Microsoft Roadmap, messagecenter and blogs updates from 03-12-2025

Updated December 1, 2025: We have updated the timeline. Thank you for your patience. 

As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in starting late December 2025 (previously mid-November) and ending early January 2026 (previously late November 2025). We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads.

[How this will affect your organization:]

Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.

Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:

• For alerts and activities, Defender XDR streaming API: Stream Microsoft Defender XDR events – Microsoft Defender XDR | Microsoft Learn
• For Microsoft Entra ID Protection login events: IdentityLogonEvents table in the advanced hunting schema – Microsoft Defender XDR | Microsoft Learn
• For alerts, Microsoft Graph security alerts API (v2): List alerts_v2 – Microsoft Graph v1.0 | Microsoft Learn
• We also recommend viewing Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API. Learn more: Microsoft Defender XDR incidents APIs and the incidents resource type – Microsoft Defender XDR | Microsoft Learn

These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.

[What you need to do to prepare:]

To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities.

Learn more: Generic SIEM integration – Microsoft Defender for Cloud Apps | Microsoft Learn

Updated December 1, 2025: We have updated the timeline. Thank you for your patience.

Coming soon to Microsoft Teams: When users connect to their organization’s Wi-Fi, Teams can automatically set their work location to reflect the building they are working in. This makes it easier for users to coordinate work with their coworkers and connect in person.

This feature is opt-in and requires you to take action to configure it. After you turn it on, end-users remain in control and can choose whether to share their work location with their coworkers.

This message applies to Teams for Windows desktop and Teams for Mac desktop.

This message is associated with Microsoft 365 Roadmap ID 488800.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out early February 2026 (previously mid-January) and expect to complete by mid-February 2026 (previously late January).

[How this will affect your organization:]

This feature allows you to map Wi-Fi networks and devices to buildings, which allows your users to have their work location automatically updated when they connect. This is a major improvement over the current experience which relies on end-users to manually set their work location. When this feature is configured and enabled, Teams can automatically update the work location of users who connect their laptop to your organization’s Wi-Fi network or peripherals. The feature can leverage the mapping between your building names and your Wi-Fi networks to set the work location of your users to the right building. It can also leverage mappings to specific peripherals, such as monitors. Teams uses the same policy to enable or disable automatic updates of work location for Wi-Fi and peripherals. Learn more: New-CsTeamsWorkLocationDetectionPolicy (MicrosoftTeamsPowerShell) | Microsoft Learn

Teams will not update the location of your users if they connect after their working hours (that they can configure in the Microsoft Outlook Calendar). Also, their work location will be cleared at the end of their working hours.

[What you need to do to prepare:]

Automatic update of work location is off by default, but it can greatly improve the experience of your users. We recommend turning it on and configuring it in your tenant.

Before rollout, we will update this post with new documentation.

Updated December 1, 2025: We have updated the timeline. Thank you for your patience.

Prompt categories will be available in Microsoft Copilot Dashboard in Microsoft Viva Insights on the web to help you understand key Copilot use cases for your organization. In Microsoft Copilot Chat (work), which is grounded in work data, these prompt categories will include Ask and find, Catch up, Draft and brainstorm, and Other. These metrics will be added to the metrics library in the advanced insights app.

Learn more about Copilot Dashboard licensing requirements in Connect to the Microsoft Copilot Dashboard for Microsoft 365 customers | Microsoft Learn

This message is associated with Microsoft 365 Roadmap ID 486698.

Public Preview: We will begin rolling out in early September 2025 (previously mid-September) and will complete by late September 2025

General Availability (Worldwide): We will begin rolling mid-December 2025 (previously early December) and expect to complete by end of December 2025 (previously end of November).

[How this will affect your organization:]

Users enabled to view Copilot dashboard will see these updates:

1. Adoption tab: Prompt categories will be available at Viva Insights > Microsoft Copilot Dashboard > Adoption > Adoption by app > Copilot Chat (work) dropdown:

2. Impact tab: Admins can go to Viva Insights > Microsoft Copilot Dashboard > Impact > Copilot chat card > Explore more button to access the prompt categories as metrics in the Copilot impact trend section and the Comparison between groups section:

This change will be available by default.

