Microsoft Purview · Purview Agents (Preview)

Data Security DLP Triage Agent

Combined role requirements for setting up, configuring, and viewing results from the DLP Triage Agent. This agent automatically triages DLP alerts from Exchange, Teams, OneDrive, SharePoint, and Devices, categorizing them as "Needs attention", "Less urgent", or "Not categorized".

Scope: DLP alert triage automation across Exchange, Teams, OneDrive, SharePoint, and Devices

Permissions

  • Enable DLP Triage Agent - Set up the agent using user identity (requires Information Protection Analyst or Information Protection Investigator plus Purview Content Analyst); with agent identity the agent runs under its own identity rather than the enabling analyst's
  • Configure Agent - Customize triage rules and agent behavior (requires the Purview Agent Analysis role)
  • View Triaged Alerts - Access agent-categorized DLP alerts and the justification recorded for each category (requires the Purview Agent Analysis role)
  • Data Classification Content Download - Required for the agent to read the content referenced by an alert during triage analysis
  • Security Copilot Contributor - Required for interacting with and customizing the agent; this is a Security Copilot role, not a Purview role group, so it is assigned in Security Copilot rather than in the Purview permissions page
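The following script is an added example, not code from this RBACMap page or from Microsoft. It checks whether a given analyst holds the Purview role groups and management roles listed above, using Security & Compliance PowerShell (ExchangeOnlineManagement module). The role and role-group names are taken from this page as given; confirm the exact display names in your tenant with Get-RoleGroup (for example, the portal uses the plural "Information Protection Analysts"), which is why the script matches group names with wildcards. Security Copilot Contributor is a Security Copilot role rather than a Purview role group, so it is not checked here.

```powershell
<#
Added example (not from the RBACMap page or Microsoft): verify that a user holds
the Purview role groups and roles this page lists for the DLP Triage Agent.
Assumes the ExchangeOnlineManagement module is installed and the caller can read
role groups. Role/role-group names are as the page gives them; confirm them in
your tenant with Get-RoleGroup.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in to Security & Compliance PowerShell

# Management roles the page names as required (names taken from the page).
$requiredRoles = @(
    'Data Classification Content Download',
    'Purview Agent Analysis'
)

# Role-group name patterns for enabling the agent with user identity.
$setupGroupPatterns    = @('Information Protection Analyst*', 'Information Protection Investigator*')
$contentAnalystPattern = 'Purview Content Analyst*'

# Does this role-group member object refer to the target user? Several properties are
# tried because member objects expose different identifiers in different tenants.
function Test-IsTargetUser {
    param($Member, [string]$Upn)
    foreach ($p in 'PrimarySmtpAddress', 'WindowsLiveID', 'Name', 'DisplayName', 'Alias') {
        $v = $Member.PSObject.Properties[$p]
        if ($v -and "$($v.Value)" -ieq $Upn) { return $true }
    }
    return $false
}

# Collect the role groups the user is a direct member of and the roles they carry.
# Caveat: Get-RoleGroupMember does not expand nested security groups.
$memberOf = @()
foreach ($rg in Get-RoleGroup) {
    $members = Get-RoleGroupMember -Identity $rg.Identity
    if ($members | Where-Object { Test-IsTargetUser -Member $_ -Upn $UserPrincipalName }) {
        $memberOf += $rg
    }
}
$effectiveRoles = $memberOf | ForEach-Object { $_.Roles } | ForEach-Object { "$_" } | Sort-Object -Unique

Write-Host "Role groups for ${UserPrincipalName}:"
$memberOf | ForEach-Object { Write-Host "  $($_.Name)" }

$hasSetupGroup     = $memberOf | Where-Object { $n = $_.Name; $setupGroupPatterns | Where-Object { $n -like $_ } }
$hasContentAnalyst = $memberOf | Where-Object { $_.Name -like $contentAnalystPattern }
$missingRoles      = $requiredRoles | Where-Object { $effectiveRoles -notcontains $_ }

if (-not $hasSetupGroup) {
    Write-Warning 'Not in Information Protection Analysts/Investigators: cannot enable the agent with user identity.'
}
if (-not $hasContentAnalyst) {
    Write-Warning 'Not in the Purview Content Analyst role group, which this page lists for setup.'
}
if ($missingRoles) {
    Write-Warning "Missing management roles: $($missingRoles -join ', ')"
}
if ($hasSetupGroup -and $hasContentAnalyst -and -not $missingRoles) {
    Write-Host 'All Purview role requirements listed on this page are satisfied.'
}
```

Run it as `.\Test-DlpTriageRoles.ps1 -UserPrincipalName analyst@contoso.com` (the file name and UPN are placeholders). A warning for a missing role group or role is the expected outcome when an analyst reports that the agent cannot be enabled or that triaged alerts are not visible.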

Common use cases

  • Automating initial DLP alert triage to reduce analyst workload
  • Prioritizing high-severity DLP incidents for immediate investigation
  • Reducing false positive fatigue for DLP alert reviewers
  • Accelerating DLP incident response times
  • Providing consistent alert categorization across DLP workloads

Best practices

  • Use agent identity (recommended) instead of user identity when possible, so the agent's access is not tied to an individual analyst's account and role assignments
  • Start with a subset of DLP policies before expanding scope
  • Review triage accuracy regularly and adjust agent configuration
  • Ensure analysts still review "Needs attention" alerts promptly
  • Monitor SCU (Security Compute Unit) consumption, since triage cost scales with alert volume
  • Coordinate with Information Protection team for triage rule customization

Security considerations

  • The agent reads DLP alert content, which can include the sensitive data that triggered the alert
  • Data Classification Content Download grants read access to classified content, not only to alert metadata
  • Triage categorizations should be verified by human analysts before alerts are closed or dismissed, including those labeled "Less urgent"
  • The agent processes data across Exchange, Teams, OneDrive, SharePoint, and Devices, so its access spans every DLP workload in scope
  • Security Copilot Contributor is broad: it grants access to all SCU-based Security Copilot features, not just this agent, so assign it deliberately
  • Monitor agent activity through the unified audit log, in particular content-download operations
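An added example of the audit-log check suggested above, not code from this RBACMap page or from Microsoft: it pulls the last seven days of unified audit log events whose text mentions the DLP Triage Agent, summarizes them by record type and operation, and then lists the events that read or downloaded content. It assumes Connect-IPPSSession has already been run and unified audit logging is enabled; the free-text filter 'DLP Triage', the seven-day window, and the operation-name regex are illustrative choices, and because this page does not document the agent's actual RecordType or Operation values, the script discovers them rather than hard-coding them.

```powershell
<#
Added example (not from the RBACMap page or Microsoft): summarize unified audit
log activity that mentions the DLP Triage Agent and isolate content-access events.
Assumes Connect-IPPSSession has been run and unified audit logging is enabled.
The filter text, time window and operation-name regex are assumptions.
#>
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "dlp-triage-audit-$([guid]::NewGuid())"
$events    = @()

# ReturnLargeSet pages through results 5000 at a time; an empty batch ends the loop.
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -FreeText 'DLP Triage' -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $events += $batch }
} while ($batch)

if (-not $events) {
    Write-Host 'No matching audit events in the window.'
    return
}

# Which record types and operations did the agent generate?
$events | Group-Object RecordType, Operations |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Expand the AuditData JSON and isolate operations that read or downloaded content;
# these are the events the Data Classification Content Download permission enables.
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Operation -match 'Download|Read|Access' } |
    Select-Object CreationTime, UserId, Operation, ObjectId |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

Once the first summary shows which RecordType and Operation values the agent actually produces in your tenant, replace the free-text filter with `-RecordType` and `-Operations` parameters for faster, more precise queries, and consider scheduling the script so content-access counts can be compared against alert volume (and SCU spend) over time.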

Official Microsoft Learn documentation →