MC961761 – (Updated) Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR

check before: 2025-01-15

Product:

Defender, Defender for Endpoint, Defender XDR, Microsoft Graph, Purview, Purview Communication Compliance, Purview compliance portal, Purview Information Protection, Purview Insider Risk Management

Platform:

Developer, Online, US Instances, Web, World tenant

Status:

Rolling out

Change type:

Admin impact, New feature, Updated message

Links:

422730

Details:

Summary:
Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR and Microsoft Sentinel, enabling unified alert queues, advanced hunting, Graph API access, and richer metadata. Rollout begins January 2025 (preview) and late August 2025 (general availability). Admins must enable data sharing and assign permissions.

Details:
Updated September 24, 2025: We have updated the timeline. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analysts can also create custom detections on top of IRM data.
Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
This message is associated with Microsoft 365 Roadmap ID 422730.
[When this will happen:]
Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
General Availability (WW): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025.
General Availability (GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by late May 2026 (previously mid-September).

Release Phase:
General Availability, Preview

Created:
2024-12-20

updated:
2025-09-24

Direct effects for Operations**

Data Access and Permissions
Without the data-sharing setting and permission assignments this rollout requires being reviewed first, users without a need to know may gain access to sensitive IRM data in Defender XDR, leading to potential data breaches.
   - roles: Admin, Insider Risk Analyst
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Alert Overload
The integration of IRM alerts into the unified alert queue may overwhelm analysts with excessive alerts, reducing their ability to respond effectively.
   - roles: Security Analyst, Incident Response Team
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Compliance and Privacy Risks
The lack of anonymization in IRM data may lead to compliance issues, especially with GDPR regulations, if sensitive user data is exposed.
   - roles: Compliance Officer, Data Protection Officer
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Opportunities**

Enhanced Security Analytics
With the integration of IRM alerts into Microsoft Defender XDR, security analysts can leverage advanced hunting capabilities to identify hidden risk patterns more effectively. This can lead to faster detection of insider threats and data breaches, improving overall security posture.
   - next-steps: Train security analysts on using advanced hunting queries with the new IRM data tables. Set up regular reviews of the alerts and incidents to enhance response strategies.
   - roles: Security Analysts, Compliance Officers, IT Security Managers
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Streamlined Incident Response
The unified alert queue will allow for more efficient incident management as IRM alerts will be correlated with other security alerts, enabling a holistic view of potential threats and reducing response times.
   - next-steps: Implement a centralized incident response protocol that utilizes the unified alert queue for triaging alerts. Regularly assess the incident response workflow for improvements.
   - roles: Incident Response Teams, IT Managers, Security Operations Center (SOC) Teams
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Improved Data Integration
Access to IRM data through Microsoft Graph API allows for better integration with external applications, facilitating automated workflows and enhancing data visibility across platforms.
   - next-steps: Evaluate current applications that utilize Microsoft Graph API for integration opportunities with IRM data. Develop automation scripts or workflows that leverage this data for operational efficiency.
   - roles: Application Developers, IT Administrators, Data Analysts
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

** AI generated content. This information must be reviewed before use.

change history

Date | Property | old | new

2025-09-24 | MC Last Updated
  old: 09/23/2025 23:17:21
  new: 2025-09-24T15:52:56Z

2025-09-24 | MC Messages
  old:
  Updated September 23, 2025: We have updated the timeline. Thank you for your patience.
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-October 2025 (previously mid-September).
  new:
  Updated September 24, 2025: We have updated the timeline. Thank you for your patience.
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025.
  General Availability (GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by late May 2026 (previously mid-September).

2025-09-24 | MC End Time
  old: 11/24/2025 08:00:00
  new: 2026-07-06T09:00:00Z

2025-09-24 | MC Summary
  old: Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR, enabling unified alert queues, advanced hunting, Graph API access, and Microsoft Sentinel support. Rollout starts January 2025 (preview) and completes by October 2025 (general availability). Admins must enable data sharing and assign permissions.
  new: Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR and Microsoft Sentinel, enabling unified alert queues, advanced hunting, Graph API access, and richer metadata. Rollout begins January 2025 (preview) and late August 2025 (general availability). Admins must enable data sharing and assign permissions.

2025-09-24 | MC Last Updated
  old: 07/01/2025 18:33:31
  new: 2025-09-23T23:17:21Z

2025-09-24 | MC Messages
  old:
  Updated July 1, 2025: We have updated the timeline below. Thank you for your patience.
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025 (previously mid-July).
  new:
  Updated September 23, 2025: We have updated the timeline. Thank you for your patience.
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-October 2025 (previously mid-September).

2025-09-24 | MC End Time
  old: 10/27/2025 08:00:00
  new: 2025-11-24T08:00:00Z

2025-09-24 | MC Summary
  old: Microsoft Purview's Insider Risk Management (IRM) alerts will be integrated into Microsoft Defender XDR, with features like a unified alert queue, advanced hunting, Graph API access, and Microsoft Sentinel integration. Public preview starts mid-January 2025, with general availability in late August 2025. Admins need to enable data sharing and assign permissions.
  new: Microsoft Purview Insider Risk Management (IRM) alerts will integrate into Microsoft Defender XDR, enabling unified alert queues, advanced hunting, Graph API access, and Microsoft Sentinel support. Rollout starts January 2025 (preview) and completes by October 2025 (general availability). Admins must enable data sharing and assign permissions.

2025-07-02 | MC Messages
  old:
  Updated January 23, 2025: We have updated the rollout timeline below. Thank you for your patience.
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late June 2025 (previously early May) and expect to complete by mid-July 2025 (previously mid-May).
  new:
  Updated July 1, 2025: We have updated the timeline below. Thank you for your patience.
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025 (previously mid-July).

2025-07-02 | MC Title
  old: Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR
  new: (Updated) Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR

2025-07-02 | MC End Time
  old: 08/28/2025 09:00:00
  new: 2025-10-27T08:00:00Z

2025-07-02 | MC Last Updated
  old: 01/24/2025 21:46:51
  new: 2025-07-01T18:33:31Z

2025-07-02 | MC Summary
  old: Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in late June 2025. Admins need to enable data sharing and assign permissions to access this feature.
  new: Microsoft Purview's Insider Risk Management (IRM) alerts will be integrated into Microsoft Defender XDR, with features like a unified alert queue, advanced hunting, Graph API access, and Microsoft Sentinel integration. Public preview starts mid-January 2025, with general availability in late August 2025. Admins need to enable data sharing and assign permissions.

2025-01-25 | MC Last Updated
  old: 12/20/2024 00:16:49
  new: 2025-01-24T21:46:51Z

2025-01-25 | MC Messages
  old:
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by mid-May 2025.
  new:
  Updated January 23, 2025: We have updated the rollout timeline below. Thank you for your patience.
  Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
  Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
  Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
  Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
  Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
  This message is associated with Microsoft 365 Roadmap ID 422730.
  [When this will happen:]
  Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
  General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late June 2025 (previously early May) and expect to complete by mid-July 2025 (previously mid-May).

2025-01-25 | MC MessageTagNames
  old: New feature, Admin impact
  new: Updated message, New feature, Admin impact

2025-01-25 | MC Summary
  old: Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in early May 2025. Admins need to enable data sharing and assign permissions to access this feature.
  new: Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in late June 2025. Admins need to enable data sharing and assign permissions to access this feature.
