
Insider Risk Management

Detect and investigate risky user activities that could harm your organization. Insider risk management uses signals from across Microsoft 365 to identify potential data theft, security violations, and policy breaches by employees.

Note: Insider Risk Management requires Microsoft 365 E5, Microsoft 365 E5 Compliance, or the Microsoft 365 E5 Insider Risk Management add-on.

Dashboard Overview

Metric                 Description
High Severity Alerts   Alerts requiring immediate attention
Active Cases           Ongoing investigations
Users in Scope         Users monitored by active policies
Active Policies        Number of insider risk policies enabled

Risk Categories

Data Theft by Departing Users

Detect potential data exfiltration by employees who have resigned or been terminated. Correlates HR signals with data movement. Risk: High

Data Leaks

Identify unintentional or intentional sharing of sensitive information outside the organization. Includes DLP policy matches. Risk: Medium

Security Policy Violations

Detect violations of security policies like disabling security tools, accessing blocked sites, or installing prohibited software. Risk: High

Patient Data Misuse (Healthcare)

Healthcare-specific template for detecting unauthorized access to electronic health records (EHR) and HIPAA violations. Category: Healthcare

Risky Browser Usage

Detect potentially risky browsing activities like accessing competitor sites, job boards, or data storage services. Risk: Medium

Cumulative Exfiltration

Detect gradual data exfiltration over time that might evade single-event detection thresholds. Risk: High

Signal Sources

Insider risk correlates signals from multiple sources:

Microsoft 365

  • SharePoint file downloads
  • Email to personal accounts
  • Teams file sharing
  • OneDrive sync activity

Endpoint (Defender)

  • USB file copies
  • Cloud storage uploads
  • Print activity
  • Browser activity

HR Connectors

  • Resignation date
  • Termination notice
  • Performance issues
  • Job level changes

Security Signals

  • DLP policy matches
  • Sensitivity label downgrades
  • Defender alerts

Physical Access

  • Badge reader data
  • After-hours access
  • Access to restricted areas

Healthcare Systems

  • EHR access logs
  • Patient record views
  • Break-the-glass events

Policy Configuration

1. Choose Template

Start with a pre-built template targeting specific risk scenarios: data theft, data leaks, security violations, or custom.

2. Define Users in Scope

  • All users (organization-wide)
  • Specific groups (e.g., Finance, Engineering)
  • Priority users (high-risk roles)
  • HR connector triggers (departing employees)

3. Configure Indicators

Select which activities to monitor and their risk weighting:

  • File Activities — Downloads, copies, prints
  • Email Activities — External sends, attachments
  • Cloud Activities — Third-party cloud uploads
  • Device Activities — USB, removable media

4. Set Thresholds

Define when activities become alerts. Use defaults or customize based on your organization’s normal behavior patterns.
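The following is an added example, not the product's own scoring code, showing how steps 3 and 4 combine with the "Cumulative Exfiltration" category above: per-indicator weights, a single-event threshold, and a rolling-window cumulative threshold that still fires when a user spreads a large transfer over many small ones, with the HR resignation signal raising the weight of the same activity. The indicator names, weights, thresholds, window length and all sample events are assumptions constructed for the example.

```python
"""Cumulative exfiltration scoring over constructed activity events.

Added example (not part of the product documentation). All field names,
weights, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator weights (step 3, "Configure Indicators").
INDICATOR_WEIGHTS = {
    "file_download": 1.0,
    "usb_copy": 2.0,
    "cloud_upload": 1.5,
    "email_external": 1.5,
}

# Assumed thresholds (step 4, "Set Thresholds"), volumes in megabytes.
SINGLE_EVENT_MB = 500        # one transfer this large alerts on its own
CUMULATIVE_MB = 1000         # weighted volume inside the window that alerts
WINDOW = timedelta(days=30)   # rolling window for cumulative scoring
DEPARTING_MULTIPLIER = 2.0   # HR connector: resignation within WINDOW doubles weight

# Constructed sample events: (user, timestamp, indicator, megabytes).
EVENTS = [
    ("alice@example.test", "2024-03-01T09:12:00", "file_download", 300),
    ("alice@example.test", "2024-03-04T17:45:00", "file_download", 300),
    ("alice@example.test", "2024-03-09T08:30:00", "usb_copy", 250),
    ("bob@example.test", "2024-03-02T11:00:00", "file_download", 120),
    ("carol@example.test", "2024-03-05T10:00:00", "cloud_upload", 600),
]

# Constructed HR connector signal: resignation date per user.
HR_RESIGNATIONS = {"alice@example.test": "2024-03-20"}


def weighted_mb(user, ts, indicator, mb, resignations):
    """Indicator weight times volume, doubled when the user resigns within WINDOW after the event."""
    weight = INDICATOR_WEIGHTS[indicator]
    resignation = resignations.get(user)
    if resignation is not None:
        until_departure = datetime.fromisoformat(resignation) - ts
        if timedelta(0) <= until_departure <= WINDOW:
            weight *= DEPARTING_MULTIPLIER
    return mb * weight


def evaluate(events=EVENTS, resignations=HR_RESIGNATIONS):
    """Return per-user findings: single-event and cumulative threshold crossings."""
    by_user = defaultdict(list)
    for user, ts, indicator, mb in events:
        by_user[user].append((datetime.fromisoformat(ts), indicator, mb))

    findings = {}
    for user, items in by_user.items():
        items.sort()
        # Single-event check: raw (unweighted) volume of any one transfer.
        single = any(mb >= SINGLE_EVENT_MB for _, _, mb in items)
        peak = 0.0
        for i, (ts_i, _, _) in enumerate(items):
            # Weighted volume of every event inside the window ending at this event.
            total = sum(
                weighted_mb(user, ts_j, ind_j, mb_j, resignations)
                for ts_j, ind_j, mb_j in items[: i + 1]
                if ts_i - ts_j <= WINDOW
            )
            peak = max(peak, total)
        findings[user] = {
            "single_event": single,
            "cumulative": peak >= CUMULATIVE_MB,
            "peak_window_mb": peak,
        }
    return findings


if __name__ == "__main__":
    for user, result in evaluate().items():
        print(user, result)
```

In the sample data alice never moves more than 300 MB at once, so a single-event threshold alone stays silent; the rolling window sums her three transfers (weighted, and doubled because her resignation is within 30 days) to 2200 MB and crosses the cumulative threshold, while carol's one 600 MB upload trips only the single-event rule.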

Alert Investigation

  1. Review Alert — Examine alert details: triggering activities, risk score, timeline, and user context.
  2. View Activity Explorer — See all user activities leading up to the alert. Filter by activity type, date, and risk level.
  3. Confirm or Dismiss — Determine whether the alert represents real risk. Dismiss false positives or escalate to a case.
  4. Create Case (if needed) — Escalate to a formal investigation. Add evidence and coordinate with HR/Legal.

Case Management

Case Actions

  • Add related alerts to case
  • Add case notes and findings
  • Share with HR or Legal
  • Send user notifications
  • Export case for external review

Integration Actions

  • Create ServiceNow ticket
  • Escalate to eDiscovery case
  • Trigger Power Automate workflow
  • Send to SIEM (Sentinel)

Privacy Controls

Built-in privacy protections balance security with employee privacy:

  • Anonymization — User names pseudonymized until case is created
  • Role-based access — Only designated investigators can view details
  • Audit logging — All investigator actions are logged
  • Data retention — Configure how long alert data is retained
  • Notice requirements — Configure user notification policies
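As an added illustration of the first three controls (anonymization, role-based access, audit logging), the code below is not the product's implementation; it is one way such controls can be built. Pseudonyms are keyed HMAC labels rather than plain hashes, so a reviewer holding the label but not the tenant key cannot recover the user; the real identity is revealed only to an investigator role and only inside an open case; and every reveal attempt, allowed or denied, is written to an audit trail. The key, role name and sample users are constructed for the example.

```python
"""Pseudonymized alert views with reveal gated on an open case.

Added example, not the product's own code. Key, role names and sample
data are constructed assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed tenant secret; in a real deployment this comes from a key vault, not source code.
PSEUDONYM_KEY = b"constructed-tenant-key-do-not-reuse"
INVESTIGATOR_ROLES = {"InsiderRiskInvestigator"}  # assumed role name


def pseudonym(upn, key=PSEUDONYM_KEY):
    """Stable keyed pseudonym: the same user always maps to the same label,
    but the label cannot be reversed or brute-forced without the key."""
    digest = hmac.new(key, upn.lower().encode(), hashlib.sha256).hexdigest()
    return "ANON-" + digest[:12].upper()


class AlertStore:
    """Holds alerts keyed by pseudonym and the identity map separately."""

    def __init__(self):
        self._identity = {}   # pseudonym -> real UPN, never returned with alert data
        self._cases = {}      # case_id -> set of pseudonyms in scope of that case
        self.audit = []       # every reveal attempt, allowed or not

    def ingest_alert(self, upn, summary):
        """Store an alert; the view handed to reviewers carries only the pseudonym."""
        label = pseudonym(upn)
        self._identity[label] = upn
        return {"user": label, "summary": summary}

    def open_case(self, case_id, pseudonyms):
        """Creating a case is the step that makes a reveal possible."""
        self._cases[case_id] = set(pseudonyms)

    def reveal(self, actor, roles, label, case_id=None):
        """Return the real UPN only for an investigator, within a case that covers this user."""
        allowed = (
            bool(set(roles) & INVESTIGATOR_ROLES)
            and case_id in self._cases
            and label in self._cases[case_id]
        )
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "pseudonym": label,
            "case_id": case_id,
            "allowed": allowed,
        })
        return self._identity.get(label) if allowed else None


if __name__ == "__main__":
    store = AlertStore()
    alert = store.ingest_alert("dana@example.test", "bulk SharePoint download")
    print(alert)
    print(store.reveal("ivan", {"InsiderRiskInvestigator"}, alert["user"]))        # None: no case yet
    store.open_case("CASE-0001", {alert["user"]})
    print(store.reveal("ivan", {"InsiderRiskInvestigator"}, alert["user"], "CASE-0001"))
    print(store.audit)
```

Keeping the identity map in a separate store from the alert records is the design choice that matters: the alert queue, dashboards and exports can be handed to a wider audience because nothing in them resolves to a person without going through `reveal`, which is where the role check and the audit entry live.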

Best Practices

  • Connect HR data — HR connector dramatically improves detection of departing employee risks
  • Start with templates — Use pre-built templates and tune thresholds based on your data
  • Coordinate with HR and Legal — Involve stakeholders in policy design and investigation procedures
  • Review alerts promptly — Timely review prevents alert fatigue and ensures risks are addressed

API Reference

  • GET /api/compliance/insider-risk/alerts — List insider risk alerts
  • GET /api/compliance/insider-risk/cases — List investigation cases
  • GET /api/compliance/insider-risk/policies — List active policies
  • PUT /api/compliance/insider-risk/alerts/:id — Update alert status
  • GET /api/compliance/insider-risk/analytics — Get risk analytics summary