Configure Microsoft Purview Insider Risk Management policies to detect and investigate potential insider threats, set up indicators, create investigation workflows, and deploy user-level risk scoring.
Insider threats are among the hardest risks to detect because the actors already have legitimate access to corporate systems. In this lab you will configure Microsoft Purview Insider Risk Management (IRM) policies to detect potential insider threats such as data exfiltration, intellectual property theft, and security policy violations. You will set up risk indicators that correlate signals across Microsoft 365 services, create investigation workflows for triaging alerts, configure user-level risk scoring with adaptive protection, and establish privacy controls that balance security needs with employee rights.
A global technology company with 10,000 employees has experienced two IP theft incidents in the past year. both by departing employees who exfiltrated proprietary source code and customer data in the weeks before their departure date. The company needs to detect data exfiltration patterns, identify security policy violations by disgruntled or departing insiders, and build automated investigation workflows that surface risky behaviour before data loss occurs. all while maintaining employee privacy and complying with regional data protection regulations.
Insider threats cause the most damage per incident of any attack vector. 34% of all data breaches involve insiders according to industry research. Unlike external attacks that must bypass perimeter defences, insiders already have legitimate access and know exactly where the most valuable data resides. Microsoft Purview Insider Risk Management provides behavioural analytics that correlate hundreds of signals to detect risky patterns before data loss occurs, enabling security teams to intervene early and reduce the average cost of an insider incident from $15.4 million to a fraction of that through proactive detection.
Get-AdminAuditLogConfig | Select UnifiedAuditLogIngestionEnabled. Without audit logging, IRM cannot detect user activities.Insider Risk Management detects potentially risky activities by correlating signals across Microsoft 365 services: file downloads, email forwarding, SharePoint access, and more.
# Connect to Security & Compliance PowerShell
# WHY: Required session for Insider Risk Management and compliance cmdlets
Connect-IPPSSession -UserPrincipalName admin@contoso.com
# Verify IRM role group membership
# WHAT: Lists all members of the Insider Risk Management role group
# WHY: Only members of this role group can view alerts, cases, and user activity
# timelines. Confirms your admin account has the necessary permissions.
# OUTPUT: DisplayName and email of each role group member
# CONCERN: If your account is not listed, you won't see IRM alerts or cases
Get-RoleGroupMember -Identity "Insider Risk Management" | Format-Table DisplayName, PrimarySmtpAddress
# Check if audit logging is enabled
# WHAT: Verifies that unified audit log ingestion is active in the tenant
# WHY: IRM depends on audit logs to detect user activities (file downloads,
# email forwarding, USB copies). Without audit logging, IRM is blind.
# OUTPUT: UnifiedAuditLogIngestionEnabled should be True
# CONCERN: If False, run Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabledGo to Settings > Insider risk management. Configure the global Privacy setting. decide whether to show anonymized usernames or actual names during investigations. Anonymized mode protects employee privacy until risk is confirmed.
Configure the Intelligent detections settings: set the file extension exclusions (ignore .log, .tmp files), volume thresholds for anomaly detection, and domain exclusions for trusted external domains.
Navigate to Settings > Indicators. Enable the indicators that align with your risk scenarios: Office indicators (file downloads, email to external domains), Device indicators (USB copy, print), and Security policy violation indicators.
Select indicator thresholds carefully: low thresholds generate more alerts but include more noise; high thresholds miss subtle patterns but produce higher-fidelity alerts. Start with medium thresholds and tune based on alert volume.
This template correlates HR departure signals with data exfiltration indicators to identify employees who may be stealing data before leaving.
