Microsoft Purview | Data loss prevention – Alert classification property for DLP alerts on Purview portal

Microsoft Purview introduces a new DLP alert classification property—True Positive, False Positive, Benign Positive, or Not Set—syncing with Microsoft Defender. Rolling out from late October to December 2025, it enables individual or bulk classification by admins, enhancing alert management and reporting without requiring activation.

To help security teams better manage and report on data loss prevention (DLP) alerts, Microsoft Purview is introducing a new classification property. This feature allows alerts to be categorized directly in the Purview portal as True Positive, False Positive, or Benign Positive. Classifications can be applied individually or in bulk, and they sync bi-directionally with Microsoft Defender.

This message is associated with Microsoft 365 Roadmap ID 511795.

When this will happen:

Public Preview: Rollout will begin in late October 2025 and is expected to complete by early November 2025.

General Availability (Worldwide): Rollout will begin in late November 2025 and is expected to complete by early December 2025.

How this affects your organization:

  • Who is affected: Admins managing DLP alerts in the Microsoft Purview portal.
  • What will happen:
    • A new classification property will be available for DLP alerts.
    • Alerts can be classified as True Positive, False Positive, Benign Positive, or Not Set.
    • Classification can be applied individually or in bulk.
    • Classification will sync between Purview and Defender portals.
    • Feature will be enabled by default; no admin action is required to activate.

What you can do to prepare:

  • No action is required to enable this feature.
  • Review internal documentation and update any alert handling workflows.
  • Communicate this change to security and compliance teams.
  • Use the classification property to enhance reporting and incident response.
  • For bulk classification, select multiple alerts and use the Set Status button in the alerts queue page.

For visual guidance, refer to the confirmation email attachments for high-resolution PNGs.

How to use the feature:

  1. Generate a DLP alert.
  2. Open the Purview alerts page.
  3. Open the alert details and classify the alert:

  4. Alerts can be classified using the left panel on the alerts queue page after clicking the Manage Alerts button:

  5. You can also classify multiple alerts in bulk by selecting them and clicking the Set Status button:

Compliance considerations:

Does the change store new customer data? Yes, it stores a new classification property in alert data.
Does the change alter how admins can monitor, report on, or demonstrate compliance activities? Yes, admins can now use the classification property on alerts to generate reports.

Message ID: MC1169572

