Microsoft DSI and PAYG Services Rack Up Unexpected Compute Charges for M365 Admins

Microsoft's Data Security Investigations (DSI), part of Microsoft Purview, promises to accelerate security probes with AI-driven analysis. Launched in general availability, DSI scans Microsoft 365 data like emails, Teams messages, Copilot interactions, and documents to uncover risks. However, its pay-as-you-go (PAYG) model ties directly to Azure compute usage, potentially racking up hefty bills for unsuspecting admins.

DSI targets three key investigation stages: identifying impacted data, deep AI content analysis across 95+ languages, and risk mitigation. Admins start probes from Microsoft Defender XDR incidents, search templates, or custom drafts. AI features like vector search, semantic indexing, categorization, and examinations for credentials, risks, and customer data speed up workflows from weeks to hours.

Unlike licensed features, DSI bills through security compute units (SCUs) and storage, charged to a linked Azure subscription. Costs trigger during generative AI processing of collected itemsscanning mailboxes, SharePoint sites, or other sources for anomalies like data exfiltration or breaches. Other PAYG services in Microsoft 365 follow suit, consuming compute resources without upfront licensing alerts.

• DSI Compute Triggers: AI analysis for risks, credentials, or mitigation recommendations.
• Integration Points: Defender XDR auto-populates incidents; eDiscovery-like UI familiar to admins.
• Risk Categories: Privileged content, customer info, access assets scored for priority.

This model supports scalability but demands cost monitoring. Microsoft enhanced DSI post-preview with AI search and context input based on feedback, yet billing remains opaque until invoices arrive.

Purview's DSI integrates with broader security stackInsider Risk Management, Data Loss Prevention, Audit logsunifying SOC and data teams. It maps data-risk graphs, correlates user activities, and generates mitigation plans, reducing manual effort. Video demos highlight deep content inspection beyond metadata, vital for Copilot-era data estates.

Organizations face rising AI tool costs amid expanding data volumes. DSI's PAYG avoids per-user fees but risks overspend on large probes. Admins must configure Azure links carefully, review SCU usage, and scope investigations narrowly. Similar to eDiscovery's Graph API purges, DSI borrows proven mechanics while adding AI.

For enterprises, DSI transforms reactive security into proactive defense. Probes reveal hidden leaks in files, emails, or AI chats, prioritizing high-risk items via scores. Yet, without budget controls, a single broad scan could spike costsespecially in multi-tenant environments.

Microsoft positions DSI within Purview's data security posture management, alongside governance and compliance tools. Early adopters praise efficiency gains, but cost stories emerge as usage scales. Tenants should audit Azure bills post-DSI rollout, set alerts, and test small scopes first.

• Link only necessary Azure subscriptions during DSI setup.
• Use pre-scoped templates over full drafts to limit data volume.
• Monitor SCU consumption in Azure portal after investigations.
• Prioritize high-risk items via AI risk scores to avoid reprocessing.
• Integrate with Defender for automated, contained incidents.

As Microsoft 365 evolves with AI, PAYG services like DSI highlight the shift to usage-based pricing. While empowering security teams, they underscore the need for disciplined governance to prevent compute charges from undermining ROI.