Policy-DataTheft-DepartingUsers# List all insider risk policies in the tenant
# WHAT: Shows all configured IRM policies with their status and template type
# OUTPUT: Name, IsEnabled (active or disabled), PolicyTemplate (Data theft,
# Data leaks, Security violations), CreatedDate
# WHY: Confirms the policy was created successfully and is actively monitoring
# CONCERN: If IsEnabled=False, the policy exists but is not generating alerts
Get-InsiderRiskPolicy | Format-Table Name, IsEnabled, PolicyTemplate, CreatedDate
# Get detailed configuration of a specific policy
# WHAT: Shows full settings including indicators, thresholds, and trigger events
# OUTPUT: All policy properties in list format for detailed review
# USE: Verify indicator thresholds, user scope, and triggering events match
# what was configured in the portal
Get-InsiderRiskPolicy -Identity "Policy-DataTheft-DepartingUsers" | Format-ListCreate a second policy: Data leaks by risky users. This template identifies ongoing data exposure from users exhibiting risky behavior patterns. regardless of employment status.
Configure the triggers: DLP policy match (connect to your Lab 02 DLP policies), security policy violation, or sequence of risky activities. Set the indicator thresholds for: volume of files downloaded, number of external emails, and cloud upload activity.
Create a third policy: Security policy violations. This template detects users who bypass or violate security controls: disabling endpoint protection, modifying security settings, or accessing restricted resources.
Configure the indicators: endpoint protection disabled, Windows security settings changed, administrative privilege escalation, and access to restricted SharePoint sites. Weight these indicators by severity.
Navigate to Settings > Priority user groups. Create groups for high-value targets: executives, finance team members, users with access to trade secrets, and employees in notice period.
Priority user groups receive enhanced monitoring. lower thresholds, additional indicators, and faster alert generation. This ensures the highest-risk users get the most scrutiny without overwhelming the system with alerts for the entire organization.
Define the alert triage process: Level 1 analysts review new alerts and dismiss false positives, Level 2 analysts investigate confirmed alerts and create cases, Level 3 analysts conduct deep investigations and coordinate with HR and Legal.
Navigate to Alerts and review the queue. Each alert shows: the user, the activity that triggered it, the risk score, the number of related activities, and the policy that generated it.
Select a high-severity alert and create a case. The case view shows: a timeline of all risky activities, cumulative risk score trend, file activity details, email activity details, and user profile information.
Use the Content explorer tab to examine specific files that were accessed, downloaded, or shared. Review the User activity tab to see the full sequence of actions leading to the alert.
Navigate to Settings > Forensic evidence (preview). This feature captures screen recordings and keystrokes when high-risk activities are detected, providing visual evidence for investigations.
Configure forensic evidence carefully: capture only during confirmed high-risk activities, store recordings in a secure location with limited access, and set retention periods that comply with your legal and privacy requirements.
For completed cases, generate investigation reports that document: the triggering activity, the investigation timeline, evidence reviewed, findings, and recommended actions.
Reports should be factual and objective. avoid drawing conclusions about intent. Present the evidence and let HR, Legal, and management make decisions about appropriate responses.
Navigate to Settings > Notice templates. Create notification templates for different scenarios: awareness reminder (low risk), formal notice (medium risk), and investigation notification (high risk, coordinated with HR and Legal).
Notices serve both as intervention tools and documentation. A well-timed awareness reminder can stop risky behavior before it escalates, while formal notices create a record for potential disciplinary action.
Connect Insider Risk with your DLP policies (Lab 02) and Communication Compliance. DLP detections feed into insider risk scoring, and communication compliance violations contribute to the user's overall risk profile.
Review the Integrated view showing how signals from multiple Purview solutions combine to create a comprehensive risk picture for each user. Cross-solution correlation is one of the most powerful capabilities of the Purview platform.
Document the operational procedures: daily alert triage cadence, weekly case review meetings, monthly policy tuning reviews, and quarterly reporting to leadership.
Create a RACI matrix: who is Responsible for alert triage, who is Accountable for case investigations, who is Consulted for policy changes (Legal, HR, Privacy), and who is Informed about program metrics (CISO, executives).
| Resource | Description |
|---|---|
| Learn about insider risk management | Overview of insider risk capabilities |
| Plan for insider risk management | Planning guide for deployment |
| Insider risk management policies | Policy template reference and configuration |
| Insider risk management settings | Configure global settings and indicators |
| Insider risk management activities | Investigate and triage insider risk alerts |
| Insider risk management cases | Case management and escalation workflow |