Microsoft 365 Message Center item MC1430534
MC1430534 - Microsoft Purview: Insider Risk Management - Expanding note capabilities across alerts and cases
Microsoft Purview Insider Risk Management is enhancing alerts and cases with note-taking capabilities for better investigator collaboration and auditability. Users can add notes, and system-generated notes will track investigation events. Expanded user details and integrated Entra ID profiles improve context. Rollout begins late June 2026.
- Message Center ID
- MC1430534
- Category
- stay Informed
- Severity
- normal
- Services
- Microsoft Purview
- Tags
- Feature update, User impact, Admin impact
- Roadmap ID
- 564620
- Platforms
- Web
- Published
- 2026-07-17
- Last updated
- 2026-07-17
- Expires
- 2026-11-16
[What and Why:] Microsoft is expanding note-taking capabilities in Microsoft Purview Insider Risk Management (IRM) alerts and cases to improve investigator collaboration and auditability. Analysts and investigators will be able to add notes directly to alerts and cases, while system-generated notes will automatically capture key investigation events such as status changes and user assignments. This enhancement helps security and compliance teams maintain a centralized investigation history, improve collaboration, and streamline insider risk investigations within a single experience.This message is associated with Microsoft 365 Roadmap ID 564620.[Rollout Schedule:] Public Preview: Began in late June 2026; expected to complete by mid-July 2026 General Availability (Worldwide, GCC, GCC High, DoD): Beginning in late September 20266; expected to complete by mid-October 2026 [Impact on Your Organization:] Who is affected: Organizations using Microsoft Purview Insider Risk Management IRM analysts, investigators, and administrators Organizations using the Alerts (preview) experience Platforms/Services: Microsoft Purview Insider Risk Management Alerts (preview) Cases Microsoft Entra ID profile integration What will happen: Users will be able to add investigation notes directly within Insider Risk Management alerts.System-generated notes will automatically record investigation events such as:Alert status changesInvestigator assignmentsOther investigation lifecycle updatesNote capabilities will also be available within Insider Risk Management Cases.Screenshot: New Notes experience in Insider Risk Management alerts showing investigator notes and automated activity tracking:Expanded User Details will provide investigators with additional user context directly within alerts.User details may include:Office locationEmployee typeDepartmentLast working dateThe experience will aggregate insider risk context such as:Entra ID profile informationPrior alert historyPrior case historyPriority user group statusPolicy inclusion statusWhen pseudo-anonymization is enabled, user profile attributes will remain hidden.The feature is integrated into the Insider Risk Management experience and does not require investigators to leave the alert workflow.[Action Required/Recommendations:] No immediate action is required.Recommended actions:Review the upcoming alert and case note capabilities with Insider Risk Management investigators.Inform investigation and compliance teams about the new collaboration features.Update internal investigation procedures and documentation, if applicable.Validate your organization's privacy and pseudonymization settings to ensure they align with investigation requirements.Learn more:New IRM Alert ExperienceAlert Notes (Preview) Documentation | Microsoft LearnWhere to find the featureOpen Alerts (preview) from the left navigation pane in Insider Risk Management.Open an alert.Navigate to User details.Select View user details. [Compliance Considerations:] Area Explanation Stores new customer data Investigator-authored notes and system-generated notes are new records associated with Insider Risk Management alerts and cases. The post does not specify retention behavior, storage location, or whether data is cached or permanently stored. Alters how existing customer data is processed, stored, or accessed Additional user context from Microsoft Entra profiles (office location, employee type, department, last working date) and insider risk history are surfaced within the alert experience, providing investigators with consolidated access to existing organizational data. Modifies audit logging capabilities System-generated notes automatically capture events such as alert status changes and investigator assignments, creating a more detailed and auditable investigation timeline. Alters how admins can monitor, report on, or demonstrate compliance activities Investigation activities become better documented through investigator notes and automated timeline entries, improving traceability, review readiness, and audit support for insider risk investigations. Admin control available The announcement references pseudo-anonymization settings that control visibility of user profile information. However, it does not explicitly state whether the new notes capability itself can be enabled, disabled, or scoped by administrators. Can be controlled through Entra ID group membership The feature surfaces Entra profile information and references priority user groups, but the announcement does not explicitly state whether access to the feature or functionality can be controlled through Entra ID group membership. Modifies GDPR Data Subject Rights processes Additional investigation notes and profile information become available in alerts and cases. The announcement does not specify whether this changes export, correction, deletion, or access processes for personal data.