
Microsoft Security Community Blog

Microsoft Purview Data Security Investigations is now generally available

Katerina_Athanasiou
Jan 26, 2026

Every data security investigation starts with the same question: What data security risks are buried in this data? Exposed credentials in thousands of files across a data estate. Evidence of fraud hidden in vendor communications. Sensitive documents accidentally shared to a large group. Finding these risks manually — reviewing content file by file, message by message — is no longer viable when organizations are managing 220 zettabytes of data[1] and facing over 12,000 confirmed breaches annually[2].

That's why we built Microsoft Purview Data Security Investigations, now generally available.

Microsoft Purview Data Security Investigations enables data security teams to identify investigation-relevant data, investigate that data with AI-powered deep content analysis, and mitigate risk — all within one unified solution. Teams can quickly analyze data at scale to surface sensitive data and security risks, then collaborate securely to address them. By streamlining complex, time‑consuming investigative workflows, admins can resolve investigations in hours instead of weeks or months.

Proactive and reactive investigation scenarios

Organizations are using Data Security Investigations to tackle diverse data security challenges — from reactive incident response to proactive risk assessment. Some of our top use cases from preview include:

  • Data breach and leak: Understand severity, sensitivity, and significance of data that has been leaked or breached, including risks buried in impacted data, to take action and mitigate its impact to the organization.
  • Credentials exposure: Proactively scan thousands of SharePoint sites to identify files containing credentials like passwords, which can give a threat actor prolonged access to an organization's environment.
  • Internal fraud and bribery: Uncover suspicious communications tied to vendor payments or client interactions by surfacing hard-to-find patterns in large volumes of emails and messages.
  • Sensitive data exposure in Teams: Determine who accessed classified documents after accidental sharing — and whether that data was further distributed.
  • Inappropriate content investigations: Quickly find what was posted, where, and by whom, even when teams only know a timeframe or channel name.

Investigations that once took weeks — or weren’t possible at all — can now be completed in hours. By eliminating manual effort and surfacing hidden risks across sprawling data estates, Data Security Investigations empowers teams to investigate more efficiently and confidently, making deep, scalable investigations a reality.

What Microsoft Purview Data Security Investigations does – and what’s new

Since launching public preview, we've listened closely to customer feedback and made significant enhancements to help teams investigate faster, mitigate more effectively, and manage costs with confidence. Data Security Investigations addresses three critical stages of an investigation:

  1. Identify impacted data

Data Security admins can efficiently identify relevant data by searching their Microsoft 365 data estate to locate emails, Teams messages, Copilot prompts and responses, and documents. Investigators can also launch pre-scoped investigations from a Microsoft Defender XDR incident or a Microsoft Purview Insider Risk Management case. We’ve recently added a new integration that allows admins to launch a Data Security Investigation from Microsoft Purview Data Security Posture Management as well. This capability can help a data security admin investigate an objective, such as preventing data exfiltration.

  2. Investigate using deep content analysis

Once the investigation is scoped, the solution's generative AI capabilities allow admins to gain deeper insights into the data, analyzing across 95+ languages to uncover critical sensitive data and security risks. Teams can quickly answer three questions: What data security risks exist within the data? Why do they matter? And what actions can be taken to mitigate them? To help answer these questions, two new investigative capabilities, AI search and AI context input, as well as enhancements to existing features, were added in November. Data Security Investigations helps admins scale their impact and accelerate investigations with the following features:

  • AI search: Using a new AI-powered natural language search experience, admins can find key risks using keywords, metadata, and semantic embeddings — making it easier to locate investigation-relevant content across large data estates.
  • Categorization: By automatically classifying investigation data into meaningful categories, admins can quickly understand incident severity, what types of content are at risk, and trends within an investigation.
  • Vector search: Using semantic search, admins can find contextually related content, even when exact keywords don't match.
  • Risk examination: Using deep content analysis, admins can examine content for sensitive data and security risks, providing a risk score, recommended mitigation steps, and AI-generated rationale for each analyzed asset.
  • AI context input: Admins can now add investigation-specific context before analysis, resulting in more efficient, higher-quality insights tailored to the specific incident.

Figure 1: AI search in action, finding credentials present in the dataset being investigated.

  3. Mitigate identified risks

Investigators can use Data Security Investigations to securely collaborate with partner teams to mitigate identified risks, simplifying tasks that have traditionally been time consuming and complex. In September, we launched an integration with the Microsoft Sentinel graph, the data risk graph, allowing admins to visualize correlations between investigation data, users, and their activities. This automatically combines unified audit logs, Entra audit logs, and threat intelligence, which would otherwise need to be manually correlated, saving time, providing critical context, and allowing investigators to understand all nodes in their investigation. At the start of January 2026, we launched a new mitigation action, purge, that helps admins quickly and efficiently delete sensitive or overshared content directly within the investigation workflow in the product interface. This reduces exposure immediately and keeps incidents from escalating or recurring.

Built-in cost management tools

To help customers predict and manage costs associated with using Data Security Investigations, we recently released a lightweight cost estimator and usage dashboard. The in-product cost estimator is now available to help analysts model and forecast both storage and compute unit costs based on specific use cases, enabling more accurate budget planning. Additionally, the usage dashboard provides granular breakdowns of billed storage and compute unit usage, empowering data security admins to identify cost-saving opportunities and optimize resource allocation. For detailed guidance on managing costs, see https://aka.ms/DSIcostmanagementtips.

Refined business model for general availability 

These cost management tools are designed to support our updated business model, which offers greater flexibility and transparency. Customers need the freedom to scale investigations without overcommitting resources. To better align with how customers investigate data risk at scale, we refined the Data Security Investigations business model as part of general availability. The product now uses two consumptive meters:

  1. Data Security Investigations Storage Meter – For storing investigation-related data, charged by GB
  2. Data Security Investigations Compute Meter – For the computational capacity required to complete AI-powered data analysis and actions, charged by Compute Units (CUs)

Monthly charges are determined by the amount of data stored and the number of CUs consumed per hour. This pay-as-you-go model ensures customers only pay for what they need when they need it, providing the flexibility, scalability, and cost efficiency needed for both urgent incident response and proactive data security hygiene assessments. Find more information on pricing at aka.ms/purviewpricing.

Get started today

As data security threats evolve, so must the way we investigate them. Microsoft Purview Data Security Investigations is now generally available, giving organizations a modern, AI-powered approach to uncovering and mitigating risk — without the complexity of disconnected tools or manual workflows.  Whether investigating an active breach or proactively hunting for hidden risks, Data Security Investigations gives data security teams the speed and precision needed to act decisively in today's threat landscape.

 

[1] Worldwide IDC Global DataSphere Forecast, 2025–2029

[2] 2025 Data Breach Investigations Report (DBIR), 2025-dbir-data-breach-investigations-report.pdf

Updated Jan 26, 2026
Version 2.0