Microsoft is putting more control into the hands of security administrators with a new capability for Data Security Investigations in Microsoft Purview. Custom examination focus areas, announced for general availability in June 2026, will allow admins to steer AI-assisted investigations toward the risks that matter most to their organization. The feature targets worldwide standard Microsoft 365 tenants, marking a significant step in customizable, intelligent data security response.
Data Security Investigations is the component of Microsoft Purview that helps teams dissect and resolve data security incidents. It aggregates signals from across the Microsoft 365 environment—including Data Loss Prevention (DLP), Insider Risk Management, and endpoint behavior—and uses AI models to surface patterns, identify root causes, and recommend remediation steps. Until now, investigations were driven by a set of predefined focus areas that the AI would automatically prioritize. The new custom focus areas let security teams define exactly what the AI should concentrate on during an investigation.
The announcement addresses a long-standing tension in security operations: the balance between comprehensiveness and relevance. Organizations vary widely in what they consider critical. A financial services firm might prioritize leakage of unclassified but sensitive deal memos, while a healthcare provider focuses on protected health information (PHI) moving to unmanaged devices. Custom focus areas allow each organization to mirror its own risk taxonomy in the investigation workflow.
How Custom Focus Areas Work
During an investigation, Purview’s AI examines a set of signals—file transfers, email patterns, user activity—to build a timeline and highlight anomalies. Custom focus areas allow an administrator to define a set of conditions or topics that the AI should weigh more heavily. For example, an admin could create a focus area named "PCI data exposure" that looks for credit card numbers, specific file labels, and activity from users in the finance department. When an investigation is launched, the AI will prioritize findings related to that focus area, scoring them higher in the investigation summary and surfacing them first in the incident timeline.
These focus areas are built from the same rich set of classifiers, sensitivity labels, and user attributes already used in Purview policies. Admins can combine them with logical operators to define nuanced risks. A focus area might look for documents containing social security numbers (built-in classifier) that are also labeled “Confidential – Internal” and shared outside the organization. This high degree of specificity means the AI can skip over low-risk noise and zero in on what truly matters.
Microsoft has designed the feature to be additive rather than restrictive. The AI will still evaluate all signals; custom focus areas simply reduce the prominence of findings that fall outside the defined areas. This ensures that while the investigation is guided, nothing is omitted. An admin can toggle between the "curated view" and a full view to see all activities.
Configuration and Management
Setting up custom focus areas is done through the Microsoft Purview compliance portal. Under Data Security Investigations > Settings, admins will find a new “Focus areas” tab. From there, they can create, edit, and enable multiple focus areas. Each area has a name, description, and a set of conditions. Conditions can include:
- Sensitivity label matches (e.g., “Highly Confidential”)
- Sensitive information types (e.g., GDPR, HIPAA)
- User risk level from Insider Risk Management
- Device compliance status
- Network location (on-premises vs. cloud)
- File size or extension
Once created, focus areas can be set as default for all investigations or applied on a per-case basis. This flexibility means a CISO can define organization-wide priorities while incident responders can add case-specific focus areas on the fly.
Microsoft has indicated that up to 50 custom focus areas can be defined per tenant, each with up to 10 conditions. This should accommodate even large enterprises with complex risk matrices.
Use Cases and Scenarios
The practical applications are broad. Consider an organization that receives frequent insider risk alerts from its finance team because of legitimate but high-volume data transfers to external auditors. By creating a focus area that excludes known auditor domains or emphasizes only unusual timing patterns, the AI investigation will automatically de-prioritize the noise, allowing analysts to concentrate on true anomalies.
In another scenario, a company undergoing a merger may want to watch for intellectual property leaks related to a specific project code name. A custom focus area can be set to flag any document containing that code name and being accessed by users from the acquiring company’s domain. The investigation AI will then highlight these activities and suggest containment actions.
For regulatory compliance, organizations can define focus areas mapped to specific regulations. A GDPR focus area could look for personal data of EU residents leaving the European Economic Area, while a SOX focus area tracks changes to financial documents by users who aren’t in the finance role group. This alignment between investigative tools and compliance frameworks reduces the time to demonstrate due diligence during audits.
Timeline and Availability
The feature will reach general availability in June 2026. Microsoft has confirmed it will be available to all Microsoft 365 E5 and Microsoft Purview Data Security Investigations add-on subscribers. Tenants must be on the worldwide standard cloud instance; government and sovereign cloud support will follow at a later date.
This long lead time—the announcement came well over a year before GA—suggests Microsoft is investing significant engineering effort in the underlying AI orchestration. It may also reflect the need for extensive preview feedback to ensure the customization engine doesn’t inadvertently create blind spots in investigations.
A public preview is expected to begin in early 2026, though Microsoft has not committed to an exact date. Organizations in the Microsoft 365 Insider program will likely get early access.
Impact on Security Operations
For security teams, custom focus areas promise to slash investigation times by up to 40%, according to early internal tests cited by Microsoft. By steering the AI toward the signals that matter, the average time to triage an incident could drop from hours to minutes. This efficiency gain is critical in an era of alert fatigue; many SOC analysts report spending more than half their day triaging false positives.
Custom focus areas also facilitate a more proactive posture. Since the AI learns from the defined focus areas, it can start correlating seemingly benign activities that together match a pattern of concern. For example, a sequence of printing a document, renaming it, and then uploading it to a personal cloud might not individually trigger an alert, but if all three fall within a focus area for "suspicious exfiltration," the investigation dashboard will flag the sequence as high risk.
Moreover, the ability to tailor investigations aligns with the broader principle of least privilege in data security. By restricting the AI’s attention to specific areas during an investigation, organizations can limit inadvertent exposure of unrelated sensitive information to analysts. This is particularly important when investigations involve personal data of employees.
Integration with Existing Features
Custom focus areas build on the existing Data Security Investigations workflow, which already includes:
- Automated evidence collection
- Timeline visualization
- NLP-based policy match explanations
- Exportable investigation reports
With custom focus areas, these elements become more context-aware. The timeline will highlight events within focus areas with distinct visual cues. The NLP explanations will reference why a particular activity matched the custom focus area’s logic. Investigation reports will include a “Focus Area Summary” section, making it easier for managers and auditors to understand what the team was prioritizing.
This deep integration prevents the feature from being a mere filter; it becomes a lens through which the entire investigation is viewed, while still allowing analysts to zoom out when needed.
Potential Challenges and Considerations
As with any new capability, there are risks. Overly narrow focus areas could cause the AI to miss vital indicators outside the defined scope. Microsoft mitigates this by always keeping the full investigation view available, but it places a burden on admins to periodically review and adjust focus areas.
Admins must also be mindful of the logical interplay between sensitivity labels, classifiers, and user attributes. A poorly constructed focus area could inadvertently include or exclude the wrong users. Microsoft plans to include a “test against recent investigations” feature in the configuration UI, allowing admins to see which past incidents would have been surfaced differently before they save a focus area.
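The interplay described above can be modelled in a few lines. The following is an added conceptual sketch, not Purview code or a Purview API: it shows AND-combined conditions, ranking that keeps every event (full view versus curated view), and a back-test that reveals which past events a tightened focus area would stop surfacing. The event fields, operator names and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
MAX_CONDITIONS = 10  # per-focus-area limit stated in the article

@dataclass(frozen=True)
class Condition:
    field: str
    op: str          # "eq" or "contains" (hypothetical operator names)
    value: object
    def matches(self, ev):
        got = ev.get(self.field)
        if self.op == "eq":
            return got == self.value
        if self.op == "contains":
            return got is not None and self.value in got
        raise ValueError(f"unknown operator {self.op!r}")

@dataclass(frozen=True)
class FocusArea:
    name: str
    all_of: tuple    # conditions combined with logical AND
    def __post_init__(self):
        if not 0 < len(self.all_of) <= MAX_CONDITIONS:
            raise ValueError(f"{self.name}: need 1..{MAX_CONDITIONS} conditions")
    def matches(self, ev):
        return all(c.matches(ev) for c in self.all_of)

def rank(events, areas):
    """Full view: every event is kept; focus-area matches sort first."""
    tagged = [(ev["id"], [a.name for a in areas if a.matches(ev)]) for ev in events]
    return sorted(tagged, key=lambda t: -len(t[1]))  # stable: ties keep input order

def curated(events, areas):
    """Curated view: only events matching at least one focus area."""
    return [(i, names) for i, names in rank(events, areas) if names]

def backtest(events, before, after):
    """Past events whose prominence changes if `after` replaces `before`."""
    was = {i for i, _ in curated(events, before)}
    now = {i for i, _ in curated(events, after)}
    return {"newly_surfaced": sorted(now - was), "no_longer_surfaced": sorted(was - now)}

# Constructed sample events; field names are illustrative, not Purview's schema.
PAST_EVENTS = [
    {"id": "e1", "sits": {"ssn"}, "label": "Confidential – Internal", "shared_external": True, "dept": "finance"},
    {"id": "e2", "sits": {"ssn"}, "label": "Confidential – Internal", "shared_external": True, "dept": "hr"},
    {"id": "e3", "sits": set(), "label": "General", "shared_external": False, "dept": "finance"},
]
BASE = (Condition("sits", "contains", "ssn"), Condition("label", "eq", "Confidential – Internal"),
        Condition("shared_external", "eq", True))
broad = FocusArea("SSN shared externally", all_of=BASE)
narrow = FocusArea("SSN shared externally", all_of=BASE + (Condition("dept", "eq", "finance"),))
```

Calling `backtest(PAST_EVENTS, [broad], [narrow])` shows that adding the department condition silently drops the HR event `e2` from the curated view, which is the kind of unintended exclusion a pre-save test is meant to catch.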
Training the team on how to create effective focus areas will be crucial. Microsoft will provide documentation and best practices, but the real mastery will come from iterative tuning. Organizations should designate a data security architect to own this configuration.
Looking Ahead
Custom focus areas are a stepping stone toward fully autonomous investigation and response. By giving admins the ability to teach the AI what’s important, Microsoft is laying the groundwork for future capabilities where the system can auto-create focus areas based on organizational risk profiles or even recommend them based on industry benchmarks.
In the meantime, the June 2026 GA date gives organizations plenty of time to prepare. Security teams can start cataloging their most critical data assets, mapping out investigation scenarios, and defining the conditions that would flag a high-priority incident. Early engagement with the preview will help shape the final feature.
Microsoft’s investment in Purview reflects the growing recognition that data security is not one-size-fits-all. Custom focus areas turn Data Security Investigations from a one-tool-fits-all searchlight into a precision instrument—one that every admin will want to calibrate.