[What you need to do to prepare:]

This rollout will happen automatically by the specified dates with no admin action required before the rollout. You may want to notify your admins and/or users about this change and update internal documentation.

Review and assess the impact for your organization. You might consider reviewing with your works council and updating your training and documentation as appropriate.

Learn more: Connect to the Microsoft Copilot Dashboard for Microsoft 365 customers | Microsoft Learn

Updated December 2, 2025: We have updated the timeline. Thank you for your patience. 

We’re introducing a new Account Manager experience in Outlook for Windows. This feature helps users better manage their Microsoft accounts by providing quick access to account details, displaying their profile picture, and enabling account switching (if permitted by your organization). This update aligns the experience with classic Outlook and enhances user productivity.

This message is associated with Microsoft 365 Roadmap ID 497546

When this will happen:

General Availability (Worldwide): Rollout will begin in early March 2026 (previously early January) and is expected to complete by late March 2026 (previously late January).
Targeted Release: Rollout will begin in early February 2026 (previously early December 2025) and is expected to complete by late February 2026 (previously late December 2025).

How this affects your organization:

Once the rollout is complete, users will see the new Account Manager in the title bar of Outlook for Windows. Key capabilities include:

• Displaying the user’s profile picture, automatically synced from their Microsoft account.
• Providing access to the Microsoft account page, consistent with the experience in classic Outlook.
• Allowing users to add and manage accounts, if permitted by your organization’s policies.

This feature is on by default and does not require admin configuration.

What you can do to prepare:

No admin action is required. You may wish to inform your helpdesk and users about the new experience to reduce potential confusion.

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Updated December 1, 2025: We have updated the timeline. Thank you for your patience.

[Introduction:]

We’re updating the AI Disclaimer experience in Microsoft Copilot Chat based on customer feedback. To address this, we’re introducing an admin control that allows organizations to customize how the disclaimer appears, improving user awareness and flexibility.

[When this will happen:] 

Rollout will begin in early December 2025 (previously late November) and complete by:

• Worldwide & GCC: mid-December 2025 (previously early December)
• GCC High & DoD: mid-January 2026 (previously mid-December 2025)

[How this affects your organization:]

Who is affected:

• All users of Microsoft Copilot Chat on desktop and web experiences.

What will happen:

• The AI disclaimer will remain visible in the user experience.
• Admins will gain the ability to heighten this message and to provide a link to their own documentation:
  • The disclaimer will display bolded text for increased visibility.
  • Admins can configure a custom URL pointing to their AI policy documentation.

[Introduction]

We’re introducing a new capability in Microsoft Purview Data Lifecycle Management that allows admins to override existing retention policies and delete content from OneDrive and SharePoint Online before the retention or legal hold duration expires. This feature supports organizations managing Copilot-related artifacts—such as Teams recordings and transcripts—independently of OneDrive retention policies, giving admins greater control over how long this content is retained.

This message is associated with Microsoft 365 Roadmap ID 489454.

[When this will happen:]

• General Availability (GCC): We will begin rolling out late November 2025 and expect to complete by early December 2025.
• General Availability (GCC High, DOD): We will begin rolling out late December 2025 and expect to complete by early January 2026.

[How this will affect your organization:]

Who is affected:

• Admins managing OneDrive and SharePoint Online retention policies
• Organizations using Microsoft Purview for data lifecycle management

What will happen:

• Admins can create Priority Cleanup policies to delete content before retention or hold periods expire.
• Feature includes simulation mode, audit logging, and disposition reviews.
• New admin policy authoring flows are introduced, governed by Microsoft Purview role groups.
• Feature is not enabled by default; requires explicit policy creation and enforcement.
• Requires at least two admins to author and enforce a Priority Cleanup policy.

