Microsoft Purview: Data Security Investigations – analyze files tied to audit log activities

Message ID: MC1259827
Service: Microsoft Purview
Category: Stay Informed
Tags: New feature, User impact, Admin impact
Rollout: April 2026, May 2026
Roadmap ID: 558548
Platform: Web

Summary

Microsoft Purview's Data Security Investigations will add a new Audit tab for building audit log queries directly within DSI, automatically surfacing related files. This feature, replacing CSV uploads, rolls out April-May 2026, enabling faster, more accurate investigations for admins and investigators without requiring prior configuration.

Details

[Introduction]

We’re introducing a new audit log querying experience in Data Security Investigations (DSI) in Microsoft Purview. This update allows administrators and investigators to build audit log queries directly within DSI by specifying criteria such as date range, users, activities, and keywords. DSI will then automatically surface files associated with those activities. This removes the previous manual process of exporting and reviewing large audit log datasets and makes investigations faster and more accurate.

This message is associated with Microsoft 365 Roadmap ID 558548.

[When this will happen]

  • Public Preview: Rollout will begin in early April 2026 and is expected to complete by late April 2026.
  • General Availability (Worldwide): Rollout will begin in early May 2026 and is expected to complete by early May 2026.

[How this affects your organization]

Who is affected

  • Admins and investigators who use Data Security Investigations in the Microsoft Purview compliance portal.

What will happen

  • A new Audit tab will appear in the DSI search experience alongside the existing Query Builder tab.
  • Admins and investigators will be able to enter audit search criteria (date range, users, activities, keywords) directly within DSI.
  • Users can view estimated audit query results or add them directly to the investigation scope.
  • Associated files identified through the audit query will automatically appear in the investigation.
  • This feature is enabled by default and requires no configuration.
  • The previous CSV upload option is being removed.

[What you can do to prepare]

No action is required before rollout.

To prepare, you may want to:

  • Update internal documentation for investigation and incident response workflows.
  • Inform security teams and administrators who use DSI about this new capability and the removal of CSV upload support.
  • Review DSI investigation processes to incorporate audit-based file enrichment.

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.
