check before: 2025-11-01
Product:
Copilot, Microsoft 365 Apps, Purview, Purview Communication Compliance, Purview compliance portal, Purview Information Protection, Purview Insider Risk Management
Platform:
Online, Web, World tenant
Status:
Launched
Change type:
Admin impact, New feature, Updated message, User impact
Links:
Details:
Summary:
Microsoft Purview Insider Risk Management's Security Copilot alert triage agent is generally available worldwide from late November to mid-December 2025. It prioritizes alerts, allows user feedback on prioritization, disables custom instructions temporarily, and removes the file risk summary. No admin changes are needed; SCUs must be provisioned.
Details:
Updated November 14, 2025: We have updated the content. Thank you for your patience.
Microsoft Purview Insider Risk Management (IRM) has reached General Availability for the Security Copilot alert triage agent. The agent helps analysts focus on the most urgent alerts by analyzing and prioritizing Insider Risk Management alerts. It also provides a summary of findings to help users quickly understand the risky activities that make an alert critical to review.
With this release, users can report miscategorized alerts and provide feedback on prioritization. Feedback is sent directly to Microsoft but is not used for agent memory. We will temporarily disable the ability to add new custom instructions in IRM alert triage agent. Existing instructions will not be honored during this period. This feature will return in 2026. Additionally, the file risk section of the agent summary has been deprecated.
This message is associated with Microsoft 365 Roadmap ID 503764.
[When this will happen:]
General Availability (Worldwide): Rollout begins in late November 2025 and is expected to complete by mid-December 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
General Availability
Created:
2025-10-28
updated:
2025-11-15
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
linked item details
XXXXXXX ... free basic plan only
summary for non-techies**
Microsoft's new Security Copilot alert triage agent in Purview Insider Risk Management prioritizes alerts for analysts, allows feedback for future improvements, and requires Security Compute Units to operate, with custom instruction capabilities paused until 2026.
Direct effects for Operations**
Alert Prioritization Issues
Without proper preparation, users may face challenges in identifying critical alerts, leading to potential security risks being overlooked.
- roles: Security Analysts, Compliance Officers
- references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764
User Feedback Mismanagement
The inability to add new custom instructions may frustrate users, leading to ineffective alert management and decreased user satisfaction.
- roles: Security Analysts, IT Support Staff
- references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764
Deprecation of File Risk Summary
The removal of the file risk section may hinder users' ability to assess data risks effectively, impacting decision-making processes.
- roles: Data Protection Officers, Security Analysts
- references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764
Increased Alert Volume
The new alert triage agent may generate a higher volume of alerts without adequate training, overwhelming users and leading to alert fatigue.
- roles: Security Analysts, Compliance Officers
- references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764
SCU Provisioning Issues
If SCUs are not provisioned in advance, the alert triage agent will not function, leading to a lack of alert management capabilities.
- roles: IT Administrators, Security Analysts
- references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-11-15 | MC prepare | No action is required to enable the feature.
Access the alert triage agent on the Microsoft Purview portal. [Compliance considerations:] No compliance considerations identified, review as appropriate for your organization. https://purview.microsoft.com/agent/agentoverview https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764 | The Microsoft Purview Triage Agents run on Security Compute Units (SCU). Your organization must have SCUs provisioned for the agents to run.
Access the alert triage agent on the Microsoft Purview portal. [Compliance considerations:] No compliance considerations identified, review as appropriate for your organization. https://purview.microsoft.com/agent/agentoverview https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764 |
| 2025-11-15 | MC Summary | Microsoft Purview Insider Risk Management's Security Copilot alert triage agent is generally available worldwide from late November to mid-December 2025. It prioritizes alerts, allows user feedback on prioritization, deprecates the file risk section, and requires no action to enable or policy changes. | Microsoft Purview Insider Risk Management's Security Copilot alert triage agent is generally available worldwide from late November to mid-December 2025. It prioritizes alerts, allows user feedback on prioritization, disables custom instructions temporarily, and removes the file risk summary. No admin changes are needed; SCUs must be provisioned. |
| 2025-11-15 | MC Last Updated | 10/27/2025 23:38:36 | 2025-11-14T22:46:30Z |
| 2025-11-15 | MC Messages | Microsoft Purview Insider Risk Management (IRM) has reached General Availability for the Security Copilot alert triage agent. The agent helps analysts focus on the most urgent alerts by analyzing and prioritizing Insider Risk Management alerts. It also provides a summary of findings to help users quickly understand the risky activities that make an alert critical to review.
With this release, users can report miscategorized alerts and provide feedback on prioritization. Feedback is sent directly to Microsoft but is not used for agent memory. Additionally, the file risk section of the agent summary has been deprecated. This message is associated with Microsoft 365 Roadmap ID 503764. [When this will happen:] General Availability (Worldwide): Rollout begins in late November 2025 and is expected to complete by mid-December 2025. | Updated November 14, 2025: We have updated the content. Thank you for your patience.
Microsoft Purview Insider Risk Management (IRM) has reached General Availability for the Security Copilot alert triage agent. The agent helps analysts focus on the most urgent alerts by analyzing and prioritizing Insider Risk Management alerts. It also provides a summary of findings to help users quickly understand the risky activities that make an alert critical to review. With this release, users can report miscategorized alerts and provide feedback on prioritization. Feedback is sent directly to Microsoft but is not used for agent memory. We will temporarily disable the ability to add new custom instructions in IRM alert triage agent. Existing instructions will not be honored during this period. This feature will return in 2026. Additionally, the file risk section of the agent summary has been deprecated. This message is associated with Microsoft 365 Roadmap ID 503764. [When this will happen:] General Availability (Worldwide): Rollout begins in late November 2025 and is expected to complete by mid-December 2025. |
| 2025-11-15 | MC Title | Microsoft Purview | Insider Risk Management - Data security alert triage agent generally available | (Updated) Microsoft Purview | Insider Risk Management - Data security alert triage agent generally available |
| 2025-11-15 | MC MessageTagNames | New feature, User impact, Admin impact | Updated message, New feature, User impact, Admin impact |
Last updated 4 weeks ago ago
