If you’ve ever managed Data Loss Prevention (DLP) policies in Microsoft Purview, you know how quickly the alert notifications can pile up. One minute you’re reviewing a single alert, and before you know it, your dashboard is flooded with multiple alerts triggered by the same user for the same rule.
The good news is that Microsoft is rolling out a new feature called User-Based Alert Aggregation in the Purview compliance portal. This will make DLP alert management far more manageable and easier to triage.
What is User-Based Alert Aggregation?
In simple terms, this feature allows you to group DLP alerts by user within a set time window. Instead of getting multiple alerts for every single rule match event that a user triggers, the system consolidates them into a single, more meaningful alert.
For example, imagine User A accidentally tries to share a sensitive document multiple times within 15 minutes. Without aggregation, you’d get a separate alert for each attempt: five alerts for the same incident. With User-Based Alert Aggregation, all these events are grouped into a single alert per user per rule. This means you can focus on investigating the actual incident efficiently, instead of getting lost in a flood of repetitive notifications.
How to Configure User-Based Aggregation in Microsoft Purview?
The best part is it’s opt-in. You’re not forced to use it, but if you want to reduce alert noise and streamline investigations, it’s worth enabling. Here’s how you can enable it in your tenant:
- Go to the Microsoft Purview compliance portal.
- Navigate to Settings > Data Loss Prevention > User-Based Alert Aggregation.
- Toggle the feature on and select your preferred aggregation time window.
Once enabled, DLP alerts for the same user and rule within the selected window will automatically be grouped. It is also worth communicating this change to your security operations team so everyone knows what to expect.
Release Timeline:
Microsoft is rolling out User-Based Alert Aggregation in phases.
- The Public Preview will start in late September 2025 and is expected to complete by early October 2025.
- General Availability worldwide will begin in late October 2025 and wrap up by early November 2025. This gives admins some time to explore the feature before it becomes fully available.
How User-Based Aggregation Helps
A few small things to note:
- Alerts will still be created per user and per rule, so multiple users triggering the same rule will generate separate alerts.
- If an alert is marked as resolved or closed, events can still be added as long as the aggregation window is active.
- Alert volume may increase slightly, since each user gets their own alert, but the trade-off is far more manageable, organized data.
Here’s why this feature truly helps your team:
- Security teams often spend a lot of time manually connecting multiple alerts for the same user. With user-based aggregation, related alerts are already grouped logically, letting you spot patterns and respond faster.
- Aggregated alerts provide a concise view of a user’s activities during the aggregation window. This makes it easier to detect risky behavior or potential insider threats without wading through repetitive alerts.
- Admins can select the aggregation window, with a minimum of 15 minutes. This flexibility lets you fine-tune the system to your organization’s needs: shorter windows catch rapid incidents, while longer windows reduce alert noise in busy environments.
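To make the grouping rule concrete, here is a small Python simulation, added for this post and not Microsoft's code, of the behaviour described above and in the notes earlier: rule-match events are keyed by user and rule, a window of at least 15 minutes collects them into one alert, a different user or a different rule gets its own alert, and events that arrive after an analyst has resolved the alert are still attached while the window is open. The users, rule names, file names and the 09:06 resolution time are constructed sample data, and anchoring the window at the first event for a user/rule pair is an assumption, since the post does not spell out the exact window semantics.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_WINDOW_MINUTES = 15  # smallest selectable aggregation window per the post


@dataclass
class DlpEvent:
    """One DLP rule-match event (constructed sample shape, not Purview's schema)."""
    time: datetime
    user: str
    rule: str
    item: str


@dataclass
class AggregatedAlert:
    """One alert per user per rule for one aggregation window."""
    user: str
    rule: str
    window_start: datetime
    window_end: datetime
    events: list = field(default_factory=list)
    resolved_at: Optional[datetime] = None
    events_after_resolution: int = 0


def aggregate_alerts(events, window_minutes=15, resolutions=None):
    """Group rule-match events into alerts keyed by (user, rule).

    Assumption: the window opens at the first event for a (user, rule) pair and
    stays active for window_minutes. Later events in that span join the same
    alert even if an analyst already resolved it; an event after the window
    closes opens a fresh alert. `resolutions` maps (user, rule) to the time an
    analyst resolved that alert (constructed input for the simulation).
    """
    if window_minutes < MIN_WINDOW_MINUTES:
        raise ValueError(f"aggregation window must be at least {MIN_WINDOW_MINUTES} minutes")
    resolutions = resolutions or {}
    window = timedelta(minutes=window_minutes)
    alerts = []
    open_alert = {}  # (user, rule) -> alert whose window is still active

    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.user, ev.rule)
        current = open_alert.get(key)
        if current is None or ev.time >= current.window_end:
            # No active window for this user+rule pair: raise a new alert.
            current = AggregatedAlert(ev.user, ev.rule, ev.time, ev.time + window)
            alerts.append(current)
            open_alert[key] = current

        # A resolution inside this alert's window closes it but does not stop
        # further events in the window from being attached to it.
        closed_at = resolutions.get(key)
        if closed_at is not None and current.window_start <= closed_at < current.window_end:
            current.resolved_at = closed_at
            if ev.time >= closed_at:
                current.events_after_resolution += 1

        current.events.append(ev)
    return alerts


def summarize(alerts):
    """Compact view: (user, rule, event count, events added after resolution)."""
    return [(a.user, a.rule, len(a.events), a.events_after_resolution) for a in alerts]


def _t(hh, mm):
    return datetime(2025, 10, 1, hh, mm)


CCN = "Credit Card Numbers"
SSN = "U.S. Social Security Numbers"

# Constructed sample: eight rule matches in 16 minutes.
SAMPLE_EVENTS = [
    DlpEvent(_t(9, 0), "alice", CCN, "Q3-report.xlsx"),
    DlpEvent(_t(9, 2), "alice", CCN, "Q3-report.xlsx"),
    DlpEvent(_t(9, 3), "bob", CCN, "invoice.pdf"),      # different user -> own alert
    DlpEvent(_t(9, 4), "alice", SSN, "hr-list.csv"),    # different rule -> own alert
    DlpEvent(_t(9, 5), "alice", CCN, "Q3-report.xlsx"),
    DlpEvent(_t(9, 9), "alice", CCN, "Q3-report.xlsx"),
    DlpEvent(_t(9, 13), "alice", CCN, "Q3-report.xlsx"),
    DlpEvent(_t(9, 16), "alice", CCN, "Q3-report.xlsx"),  # 09:00 window closed at 09:15
]
# Constructed: an analyst resolved alice's Credit Card alert at 09:06.
SAMPLE_RESOLUTIONS = {("alice", CCN): _t(9, 6)}

if __name__ == "__main__":
    result = aggregate_alerts(SAMPLE_EVENTS, 15, SAMPLE_RESOLUTIONS)
    print(f"{len(SAMPLE_EVENTS)} events -> {len(result)} alerts")
    for user, rule, count, after in summarize(result):
        print(f"  {user:<6} {rule:<30} events={count} added_after_resolution={after}")
```

Running it turns the eight sample events into four alerts: alice's five Credit Card matches between 09:00 and 09:13 collapse into one alert, of which two events landed after the 09:06 resolution; bob's match and alice's Social Security match each get their own alert; and alice's 09:16 match opens a new window and a new alert. Shortening or lengthening `window_minutes` is the knob the post refers to, and the minimum of 15 minutes is enforced as the post states.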
From my perspective, User-Based Alert Aggregation is a smart move. If DLP alerts have been overwhelming your team, this feature is definitely worth trying. It’s easy to enable, straightforward to understand, and helps your team stay on top of security incidents without getting buried in repetitive alerts.
For anyone serious about efficient alert management, this is one feature you don’t want to miss. After all, in security, it’s all about seeing the forest, not just the trees, and this feature helps you do exactly that.