Data Security Investigations: Investigation templates for common data security scenarios

Microsoft just made investigations in Purview Data Security a lot simpler and faster. You can now use ready‑made search templates designed for common data security scenarios, so you don’t have to start from scratch every time.

These built‑in templates help standardize the way investigations are run and reduce the amount of manual setup, meaning security analysts can jump straight into the work with minimal input.

The best part? This feature is already available worldwide, requires no administrative setup, and is ready to use out of the box saving valuable time and streamlining the overall investigation process.

What’s new and why it matters

Microsoft is making investigations in Purview Data Security much more approachable by introducing built‑in search templates. These templates are designed for the scenarios analysts deal with most often—like data exfiltration, compromised mailboxes, exposure of personal data, or even risky AI interactions.

Instead of building queries from scratch every time, investigators can now choose a ready‑made template, enter a few basic details (such as a user or site), and get started immediately. This not only speeds things up but also ensures investigations are more consistent across teams. It’s especially helpful for less-experienced analysts, lowering the learning curve and reducing the time needed to get value from the solution.

(This update is tracked under Microsoft 365 Roadmap ID 560326.)

Rollout timeline

  • General Availability (Worldwide): Available now

What this means for your organization

Who it impacts

  • Security analysts and investigators working with Microsoft Purview Data Security Investigations

Where you’ll see it

  • Microsoft Purview (web portal)
  • Data Security Investigations solution

In short, this update removes a lot of the friction from starting an investigation helping teams move faster, stay consistent, and focus on what actually matters: understanding and responding to risks.

Microsoft Purview DSI Gets Smarter with OCR

Microsoft is continuing to strengthen Purview Data Security Investigations (DSI) by adding AI‑powered Optical Character Recognition (OCR) capabilities. This new enhancement allows DSI to read and analyze text that appears inside images, something traditional investigations often miss.

With OCR built in, DSI can now surface sensitive information hidden in screenshots, scanned documents, and embedded visuals within files. The result? Deeper investigations, better context, and more accurate risk detection across your organization.

This update is tracked under Microsoft 365 Roadmap ID 561489.

When is this rolling out?
  • Public Preview (Worldwide):
    Rolling out in late May 2026, with completion expected by early June 2026
  • General Availability (Worldwide):
    Rolling out in mid‑July 2026, with completion expected by late July 2026
Who is impacted?

This update is relevant for:

  • Admins and security analysts using Microsoft Purview Data Security Investigations
  • Organizations investigating data security risks with Purview
What’s changing?

Once OCR is enabled (and it will be on by default), DSI will automatically:

  • Extract text from image‑based content, including:
    • Images
    • Screenshots
    • Visuals embedded in documents
  • Add the extracted text to investigation datasets
  • Improve search, analysis, and risk detection using this newly visible content

The good news?
No workflow changes are required. Existing investigations will continue to work as they do today—just with richer insights.

Even better, all existing Purview controls and protections still apply. Sensitivity labels, DLP policies, and other compliance settings continue to be fully respected.

Why this matters

Sensitive information doesn’t always live in plain text. Credentials, personal data, or confidential details often end up in screenshots or images—especially in collaboration tools. OCR helps close that gap and gives security teams greater visibility into data risks that were previously hard to detect.

What do you need to do?

No action is required before rollout. However, you may want to:

  • Inform your security and compliance teams about the improved image‑based detection
  • Update internal investigation procedures to account for OCR‑driven findings
  • Refresh training materials or documentation that reference DSI capabilities