check before: 2025-01-15
Product:
Defender, Defender for Endpoint, Defender XDR, Microsoft Graph, Purview, Purview Communication Compliance, Purview compliance portal, Purview Information Protection, Purview Insider Risk Management
Platform:
Developer, Online, US Instances, Web, World tenant
Status:
Launched
Change type:
Admin impact, New feature, Updated message
Summary:
Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR's unified alert queue, Advanced Hunting, Graph API, and Microsoft Sentinel. Rolling out from January to September 2025, admins must enable data sharing and assign permissions. IRM data supports enhanced investigation and external integrations.
Details:
Updated December 2, 2025: We have updated the content. We will communicate special cloud progress in a separate Message center post in future. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
- Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
- Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on top of IRM data.
- Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
- Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
This message is associated with Microsoft 365 Roadmap ID 422730.
[When this will happen:]
Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
General Availability (WW): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025.
Release Phase:
General Availability, Preview
Created:
2024-12-20
updated:
2025-12-03
summary for non-techies**
Microsoft is integrating Microsoft Purview's Insider Risk Management alerts into Microsoft Defender XDR, allowing for centralized monitoring and advanced hunting of potential risks, with alerts accessible via Microsoft's Graph API and Microsoft Sentinel for enhanced security management.
Direct effects for Operations**
Integration of IRM alerts into Defender XDR
Without proper preparation, the integration of IRM alerts into the unified alert queue may lead to confusion among security analysts due to an influx of alerts, potentially overwhelming their ability to respond effectively.
- roles: Security Analyst, IT Administrator
- references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730
Advanced Hunting capabilities
The introduction of new tables for Advanced Hunting without prior training may result in analysts misusing KQL queries, leading to inaccurate risk assessments and missed threats.
- roles: Security Analyst, Compliance Officer
- references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730
Permissions and data access
If permissions are not properly assigned before the rollout, unauthorized users may gain access to sensitive IRM data, leading to potential data breaches and compliance issues.
- roles: IT Administrator, Data Protection Officer
- references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| --- | --- | --- | --- |
| 2025-12-03 | MC Last Updated | 09/24/2025 15:52:56 | 2025-12-02T20:34:07Z |
| 2025-12-03 | MC Messages | Updated September 24, 2025: We have updated the timeline. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025. General Availability (GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by late May 2026 (previously mid-September). | Updated December 2, 2025: We have updated the content. We will communicate special cloud progress in a separate Message center post in future. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025. |
| 2025-12-03 | MC End Time | 07/06/2026 09:00:00 | 2025-12-08T08:00:00Z |
| 2025-12-03 | MC Summary | Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR and Microsoft Sentinel, enabling unified alert queues, advanced hunting, Graph API access, and richer metadata. Rollout begins January 2025 (preview) and late August 2025 (general availability). Admins must enable data sharing and assign permissions. | Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR's unified alert queue, Advanced Hunting, Graph API, and Microsoft Sentinel. Rolling out from January to September 2025, admins must enable data sharing and assign permissions. IRM data supports enhanced investigation and external integrations. |
| 2025-09-24 | MC Last Updated | 09/23/2025 23:17:21 | 2025-09-24T15:52:56Z |
| 2025-09-24 | MC Messages | Updated September 23, 2025: We have updated the timeline. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-October 2025 (previously mid-September). | Updated September 24, 2025: We have updated the timeline. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025. General Availability (GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by late May 2026 (previously mid-September). |
| 2025-09-24 | MC End Time | 11/24/2025 08:00:00 | 2026-07-06T09:00:00Z |
| 2025-09-24 | MC Summary | Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR, enabling unified alert queues, advanced hunting, Graph API access, and Microsoft Sentinel support. Rollout starts January 2025 (preview) and completes by October 2025 (general availability). Admins must enable data sharing and assign permissions. | Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR and Microsoft Sentinel, enabling unified alert queues, advanced hunting, Graph API access, and richer metadata. Rollout begins January 2025 (preview) and late August 2025 (general availability). Admins must enable data sharing and assign permissions. |
| 2025-09-24 | MC Last Updated | 07/01/2025 18:33:31 | 2025-09-23T23:17:21Z |
| 2025-09-24 | MC Messages | Updated July 1, 2025: We have updated the timeline below. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025 (previously mid-July). | Updated September 23, 2025: We have updated the timeline. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-October 2025 (previously mid-September). |
| 2025-09-24 | MC End Time | 10/27/2025 08:00:00 | 2025-11-24T08:00:00Z |
| 2025-09-24 | MC Summary | Microsoft Purview's Insider Risk Management (IRM) alerts will be integrated into Microsoft Defender XDR, with features like a unified alert queue, advanced hunting, Graph API access, and Microsoft Sentinel integration. Public preview starts mid-January 2025, with general availability in late August 2025. Admins need to enable data sharing and assign permissions. | Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR, enabling unified alert queues, advanced hunting, Graph API access, and Microsoft Sentinel support. Rollout starts January 2025 (preview) and completes by October 2025 (general availability). Admins must enable data sharing and assign permissions. |
| 2025-07-02 | MC Messages | Updated January 23, 2025: We have updated the rollout timeline below. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late June 2025 (previously early May) and expect to complete by mid-July 2025 (previously mid-May). | Updated July 1, 2025: We have updated the timeline below. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025 (previously mid-July). |
| 2025-07-02 | MC Title | Microsoft Purview \| Insider Risk Management: IRM alerts in Microsoft Defender XDR | (Updated) Microsoft Purview \| Insider Risk Management: IRM alerts in Microsoft Defender XDR |
| 2025-07-02 | MC End Time | 08/28/2025 09:00:00 | 2025-10-27T08:00:00Z |
| 2025-07-02 | MC Last Updated | 01/24/2025 21:46:51 | 2025-07-01T18:33:31Z |
| 2025-07-02 | MC Summary | Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in late June 2025. Admins need to enable data sharing and assign permissions to access this feature. | Microsoft Purview's Insider Risk Management (IRM) alerts will be integrated into Microsoft Defender XDR, with features like a unified alert queue, advanced hunting, Graph API access, and Microsoft Sentinel integration. Public preview starts mid-January 2025, with general availability in late August 2025. Admins need to enable data sharing and assign permissions. |
| 2025-01-25 | MC Last Updated | 12/20/2024 00:16:49 | 2025-01-24T21:46:51Z |
| 2025-01-25 | MC Messages | Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by mid-May 2025. | Updated January 23, 2025: We have updated the rollout timeline below. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences: Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation. Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data. Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications. Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata. This message is associated with Microsoft 365 Roadmap ID 422730. [When this will happen:] Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025. General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late June 2025 (previously early May) and expect to complete by mid-July 2025 (previously mid-May). |
| 2025-01-25 | MC MessageTagNames | New feature, Admin impact | Updated message, New feature, Admin impact |
| 2025-01-25 | MC Summary | Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in early May 2025. Admins need to enable data sharing and assign permissions to access this feature. | Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in late June 2025. Admins need to enable data sharing and assign permissions to access this feature. |
Last updated 2 months ago