Microsoft has placed a new data loss prevention capability on its public roadmap: Purview Endpoint DLP will soon support Just-in-Time (JIT) audit scoping with user-level inclusion and exclusion lists. The feature, tracked as roadmap item 562991, is now in development and eyed for general availability in September 2026, according to the Microsoft 365 roadmap. For administrators and security teams, this represents a significant shift toward more precise, less noisy audit controls—only the users you specify will generate audit logs when you need them.
A Closer Look at JIT Audit Scoping
Microsoft Purview Endpoint DLP already provides auditing capabilities that track user interactions with sensitive data across endpoints. However, until now, scoping an audit has been relatively coarse. Policies are applied to devices or user groups, and audits can generate volumes of logs, many of which may be irrelevant to a specific investigation.
JIT audit scoping changes that. Instead of a static assignment, administrators will be able to define ad-hoc scopes—listing individual users or groups to either include or exclude from an audit. Think of it as a focused lens: you turn on detailed logging for a user you suspect is exfiltrating data, or you exclude the CEO from a company-wide audit to avoid unnecessary privacy intrusions. The “Just-in-Time” aspect implies that this scoping is temporary and targeted, activated only when needed, reducing the background noise and storage costs associated with always-on auditing.
The roadmap entry itself is sparse on technical detail, but its implications are clear. When you initiate an audit for endpoint DLP activities—such as printing sensitive documents, copying to USB drives, or uploading to unsanctioned cloud apps—you’ll be able to specify exactly which users’ actions you care about. This granularity plugs a long-standing gap: security teams often have to sift through mountains of data to find the signal. Now, the signal can be isolated from the start.
What This Means for IT and Security Teams
For the day-to-day administrator, this feature will cut hours from incident response workflows. Instead of filtering audit logs after collection, you scope the collection itself. If an employee flags a potential insider threat, you spin up a JIT audit for that person’s account, review the logs, and then turn it off. No permanent overhead, no wasted storage.
For compliance officers and governance teams, the value is twofold. First, it allows for more surgical demonstrations of regulatory compliance. If an auditor asks for proof that no one in the finance department accessed specific customer data in March, you can run a scoped audit for that department and that timeframe. Second, it reinforces data privacy principles by minimizing the collection of user telemetry when it isn’t needed—a tangible step toward responsible security practices.
There’s also a cost angle. Log analytics and storage in Microsoft Sentinel or other SIEMs can balloon when DLP audits are verbose. By scoping audits down to relevant users, you ingest fewer logs, which directly translates into lower operational costs. Over a large enterprise with thousands of endpoints, those savings can be substantial.
That said, this feature will be tied to the Microsoft 365 E5 compliance suite or add-on licenses for Purview Endpoint DLP. Organizations already invested in that licensing will get the benefit; those on lower tiers won’t see it until they upgrade. So it’s a strong incentive for enterprises to evaluate their license footprint well before the 2026 launch.
The Road to Granular Audit Control
Purview Endpoint DLP has been steadily maturing since its introduction alongside Microsoft 365’s broader data governance push. Early iterations could only block or audit actions based on sensitive info types, with limited user targeting. Over time, Microsoft added group-based policy assignments, device-based scoping, and integration with Insider Risk Management, which allowed triggering policies on risky users.
Yet true per-user, on-demand audit scoping remained elusive. Investigators had to rely on broader audit events, then manually correlate user identities—a tedious process at scale. This new feature appears to be the culmination of customer feedback and internal alignment between the DLP and Insider Risk Management teams. The latter already supports “forensic evidence” collection for specific users, and JIT audit scoping likely borrows from that playbook.
Notably, the September 2026 timeline suggests this is not a minor tweak but a substantial engineering effort, possibly requiring changes to the endpoint DLP agent, the policy engine, and the telemetry pipeline. That long lead also gives Microsoft ample room for a public preview, which we expect sometime in late 2025 or early 2026. Keep an eye on Microsoft’s Tech Community blog and the Microsoft 365 roadmap updates for signs of a preview program.
What You Should Do Now
While September 2026 feels distant, there are immediate steps to prepare:
- Review your current DLP audit posture. Identify which policies generate the most noise. Talk to your incident response teams about which users or groups they frequently need to investigate. This will help you design effective scoping rules when the feature arrives.
- Assess your licensing. Endpoint DLP is part of Microsoft 365 E5/A5/G5, Microsoft 365 E5 Compliance, or the E5 Info Protection & Governance add-on. If you’re on E3 or lower, now is the time to start budget conversations so you’re ready to adopt the feature when it ships.
- Provide feedback. Microsoft uses the roadmap to signal intent, but also to gather input. If there are specific user-scoping scenarios you need—like group nesting, dynamic Azure AD groups, or integration with Microsoft Graph—share that through your account team or the Microsoft 365 admin center feedback portal.
- Test Insider Risk Management settings. If you already use Insider Risk Management, experiment with its analytical scoping capabilities. JIT audit scoping for Endpoint DLP will likely feel similar, so familiarity now will ease adoption later.
- Plan for log storage and retention. Once audits become more targeted, you may need to adjust retention policies in Microsoft Purview Audit (Premium) to ensure those targeted logs are kept long enough for investigations. Balance this with your data lifecycle strategies.
The feature is still in development, so there’s no guarantee of exact timelines. But the fact that Microsoft has given it a specific quarter—Q3 2026—suggests a relatively high confidence level. Roadmap items can slip, but this one has moved from a general idea to a concrete commitment.
Looking Ahead
The addition of user-level scoping to Endpoint DLP audits aligns with a broader industry trend toward adaptive data protection. Instead of binary block/allow or always-on logging, organizations want security controls that flex with context and risk. We expect Microsoft to integrate JIT audit scoping with other Purview capabilities, like adaptive protection in Insider Risk Management, where a user’s risk level automatically adjusts the scope of monitoring.
What remains to be seen is the user experience. Will admins define scopes through a simple search-and-select interface in the Microsoft Purview compliance portal, or will they need PowerShell scripts? How granular will the exclusion be—only user accounts, or also device identifiers, file paths, and sensitive info types? These details will emerge as the feature gets closer to public preview.
For now, the takeaway is clear: if you rely on Purview Endpoint DLP for data security, you’ll soon have a powerful tool to make audits smarter, not just larger. Start the conversation with your teams today, and keep an eye on that September 2026 target.