Use the Graph API to Report Information about DLP Alerts
MC1169572 (10 October 2025, Microsoft 365 roadmap item 511795) announced a new ability for administrators to add classifications to DLP alerts. The update should now be available in all tenants.
DLP signals alerts when policy rules detect a violation. The update allows administrators to note if the alert is a false positive, true positive, or benign positive (one that you don’t need to worry about) when reviewing the status of alerts (Figure 1). Although I could update the classifier for DLP alerts, any attempt to update the comments for an alert through the UX failed.
Alerts generated for DLP events are synchronized bi-directionally with Defender.
Tenants don’t have to classify events, but MC1169572 says that tenants can “use the classification property to enhance reporting and incident response.” That raises the question of how to report DLP alerts.
The Graph Alert Resource Type
The answer is that alert data is available through the alert resource type from the Graph Security API. For example, this Graph request against the alerts_v2 endpoint filters on the serviceSource property to find the set of DLP alerts. We can see the classification entered for the alert.
$Uri = "https://graph.microsoft.com/v1.0/security/alerts_v2?`$filter=serviceSource eq 'DataLossPrevention'&`$orderby=createdDateTime desc&`$top=200"
[array]$Alerts = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
$Alerts = $Alerts.Value
$Alerts | Format-Table ServiceSource, CreatedDateTime, Title, Classification

serviceSource      createdDateTime     title                              classification
-------------      ---------------     -----                              --------------
dataLossPrevention 11/12/2025 14:41:47 DLP-Block Confidential Documents   truePositive
dataLossPrevention 20/11/2025 01:33:40 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:27:41 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:26:09 DLP-DLP Policy for Sensitive Data 1
The Alerts resource caters for alerts generated by many other solutions, including Defender for Identity, Defender for Cloud Apps, Defender for Office 365, App governance, threat intelligence, and so on.
Working with DLP Alerts via the Microsoft Graph PowerShell SDK
Graph API requests can also be made through Microsoft Graph PowerShell SDK cmdlets. In this case, the Get-MgSecurityAlertV2 cmdlet (from the Microsoft.Graph.Security module) does the same job as the request discussed above.
Before attempting to work with security alerts, make sure that the signed-in account is a security administrator and that the delegated SecurityAlert.Read.All permission (scope) is available:
[array]$DLPAlerts = Get-MgSecurityAlertV2 -Filter "serviceSource eq 'dataLossPrevention'" -PageSize 500 -All -Sort "CreatedDateTime Desc"
$DLPAlerts | Format-Table ServiceSource, CreatedDateTime, Title, Classification

ServiceSource      CreatedDateTime     Title                              Classification
-------------      ---------------     -----                              --------------
dataLossPrevention 11/12/2025 14:41:47 DLP-Block Confidential Documents   truePositive
dataLossPrevention 20/11/2025 01:33:40 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:27:41 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:26:09 DLP-DLP Policy for Sensitive Data 1
Note: after updating an alert with a classification, it takes a few seconds before the update appears in the alert record available through the Graph.
Updating a DLP Alert with PowerShell
It’s also possible to set a classification for an alert with the Update-MgSecurityAlertV2 cmdlet. In this example, a hash table holds several properties as input to update an alert, including the classification.
# Pick an alert from the set retrieved earlier with Get-MgSecurityAlertV2
$AlertId = $DLPAlerts[1].Id
# Build the request body: every key is a property of the alert resource
$Parameters = @{}
$Parameters.Add("determination", "other")
$Parameters.Add("status", "inProgress")
$Parameters.Add("assignedTo", "Hans.Geering@office365itpros.com")
$Parameters.Add("classification", "truePositive")
Update-MgSecurityAlertV2 -AlertId $AlertId -BodyParameter $Parameters
Reporting DLP Alerts
Once we know how to retrieve DLP alerts, it’s easy to create a basic report. Figure 2 shows the result:
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Alert in $DLPAlerts) {
    # Alerts that have never been updated have no LastUpdateDateTime
    If ($Alert.LastUpdateDateTime) {
        $LastUpdated = Get-Date $Alert.LastUpdateDateTime -Format 'dd-MMM-yyyy HH:mm'
    } Else {
        $LastUpdated = "N/A"
    }
    $ReportLine = [PSCustomObject][Ordered]@{
        Id                 = $Alert.Id
        Title              = $Alert.Title
        CreatedDateTime    = Get-Date $Alert.CreatedDateTime -Format 'dd-MMM-yyyy HH:mm'
        Severity           = $Alert.Severity
        Status             = $Alert.Status
        Category           = $Alert.Category
        AssignedTo         = $Alert.AssignedTo
        LastUpdateDateTime = $LastUpdated
        Classification     = $Alert.Classification
    }
    $Report.Add($ReportLine)
}
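The basic report lists every alert; the obvious next step for the "enhance reporting and incident response" angle that MC1169572 mentions is to count alerts by classification and surface the ones nobody has classified yet. The following is an added example (not code from the original post) that does that. It assumes Connect-MgGraph has already been run with the SecurityAlert.Read.All scope, and the seven-day grace period is an assumed threshold.

```powershell
# Added example: summarize DLP alerts by classification and list open alerts
# that are still unclassified after a grace period. Assumes an existing
# Connect-MgGraph session with the SecurityAlert.Read.All scope.
$GraceDays = 7   # assumed threshold for "unclassified for too long"

[array]$DLPAlerts = Get-MgSecurityAlertV2 -Filter "serviceSource eq 'dataLossPrevention'" -PageSize 500 -All -Sort "CreatedDateTime Desc"

# Alerts that nobody has classified come back with an empty Classification
$Summary = $DLPAlerts | ForEach-Object {
    If ([string]::IsNullOrEmpty($_.Classification)) { 'unclassified' } Else { $_.Classification }
} | Group-Object | Sort-Object Count -Descending |
    Select-Object @{n = 'Classification'; e = { $_.Name }}, Count

Write-Host "DLP alerts by classification"
$Summary | Format-Table -AutoSize

# Open alerts that are still unclassified after the grace period
$Cutoff = (Get-Date).AddDays(-$GraceDays)
[array]$Stale = $DLPAlerts | Where-Object {
    [string]::IsNullOrEmpty($_.Classification) -and
    $_.Status -ne 'resolved' -and
    (Get-Date $_.CreatedDateTime) -lt $Cutoff
} | Select-Object Id, Title, Severity, Status, AssignedTo,
    @{n = 'Created';  e = { Get-Date $_.CreatedDateTime -Format 'dd-MMM-yyyy HH:mm' }},
    @{n = 'DaysOpen'; e = { [int]((Get-Date) - (Get-Date $_.CreatedDateTime)).TotalDays }}

If ($Stale.Count -gt 0) {
    Write-Host ("{0} DLP alert(s) unclassified for more than {1} days" -f $Stale.Count, $GraceDays)
    $Stale | Sort-Object DaysOpen -Descending | Format-Table -AutoSize
} Else {
    Write-Host "No unclassified DLP alerts older than $GraceDays days"
}
```

Because the classification update takes a few seconds to appear in the Graph record (see the note above), an alert classified moments ago can still show up as unclassified on the first run.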
I hate seeing something in a message center notification that I can’t quite figure out how to do. I’ve never really thought about working with DLP alerts through PowerShell in the past, but I’m glad that the addition of administrator-controlled classifications to DLP alerts prompted me to check out how to report this information.