MC1180884 – (Updated) Microsoft Purview | Insider Risk Management – Data security alert triage agent generally available

check before: 2025-11-01

Product:

Copilot, Microsoft 365 Apps, Purview, Purview Communication Compliance, Purview compliance portal, Purview Information Protection, Purview Insider Risk Management

Platform:

Online, Web, World tenant

Status:

Rolling out

Change type:

Admin impact, New feature, Updated message, User impact

Links:

503764

Details:

Summary:
Microsoft Purview Insider Risk Management's Security Copilot alert triage agent is generally available worldwide from late November to mid-December 2025. It prioritizes alerts, allows user feedback on prioritization, disables custom instructions temporarily, and removes the file risk summary. No admin changes are needed; SCUs must be provisioned.

Details:
Updated November 14, 2025: We have updated the content. Thank you for your patience.
Microsoft Purview Insider Risk Management (IRM) has reached General Availability for the Security Copilot alert triage agent. The agent helps analysts focus on the most urgent alerts by analyzing and prioritizing Insider Risk Management alerts. It also provides a summary of findings to help users quickly understand the risky activities that make an alert critical to review.
With this release, users can report miscategorized alerts and provide feedback on prioritization. Feedback is sent directly to Microsoft but is not used for agent memory. We will temporarily disable the ability to add new custom instructions in IRM alert triage agent. Existing instructions will not be honored during this period. This feature will return in 2026. Additionally, the file risk section of the agent summary has been deprecated.
This message is associated with Microsoft 365 Roadmap ID 503764.
[When this will happen:]
General Availability (Worldwide): Rollout begins in late November 2025 and is expected to complete by mid-December 2025.

Release Phase:
General Availability

Created:
2025-10-28

Updated:
2025-11-15

Direct effects for Operations**

Alert Prioritization Issues
Without preparation, users may face challenges in alert prioritization, leading to critical alerts being overlooked, which can result in delayed responses to insider threats.
   - roles: Security Analysts, Compliance Officers
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

User Feedback Mechanism
The introduction of a feedback mechanism without prior training may lead to misuse or misunderstanding of the feedback process, resulting in ineffective prioritization of alerts.
   - roles: Security Analysts, IT Support Staff
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

Deprecation of File Risk Summary
The removal of the file risk summary without user preparation may cause confusion among users who rely on this information for decision-making, potentially leading to uninformed actions.
   - roles: Data Protection Officers, Security Analysts
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

Temporary Disablement of Custom Instructions
The temporary disabling of custom instructions may disrupt established workflows, leading to inefficiencies and frustration among users accustomed to personalized settings.
   - roles: Security Analysts, Compliance Officers
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

Provisioning of Security Compute Units (SCUs)
If SCUs are not provisioned in advance, the alert triage agent will not function, leading to a complete lack of alert management capabilities during the rollout period.
   - roles: IT Administrators, Security Analysts
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

Opportunities**

Enhanced Alert Prioritization
The new alert triage agent allows analysts to focus on the most critical alerts, improving response times to potential insider threats. This prioritization can significantly enhance security posture by addressing high-risk alerts first.
   - next-steps: Train security analysts on how to effectively use the alert triage agent to maximize its benefits. Monitor feedback submissions to Microsoft for continuous improvement.
   - roles: Security Analysts, Compliance Officers, IT Security Managers
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

User Feedback Mechanism
The ability for users to provide feedback on alert prioritization enables continuous improvement of the system. This feedback loop can lead to better accuracy in identifying true insider threats, reducing false positives.
   - next-steps: Establish a process for collecting and analyzing user feedback on alert prioritization to inform future training and system adjustments.
   - roles: Security Analysts, Compliance Officers, IT Administrators
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

Streamlined Incident Response
By providing a summary of findings for each alert, the triage agent reduces the time analysts spend on understanding alerts, allowing for quicker decision-making and incident response.
   - next-steps: Integrate the alert summary findings into existing incident response workflows to ensure rapid action on prioritized alerts.
   - roles: Security Analysts, Incident Response Teams, IT Security Managers
   - references: https://purview.microsoft.com/agent/agentoverview, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

** AI generated content. This information must be reviewed before use.

change history

Date: 2025-11-15
Property: MC prepare
Old:
No action is required to enable the feature.
Access the alert triage agent on the Microsoft Purview portal.
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
https://purview.microsoft.com/agent/agentoverview
https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764
New:
The Microsoft Purview Triage Agents run on Security Compute Units (SCU). Your organization must have SCUs provisioned for the agents to run.
Access the alert triage agent on the Microsoft Purview portal.
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.
https://purview.microsoft.com/agent/agentoverview
https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=503764

Date: 2025-11-15
Property: MC Summary
Old:
Microsoft Purview Insider Risk Management's Security Copilot alert triage agent is generally available worldwide from late November to mid-December 2025. It prioritizes alerts, allows user feedback on prioritization, deprecates the file risk section, and requires no action to enable or policy changes.
New:
Microsoft Purview Insider Risk Management's Security Copilot alert triage agent is generally available worldwide from late November to mid-December 2025. It prioritizes alerts, allows user feedback on prioritization, disables custom instructions temporarily, and removes the file risk summary. No admin changes are needed; SCUs must be provisioned.

Date: 2025-11-15
Property: MC Last Updated
Old:
10/27/2025 23:38:36
New:
2025-11-14T22:46:30Z

Date: 2025-11-15
Property: MC Messages
Old:
Microsoft Purview Insider Risk Management (IRM) has reached General Availability for the Security Copilot alert triage agent. The agent helps analysts focus on the most urgent alerts by analyzing and prioritizing Insider Risk Management alerts. It also provides a summary of findings to help users quickly understand the risky activities that make an alert critical to review.
With this release, users can report miscategorized alerts and provide feedback on prioritization. Feedback is sent directly to Microsoft but is not used for agent memory. Additionally, the file risk section of the agent summary has been deprecated.
This message is associated with Microsoft 365 Roadmap ID 503764.
[When this will happen:]
General Availability (Worldwide): Rollout begins in late November 2025 and is expected to complete by mid-December 2025.
New:
Updated November 14, 2025: We have updated the content. Thank you for your patience.
Microsoft Purview Insider Risk Management (IRM) has reached General Availability for the Security Copilot alert triage agent. The agent helps analysts focus on the most urgent alerts by analyzing and prioritizing Insider Risk Management alerts. It also provides a summary of findings to help users quickly understand the risky activities that make an alert critical to review.
With this release, users can report miscategorized alerts and provide feedback on prioritization. Feedback is sent directly to Microsoft but is not used for agent memory. We will temporarily disable the ability to add new custom instructions in IRM alert triage agent. Existing instructions will not be honored during this period. This feature will return in 2026. Additionally, the file risk section of the agent summary has been deprecated.
This message is associated with Microsoft 365 Roadmap ID 503764.
[When this will happen:]
General Availability (Worldwide): Rollout begins in late November 2025 and is expected to complete by mid-December 2025.

Date: 2025-11-15
Property: MC Title
Old:
Microsoft Purview | Insider Risk Management - Data security alert triage agent generally available
New:
(Updated) Microsoft Purview | Insider Risk Management - Data security alert triage agent generally available

Date: 2025-11-15
Property: MC MessageTagNames
Old:
New feature, User impact, Admin impact
New:
Updated message, New feature, User impact, Admin impact
