← Back to blog
Security

Purview Triage Agent: Automatically triage and resolve DLP alerts through Teams

By Zarioh Digital Solutions5 min read
Share
Purview Triage Agent: Automatically triage and resolve DLP alerts through Teams

Microsoft Purview introduces the Data Security Triage Agent: an AI agent that automatically triages DLP alerts and prompts users via Teams to remediate sensitive files themselves. Public preview launched in June 2026. What does it do exactly, which licence do you need, and how do you enable it?

DLP has always had a fundamental problem: SharePoint, OneDrive, Exchange, and Teams collectively generate dozens to hundreds of alerts every day. Compliance staff must manually assess which alerts represent real risk, who created the file in question, how sensitive the data is, and what the user should do to resolve the situation. In larger environments, alerts pile up and the most relevant signals get lost in the noise.

Microsoft Purview now introduces a structural answer to that problem: the Data Security Triage Agent. This AI agent automatically triages DLP alerts and sends users a Teams message prompting them to remediate sensitive files themselves. The public preview launched at the end of June 2026 and the rollout across tenants continues through late July 2026.

What does the Triage Agent do exactly?

The Data Security Triage Agent analyses incoming DLP alerts for files in SharePoint and OneDrive. Not every alert reaches the end user: only alerts the agent classifies as 'Needs attention' are eligible for the automated remediation flow. Alerts assessed as low-risk are filtered out and remain in the Purview console for optional manual review.

The agent weighs multiple factors in its assessment: the type of sensitive information detected, the policy that was violated, the file's sharing status, and the presence of external access. By combining all that context, the system distinguishes an inadvertently shared HR document from a situation that requires immediate attention.

Teams as the escalation channel

Once the agent marks an alert as 'Needs attention', the system automatically sends a Teams message to the person who most recently modified the file. That message states which file is involved, why it triggered a DLP violation, and what the user should specifically do: restrict access, remove sensitive content, or request an exception through the appropriate flow.

If the user does not respond, the agent sends daily reminders. The number of reminder days is configurable by the tenant administrator. Once the user has taken the required action, the sequence stops automatically. For compliance teams, this means they can rely on an automated escalation process without having to follow up every alert manually or contact users individually.

The feature is disabled by default and requires explicit opt-in. That is intentional: the setting has a direct visible impact on end users and must therefore be activated deliberately, not run automatically without IT management having consciously chosen to enable it.

AI reasoning traces and confidence scores

The current public preview version triages alerts but does not yet surface a visible explanation of the AI decision. That changes in August 2026 when Microsoft brings a further expansion into preview: reasoning traces and confidence scores. A reasoning trace is a concise textual explanation of the agent's rationale, similar to how a compliance analyst would describe their judgement. Why did this file score high? Which combination of signals led to the 'Needs attention' classification?

The confidence score indicates how certain the agent is of its judgement. Both elements are intended for internal audit purposes and for compliance staff who want to challenge or override the agent's decision. They will be visible in the Purview console and accessible via an RBAC role aligned with the existing Purview role groups for DLP management. General availability is planned for September 2026.

Required licence

The Data Security Triage Agent requires a Microsoft 365 E5 or Office 365 E5 licence, or a separate Purview Compliance add-on. The functionality is not available in Business or F licences, nor in E3 without an add-on. For organisations already on E5, no additional licence action is required: the functionality is made available automatically once the tenant rollout is reached. The tenant administrator receives a Message Center notification before the rollout begins.

How do you enable it?

Enabling the agent is done through the Microsoft Purview portal. Navigate to Data Loss Prevention and open the settings of the Data Security Triage Agent. Enable the Teams remediation option and configure the desired number of reminder days. You can also limit the scope to specific SharePoint sites and OneDrive accounts. For an initial rollout, starting with a limited scope lets you evaluate the user experience and the quality of the triage decisions before expanding the agent's reach.

Also consider communicating to employees before the agent goes live. A Teams message from 'Microsoft Purview' asking for action on a file can feel unexpected if users are unaware that their organisation actively enforces DLP policies. A short internal announcement significantly increases the likelihood of a fast and correct response.

Limitations to be aware of

The Teams remediation currently applies only to SharePoint and OneDrive locations. Exchange alerts, Teams chat messages, and Endpoint DLP alerts fall outside the scope of the automated flow. This is a deliberate boundary: files in SharePoint and OneDrive are the most common channel for unintentional oversharing, and the remediation action requested of the user is clearest and most actionable in that context.

Not every DLP alert reaches the Teams flow: only alerts the agent classifies as 'Needs attention' are sent to the user. That is deliberately designed to avoid noise. How many alerts that represents in your environment depends on the DLP policies you have configured and how strictly or permissively they are set.

What does this mean for your compliance approach?

For IT teams and compliance officers, the Triage Agent delivers tangible time savings. Instead of manually working through a list of alerts and reaching out to users by email or phone, the agent streamlines the entire escalation process. Users are reached through the channel where they are already active, which lowers the threshold for a response. Because remediations are tracked automatically, the compliance department gains an audit trail without additional manual effort.

The Triage Agent reflects a broader shift visible across Microsoft Purview: from a portal where compliance staff manually sift through alerts to a proactive system that prioritises, escalates, and tracks on its own. Combined with the Data Security Posture Agent, which proactively detects oversharing and exposure of sensitive data, this creates a layered defence that aligns with what organisations can now expect from a modern DLP system.

Want to enable the Purview Triage Agent in your tenant, have your current DLP configuration reviewed, or put together an implementation plan for a broader Purview rollout? Contact Zarioh. We guide organisations through Microsoft Purview, from policy design to rollout and user communication.

Z

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Related articles

← Back to all articles
Share