Share data loss prevention alerts (preview)

Users with the appropriate permissions can view Microsoft Purview Data Loss Prevention (DLP) alerts in the DLP Alerts console. However, as alerts are triaged and investigated, you may need to share them with other users who don't, and shouldn't, have full permissions to DLP and the alerts console.

By using the procedures described in this article, you can share an alert with users to whom you give only limited permissions.

Before you begin

If you aren't familiar with DLP Alerts, see Configure and view alerts for data loss prevention policies.

In this procedure, you need to create a custom role group for Microsoft Purview. If you haven't worked with permissions, roles, and role groups in Microsoft Purview, see Permissions in the Microsoft Purview compliance portal.

Configure DLP Alert URLs for review

  1. Open the Microsoft Purview compliance portal with an account that has Global Admin permissions.

  2. Create a Custom Role Group for the users you want to share alerts with, for example DLPAlertInvestigator. Add these roles to the group:

    1. View-Only DLP Compliance Management - required.
    2. Data Classification Content Viewer - required.
    3. Preview - optional. Assign this role if the reviewer needs to see the source content.
  3. Add the users to the custom role group you just created, in this example DLPAlertInvestigator.

  4. Open the DLP Alerts tab and select the alert you want to share. This opens the flyout pane.

  5. Get the Alert ID and Time detected values for the alert.

Image showing details of a DLP alert

  6. The value in the Time detected field is the local time. You need to convert that value to UTC time for use in the creationtime parameter. There are a number of local-to-UTC time converters available via an internet search.

  7. Construct the shareable URL in this format:

<compliance-portal-domain>/datalossprevention/alerts/eventdeeplink?eventid={eventId}&creationtime={creationTime}

For example:

compliance.microsoft.com/datalossprevention/alerts/eventdeeplink?eventid=1eae3e53-c045-1c9b-ee00-08da7a6751dc&creationtime=2022-08-10T12:30:00Z

In this example, the Time detected value is August 9, 2022 5:30 PM Pacific Daylight Time. This converts to August 10, 12:30 AM UTC or 2022-08-10T12:30:00Z.

  8. You can share this link with people in the group you created. They'll be able to access the alert for review and investigation.
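
The time conversion and URL construction steps above can be scripted so the link is built the same way every time. The following Python sketch is an added example, not Microsoft-provided code: the function names are hypothetical, the sample Time detected value is constructed, and the URL path and parameter names are taken from the format shown in this article.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Path and parameter names come from the URL format shown in this article.
DEEPLINK_PATH = "/datalossprevention/alerts/eventdeeplink"

# Alert ID from the article's example; the time below is a constructed sample:
# January 15, 2024 9:05 PM at UTC-8 (Pacific Standard Time).
SAMPLE_ALERT_ID = "1eae3e53-c045-1c9b-ee00-08da7a6751dc"
SAMPLE_TIME_DETECTED = datetime(2024, 1, 15, 21, 5,
                                tzinfo=timezone(timedelta(hours=-8)))


def to_creationtime(time_detected: datetime) -> str:
    """Convert a timezone-aware 'Time detected' value to the UTC creationtime string."""
    if time_detected.tzinfo is None or time_detected.utcoffset() is None:
        # A naive datetime carries no offset; guessing one would point the
        # link at the wrong moment, so refuse it instead.
        raise ValueError("Time detected must include its UTC offset")
    # The UTC string uses a 24-hour clock: 12:xx AM is hour 00, 12:xx PM is hour 12.
    utc_value = time_detected.astimezone(timezone.utc)
    return utc_value.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_alert_link(alert_id: str, time_detected: datetime,
                     portal_domain: str = "compliance.microsoft.com") -> str:
    """Build the shareable DLP alert URL from the Alert ID and Time detected values."""
    # Accept only a GUID, so a mistyped or pasted value cannot add or change
    # query parameters in the link that gets shared.
    event_id = str(uuid.UUID(alert_id.strip()))
    return (f"{portal_domain}{DEEPLINK_PATH}"
            f"?eventid={event_id}&creationtime={to_creationtime(time_detected)}")


if __name__ == "__main__":
    print(build_alert_link(SAMPLE_ALERT_ID, SAMPLE_TIME_DETECTED))
```

Pass the Time detected value together with the UTC offset of the time zone shown in the flyout pane; the date rolls over to the next day whenever the conversion crosses midnight UTC.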