[What you need to do to prepare:]

• Ensure at least two admins are assigned the Priority Cleanup Admin and Retention Management roles.
• Review and configure role assignments in Microsoft Purview portal
• Communicate this change to your compliance and records management teams
• Update internal documentation to reflect new policy authoring and enforcement capabilities

Learn more: Override holds to clean up files for Copilot and reclaim storage

[Compliance considerations:]

Updated December 1, 2025: We have updated the timeline. Thank you for your patience. 

[Introduction]

The new Designer editor integration in PowerPoint introduces a modern, intuitive image editing experience directly within your slides—eliminating the need to switch apps or interrupt your workflow. Whether you’re refining visuals for a pitch deck, enhancing marketing assets, or simply making your slides more engaging, the Designer editor enables fast, seamless image enhancements powered by AI.

Screenshot 1: Designer editor is now built into PowerPoint, so you can edit pictures without leaving the app. To get started, select a picture and then select Picture Format > Edit Picture, or right-click it and select Edit Picture.

Screenshot 2: Transform your visuals using AI-powered tools like Remove background, Auto enhance, and more—right from the canvas.

This message is associated with Microsoft 365 Roadmap ID 508530.

[When this will happen:]

• General Availability (Worldwide): Rollout will begin in mid-December 2025 (previously early December) and is expected to complete in January 2026 (previously mid-December 2025).

[How this affects your organization:]

• Who is affected: All users of PowerPoint in Microsoft 365 across commercial and education tenants.
• What will happen:
  • Users will gain access to a new AI-powered image editing experience within PowerPoint.
  • The Designer editor will be available directly in the PowerPoint interface.
  • The following capabilities will be included:
    • Generative Erase:  Remove unwanted elements from images.
    • Generative Move: Reposition objects within an image.
    • Add Text: Insert text directly onto images.
    • Edit Text: Recognize existing text in an image and edit it.
    • Upscale: Improve image resolution for sharper visuals.
    • Background Removal: Remove backgrounds for clean designs.
    • Auto Enhance (Color Adjustment): Automatically improve color balance and vibrancy.
    • Effects: Apply creative filters and styles.
  • The feature will be enabled by default for all users.
  • No changes to existing admin policies are required unless your organization chooses to manage availability.
  • AI usage limits for this feature:
    • Commercial users:
      • Copilot users have fair use access to all generative AI features.
      • Starter users have capacity-limited access; in-product messaging will notify users when limits are reached.
    • Consumer users:
      • Free and Basic MSA accounts: 15 credits/month for generative AI features.
      • Personal and Family subscribers: 60 credits/month.
      • Microsoft 365 Premium and Copilot Pro (while supported): fair use access.

[What you can do to prepare:]

• No action is required to enable the feature—it will be on by default.
• Review internal documentation if you provide guidance on PowerPoint features.
• Communicate this change to helpdesk and support teams to prepare for potential user questions.
• If your organization wishes to manage availability:
  • Configure access through policy or permissions as needed.
• Be aware:
  • This feature uses AI capabilities to edit and enhance images in PowerPoint.
  • AI usage disclaimers are included within the editor interface for end users.

[Compliance considerations:]

Updated December 1, 2025: We have updated the timeline. Thank you for your patience. 

[Introduction:]

We’re introducing the ability to use Microsoft 365 Copilot directly from the OneDrive activity center on macOS. This update enables users to perform Copilot actions—such as summarizing documents, generating FAQs, and asking questions—by selecting a file and clicking the vertical ellipsis. This enhancement brings Copilot closer to where users work, helping them extract insights and take action faster.

[When this will happen:]

General Availability (Worldwide, GCC, GCCH, and DoD): Rollout began in mid-November 2025 and is expected to complete by mid-December 2025 (previously early December).

[How this affects your organization:]

Who is affected: Users of OneDrive on macOS with a Microsoft 365 Copilot license.

What will happen:

• Users will be able to access Copilot actions from the OneDrive activity center by selecting a file and clicking the vertical ellipsis.
• Available actions include summarizing documents, generating FAQs, and asking questions:

 

• The feature is ON by default and does not require admin configuration.
• Microsoft 365 Copilot availability depends on market and language support.
• A qualifying Microsoft 365 enterprise or business plan is required.

