Microsoft has quietly rolled out a preview that arms security teams with new weapons against data leaks in two rapidly expanding frontiers: Microsoft Fabric and cloud storage services. The update to Purview Insider Risk Management adds activity triggers for these platforms directly into data leak policies, closing a detection gap that had been widening as organizations shifted analytics and file sharing to the cloud.

New Triggers for Changing Workflows

The core change is straightforward but significant. When configuring a data leak policy in the Microsoft Purview compliance portal, admins will now see a refreshed list of triggering activities. Alongside the existing indicators—like copying files to USB devices, printing sensitive documents, or forwarding emails outside the organization—there are fresh options tied to Microsoft Fabric and a broad set of cloud storage apps.

For Fabric, the new indicators cover actions such as downloading report visuals, exporting paginated reports, and sharing Fabric items (like semantic models or lakehouses) with external users or guests. These activities, if performed on data classified as sensitive, can now fire an alert exactly like a traditional endpoint exfiltration. On the cloud storage side, the policy engine can monitor activities across multiple services: Box, Dropbox, Google Drive, and even OneDrive consumer (distinct from OneDrive for Business). Uploading files, sharing externally, or bulk downloading from those services can all serve as policy triggers.

This is more than a list expansion. It reflects a recognition that the old perimeter—where data lived on managed endpoints, email servers, and SharePoint—no longer defines the modern workspace. Analytics workloads in Fabric often interact with the same sensitive datasets that DLP policies protect elsewhere, yet until now, security teams were blind to risky behaviour inside those environments. Likewise, employees routinely use third-party cloud storage, whether sanctioned or not, and a comprehensive insider risk program must account for that reality.

What It Means for Your Security Posture

For organisations that already run Purview Insider Risk Management, this preview is a force multiplier. Instead of relying solely on endpoint agents or email gateways, you can now illuminate data movements through two critical channels where exfiltration has been historically hard to track.

If your company uses Microsoft Fabric—the unified analytics platform that absorbed Synapse and Power BI workloads—you need to pay immediate attention. A data engineer with legitimate access could, for instance, download a dataset from a lakehouse, blend it with public data in a notebook, and then share the resulting report with an external email address. Traditional DLP rules wouldn't bat an eye because the activity happens inside the Fabric service, not on a managed device. With the new triggers, that exact sequence can be detected, scored, and fed into an insider risk case. The policy can even correlate the Fabric event with other risky actions—like a recent resignation notice or unusual VPN locations—to surface the most urgent threats.

Cloud storage triggers fill a different but equally important gap. Even in Microsoft 365-centric shops, users find ways to move files into personal Dropbox or Google Drive accounts, often for convenience rather than malice. The preview lets you set policies that treat a bulk download from OneDrive for Business followed by an upload to Box as an investigable sequence. Importantly, to pick up these third-party cloud signals, you need to have the corresponding connectors set up in Microsoft 365. The preview documentation makes clear that without a connector for, say, Box, Purview can't see what happens in Box. This means the initial setup requires cross-team coordination—IT, security, and compliance—but the resulting visibility is well worth the effort.

For smaller businesses or those without E5 licenses, the preview might feel out of reach. Insider Risk Management is part of the Microsoft 365 E5 compliance suite or available as an add-on. However, for organisations that already own the licensing, turning on the preview costs nothing extra and can be done in a few clicks. Early feedback suggests that tuning the thresholds is crucial during preview; with more triggers comes more noise, and every security team knows that alert fatigue is a fast track to ignoring real incidents.

How We Got Here

Microsoft Purview Insider Risk Management launched in 2020 as a response to the growing category of insider threats—both malicious and accidental. Early versions focused heavily on endpoint data leaks, email exfiltration, and risky behaviour patterns like departing employees downloading large amounts of data. The tool used machine learning to assign risk scores and surface anomalies, but its vision was largely confined to the classic Microsoft 365 and Windows estate.

