Section 15 – Implement and manage Microsoft Purview Insider Risk Management

Plan for insider risk management

Insider Risk Management Roles

Role – Description

Microsoft Entra ID Global Administrator – Has full control over all Microsoft Entra and Microsoft Purview features, including Insider Risk Management.
Microsoft Entra ID Compliance Administrator – Can manage compliance features across Microsoft 365 and Microsoft Purview, including some Insider Risk Management configuration options.
Microsoft Purview Organization Management – Can configure core Microsoft Purview settings, including enabling Insider Risk Management as a menu option.
Microsoft Purview Compliance Administrator – Can manage compliance features within Microsoft Purview, including some Insider Risk Management configuration options.
Insider Risk Management – A general-use role group for everyone who views and works with Insider Risk Management features (administrators, analysts and investigators in a single group).
Insider Risk Management Admins – Has full control over Insider Risk Management (IRM) configuration: can manage policies, configure settings, assign permissions to other users, and create, update and delete notice templates.
User with Assigned Case (optional) – In some configurations, administrators can assign ownership of a case to specific users who hold the appropriate permissions (Insider Risk Management, Analysts, or Investigators role groups). Those users can then view and manage the assigned case.

Here are a few reasons why you should plan before getting started with insider risk management.

  • Smooth Implementation and Alignment: Planning ensures a smooth implementation of insider risk management features by involving the right teams (IT and Compliance) and considering best practices. This minimizes hiccups during setup and ensures your approach aligns with industry standards.
  • Effective Use of Features: Upfront planning helps you understand the functionalities of insider risk management and how to leverage them effectively. This can help you avoid wasting resources or missing out on valuable features.
  • Compliance Considerations: Different regions and organizations may have varying compliance requirements. Planning allows you to identify these requirements and tailor your insider risk management approach accordingly. This helps ensure you stay compliant with relevant regulations.

Stakeholders and Considerations

Stage: Initial Planning & Workflow
Stakeholders: Information Technology, Compliance, Privacy, Security, Human Resources, Legal
Considerations: Collaboration on actions for insider risk alerts and cases; understanding roles and responsibilities.

Stage: Regional Compliance
Stakeholders: Stakeholders in specific regions, Compliance and Privacy teams
Considerations: Ensuring compliance and privacy controls are understood and applied across regions. Potential need for separate policies based on regional requirements. Language considerations for investigators and reviewers.

Stage: Permissions & Workflow
Stakeholders: Security Team, IT Administrators
Considerations: Assigning users to role groups for managing insider risk features. Defining permissions for the designated roles (administrators, analysts, investigators, viewers).

Stage: Licensing & Dependencies
Stakeholders: IT Administrators, Security Team
Considerations: Verifying appropriate Microsoft 365 licensing for insider risk management. Understanding Azure service dependency availability for the organization’s region. Exploring trial options if needed.

Stage: Policy Template Requirements
Stakeholders: Security Team, HR Team
Considerations: Understanding the specific requirements of the chosen policy templates. Configuring the Microsoft 365 HR connector for user data import (resignations, performance data). Configuring Microsoft Purview DLP policies for data leak detection. Enabling the Microsoft Defender for Endpoint integration (Security policy violation templates).

Stage: Testing & Privacy
Stakeholders: Security Team, Legal Team
Considerations: Testing insider risk management policies with a small production user group. Conducting the necessary compliance, privacy, and legal reviews. Enabling anonymization of user display names during testing to protect privacy.

Create and manage insider risk management policies

You can open the overview page from https://purview.microsoft.com/insiderriskmgmt/overviewpage

And create a new Policy.

Start Fast with Quick Insider Risk Policies

New to insider risk management? Get started quickly with pre-configured “Quick Policies” based on your organization’s recent activity. Simply review and customize settings for common threats like data leaks or departing user theft. Stay informed with email notifications for policy warnings and high-severity alerts.

Policy templates

You can also create a policy from one of these templates. Each template has its own triggering events (what starts scoring a user) and prerequisites (what must be configured before the template produces anything):

Data theft by departing users
  Triggering events: Resignation or termination date indicator from the HR connector, or Microsoft Entra account deletion
  Prerequisites: (optional) Microsoft 365 HR connector configured for termination and resignation date indicators

Data leaks
  Triggering events: Data leak policy activity that creates a High severity alert, or built-in exfiltration event triggers
  Prerequisites: DLP policy configured for High severity alerts, OR customized triggering indicators

Data leaks by priority users
  Triggering events: Data leak policy activity that creates a High severity alert, or built-in exfiltration event triggers
  Prerequisites: DLP policy configured for High severity alerts, OR customized triggering indicators; priority user groups configured in insider risk settings

Data leaks by risky users
  Triggering events: Performance improvement, poor performance, or job level change indicators from the HR connector; messages containing potentially threatening, harassing, or discriminatory language
  Prerequisites: Microsoft 365 HR connector configured for disgruntlement indicators, AND/OR Communication Compliance integration with a dedicated disgruntlement policy

Security policy violations
  Triggering events: Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint
  Prerequisites: Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with the Microsoft Purview compliance portal configured

Patient data misuse
  Triggering events: Defense evasion of security controls from EMR systems; user and patient address matching indicators from HR systems
  Prerequisites: Healthcare access indicators selected in the policy or in insider risk settings; Microsoft 365 HR connector configured for address matching; Microsoft Healthcare or Epic connector configured

Risky browser usage
  Triggering events: User browsing activity related to security that matches at least one selected Browsing indicator
  Prerequisites: See the complete list of prerequisites in the browser signal detection article

Security policy violations by departing users
  Triggering events: Resignation or termination date indicators from the HR connector, or Microsoft Entra account deletion
  Prerequisites: (optional) Microsoft 365 HR connector configured for termination and resignation date indicators; active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with the Microsoft Purview compliance portal configured

Security policy violations by priority users
  Triggering events: Defense evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint
  Prerequisites: Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with the Microsoft Purview compliance portal configured; priority user groups configured in insider risk settings

Security policy violations by risky users
  Triggering events: Performance improvement, poor performance, or job level change indicators from the HR connector; messages containing potentially threatening, harassing, or discriminatory language
  Prerequisites: Microsoft 365 HR connector configured for risk indicators, AND/OR Communication Compliance integration with a dedicated risky user policy; AND an active Microsoft Defender for Endpoint subscription with the Microsoft Defender for Endpoint integration to the Microsoft Purview compliance portal configured

Policy template limits

Insider risk management policy templates have built-in limits to manage the workload associated with user risk scoring. These limits apply to the number of users actively assessed by a policy (receiving risk scores). While you can add any number of users to a policy, this limit ensures smooth operation.

Why are there limits?

These limits prevent overwhelming the system with alerts due to policy misconfigurations. If a policy nears or exceeds its user limit, performance may be impacted.

Can I increase the limit?

Yes, contacting Microsoft support can raise the limit for your organization. However, be aware that a higher limit may lead to a higher volume of alerts, so ensure your policies are well-configured to avoid unnecessary notifications. By default you can have up to 20 policies for any policy template.

Use the following table to determine the maximum number of in-scope users supported for each policy template. These maximum limits apply to users across all policies using a given policy template.

Policy template – In-scope user maximum

General data leak – 15,000
Data leak by risky users – 7,500
Data leak by priority users – 1,000
Data theft by departing users – 20,000
Security policy violations – 1,000
Patient data misuse – 5,000
Risky browser usage – 7,000
Security policy violation by priority users – 1,000
Security policy violations by departing users – 15,000
Security policy violations by risky users – 7,500
Forensic evidence – Unlimited
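Because the maximum counts users across every policy built from the same template, the number to watch is the per-template sum, not the size of any single policy. The following script is an added example (not from the original post or from Microsoft) that does that arithmetic for a planned set of policies; the policy list is constructed for illustration and the limits are the ones in the table above.

```powershell
# Added example, not part of the original post: check planned policy scopes
# against the per-template in-scope user limits. The limit applies to the sum
# of in-scope users across all policies that share a template, and there is a
# separate cap of 20 policies per template. The planned policies below are
# constructed for illustration.

$TemplateLimit = @{
  'General data leak'                             = 15000
  'Data leak by risky users'                      = 7500
  'Data leak by priority users'                   = 1000
  'Data theft by departing users'                 = 20000
  'Security policy violations'                    = 1000
  'Patient data misuse'                           = 5000
  'Risky browser usage'                           = 7000
  'Security policy violation by priority users'   = 1000
  'Security policy violations by departing users' = 15000
  'Security policy violations by risky users'     = 7500
  # Forensic evidence is unlimited and therefore not listed
}

# Constructed plan: one row per policy with the number of users it would put in scope
$PlannedPolicies = @(
  [pscustomobject]@{ Name = 'Data leak - EMEA';       Template = 'General data leak';             InScopeUsers = 9000 }
  [pscustomobject]@{ Name = 'Data leak - Americas';   Template = 'General data leak';             InScopeUsers = 8000 }
  [pscustomobject]@{ Name = 'Executives';             Template = 'Data leak by priority users';   InScopeUsers = 400 }
  [pscustomobject]@{ Name = 'Leavers';                Template = 'Data theft by departing users'; InScopeUsers = 1200 }
)

function Test-IrmTemplateCapacity {
  param([object[]]$Policies, [hashtable]$Limits, [int]$MaxPoliciesPerTemplate = 20)

  # Group by template so the comparison is against the combined scope
  $Policies | Group-Object -Property Template | ForEach-Object {
    $total = ($_.Group | Measure-Object -Property InScopeUsers -Sum).Sum
    $limit = $Limits[$_.Name]

    if ($null -eq $limit)                           { $status = 'Unknown template' }
    elseif ($_.Count -gt $MaxPoliciesPerTemplate)   { $status = "Too many policies (> $MaxPoliciesPerTemplate)" }
    elseif ($total -gt $limit)                      { $status = 'OVER LIMIT: split scope or ask support to raise it' }
    elseif ($total -gt (0.9 * $limit))              { $status = 'Near limit (> 90 %)' }
    else                                            { $status = 'OK' }

    [pscustomobject]@{
      Template     = $_.Name
      Policies     = $_.Count
      InScopeUsers = $total
      Limit        = $limit
      Status       = $status
    }
  }
}

Test-IrmTemplateCapacity -Policies $PlannedPolicies -Limits $TemplateLimit | Format-Table -AutoSize
```

With the constructed plan, the two General data leak policies together put 17,000 users in scope and come back as OVER LIMIT even though each one is comfortably under 15,000 on its own, which is the point the table does not make obvious.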

Investigate and remediate insider risk activities, alerts, and reports

Add permissions to review those Alerts

Viewing alerts requires membership in one of the Insider Risk Management role groups in Microsoft Purview; which group you belong to decides what you can do with an alert once you can see it:

  • Insider Risk Management Auditors: can read the insider risk audit log, but not the alerts or cases themselves. Suitable for someone who only needs oversight of what the IRM team has done.
  • Insider Risk Management Analysts: can view and triage alerts, work cases and use notice templates (resolve a benign alert, notify the user, escalate to a case). Analysts cannot open Content explorer, so they see the activity but not the captured files and messages.
  • Insider Risk Management Investigators: everything Analysts can do, plus Content explorer for all cases.
  • Insider Risk Management Admins: a configuration role with full control over policies, settings, analytics and role assignments. It does not by itself grant access to alerts or cases, so an admin who also triages needs Analysts or Investigators membership too, or membership of the all-in-one Insider Risk Management group.

Here’s a breakdown of the actions and the role groups that can perform them:

Action – Role groups
Configure policies and settings – Insider Risk Management, Insider Risk Management Admins
View analytics insights – Insider Risk Management, Insider Risk Management Admins, Insider Risk Management Analysts
Access and investigate alerts and cases – Insider Risk Management, Insider Risk Management Analysts, Insider Risk Management Investigators
Review user content (Content explorer) – Insider Risk Management, Insider Risk Management Investigators
Approve forensic evidence capture requests – Insider Risk Management Approvers
Read the insider risk audit log – Insider Risk Management, Insider Risk Management Auditors

If you need to add permissions, open the settings wheel in the Purview portal, choose Roles and scopes, then Role groups, and add the user to the relevant Insider Risk Management role group.
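The same role groups are manageable from Security & Compliance PowerShell, which is handy when you onboard several analysts at once or want the change recorded in a script. The snippet below is an added example (not from the original post or from Microsoft); it assumes the ExchangeOnlineManagement module is installed, that the signed-in account can manage role groups, and the two contoso.com addresses are placeholders.

```powershell
# Added example, not part of the original post: put an analyst into an
# Insider Risk Management role group with Security & Compliance PowerShell
# and confirm the membership from the service. Assumptions: the
# ExchangeOnlineManagement module is installed, the signed-in account may
# manage role groups (Global Administrator or Insider Risk Management Admins),
# and both e-mail addresses below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'   # interactive sign-in to Security & Compliance

$RoleGroup = 'Insider Risk Management Analysts'   # or 'Insider Risk Management Investigators' / 'Insider Risk Management Admins'
$Member    = 'analyst@contoso.com'

# Read the management roles the group carries before widening its membership
Get-RoleGroup -Identity $RoleGroup | Format-List Name, Roles, Description

# Add the user only if not already a member, so the script is safe to rerun
$current = @(Get-RoleGroupMember -Identity $RoleGroup)
if ([string[]]$current.PrimarySmtpAddress -notcontains $Member) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $Member
}

# Re-read the membership as the service now sees it; role group changes can
# take a while to show up in the portal, so this is where to check when a
# freshly added analyst reports an empty Alerts page
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, PrimarySmtpAddress -AutoSize
```

Use Get-RoleGroup on the other Insider Risk Management groups in the same way to confirm which one actually carries the permission you need before assigning anyone.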

Make sure you have enabled Analytics in the insider risk settings. Analytics scans your tenant’s activity to estimate potential insider risk, and the Quick policies recommendations are built on its results.

See more on Microsoft Learn.

If you want to generate alerts without waiting for a triggering event (a DLP match, an HR connector event, and so on), you can start scoring activity for selected users manually from the Users page; the chosen users are then scored against the policy you pick.

Step: Triaging alerts
  1. Open the Insider Risk Management dashboard and select the Alerts tab.
  2. Review the alert list and prioritize by severity, taking the classification of the data involved into account.
  3. Select an alert to open its details: activity type, user, time, location, and risk score.
  4. Analyze the context (user role, department, recent activities) and assess the potential impact of the activity.
  5. Look for indicators of compromise in the alert details (for example, activity from an unexpected location or at an unexpected time).

Step: User activity exploration
  1. Open the user’s activity timeline (Activity explorer) for the selected alert.
  2. Filter for the activities relevant to the alert (for example, data downloads or file transfers to external locations).
  3. Look for patterns or anomalies in the historical timeline, such as sudden spikes in activity or unusual access times.
  4. Correlate the current alert with previous alerts for similar activity types or data access patterns.
  5. Where available, use user behavior analytics (UBA) tooling for additional anomaly detection.

Step: Case management
  1. Choose an action from the case action toolbar: Resolve (if benign), Notify user (data security reminder), or Escalate (high-risk scenarios that need security or HR involvement).
  2. If you escalate, document the justification and the next steps.
  3. Use forensic tooling for in-depth analysis when a case is escalated (for example, endpoint investigation for malware or data exfiltration attempts).

Additional considerations
  • Ensure the data used in the investigation complies with privacy regulations (pseudonymized display names, role-based access controls).
  • Document the investigation process and findings, including timestamps, logs, and screenshots.
  • Continuously review and update insider risk policies (consider threat intelligence feeds and tuning of indicators and thresholds).
  • Integrate with other security solutions (for example, a SIEM) for a holistic view of potential insider threats.
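To make the triage logic above concrete, here is an added example (not from the original post or from Microsoft) that runs the same prioritization and correlation over a handful of constructed alert records: rank by severity and data sensitivity, then look back at the same user’s earlier alerts for repeats and spikes, and mark off-hours activity. The records and their field names are invented for illustration and are not the portal’s alert export schema.

```powershell
# Added example, not part of the original post: a triage pass over constructed
# alert records that does in code what the steps above do in the portal.
# Ranking: severity, then sensitivity of the data involved, then recency.
# Correlation: earlier alerts for the same user within a lookback window.
# The records and field names are invented; they are not an export schema.

$SeverityRank = @{ High = 3; Medium = 2; Low = 1 }
$LabelRank    = @{ 'Highly Confidential' = 3; Confidential = 2; General = 1; None = 0 }

# Constructed alerts (five records, three users)
$Alerts = @(
  [pscustomobject]@{ Id='IRM-001'; User='user1'; Severity='Medium'; Activity='Download from SharePoint'; Label='Confidential';        Time=[datetime]'2024-05-02T09:10' }
  [pscustomobject]@{ Id='IRM-002'; User='user1'; Severity='Medium'; Activity='Download from SharePoint'; Label='Confidential';        Time=[datetime]'2024-05-06T22:40' }
  [pscustomobject]@{ Id='IRM-003'; User='user1'; Severity='High';   Activity='Upload to cloud service';  Label='Highly Confidential'; Time=[datetime]'2024-05-07T23:05' }
  [pscustomobject]@{ Id='IRM-004'; User='user2'; Severity='High';   Activity='Copy to USB';              Label='General';             Time=[datetime]'2024-05-07T10:00' }
  [pscustomobject]@{ Id='IRM-005'; User='user3'; Severity='Low';    Activity='Print';                    Label='None';                Time=[datetime]'2024-05-07T11:30' }
)

function Get-IrmTriageQueue {
  param([object[]]$Alerts, [int]$LookbackDays = 30, [int]$SpikeThreshold = 2)

  $ranked = $Alerts | Sort-Object @{ Expression = { $SeverityRank[$_.Severity] }; Descending = $true },
                                  @{ Expression = { $LabelRank[$_.Label] };       Descending = $true },
                                  @{ Expression = 'Time';                          Descending = $true }

  foreach ($a in $ranked) {
    # Earlier alerts for the same user inside the lookback window
    $prior = @($Alerts | Where-Object {
        $_.User -eq $a.User -and $_.Time -lt $a.Time -and $_.Time -ge $a.Time.AddDays(-$LookbackDays) })
    $repeat  = @($prior | Where-Object { $_.Activity -eq $a.Activity }).Count
    $offHour = ($a.Time.Hour -lt 6) -or ($a.Time.Hour -ge 20)

    $notes = @()
    if ($prior.Count -ge $SpikeThreshold) { $notes += "spike: $($prior.Count) prior alerts in ${LookbackDays}d" }
    if ($repeat -gt 0)                    { $notes += "repeat of '$($a.Activity)'" }
    if ($offHour)                         { $notes += 'off-hours activity' }

    [pscustomobject]@{
      Id       = $a.Id
      User     = $a.User
      Severity = $a.Severity
      Label    = $a.Label
      Activity = $a.Activity
      Prior    = $prior.Count
      Notes    = ($notes -join '; ')
    }
  }
}

Get-IrmTriageQueue -Alerts $Alerts | Format-Table -AutoSize
```

With the constructed data, IRM-003 comes out on top (High severity, Highly Confidential label) and is annotated with both the spike (two earlier alerts for user1 within the window) and the off-hours flag, which is exactly the combination that should push an alert from Resolve towards Escalate.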

Manage insider risk cases

Cases Dashboard Summary Table

Feature – Description

Active cases – Total number of ongoing investigations.
Cases over past 30 days – Breakdown of the cases created in the last 30 days (active and closed).
Statistics – Average time an active case remains open (hours, days, or months).
Case queue – Lists all active and closed cases with these details:
  • Case ID: unique identifier for the case.
  • Case name: user-defined name assigned when the case is created.
  • Status: Active (ongoing) or Closed (resolved).
  • User: the user involved (anonymized if anonymization is enabled).
  • Time case opened: time elapsed since the case was created.
  • Total policy alerts: number of policy matches linked to the case (grows as new alerts are added).
  • Case last updated: time since the last case note or status change.
  • Last updated by: name of the analyst or investigator who last modified the case.
Search – Find cases by ID or by text in the case name.
Filter cases – Narrow the list by Status, Time case opened (start/end date), Last updated (start/end date), and, where the portal offers it, Assigned to (the assigned administrator).
Assign a case – Assign ownership of a case to an administrator with the appropriate permissions (if applicable).
Save filter views – Save a filter combination for later reuse (up to 5 saved views).
Customize columns – Choose which case details are shown in the list.
Search for alerts – Find alerts within a case by user name, assigned admin, or alert ID.

Manage forensic evidence settings

Feature – Description

Visual capturing – Records clips of user activity around critical security events, giving investigators visual context for what an alert describes.
Selective monitoring – Limits capturing to specific high-risk applications and websites (excluding personal accounts) to save storage and protect privacy.
Enhanced phishing protection (preview) – Captures user interactions related to suspicious websites or applications, such as entering login credentials.
Privacy protection – Capturing for a user must be requested and then approved by a separate approver (the Insider Risk Management Approvers role group), so no single person can switch it on.
Customizable triggers & capturing – Lets security teams capture around specific events (for example, activity before and after a file download) or continuously.
User-centric policy targeting – Tracks activity by user rather than by device, for better context and risk assessment.
Role-based access controls (RBAC) – Restricts setting up and reviewing captures to authorized personnel.
Deep integration – Works inside the existing insider risk management workflows (alerts, cases) on the same platform.
Trial capacity (20 GB) – Provides trial storage with usage monitoring and the option to purchase additional capacity.

And the settings page itself.

Manage notice templates

HTML for Insider Risk Management Notices

  • Creating HTML Notices: Compose notification emails with rich text formatting using HTML in the message body.
  • Example HTML Structure: Provides a basic template for an HTML notification email.
  • Important Note: Single quotation marks are currently required for URLs within the href attribute.
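The post mentions a basic HTML template without showing one, so here is an added example (not from the original post or from Microsoft) of a notice body you could paste into the Message body field, together with a small check for the single-quote rule on href before you save the template. The wording, the intranet link, and the mailbox address are placeholders.

```powershell
# Added example, not part of the original post: an HTML notice body held in a
# here-string, plus a check that every href is wrapped in single quotes, which
# is the quoting the portal currently requires. The text, the intranet URL and
# the mailbox address are placeholders.

$NoticeHtml = @"
<!DOCTYPE html>
<html>
<body>
  <p>Hi,</p>
  <p>Our data security team noticed activity on your account that may not follow
     company policy for handling confidential information.</p>
  <p>Please review the <a href='https://intranet.contoso.com/data-handling'>data handling policy</a>
     and contact <a href='mailto:security@contoso.com'>security@contoso.com</a> if you have questions.</p>
  <p>Thank you,<br/>Data Security Team</p>
</body>
</html>
"@

function Test-IrmNoticeHref {
  param([string]$Html)
  # Match href="..." or href='...' and report which quote character was used
  [regex]::Matches($Html, 'href\s*=\s*(["''])([^"'']*)\1') | ForEach-Object {
    [pscustomobject]@{
      Url   = $_.Groups[2].Value
      Quote = $_.Groups[1].Value
      Ok    = ($_.Groups[1].Value -eq "'")
    }
  }
}

$result = Test-IrmNoticeHref -Html $NoticeHtml
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Ok }) {
  Write-Warning 'Rewrite double-quoted hrefs with single quotes before saving the template.'
}
```

Run the check on any template you copy in from an e-mail signature or a web editor; those tools almost always emit double-quoted attributes.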

Creating and Updating Notice Templates (Microsoft Purview Portal)

  1. Go to Insider Risk Management.
  2. Select Notification templates.
  3. Click Create notification template.
  4. Fill in details:
    • Template name: Enter a friendly name for the template.
    • Send from: Set the sender email address.
    • Subject: Enter the subject line for the email.
    • Message body: Enter the message content (text or HTML).
  5. Click Create to save the template.

Updating Notice Templates:

  1. Go to Insider Risk Management.
  2. Select Notification templates.
  3. Choose the template you want to edit.
  4. Click Edit.
  5. Update details as needed (refer to Create steps).
  6. Click Save to update the template.

Deleting Notice Templates (Microsoft Purview Portal)

  1. Go to Insider Risk Management.
  2. Select Notification templates.
  3. Choose the template you want to delete.
  4. Click the Delete icon on the toolbar.
  5. Confirm deletion by clicking Yes.

Closure

That’s it; let’s go through the lessons learned.

Access Levels

  • Administrative Access: Requires specific role groups for configuration (e.g., Microsoft Entra ID Global Administrator, Insider Risk Management Admins).
  • User Access: Allows viewing and interacting with IRM features (e.g., Insider Risk Management).

Planning is Key

  • Smooth Implementation: Involve relevant teams (IT, Compliance) to minimize setup hiccups and ensure alignment with best practices.
  • Effective Use: Understand IRM functionalities to leverage them efficiently.
  • Compliance Considerations: Identify and tailor your approach to meet regional and organizational requirements.

Stakeholders and Considerations

  • Initial Planning & Workflow: Collaborate on actions for IRM alerts & cases. Define roles and responsibilities.
  • Regional Compliance: Ensure compliance & privacy controls are understood and applied across regions. Consider potential need for separate policies and language considerations.
  • Permissions & Workflow: Assign users to role groups and define permissions for designated roles.
  • Licensing & Dependencies: Verify appropriate Microsoft 365 licensing and understand Azure service dependency availability for your region. Explore trial options if needed.
  • Policy Template Requirements: Understand specific requirements for chosen policy templates and configure relevant integrations (e.g., Microsoft 365 HR connector, DLP policies).

Creating and Managing Policies

  • Access the overview page at https://purview.microsoft.com/insiderriskmgmt/overviewpage to create new policies.
  • Leverage pre-configured “Quick Policies” or choose from available templates to address common threats like data leaks or departing user theft.
  • Policy templates have built-in limits to manage the workload associated with user risk scoring. These limits apply to the number of users actively assessed by a policy.

Investigating and Remediating Insider Risk

  • Viewing and triaging alerts requires membership in an Insider Risk Management role group: Analysts work alerts and cases, Investigators can additionally review content, and Admins configure policies and settings.
  • The Cases Dashboard provides an overview of active cases, cases over the past 30 days, and relevant statistics.
  • You can search, filter, and manage cases (assign ownership, etc.) within the dashboard.

Finally, read here a case study on Insider Risk Management.

Link to main post

Author: Harri Jaakkonen