[What you can do to prepare:]

• Inform users about the new Copilot capabilities in the OneDrive activity center.
• Review your organization’s Copilot licensing and availability.

Learn more: Get started with Copilot in OneDrive | Microsoft Support

[Compliance considerations:]

Question	Explanation
Does the change introduce or significantly modify AI/ML or agent capabilities that interact with or provide access to customer data?	Yes – This feature enables users to interact with Microsoft 365 Copilot, which uses AI to process and summarize file content.
Does the change provide end users any new way of interacting with generative AI?	Yes – Users can now initiate Copilot actions (e.g., summarization, Q&A) directly from the OneDrive activity center on macOS.

Updated December 2, 2025: We have updated the content. Thank you for your patience. 

[Introduction]

We’re introducing a new flexible layout option in future Teams meetings to give users more control over how shared content and participant videos appear. A resizable divider will let users adjust the space between shared content and the video gallery. Want to focus more on the presentation? Expand the content area. Prefer to see more people? Shrink the content area to make room for more video tiles. Users can also swap the position of content and participants to suit their viewing preference. This works with spotlighted speakers, pinned videos, and Speaker View, providing a more personalized meeting experience—especially helpful on larger or ultra-wide screens.

Screenshot 1: When someone is sharing content or when you are in Speaker view, grab the divider between the left and right views to resize them.

Screenshot 2. When you drag the divider to the left, you will see more people in the right gallery view. When you drag the divider to the right, you will see less people in the gallery but the content or speaker will become larger.

This message is associated with Microsoft 365 Roadmap ID 528930 and applies to Teams for Windows desktop and Teams for Mac desktop.

When this will happen:

• Targeted Release: Rolling out early January 2026, expected completion by late January 2026.
• General Availability (Worldwide and GCC): Rolling out early February 2026, expected completion by late March 2026.

How this will affect your organization:

Who is affected: All Teams users in Worldwide and GCC environments.

What will happen:

• Users will see a new resizable divider in Teams meetings during content sharing.
• Users can adjust layouts to prioritize content or participant video tiles.
• Users can swap positions of shared content and video gallery.
• Works with spotlighted speakers, pinned videos, and Speaker View.
• Enabled by default; no admin configuration required.

What you can do to prepare:

• No configuration is required; the feature is enabled by default.
• Update training materials and FAQs to explain:
  • How to find and use the resizable divider.
  • How to adjust layouts during content sharing and Speaker View.
• Communicate this change to helpdesk staff to prepare for user questions, especially from those with large or ultra-wide monitors.

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.

[Introduction]

Microsoft Teams is improving the experience for Network Device Interface (NDI) users by increasing bandwidth for NDI feeds during Teams meetings, webinars, and town halls. This enhancement enables higher-quality streams without requiring event organizers to pin or spotlight participants. To take advantage of this feature, first set-up NDI for Teams and then ensure that any participant’s video that you want to send to NDI is visible in the Teams’ client. Customers can now experience up to eight distinct 1080p NDI streams with appropriate hardware and network conditions.

This message is associated with Roadmap ID 529854 and is applicable to Teams for Windows desktop and Teams for Mac desktop.

[When this will happen:]

General Availability: Rollout begins early January 2026; expected completion by mid-January 2026.

[How this affects your organization:]

Who is affected: Organizations using Microsoft Teams with NDI enabled for meetings, webinars, or town halls.

What will happen:

• Bandwidth will automatically increase when an NDI feed is subscribed within a meeting.
• No need to pin or spotlight participants for prioritization.
• Up to eight distinct 1080p NDI streams will be supported based on network conditions.
• No changes to admin settings or policies; feature works automatically when NDI is enabled.

[What you can do to prepare:]

• No action is required.
• If you maintain internal documentation for NDI usage, you may want to update it to reflect this improvement.

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.

