

SC-401 Insider Risk Management | Microsoft Purview | JavaInUse

SC-401 - Insider Risk Management

IRM Overview and Architecture

Microsoft Purview Insider Risk Management (IRM) detects, investigates, and helps remediate internal risks - actions by current or former employees that could expose sensitive data or harm the organization. IRM uses a privacy-by-design approach: users are pseudonymized in alerts until an authorized investigator chooses to de-anonymize.

IRM Signal Sources

IRM correlates signals from multiple Microsoft 365 data sources to build user risk scores:

  • Microsoft 365 activities (SharePoint, OneDrive, Exchange, Teams)
  • Azure AD signals (HR connector events like resignation notices)
  • Microsoft Defender for Endpoint (endpoint activities: USB copy, browser upload, printing)
  • HR connector (resignation, performance review data from HRIS systems)
  • Custom connectors (via Logic Apps or Graph API)
  • Communication Compliance signals (communication policy matches)

IRM requires at minimum: Microsoft 365 E5 or Microsoft 365 E3 + Insider Risk Management add-on. The service processes activity data in the Microsoft Purview compliance tenant. Users must be in scope for an active IRM policy to generate alerts - IRM does not monitor all users by default.

IRM Roles and Permissions

IRM uses dedicated role groups to maintain privacy and separation of duties between different participants in the investigation process:

Role Group | Permissions | Typical User
--- | --- | ---
Insider Risk Management | Full access to all IRM features including policy creation, alert investigation, case management, and de-anonymization of users | IRM program owner
Insider Risk Management Admins | Create and manage policies; configure settings; cannot see alert details or de-anonymize | Security admin configuring IRM
Insider Risk Management Analysts | Access to alerts, cases, and user activity; can de-anonymize (if setting enabled); cannot create policies | SOC analyst, HR investigator
Insider Risk Management Investigators | Full investigative access: alerts, cases, user activity, content explorer within cases; can de-anonymize | Legal counsel, compliance investigator
Insider Risk Management Auditors | Read-only access to the IRM audit log only | Internal auditor

The privacy protection in IRM is a key feature of its design. User activities show as pseudonyms (anonymous IDs) in alerts by default. Only users in the Analyst or Investigator role groups can choose to de-anonymize (reveal the true name) when investigating a case. This protects user privacy until there is a legitimate investigative reason to identify the user.

Connectors and Data Sources

IRM can ingest signals from external HR and business systems via data connectors configured in the Purview compliance portal.

HR Connector

The HR connector imports employee data from your HR information system (Workday, ADP, SAP SuccessFactors, etc.) via CSV file upload to correlate with IRM risk indicators:

  • Resignation date: Triggers "data theft by departing employee" detection window
  • Last working day: Used as the trigger event for departing user policies
  • Performance notice: Can be used with "disgruntled employee" scenario policies
  • Job level / department: Enrichment data for risk scoring context

HR connector setup: configure a Microsoft Entra app registration, provide app credentials to the HR connector wizard, then schedule automated CSV uploads via PowerShell script or Logic App.
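As an added example (not part of the original tutorial), a Python pre-upload check for the CSV the HR connector ingests: it validates e-mail addresses, normalises dates to ISO format, rejects last working days that precede the resignation date, and drops duplicate users. The header names and the contoso.example records are assumptions; the connector wizard maps whatever column names your HRIS export uses.

```python
import csv
import io
import re
from datetime import date

# Assumed header names: the HR connector wizard maps your own column names.
HEADERS = ["EmailAddress", "ResignationDate", "LastWorkingDate"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def build_resignation_csv(records):
    """Validate HRIS rows; return (csv_text, rejected) with rejected = [(record, reason)]."""
    rows, rejected, seen = [], [], set()
    for rec in records:
        email = str(rec.get("email", "")).strip().lower()
        if not EMAIL_RE.match(email):
            rejected.append((rec, "invalid email"))
            continue
        try:
            # ISO yyyy-mm-dd keeps the departure window unambiguous across locales
            resigned = date.fromisoformat(rec["resignation_date"])
            last_day = date.fromisoformat(rec["last_working_date"])
        except (KeyError, ValueError):
            rejected.append((rec, "bad or missing date"))
            continue
        if last_day < resigned:
            rejected.append((rec, "last working day precedes resignation"))
            continue
        if email in seen:
            rejected.append((rec, "duplicate email"))
            continue
        seen.add(email)
        rows.append([email, resigned.isoformat(), last_day.isoformat()])
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADERS)
    writer.writerows(rows)
    return buf.getvalue(), rejected

# Constructed sample HRIS export (not real data).
SAMPLE_RECORDS = [
    {"email": "Alice@contoso.example", "resignation_date": "2024-03-01", "last_working_date": "2024-03-29"},
    {"email": "bob@contoso.example", "resignation_date": "2024-03-05", "last_working_date": "2024-03-01"},
    {"email": "not-an-email", "resignation_date": "2024-03-01", "last_working_date": "2024-03-15"},
    {"email": "alice@contoso.example", "resignation_date": "2024-03-02", "last_working_date": "2024-03-30"},
]

if __name__ == "__main__":
    print(build_resignation_csv(SAMPLE_RECORDS)[0])
```

Run the validation in the same scheduled job that performs the upload, so a malformed HRIS export is caught before it silently leaves departing users without a detection window.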

Physical Badging Connector

Imports physical access events (building entry/exit, after-hours access) from physical security systems to correlate with digital activities in IRM.

Other Available Connectors

Connector | IRM Use Case
--- | ---
Bloomberg Message | Import financial communication data for regulated industry compliance
ICE Chat / Refinitiv | Financial services communication monitoring
ServiceNow | IT ticket data for correlating admin activities with risk signals
Workday | HR events including resignations and performance data

Policy Templates

IRM policy templates provide pre-built detection logic for the most common insider risk scenarios. Each template defines which risk indicators to monitor and how to score user behavior.

Template | Signal Sources | Key Scenarios Detected
--- | --- | ---
Data theft by departing employees | HR connector (resignation) + M365 activities + MDE | Bulk download, email to personal accounts, USB copy in 30-day window before last day
Data leaks | M365 activities + DLP alerts + MDE | Mass downloads, sharing to external parties, DLP policy bypasses
Data leaks by priority users | Same as data leaks but scoped to a priority user group | Higher risk scoring for C-suite, privileged admin accounts
Data leaks by risky users | M365 activities + Adaptive Protection risk level | Works in conjunction with Adaptive Protection risk levels
Security policy violations | MDE signals | Disabling MDE sensors, tampering with security settings
Offensive language in messages | Communication Compliance signals | Workplace harassment, discrimination, threatening content in Teams/email
Patient data misuse | EHR connector (Epic) + M365 activities | Healthcare-specific patient record access violations
Risky browser usage | Microsoft Edge browsing indicators | Access to job search sites, competitor sites, personal file hosting services

Policy templates require the appropriate signal sources to be configured. For example, "Data theft by departing employees" requires the HR connector to be set up and providing resignation dates - without it, IRM cannot detect the departure trigger window. Always verify that required connectors are active before enabling a dependent policy template.

Risk Indicators

Risk indicators are the specific activities that IRM monitors. They are organized into categories and can be enabled/disabled in IRM global settings. Enabling an indicator makes it available for inclusion in policy templates.

Indicator Categories

  • Office indicators: SharePoint/OneDrive downloads, email forwards, Teams message activities, label downgrade
  • Device indicators (requires MDE): USB copy, browser upload, printing sensitive files, screen capture
  • Microsoft Defender for Cloud Apps indicators: Third-party app file activities, anomalous downloads
  • Physical access indicators: Requires physical badging connector
  • Health record indicators: Requires EHR connector (Epic)
  • HR indicators: Performance notice received, put on leave
  • Risky browsing indicators: Requires Microsoft Edge (browser history access)

Indicators have a threshold setting - you can set how many occurrences of an activity in a given time window constitute a risk signal (e.g., "10 or more file downloads in a day").
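An added illustrative model (not Microsoft's scoring logic, which is not public) of how a threshold indicator such as "10 or more file downloads in a day" combines with the HR-derived 30-day departure window used by the departing-employee template: activity is counted per user per day, and only days inside the window for a user who has an HR record are eligible to fire. The activity name and all sample users and events are constructed.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Illustrative model only: counts one activity type per user per day and
# compares it with the indicator threshold, restricted to the 30 days before
# the user's last working day as supplied by the HR connector.
DEPARTURE_WINDOW_DAYS = 30

def departure_windows(hr_rows):
    """Map user -> (window_start, last_working_day) from HR connector rows."""
    windows = {}
    for email, last_working_day in hr_rows:
        last = date.fromisoformat(last_working_day)
        windows[email] = (last - timedelta(days=DEPARTURE_WINDOW_DAYS), last)
    return windows

def evaluate_indicator(events, windows, activity, threshold):
    """Return {user: [iso_days]} for days on which `activity` occurred at
    least `threshold` times and that lie inside the user's departure window."""
    per_day = defaultdict(int)
    for ts, user, act in events:
        if act != activity or user not in windows:
            continue  # no HR record: user is out of scope for this template
        day = datetime.fromisoformat(ts).date()
        start, end = windows[user]
        if start <= day <= end:
            per_day[(user, day)] += 1
    hits = defaultdict(list)
    for (user, day), count in sorted(per_day.items()):
        if count >= threshold:
            hits[user].append(day.isoformat())
    return dict(hits)

# Constructed sample data (not real users or events).
SAMPLE_HR = [("alice@contoso.example", "2024-03-29"), ("carol@contoso.example", "2024-06-30")]
SAMPLE_EVENTS = (
    # 12 downloads in one day inside alice's window: meets a threshold of 10
    [(f"2024-03-20T09:{m:02d}:00", "alice@contoso.example", "FileDownloaded") for m in range(12)]
    # the same burst two months earlier falls outside the window and is ignored
    + [(f"2024-01-10T09:{m:02d}:00", "alice@contoso.example", "FileDownloaded") for m in range(12)]
    # bob has no HR record, so his burst is out of scope for this template
    + [(f"2024-03-21T10:{m:02d}:00", "bob@contoso.example", "FileDownloaded") for m in range(12)]
    + [("2024-03-22T11:00:00", "alice@contoso.example", "FileDownloaded")]
)

if __name__ == "__main__":
    print(evaluate_indicator(SAMPLE_EVENTS, departure_windows(SAMPLE_HR), "FileDownloaded", 10))
```

Note that bob's identical burst produces nothing: with this template the HR connector, not the activity volume, decides who is in scope, which is why the page stresses verifying the connector before enabling the policy.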

Forensic Evidence

Forensic evidence is an optional IRM Premium feature that captures screen recordings of risky user activities on Windows managed devices, providing visual context for investigations.

Forensic Evidence Configuration

  1. Enable forensic evidence in IRM settings (requires E5 Compliance or E5 Insider Risk Management add-on)
  2. Create a forensic evidence policy defining which users to monitor and which activities trigger captures
  3. Users selected for forensic evidence monitoring must be notified (privacy notice requirement)
  4. The MDE sensor on the device captures screen recordings and uploads to the IRM case
  5. Investigators with the IRM Investigators role can view the recordings in case details

Forensic Evidence Controls

Control | Description
--- | ---
Trigger conditions | Which activities start a recording: specific risk indicators, DLP policy match, or any IRM policy match
Capture bandwidth | Balance between capture resolution/frequency and device/network performance
Storage limit | Maximum storage per user per day for forensic captures
Privacy protections | Configuration to pause capture during certain app categories (password managers, banking apps, healthcare apps)

Forensic evidence is a high-sensitivity feature that must be handled carefully from a legal and HR perspective. Many organizations require documented HR and legal approval before deploying forensic evidence monitoring. The captures are stored in the Microsoft 365 compliance tenant and are accessible only to IRM Investigators role members. Review your local privacy laws before enabling this feature.

Adaptive Protection Integration

Adaptive Protection connects IRM risk scoring with DLP policy enforcement. As a user's IRM risk level increases due to risky behavior, the DLP policies applied to them become progressively stricter - without any manual intervention.

IRM Risk Levels for Adaptive Protection

Risk Level | Description | Typical DLP Response
--- | --- | ---
Minor risk | Below threshold - normal user behavior | Standard DLP policy applies (audit only or allow with policy tip)
Moderate risk | Some signals indicate potential risk | DLP policy provides a warning and requires justification for sensitive actions
Elevated risk | Multiple strong risk signals | DLP policy blocks sensitive actions (USB copy, external sharing of labeled files)

To view Adaptive Protection in action: in the Purview portal, navigate to Insider Risk Management - Adaptive Protection to see the current risk level distribution of users and the DLP policies linked to each level.

Adaptive Protection requires both IRM and DLP to be licensed and active. The IRM policy should be configured with Adaptive Protection enabled (in policy settings). The DLP policies need to include the condition "Insider risk level for the user is" with the desired level. Users move between risk levels automatically - you can view the timeline of risk level changes in the user activity page in IRM.

Defender for Endpoint Integration

Integrating Microsoft Defender for Endpoint (MDE) with IRM enriches insider risk detection with endpoint behavioral signals that would not be visible from cloud activity alone.

Endpoint Signals Available via MDE Integration

  • File copy to removable media (USB drives, SD cards)
  • File upload via browser (to personal cloud storage, file sharing sites)
  • Print of sensitive files (local and network printers)
  • Screen capture while accessing sensitive content
  • File copy to network share
  • Access to sensitive files by unallowed applications

Enabling MDE Integration

  1. Go to Insider Risk Management - Settings - Microsoft Defender for Endpoint data sharing
  2. Enable the toggle to allow IRM to receive endpoint signals from MDE
  3. Devices must be onboarded to MDE (enrolled as managed endpoints)
  4. Enable the relevant device activity indicators in IRM policy settings

MDE integration for IRM requires devices to be Intune-managed or MDE-onboarded with the relevant Purview information protection client installed. Pure BYOD devices without MDE enrollment cannot contribute endpoint signals to IRM. The integration is one-way: IRM reads signals from MDE; IRM does not send commands back to MDE to take device actions.
