A Quick Look at Purview Data Security Investigations
Investigations Get a New Purge Mitigation Action
During the quiet holiday period, I took the time to check out the Purview Data Security Investigation (DSI) solution. My interest was prompted by message center notification MC1199763 (18 December 2025, Microsoft 365 roadmap item 542930) announcing the inclusion of an option to purge items found by an investigation (Figure 1).

The new capability is called the purge mitigation action and is in preview and due for general availability in March 2026.
Data Security Investigations
Purview’s DSI solution is currently in preview. The idea is that DSI “helps cybersecurity teams in your organization use generative artificial intelligence (AI) to analyze and respond to data security incidents, risky insiders, and data breaches.” Anyone used to the management of Purview eDiscovery cases will find DSI a familiar place because a lot of the UX is borrowed from the eDiscovery solution. Even the new purge mitigation action comes from the eDiscovery Graph API (implemented as the Clear-MgSecurityCaseEdiscoveryCaseSearchData cmdlet in the Microsoft Graph PowerShell SDK).
Indeed, DSI seems to be the product of melding a hefty chunk of eDiscovery with some of the generative AI used by Security Copilot to analyze and highlight anomalies in data, in this case, information found in Microsoft 365 data sources like mailboxes and SharePoint sites that might point to problems such as data breaches or actions taken by employees to exfiltrate data.
Combining bits of Microsoft 365 and other components together to form new solutions is a well-trodden path. Teams is the best example in the Microsoft 365 ecosystem because it borrows heavily from Exchange Online (calendar and compliance), SharePoint Online (file storage for channels), OneDrive for Business (file storage for chats), Planner, and a bunch of Azure microservices. Indeed, if Microsoft hadn’t used other services to assemble large parts of Teams, there’s no way that the application could have been as functional as it is today.
The compliance records captured by the Microsoft 365 substrate for Teams, Viva Engage, Planner, and Copilot interactions and stored in hidden folders in user mailboxes are another example. The compliance records are used by many Purview solutions like eDiscovery, communication compliance policies, and insider risk management.
DSI Incurs Costs for AI Processing
DSI doesn’t require a specific Microsoft 365 license. Instead, Microsoft charges for the security compute units (SCUs) and storage used by investigations. Part of configuring DSI for a tenant is to associate DSI with a valid Azure subscription that Purview can charge for processing costs. The costs are incurred when generative AI runs against a body of collected items to determine if any problems exist.
Other Microsoft solutions use SCUs, such as Security Copilot investigations and the Entra ID agents for conditional access and access reviews. At the Ignite 2025 conference, Microsoft announced plans to bundle Security Copilot with Microsoft 365 E5, together with 400 “free” monthly SCUs per 1,000 licensed accounts. The SCUs bundled with Microsoft 365 E5 can be used for any purpose, but tenants without Microsoft 365 E5 must purchase SCUs. To help tenants understand the potential costs to run investigations, DSI includes a cost estimator (Figure 2).

Obviously, a large-scale investigation might cost a lot more than a smaller investigation because of the amount of data involved and the additional AI processing. Running a search estimate to find items of interest should tell you how much data is involved. Estimating the AI costs depends on how intensive the subsequent processing is.
For example, increasing the investigation size (data) from 1 GB to 15 GB resulted in monthly cost going from $323 to $587. Going to 60 GB of data increases the monthly cost to $1,436. Why figure out a monthly cost? Well, the nature of investigations is that they can last a long time, so a monthly figure is a good estimate to have.
Costs Can Mount Rapidly
Be careful about starting off a new data security investigation because you can incur costs from the start. As an example, while testing DSI out for this article, my Azure account racked up over $150 in costs. I assume this was for storage of items found by an investigation, but the cost came as a surprise that disrupted operations because it blew the monthly Azure budget for my subscription (Figure 3) and disabled the subscription from running any Azure services until funding was available:

Interestingly, when I opened the Purview DSI page to remove the investigation that was racking up the Azure costs, I couldn’t access the investigation through the UX because DSI insisted that I had to set up an Azure subscription first. Because the subscription was blocked, I had to remove the investigation with PowerShell. Log into the Exchange Online management module and then run the Connect-IPPSSession cmdlet. Then find and remove the relevant compliance case using the Get-ComplianceCase cmdlet. DSI investigations have a case type of DataSecurityInvestigation:
Connect-IPPSSession -EnableSearchOnlySession
Get-ComplianceCase -CaseType DataSecurityInvestigation

Name         Status CreatedDateTime
----         ------ ---------------
DSI-2026-001 Active 02/01/2026 16:16:41

Remove-ComplianceCase -Identity DSI-2026-001

Confirm
Are you sure you want to perform this action?
Deleting the compliance case Identity:"DSI-2026-001" will also remove all searches and search actions associated with this case. Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

Get-ComplianceCase -casetype DataSecurityInvestigation
...
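An added example, not from the original article: a small PowerShell filter that reports DSI cases older than a chosen number of days so that forgotten investigations can be reviewed before they keep accruing Azure charges. It uses only the Name, Status, and CreatedDateTime properties shown in the output above; the function name Get-StaleDsiCase, the 14-day default, and the sample cases are assumptions constructed for illustration.

```powershell
# Added example: report DSI cases that have existed longer than a threshold.
# Get-StaleDsiCase is a hypothetical helper, not a Microsoft cmdlet.
function Get-StaleDsiCase {
    [CmdletBinding()]
    param(
        # Case objects, e.g. from Get-ComplianceCase -CaseType DataSecurityInvestigation
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Case,

        # Age in days at which a case is reported (assumed default)
        [ValidateRange(0, 3650)]
        [int]$MaxAgeDays = 14,

        # Reference time, overridable so results are reproducible
        [datetime]$Now = (Get-Date)
    )
    process {
        $created = [datetime]$Case.CreatedDateTime
        $age     = [int][math]::Floor(($Now - $created).TotalDays)
        if ($age -ge $MaxAgeDays) {
            # Status is passed through so the reviewer can see whether the case is still open
            [pscustomobject]@{
                Name            = $Case.Name
                Status          = $Case.Status
                CreatedDateTime = $created
                AgeDays         = $age
            }
        }
    }
}

# Constructed sample data standing in for Get-ComplianceCase output
$sample = @(
    [pscustomobject]@{ Name = 'DSI-2026-001'; Status = 'Active'; CreatedDateTime = [datetime]'2026-01-02T16:16:41' }
    [pscustomobject]@{ Name = 'DSI-2026-002'; Status = 'Active'; CreatedDateTime = [datetime]'2026-01-28T09:00:00' }
    [pscustomobject]@{ Name = 'DSI-2025-009'; Status = 'Closed'; CreatedDateTime = [datetime]'2025-11-10T11:30:00' }
)

$sample | Get-StaleDsiCase -MaxAgeDays 14 -Now ([datetime]'2026-02-01T00:00:00') |
    Sort-Object AgeDays -Descending | Format-Table -AutoSize

# Against a live tenant, after Connect-IPPSSession:
# Get-ComplianceCase -CaseType DataSecurityInvestigation | Get-StaleDsiCase
```

The function only reports; removal stays a deliberate, confirmed Remove-ComplianceCase step as shown above.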
Hard to Test DSI Effectiveness
Getting back to the question of how well DSI works, this is a difficult question for me to answer. I don’t have a compromised tenant to hand, so it’s difficult to test the outcome. The good thing about assembling a solution from off-the-shelf components from other Microsoft solutions is that the components usually work as expected. Because all I can feed the AI with is test data, the difficulty is to measure how well generative AI detects real problems in the data that it’s asked to assess. I’ll leave that exercise to a competent investigative team that’s coping with a real problem.