[Introduction]

Microsoft Planner will soon support Microsoft Information Protection (MIP) sensitivity labels at the content level. This enhancement enables encryption, restricts unauthorized actions such as copying, printing, or exporting plan contents, and adds visual markings like watermarks for clear sensitivity awareness. By enforcing content-level protections, Planner helps organizations prevent data leaks, maintain compliance, and enable secure collaboration without impacting productivity. This update aligns Planner with Microsoft Purview standards for consistent enforcement of security and data protection policies.

This message is associated with Microsoft 365 Roadmap ID 523819.

[When this will happen:]

General Availability (Worldwide): Rollout will begin in early December 2025 and is expected to complete by mid-December 2025.

[How this affects your organization:]

Who is affected: Admins and users of Microsoft Planner across Microsoft 365 tenants.

What will happen:

• Planner will support Microsoft Information Protection (MIP) sensitivity labels at the content level.
• Container-level labels (already supported) control who can join a plan and enforce restrictions like guest access and sharing limits.
• Content-level labels (new):
  • Block copy, print, and export actions.
  • Enforce read-only access for highly confidential plans.
  • Restrict duplicating or exporting plans.
• Feature will be enabled by default and progressively available across all tenants by December 15, 2025.

Screenshot 1: Label Picker

Screenshot 2: Label Details

Screenshot 3: Label induced restrictions

[What you can do to prepare:]

• No changes are required for existing labels.
• Review Purview label protection settings (copy/print/export restrictions) and confirm RMS usage rights align with expected Planner behaviors.
• Update governance guidance and user training for label behaviors in Planner.
• Update help and user training for label behaviors in Planner.

Learn more: Learn about sensitivity labels (updates in progress)

FAQ

Question: What label types does Planner support now?
Answer: Planner has long supported container‑level labels (Teams/M365 Group/roster access controls). With this release, Planner adds enforcement for content‑level labels (block copy/print/export, read‑only, etc.) on plans and tasks consistent with Microsoft Purview policies and RMS usage rights.

Question: Which plan types are covered and when?
Answer: Rollout begins with Roster Plans followed by Group‑backed Plans.

Question: Do I need to change any Purview policies or configurations?
Answer: No changes are required for existing labels; however, you should review label protection settings (e.g., copy/print/export restrictions) and confirm RMS usage rights align with expected Planner behaviors. Update governance guidance accordingly.

Question: How does this interact with Loop and Teams meeting notes/TLC?
Answer: Loop meeting notes apply a single content label across the page and its components (including Task List components (TLC)). Planner now inherits and enforces those restrictions on the corresponding roster plan, preventing prior sync breaks when restrictive labels were applied.

Question: What happens to guest/external users under different label combinations?
Answer: Container labels determine who can be added; content labels determine what actions are permitted. For example, guests can be added when the container allows it, but content‑level restrictions may prevent plan access or actions (copy/export/print).

Question: Who can change a plan’s sensitivity label?
Answer: Typically, owners/editors with the appropriate rights can change labels. Permissions are enforced service‑side and reflected in the UI according to RMS usage rights.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

[Introduction]

We’re adding more customization to your communities in the Viva Engage app for Microsoft Teams in iOS. Soon, as a community admin, you’ll be able to update your communities’ cover photos directly from the Teams iOS app. This feature is already available on Teams for Windows desktop, Teams for Mac desktop, Teams for the web, and Teams for Android, and supports a consistent and personalized experience across platforms.

Screenshot 1: A community’s cover photo, with options to Take a photo or Upload a picture.

This message is associated with Roadmap ID 526783.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out in late December 2025 and expect to complete by early January 2026.

[How this will affect your organization:]

Who is affected: All Viva Engage community admins using the Viva Engage app in Microsoft Teams.

What will happen:

• Users will be able to update community cover photos directly from the Teams iOS app.
• This feature is enabled by default and does not require admin configuration.
• There is no change to existing admin policies or controls.

[What you can do to prepare:]

• Update any internal documentation that references community customization.
• No admin action is required to enable this feature.

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

We’re making some changes to Exchange Web Services (EWS).

