steps: Conduct a review of current content retention policies in light of the new case management changes. Engage compliance teams to align policies with updated processes.
   - roles: Compliance Officers, Data Governance Teams, IT Administrators
   - references: https://www.microsoft.com/microsoft-365/roadmap?rtc=1%26filters%3D&searchterms=489228

** AI generated content. This information must be reviewed before use.