Microsoft to Phase Out Event Alerts in Purview Audit – How to Prepare for the Change
Microsoft will retire the event alerts feature in Purview Audit by March 2025.
Published: Feb 18, 2025
Key Takeaways:
- Microsoft will retire the event alerts feature in its Purview Audit solution by March 2025.
- Microsoft recommends users migrate their alert policies to Purview Data Loss Prevention (DLP).
- Administrators will lose access to related cmdlets and the ability to create new alert policies in Purview Audit.
Microsoft is preparing to retire the event alerts feature in its Purview Audit solution. The company announced on the Microsoft 365 Admin Center that this change will take effect in March 2025.
Microsoft Purview Audit is an auditing solution designed to support organizations in conducting forensic and compliance investigations. It provides high-bandwidth access to audit logs, allowing efficient data retrieval and allows for customized retention policies to meet regulatory requirements.
In the Microsoft Purview Audit solution, the event alerts feature enables administrators to be notified through email when specific events occur within their tenants. They can create alert policies to monitor specific activities such as file access, user logins, and changes to permissions. These alerts help IT admins quickly respond to potential security issues and policy violations.
Starting on March 24, any alert policies previously set up using the Microsoft Purview Audit solution will stop functioning. These policies will no longer trigger email notifications when the specified event occurs. Microsoft will retire support for the following cmdlets: Get-AuditConfigurationRule, New-AuditConfigurationRule, Remove-AuditConfigurationRule, and Set-AuditConfigurationRule.
Additionally, administrators will no longer be able to create new alert policies using the Audit solution. Last year, Microsoft removed this functionality from the Purview Portal’s Audit UI.
“Please note that the event alerts capability within Purview DLP will remain unaffected by this change. Any alert policies created through Purview DLP will continue to generate alerts as expected. We recommend that you use the alerts functionality within DLP, which is where we will continue to invest our development resources,” Microsoft explained.
Migrate alert policies from Purview Audit to Purview DLP
For customers with existing alert policies in Purview Audit, Microsoft advises migrating them to the Purview Data Loss Prevention (DLP) solution. Administrators can use the Get-AuditConfigurationRule cmdlet to review all alert policies previously set up in Purview Audit.
If you have alert policies set up in the Purview Audit service, Microsoft advises recreating them in the Purview Data Loss Prevention (DLP) solution. You can use the Get-AuditConfigurationRule cmdlet to view a list of all alert policies created through Purview Audit.