Privacy Risk Management
Detect and investigate risky user activities that could compromise personal data and organizational privacy. Privacy risk management uses signals from across Microsoft 365 to identify potential data exposure, policy breaches, and regulatory violations.
Note: Insider Risk Management requires Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 Insider Risk Management add-on.
Dashboard Overview
| Metric | Example Value | Description |
|---|---|---|
| High Severity Alerts | 8 | Critical privacy risk alerts requiring immediate attention |
| Active Cases | 23 | Ongoing privacy investigations |
| Users in Scope | 156 | Users currently monitored by privacy policies |
| Active Policies | 4 | Privacy risk policies currently enabled |
Privacy Risk Categories
| Category | Risk Level | Description |
|---|---|---|
| Data Theft by Departing Users | High | Detect potential data exfiltration by employees who have resigned or been terminated. Correlates HR signals with data movement. |
| Data Leaks | Medium | Identify unintentional or intentional sharing of sensitive information outside the organization. Includes DLP policy matches. |
| Security Policy Violations | High | Detect violations like disabling security tools, accessing blocked sites, or installing prohibited software. |
| Patient Data Misuse | Healthcare | Healthcare-specific template for detecting unauthorized access to electronic health records (EHR) and HIPAA violations. |
| Risky Browser Usage | Medium | Detect potentially risky browsing activities like accessing competitor sites, job boards, or data storage services. |
| Cumulative Exfiltration | High | Detect gradual data exfiltration over time that might evade single-event detection thresholds. |
Signal Sources
Insider risk management correlates signals from multiple sources; no single source is conclusive on its own, and the HR and physical-access feeds exist mainly to raise or lower the weight of the activity signals:
Microsoft 365
- SharePoint file downloads
- Email to personal accounts
- Teams file sharing
- OneDrive sync activity
Endpoint (Defender)
- USB file copies
- Cloud storage uploads
- Print activity
- Browser activity
HR Connectors
- Resignation date
- Termination notice
- Performance issues
- Job level changes
Security Signals
- DLP policy matches
- Sensitivity label downgrades
- Defender alerts
Physical Access
- Badge reader data
- After-hours access
- Access to restricted areas
Healthcare Systems
- EHR access logs
- Patient record views
- Break-the-glass events
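The following is an added example, not the product's detection logic or its event schema, showing how two of the categories above fit together: the "Cumulative Exfiltration" category (a sliding window over small transfers that individually stay under a single-event threshold) and the HR-connector correlation used for departing-user risk. The event tuples, the HR feed, the thresholds, the role of each signal source and the scoring weights are all constructed for this example.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample events (this example's own field layout, not the product's
# schema): u1 drips data out in chunks that individually stay under the
# single-event threshold; u3 makes one large transfer; u2 is normal.
EVENTS = [
    # (user, timestamp, signal source, activity, bytes)
    ("u1", "2024-03-01T09:10:00", "sharepoint", "download",        80_000_000),
    ("u1", "2024-03-06T18:42:00", "endpoint",   "usb_copy",        90_000_000),
    ("u1", "2024-03-12T22:05:00", "m365",       "email_personal",  70_000_000),
    ("u1", "2024-03-19T08:30:00", "endpoint",   "cloud_upload",    95_000_000),
    ("u1", "2024-03-25T17:55:00", "sharepoint", "download",        85_000_000),
    ("u2", "2024-03-10T10:00:00", "sharepoint", "download",        20_000_000),
    ("u3", "2024-03-15T11:00:00", "endpoint",   "usb_copy",       600_000_000),
]

# Constructed HR connector feed keyed by user (resignation date when known).
HR_FEED = {
    "u1": {"resignation_date": date(2024, 3, 28)},
}

SINGLE_EVENT_THRESHOLD = 500_000_000  # bytes: one event alone is an alert
WINDOW_DAYS = 30                      # sliding window for cumulative detection
WINDOW_THRESHOLD = 400_000_000        # bytes moved within any WINDOW_DAYS span
DEPARTING_LOOKBACK_DAYS = 30          # activity this close to resignation is "departing"
DEPARTING_MULTIPLIER = 1.5            # HR signal amplifies, it does not alert by itself


def group_by_user(events):
    """Parse timestamps; return {user: [(ts, source, activity, bytes), ...]} sorted by time."""
    by_user = defaultdict(list)
    for user, ts, source, activity, size in events:
        by_user[user].append((datetime.fromisoformat(ts), source, activity, size))
    for evs in by_user.values():
        evs.sort()
    return by_user


def max_window_bytes(evs, window_days):
    """Largest byte total inside any window_days span (two-pointer over sorted events)."""
    window = timedelta(days=window_days)
    best = total = lo = 0
    for hi, (ts, _, _, size) in enumerate(evs):
        total += size
        while ts - evs[lo][0] > window:   # drop events that fell out of the window
            total -= evs[lo][3]
            lo += 1
        best = max(best, total)
    return best


def is_departing(user, hr_feed, as_of):
    """True if HR reports a resignation and as_of is within the lookback before it, or after it."""
    resign = hr_feed.get(user, {}).get("resignation_date")
    return resign is not None and as_of.date() >= resign - timedelta(days=DEPARTING_LOOKBACK_DAYS)


def evaluate(events, hr_feed):
    """Score each user; returns only users that triggered at least one reason."""
    findings = {}
    for user, evs in group_by_user(events).items():
        reasons = []
        if max(size for _, _, _, size in evs) >= SINGLE_EVENT_THRESHOLD:
            reasons.append("single_event")
        window_bytes = max_window_bytes(evs, WINDOW_DAYS)
        if window_bytes >= WINDOW_THRESHOLD:
            reasons.append("cumulative")
        if not reasons:
            continue
        sources = sorted({src for _, src, _, _ in evs})
        score = 60 * ("single_event" in reasons) + 40 * ("cumulative" in reasons)
        score += 5 * (len(sources) - 1)          # exfil spread across several channels
        if is_departing(user, hr_feed, evs[-1][0]):
            reasons.append("departing_user")
            score *= DEPARTING_MULTIPLIER
        findings[user] = {
            "score": min(100, int(score)),
            "reasons": reasons,
            "window_bytes": window_bytes,
            "sources": sources,
        }
    return findings


if __name__ == "__main__":
    for user, finding in evaluate(EVENTS, HR_FEED).items():
        print(user, finding)
```

Running it flags u1 on the cumulative rule only (420 MB across five transfers, none over 100 MB, so a per-event threshold never fires) and raises the score because the activity falls inside the 30 days before the HR-reported resignation; u3 trips the single-event rule outright; u2 is not reported. The two-pointer window is O(n) per user, which matters when the same check runs over months of audit log for every user in scope.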
Privacy Controls
Built-in privacy protections balance security with employee privacy:
- Anonymization — User names pseudonymized until case is created
- Role-based access — Only designated investigators can view details
- Audit logging — All investigator actions are logged
- Data retention — Configure how long alert data is retained
- Notice requirements — Configure user notification policies
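The anonymization, role-based access and audit-logging controls above interact: a pseudonym has to be stable (so the same user's alerts can be grouped) yet not reversible by anyone who can enumerate the directory, and the moment of de-anonymization is exactly the action that must be authorized and logged. The block below is an added example, not the product's implementation: it uses a keyed HMAC rather than a plain hash of the user principal name (a plain hash is reversible by hashing every known UPN), reveals the identity only once a case exists and only to an investigator role, and records every view, denial and reveal. The key bytes, the role name `InsiderRiskInvestigator` and the in-memory store are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed key for the example. A real deployment loads this from a key vault;
# without the key, pseudonyms cannot be linked back to users by hashing a
# directory listing, which a plain SHA-256 of the UPN would allow.
PSEUDONYM_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Assumed role name; the real role group in a tenant will differ.
INVESTIGATOR_ROLES = {"InsiderRiskInvestigator"}


def pseudonymize(upn, key=PSEUDONYM_KEY):
    """Stable, keyed pseudonym: same user -> same label, unlinkable without the key."""
    normalized = upn.strip().lower().encode("utf-8")
    tag = hmac.new(key, normalized, hashlib.sha256).hexdigest()[:12]
    return f"ANON-{tag}"


class AlertStore:
    """In-memory alerts/cases with pseudonymized views and an investigator audit trail."""

    def __init__(self, key=PSEUDONYM_KEY):
        self._key = key
        self._alerts = {}   # alert_id -> {"upn", "severity", "case_id"}
        self._cases = {}    # case_id -> {"alerts", "subject"}
        self.audit = []     # every investigator action, including identity reveals

    def _log(self, actor, action, target):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target,
        })

    def add_alert(self, alert_id, upn, severity):
        self._alerts[alert_id] = {"upn": upn, "severity": severity, "case_id": None}

    def view_alert(self, alert_id, actor, roles):
        """Pseudonymized until a case exists; the real identity only for investigator roles."""
        alert = self._alerts[alert_id]
        self._log(actor, "view_alert", alert_id)
        reveal = alert["case_id"] is not None and bool(roles & INVESTIGATOR_ROLES)
        user = alert["upn"] if reveal else pseudonymize(alert["upn"], self._key)
        return {"id": alert_id, "severity": alert["severity"],
                "user": user, "case_id": alert["case_id"]}

    def create_case(self, alert_id, actor, roles):
        """Escalation is the de-anonymization step, so it is both authorized and logged."""
        if not roles & INVESTIGATOR_ROLES:
            self._log(actor, "create_case_denied", alert_id)
            raise PermissionError(f"{actor} lacks an investigator role")
        alert = self._alerts[alert_id]
        case_id = f"CASE-{len(self._cases) + 1:04d}"
        alert["case_id"] = case_id
        self._cases[case_id] = {"alerts": [alert_id], "subject": alert["upn"]}
        self._log(actor, "create_case", case_id)
        self._log(actor, "reveal_identity", alert_id)
        return case_id


if __name__ == "__main__":
    store = AlertStore()
    store.add_alert("A-1", "Jane.Doe@contoso.com", "High")
    print(store.view_alert("A-1", "analyst@contoso.com", {"SecurityReader"}))
    case = store.create_case("A-1", "inv@contoso.com", {"InsiderRiskInvestigator"})
    print(case, store.view_alert("A-1", "inv@contoso.com", {"InsiderRiskInvestigator"}))
    for entry in store.audit:
        print(entry["actor"], entry["action"], entry["target"])
```

Note that a reader without the investigator role still sees the pseudonym after the case is opened: case creation changes what investigators may see, not what everyone sees. The pseudonym normalizes case and whitespace before keying so that `Jane.Doe@contoso.com` and `jane.doe@contoso.com` group together.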
Alert Investigation Workflow
1. Review Alert — Examine the alert details: triggering activities, risk score, timeline, and user context.
2. View Activity Explorer — See all user activities leading up to the alert. Filter by activity type, date, and risk level.
3. Confirm or Dismiss — Determine whether the alert represents a real risk. Dismiss false positives; confirm genuine risks and escalate them to a case.
4. Create Case (if needed) — Escalate to a formal investigation. Add further evidence and coordinate with HR and Legal.
Case Management
Case Actions
- Add related alerts to case
- Add case notes and findings
- Share with HR or Legal
- Send user notifications
- Export case for external review
Integration Actions
- Create ServiceNow ticket
- Escalate to eDiscovery case
- Trigger Power Automate workflow
- Send to SIEM (Sentinel)
Subject Rights Requests
Manage data subject access requests (DSARs) for GDPR and similar regulations:
- Automate discovery and collection of personal data across M365
- Track request progress and deadlines
- Generate response packages for data subjects
- Document compliance with regulatory timelines
Best Practices
- Connect HR data — HR connector dramatically improves detection of departing employee risks
- Start with templates — Use pre-built templates and tune thresholds based on your data
- Coordinate with HR and Legal — Involve stakeholders in policy design and investigation procedures
Warning: Review alerts promptly. Timely review prevents alert fatigue and ensures risks are addressed before data is lost.
API Reference
- GET /api/compliance/insider-risk/alerts — List insider risk alerts
- GET /api/compliance/insider-risk/cases — List investigation cases
- GET /api/compliance/insider-risk/policies — List active policies
- PUT /api/compliance/insider-risk/alerts/:id — Update alert status
- GET /api/compliance/insider-risk/analytics — Get risk analytics summary
- GET /api/compliance/privacy/risks — Get privacy risk overview
- POST /api/compliance/privacy/requests — Create subject rights request