Starting March 1, 2026, we will start to block EWS access for all mailboxes without license rights to EWS. This is another step in our ongoing commitment to enhance the security and control mechanisms of EWS.

[How this will affect your organization:]

The impacted licenses are:

• Exchange Online Kiosk
• Microsoft 365 and Office 365 F1
• Microsoft 365 and Office 365 F3

As stated in the Service Descriptions, these licenses do not provide access to mailboxes via EWS, but these restrictions were never enforced. With this change, EWS access for users with only these license types will be blocked.

[What you need to do to prepare:]

If you wish these users to continue to use EWS, and your users are licensed with one of these noted above, you’ll need to assign a new license, one containing EWS access rights. For example, you could assign an Exchange Online Plan 1 or 2 license, or a Microsoft 365 or Office 365 E3 or E5 license.

Starting March 1, 2026, requests to use EWS without a suitable license will result in a HTTP 403 response.

Learn more: Update to EWS Access for Kiosk / Frontline Worker Licensed Users 

Updated December 1, 2025: We have updated the timeline below. Thank you for your patience.

Data storage for shared Loop workspaces will be located in the expected geo for multi-geo tenants.

This message is associated with Microsoft 365 Roadmap ID 421616

[When this will happen:]

General Availability (Worldwide): We will begin rolling out mid-December 2025 (previously late November) and expect to complete by mid-January 2026 (previously late December 2025).

[How this will affect your organization:]

If your organization uses multi-geo configuration, data storage for shared Loop workspaces in SharePoint Embedded will be located in the expected geo for multi-geo tenants:

• M365 group-owned workspaces are created in the group’s geo (delivery of M365 group-owned workspaces is associated with Microsoft 365 Roadmap ID 422728)
• non-M365 group-owned workspaces are created in the creator’s preferred data location.

[What you need to do to prepare:]

There is nothing you need to do to prepare. These changes will roll to your multi-geo configured tenants automatically.

Updated December 2, 2025: We have updated the content. We will communicate special cloud progress in a separate Message center post in future. Thank you for your patience.

Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:

• Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
• Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
• Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
• Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.

This message is associated with Microsoft 365 Roadmap ID 422730.

[When this will happen:]

Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.

General Availability (WW): We will begin rolling out late August 2025 (previously late June) and expect to complete by mid-September 2025.

[How this will affect your organization:]

Enable this feature by turning on Share data with other security solutions in the IRM global settings.

Only users with Insider risk analysis or investigation roles in the Microsoft Purview portal can access IRM data in Defender XDR.

To access alerts, incidents, and events from Defender XDR via API, you need to provision apps with the necessary permissions. IRM data is accessible via Microsoft Security Graph APIs, allowing for reading and updating alert or incident statuses. Permissions are set at the application level, without solution-specific scoping. Any existing apps pulling data from these APIs will also access IRM data. So, if you integrate XDR alerts into external ticketing systems, IRM alerts will show up, unless you specifically filter out the alerts.

IRM alerts will appear in Sentinel if your tenant has the Defender XDR connector enabled in Microsoft Sentinel.

In Defender XDR, IRM data is not pseudonymized to allow effective correlation of IRM alerts with alerts from other solutions within the platform, such as Defender for Endpoint and Defender for Cloud apps.

These changes will be available by default for admins to configure in IRM global settings.

Admins will be able to view Insider Risk Management alerts in Defender XDR:

Harness the power of Advanced Hunting queries with two new tables that contain Insider Risk Management data: DataSecurityBehaviors and DataSecurityEvents. In this query, 54 confidential files were exfiltrated through mail.google.com by 2 unique users:

[What you need to do to prepare:]

• Opt-in to data sharing settings in IRM global settings page.
• Assign necessary permissions to analysts
• Review existing apps accessing Defender XDR data through Graph APIs.
• If your organization is using Microsoft Defender XDR connector, please review the list of users who will gain access to this data through Sentinel.

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration in IRM global settings to determine the impact for your organization. You may want to notify your admins about this change and update any relevant documentation.