Over the last three years, three trends forced the evolution we're seeing today. First, the pandemic accelerated adoption of cloud analytics platforms, and Microsoft's own Fabric (then called Azure Synapse Analytics) became a hub for sensitive data processing. Second, the explosion of bring-your-own-app culture meant that employees routinely used unsanctioned cloud storage for work files, a problem that CASB solutions tried to solve but often left visibility gaps. Third, regulators worldwide began insisting that insider risk programs cover all data repositories, not just email and endpoints.

Microsoft responded by progressively adding signals. Adaptive Protection arrived, using insider risk levels to dynamically revoke access. Teams and SharePoint indicators were integrated. Browser-based exfiltration detection was added. But Fabric and cloud apps remained blind spots until now. The preview, announced in early 2025, is a direct acknowledgment that data leaks through analytics workloads and third-party storage are no longer edge cases—they are mainstream.

What to Do Now

If you want to kick the tires on these new triggers, here's a pragmatic roadmap.

Step 1: Check licensing and roles. You need Microsoft 365 E5, Microsoft 365 E5 Compliance, or the Insider Risk Management add-on. The user configuring policies must be in the Insider Risk Management or Insider Risk Management Admin role group.

Step 2: Set up cloud connectors. For cloud storage triggers to work, head to the Microsoft 365 compliance center and navigate to Data connectors. Set up connectors for any third-party cloud storage apps you want to monitor (Box, Dropbox, Google Drive). The connectors will sync activity logs into Microsoft 365 for analysis. This step may take a day or two for initial sync.

Step 3: Enable the preview features. In the Purview compliance portal, go to Insider risk management > Settings > Preview features. Toggle on "Data leak policy triggers for Fabric and cloud storage apps." The UI will immediately show the new indicators when you create or edit a data leak policy.

Step 4: Create a test policy first. Don't roll this out enterprise-wide without understanding the signal-to-noise ratio. Create a dedicated data leak policy that uses only the new Fabric and cloud storage triggers. Target a small subset of users—maybe your IT team or a user group you can control. Let it run for a week in audit mode (alerts created but no cases generated) so you can see what normal behaviour looks like.

Step 5: Tune thresholds. Once you have baseline data, you'll notice that some activities are benign. For example, a report developer regularly exports paginated reports for testing. Use the policy's threshold settings to require multiple risky events or a minimum amount of data exfiltrated before an alert fires. You can also tailor the sensitive data types that matter most—credit card numbers, health records, proprietary code—to reduce noise from less critical classifications.

Step 6: Integrate with incident response. When a case is generated, it will appear in the Insider Risk Management dashboard with all associated activity timestamps and risk scores. Make sure your SOC or response team knows which playbooks to follow. Microsoft provides templates for investigation, but you'll want to customize them based on your internal escalation paths.

A word of caution: because this is preview, Microsoft may still tweak the feature before general availability. Keep an eye on the Microsoft 365 roadmap and the Purview tech community blog for updates. Do not rely on these triggers as your only line of defense in production environments until the feature is GA and you've fully validated its behaviour.

Step 7: Consider complementary controls. Even with the new triggers, Purview Insider Risk Management works best as part of a layered strategy. Combine it with endpoint DLP, Microsoft Defender for Cloud Apps, and Conditional Access policies that restrict access from unmanaged devices. The Fabric triggers, for instance, pair well with tenant restrictions on external sharing within Fabric itself.

Outlook

This preview signals where Microsoft is heading: a unified insider risk platform that sees across the entire digital estate—whether data lives in Exchange, SharePoint, OneDrive, Teams, Fabric, Azure, or third-party clouds. Rumours already point to future triggers that will cover AI interactions in Copilot for Microsoft 365 and even on-device activities like clipboard use in virtual desktops.

For now, the immediate takeaway is that security teams can finally extend their data leak policies into the analytics workloads and unsanctioned cloud storage that have traditionally been shadows on the network. The preview is available now in Purview tenants, and there's no reason not to start experimenting. The longer-term question is whether Microsoft will accelerate the GA timeline based on preview feedback. Given the sensitivity of insider risk detection, a cautious rollout with plenty of customer validation is likely—but the foundations are already in place for one of the most significant purview expansions in years.