Changes to case creation process in Purview portal when confirming alerts from Defender XDR portal

Message Center ID: MC1099690
Microsoft Purview
Plan for Change
New feature, User impact, Admin impact
June 2025, July 2025, August 2025, September 2025
Web

Summary

Insider Risk Management analysts must manually create cases in the Purview portal after confirming alerts in the Defender XDR portal. New alert-related content will be added for 30 days post-case creation. The change impacts workflows and requires training. Public Preview starts mid-June 2025, with General Availability by late September 2025.

Details

To create a case, Insider Risk Management analysts must manually select “Confirm all alerts & create case” in the Purview portal after confirming an alert in the Defender XDR portal (security.microsoft.com). Once a case is created, related content such as online files and emails will be available in the Content explorer tab.

New content that contributes to alerts will continue to be added to the Content explorer for up to 30 days from the case creation date. After this period, any new alert-related content will not be added to the existing case. To access new content, analysts must close the current case and create a new one.

This change is associated with Microsoft 365 Roadmap ID 489228.

[When this will happen:]

Public Preview: Rolling out mid-June 2025; expected completion by late June 2025.

Targeted Release: Rolling out late July 2025; expected completion by mid-August 2025.

General Availability: Rolling out mid-September 2025; expected completion by late September 2025.

[How this affects your organization:]

Insider Risk Management analysts and investigators will need to manually create cases in the Purview portal for alerts confirmed in Defender XDR. This change may impact existing workflows and requires awareness among security and compliance teams.

[What you can do to prepare:]

  • Inform and train Insider Risk Management and SOC teams about the new manual case creation process.
  • Review internal documentation and update any automated workflows or playbooks that assume automatic case creation.

[Compliance considerations:]

  • Changes to data processing/storage/access? Yes – changes how confirmed alerts are handled and stored in cases
  • Modifies Purview capabilities (DLP, labels, audit, etc.)? Maybe – affects case content visibility and retention
  • Changes to compliance monitoring/reporting? Maybe – may impact how case data is reviewed or reported
