IT administrators rely heavily on Microsoft Purview Audit alerts to monitor critical activities in their organization’s Microsoft 365 environment. However, with Microsoft announcing the retirement of event alerts within the Purview Audit solution on March 24, 2025, admins need to rethink how they manage alert policies. This retirement will impact organizations that have been using Audit-based alerts and associated cmdlets such as:
- Get-AuditConfigurationRule
- New-AuditConfigurationRule
- Remove-AuditConfigurationRule
- Set-AuditConfigurationRule
Since these commands will be deprecated, admins must migrate to Purview Data Loss Prevention (DLP) alerts to continue receiving relevant security notifications. This guide breaks down the impact of this change and provides step-by-step instructions to ensure a smooth transition.
Understanding the Change: What’s Being Retired?
Previously, Microsoft Purview allowed organizations to create event alert policies in both the Audit solution and DLP. While DLP alerts remain unaffected, Microsoft is completely removing Audit-based event alerts and its UI components.
Key takeaways:
- Audit-based alert policies will stop generating alerts after March 24, 2025.
- You won’t be able to create new alert policies within Purview Audit.
- Purview DLP remains the preferred solution for alerting, with continued investment in development.
- Existing cmdlets for managing Audit alert policies will be retired, requiring admins to switch to DLP alternatives.
Why Is Microsoft Making This Change?
Microsoft is consolidating alerting functionalities into DLP to streamline security monitoring and improve alert management efficiency. This ensures that IT admins get a more unified and robust security monitoring experience.
How This Affects Your Organization
If you currently use Purview Audit for alerting:
- Your existing Audit-based alert policies will no longer work after March 24, 2025.
- You must migrate your policies to DLP to continue receiving security alerts.
- Any scripts, automations, or workflows using the cmdlets (“, etc.) will fail after the retirement date.
If you already use Purview DLP alerts:
- You remain unaffected by this change.
- You should review your alert policies to ensure they cover all necessary events previously managed under Audit.
Step-by-Step Migration Plan: Moving from Audit Alerts to DLP Alerts
1: Identify Existing Audit-Based Alert Policies
Before migrating, find all the active alert policies currently managed through Purview Audit.
Run the following PowerShell command:
Get-AuditConfigurationRule | Format-List Name,Workload,AuditOperation,Policy
This command provides a list of all alert policies created under Purview Audit, including details on their workload and policy rules.
2: Recreate Audit Alerts in Purview DLP
Since DLP is now the preferred solution, you must manually recreate your Audit alert policies in Purview DLP. Here’s how:
- Go to the Microsoft Purview compliance portal
- Create a new DLP policy
- Configure alert conditions
- Define alert severity and response actions
- Save and deploy the policy
3: Validate the Migration
After setting up your DLP alerts, perform a validation check:
- Manually trigger an event that should generate a DLP alert.
- Monitor the Microsoft Purview compliance portal to ensure alerts appear as expected.
- Adjust policy configurations as needed to match previous Audit-based alerts.
Additional Considerations: Licensing & Permissions
Before configuring Purview DLP alerts, ensure you have the necessary licenses:
Additionally, users must have the right permissions to manage DLP alerts. Recommended role groups include:
- Compliance Administrator
- Security Administrator
- DLP Compliance Management
For a full list of applicable role groups, refer to Permissions in the Microsoft Purview compliance portal.
What Should You Do Next?
- If you rely on Audit alerts, act now to migrate to Purview DLP alerts before March 24, 2025.
- Use the “ cmdlet to review existing policies before they stop functioning.
- Follow the step-by-step guide to recreate alerts in Purview DLP and ensure continued monitoring.
- Review licensing and permissions to avoid disruptions in alert management.
By proactively transitioning to DLP alerts, IT admins can maintain security visibility and avoid losing critical alerts when the Audit-based alerting feature is retired.
For detailed guidance, visit Microsoft’s official DLP Alert Policies documentation.
