This chapter covers Microsoft 365 Insider Risk Management (IRM), a key topic in Domain 3 (Security Threats) under Objective 3.4. IRM is a high-value exam area, with approximately 5-8% of questions touching on insider threat detection, policies, and investigation workflows. You will learn the core components, configuration steps, and how IRM integrates with other Microsoft 365 security solutions. Mastery of this topic is critical both for the exam and for your real-world role as a security administrator.
Imagine a bank with 200 tellers. The bank installs a monitoring system that watches every teller's actions: when they log in, which customer accounts they access, how much cash they handle, and whether they try to override limits. The system learns baseline behavior for each teller — typical transaction amounts, times of day, and types of customers. If a teller suddenly accesses 50 accounts in an hour (when they normally handle 10), or attempts to transfer funds to an external account they've never touched before, the system flags this as anomalous. But it doesn't just look at one teller in isolation — it also compares across tellers. If one teller consistently processes more refunds than peers, that pattern is flagged. The system also respects privacy: it doesn't record the content of conversations, only metadata (who, what, when). For severe cases (like a teller trying to steal), the system triggers an alert requiring manager review and possible escalation to law enforcement. This mirrors Microsoft's Insider Risk Management: it uses machine learning to baseline normal user behavior, detects risky patterns like data exfiltration or policy violations, respects privacy by focusing on actions not content, and provides a workflow for investigation and escalation.
What is Insider Risk Management?
Insider Risk Management (IRM) is a Microsoft 365 compliance solution that uses machine learning and behavioral analytics to detect, investigate, and act on malicious or accidental insider risks. It is part of the Microsoft 365 compliance center (Microsoft Purview) and is licensed under Microsoft 365 E5/A5/G5 or the Insider Risk Management add-on. IRM is designed to identify risky user activities such as data theft, data leaks, security policy violations, and other insider threats.
Why It Exists
Traditional perimeter security focuses on external threats, but studies show that insider threats cause significant damage — either through malicious intent (e.g., disgruntled employee) or accidental actions (e.g., misconfigured sharing). IRM addresses this by providing a framework to:
Detect anomalies in user behavior before data leaves the organization.
Prioritize alerts based on risk severity.
Enable privacy-preserving investigations (data is anonymized until escalated).
Provide built-in workflows for escalation to Microsoft Purview eDiscovery or Microsoft Defender for Cloud Apps.
How Insider Risk Management Works Internally
IRM operates through a pipeline of data ingestion, signal processing, machine learning scoring, and case creation.
1. Data Ingestion: IRM collects signals from multiple sources:
- Microsoft 365 audit logs (Exchange Online, SharePoint Online, OneDrive for Business, Teams)
- Microsoft Entra ID (Azure AD) sign-in logs (for risky user attributes)
- Microsoft Defender for Cloud Apps (for anomalous app behavior)
- Human Resources (HR) data (via custom connector: employment status, termination dates, performance warnings)
- Physical security systems (via custom connector: badge-in/out data)
- Microsoft Teams (for message patterns, not the message content itself)
- Device signals (via Microsoft Defender for Endpoint: file copy to USB, print activity)
2. Signal Processing and Anomaly Detection:
- The system builds a baseline of normal behavior for each user over a rolling 30-day window.
- It uses unsupervised machine learning models to detect deviations from the baseline and from peer groups.
- Key indicators include: unusual file downloads, mass file deletion, excessive email forwarding, sharing with external domains, accessing sensitive data outside of business hours, and credential theft indicators.
3. Risk Scoring:
- Each detected activity gets a risk score (0-100) based on severity, frequency, and context.
- Scores are aggregated over time. A single low-score event may not trigger an alert, but a series of low-score events within a short period can accumulate to a higher score.
- The system uses a concept of "risk boosters": certain activities (e.g., the user being flagged by Microsoft Defender for Identity) multiply the base score.
4. Policy Triggers and Alerts:
- Policies define the conditions that generate alerts. For example: "When a user downloads more than 50 files from SharePoint in one hour, create an alert."
- Alerts are categorized as low priority (informational), medium priority (requires review), or high priority (immediate investigation).
- Each alert is assigned a unique case ID.
5. Case Management and Investigation:
- When an alert is escalated, a case is created in the Insider Risk Management dashboard.
- Investigators can:
  - View the activity timeline (anonymized initially: the user name is replaced with a pseudonym until explicitly revealed).
  - Add notes and tags.
  - Escalate to eDiscovery (for legal hold) or to Microsoft Defender for Cloud Apps (for app-level control).
  - Send a notification to the user (optional, via email).
Privacy protection: By default, user names are hidden until the investigator explicitly reveals them. This ensures that investigators can analyze patterns without bias.
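The scoring, accumulation, alert grouping and pseudonym rules from steps 2 to 5 above, as an added conceptual model in Python (not Microsoft's code or algorithm). The threshold of 20, the 24-hour case grouping and the Investigator-only reveal come from this chapter; the score mapping, the one-hour accumulation window, the user names and the sample events are assumptions made for the illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta
import hashlib

ALERT_THRESHOLD = 20               # page: default per-policy threshold
SCORE_WINDOW = timedelta(hours=1)  # assumed: period over which event scores add up
CASE_WINDOW = timedelta(hours=24)  # page: similar alerts within 24 h form one case
Event = namedtuple("Event", "user when kind count")  # count = items touched

def score_event(ev, baseline_per_day, boosted=False):
    """0-100 score from how far count exceeds the user's baseline (assumed mapping)."""
    ratio = ev.count / baseline_per_day if baseline_per_day else float(ev.count)
    score = min(100, int(ratio * 2))
    return min(100, score * 2) if boosted else score  # booster, e.g. Defender for Identity flag

def raise_alerts(events, baselines, boosted_users=frozenset()):
    """Alert when a user's event scores inside SCORE_WINDOW add up to the threshold."""
    alerts, recent = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        s = score_event(ev, baselines.get((ev.user, ev.kind), 0.0), ev.user in boosted_users)
        bucket = [(t, x) for t, x in recent.get(ev.user, []) if ev.when - t <= SCORE_WINDOW]
        bucket.append((ev.when, s))
        total = sum(x for _, x in bucket)
        if total >= ALERT_THRESHOLD:
            alerts.append({"user": ev.user, "when": ev.when, "score": total})
            bucket = []  # start a fresh accumulation window after an alert
        recent[ev.user] = bucket
    return alerts

def pseudonym(user):
    """Stable label shown to analysts until the identity is revealed."""
    return "User-" + hashlib.sha256(user.encode()).hexdigest()[:8]

def group_into_cases(alerts):
    """Alerts for the same user within CASE_WINDOW of a case's first alert join it."""
    cases = []
    for a in alerts:
        for c in cases:
            if c["user"] == a["user"] and a["when"] - c["opened"] <= CASE_WINDOW:
                c["alerts"].append(a)
                break
        else:  # no open case for this user in the window: open a new, pseudonymised one
            cases.append({"user": a["user"], "subject": pseudonym(a["user"]),
                          "opened": a["when"], "alerts": [a]})
    return cases

def reveal(case, role):
    """Page: only the Investigator role may replace the pseudonym with the identity."""
    if role != "Investigator":
        raise PermissionError("Insider Risk Management Investigator role required")
    return case["user"]

def demo():
    """Constructed sample: a burst, small downloads that only add up, a boosted user."""
    t, m = datetime(2024, 3, 4, 9, 0), timedelta(minutes=1)
    alice, bob = "alice@contoso.com", "bob@contoso.com"
    events = [Event(alice, t, "file_download", 40),
              Event(alice, t + 30 * m, "file_download", 5),
              Event(alice, t + 45 * m, "file_download", 6),
              Event(alice, t + 65 * m, "file_download", 6),
              Event(alice, t + 80 * m, "file_download", 4),
              Event(bob, t + 120 * m, "file_download", 6),
              Event(alice, t + timedelta(days=2), "file_download", 30)]
    baselines = {(alice, "file_download"): 2.0, (bob, "file_download"): 1.0}
    return group_into_cases(raise_alerts(events, baselines, {bob}))
```

Running demo() yields three cases: Alice's burst and her later run of individually harmless downloads (5, 6, 6, 4 points within an hour) land in one case, Bob's single boosted event opens a second, and Alice's burst two days later falls outside the 24-hour window and opens a third.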
Key Components, Defaults, and Timers
Default detection window: 30 days rolling baseline.
Risk score threshold for alert creation: Configurable per policy; default is 20 (medium).
Alert aggregation: Similar alerts from the same user within 24 hours are grouped into a single case.
Retention period: Alerts are kept for 30 days after closure (configurable).
Data anonymization: User names are replaced with pseudonyms for up to 90 days unless revealed.
HR connector sync frequency: Every 24 hours (default).
Policy templates: Microsoft provides 10+ built-in templates, including:
- Data theft by departing users
- Data leaks (accidental or malicious)
- Security policy violations
- Unauthorized access to sensitive data
- Offensive language in Teams/email (content-based, but only for specific keywords)
Configuration and Verification Commands
To configure IRM, you use the Microsoft 365 Purview compliance portal or PowerShell cmdlets from the Exchange Online V2 module.
Enable IRM (PowerShell):
Connect-IPPSSession
Enable-IRM
Create a policy using a template:
New-IRMPolicy -Name "Data Theft Departing Users" -Template "Data theft by departing users" -Enabled $true
Add a user to a policy (scope):
Set-IRMPolicy -Identity "Data Theft Departing Users" -AddUser "user@contoso.com"
View alerts:
Get-IRMAlert -Status Active
Check the audit log for IRM-related events (Search-UnifiedAuditLog requires a start and end date):
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "InsiderRiskManagementAlertGenerated"
Interaction with Related Technologies
Microsoft Purview eDiscovery: Cases can be escalated to eDiscovery (Premium) for legal hold and advanced search.
Microsoft Defender for Cloud Apps: IRM can trigger an alert that Defender for Cloud Apps can act upon (e.g., block download).
Microsoft Defender for Identity: Compromised user signals (e.g., impossible travel) feed into IRM risk scores.
Microsoft Entra ID Protection: Risky sign-in events are ingested.
Microsoft 365 Compliance Center: All IRM management is within the Compliance portal.
Power Automate: IRM alerts can trigger automated workflows (e.g., notify manager, disable account).
Example Workflow
1. A user (Alice) resigns and is marked as departing in the HR system.
2. The HR connector syncs her termination date to IRM.
3. Over the next week, Alice downloads 200 files from SharePoint (baseline: 10/week).
4. IRM detects the anomaly and assigns a risk score of 78.
5. The policy "Data theft by departing users" triggers an alert.
6. A security analyst reviews the case, reveals Alice's identity, and escalates to eDiscovery for legal hold.
7. The analyst uses the activity timeline to see all downloads and confirms data exfiltration.
8. The case is resolved with a recommendation to disable Alice's account immediately.
Identify and Prioritize Risk Scenarios
Begin by determining which insider risk scenarios are most relevant to your organization. Common scenarios include data theft by departing users, accidental data leaks, and security policy violations. Microsoft provides policy templates for these scenarios. For each scenario, define the specific behaviors to detect (e.g., mass file downloads, email forwarding to external domains). This step sets the scope for the IRM deployment and ensures alignment with organizational risk appetite.
Enable Audit Logging and Configure Data Sources
IRM relies on audit logs from Exchange, SharePoint, OneDrive, Teams, and Azure AD. Ensure that unified audit logging is enabled in the Microsoft 365 compliance center. Additionally, configure optional connectors for HR data (e.g., termination dates) and physical security systems (e.g., badge access). Without these signals, IRM will not detect context-based risks like departing employees. The HR connector syncs every 24 hours by default.
Define Roles and Permissions
Assign users to the appropriate role groups in the Microsoft 365 compliance center. Key roles include:
- Insider Risk Management Admin: Full control over policies and settings.
- Insider Risk Management Analysts: View and investigate alerts.
- Insider Risk Management Investigators: Access advanced investigation features and reveal user identities.
- Insider Risk Management Approvers: Authorize escalation actions.
Permissions are managed via the Compliance center > Permissions > Role groups.
Create and Configure Insider Risk Policies
Using the Compliance center, create a new policy based on a template or from scratch. Define triggers (e.g., user added to a group, HR termination date), indicators (e.g., download count, file type), and thresholds (e.g., 50+ downloads in 1 hour). Set the risk score threshold for alert creation (default 20). Assign the policy to specific users or groups. Policies can be enabled immediately or scheduled.
Monitor Alerts and Investigate Cases
When an alert fires, it appears in the Insider Risk Management dashboard. Analysts review the alert details, including the activity timeline (anonymized). If the activity warrants further investigation, the analyst escalates it to a case. Within a case, they can reveal the user identity, add notes, and run deeper analysis (e.g., expand timeline to 90 days). Cases can be resolved, dismissed, or escalated to eDiscovery.
Respond and Remediate
Based on the investigation, take appropriate action. Options include:
- Sending a notification to the user (via email).
- Escalating to Microsoft Defender for Cloud Apps for app-level control (e.g., block download).
- Escalating to eDiscovery for legal hold.
- Creating a Power Automate flow to automate response (e.g., disable account).
Document the outcome for compliance and audit purposes.
Enterprise Scenarios
Scenario 1: Data Theft by Departing Employee
A large financial services firm with 10,000 employees uses IRM to detect data exfiltration by departing employees. They integrate HR data via the HR connector, which syncs termination dates daily. When an employee submits resignation, the HR system flags them. IRM then monitors their activity for the next 30 days. In one case, a senior trader downloaded 1,200 files from a shared drive in one hour (baseline: 20/day). IRM generated a high-severity alert. The security team investigated, revealed the user, and confirmed he was copying trade secrets. They escalated to eDiscovery for legal hold and disabled his access immediately. Without IRM, the breach would have gone unnoticed until after departure.
Scenario 2: Accidental Data Leak via Email
A healthcare organization uses IRM to detect accidental sharing of protected health information (PHI). They configure a policy that triggers when a user sends an email with sensitive keywords (e.g., "diagnosis", "SSN") to an external domain. The policy uses content-based indicators (keyword matching) but does not read the full email body — only metadata and keyword hits. When a nurse accidentally emailed a patient list to a wrong address, IRM flagged the behavior. The analyst reviewed the case, confirmed the leak, and notified the nurse to recall the message and report the incident. The organization avoided a HIPAA violation because they detected it quickly.
Scenario 3: Security Policy Violation by Insider
A tech company uses IRM to detect users disabling security software on their devices. They integrate device signals from Microsoft Defender for Endpoint. When a user stops the Defender service, IRM receives a signal and correlates it with other activities (e.g., accessing sensitive code repositories). In one instance, a developer disabled antivirus and then attempted to copy source code to a USB drive. IRM created a case, which led to an investigation. The developer claimed it was for testing, but the policy violation was still documented. The company used the case to reinforce security training.
Common Pitfalls
Under-configuration of HR connector: Without HR data, departing employee scenarios are missed.
Overly aggressive thresholds: Setting too low thresholds results in alert fatigue; too high misses real risks.
Lack of investigator training: Analysts must understand how to use the activity timeline and when to reveal identities.
Ignoring privacy requirements: Some regions require data anonymization for longer periods — adjust settings accordingly.
MS-102 Exam Focus on Insider Risk Management (Objective 3.4)
The MS-102 exam tests your ability to plan, configure, and manage Insider Risk Management policies. Expect 2-3 questions directly on IRM, plus integrated questions that combine IRM with other security solutions.
What the Exam Tests:
- Understanding of licensing requirements (E5/A5/G5 or add-on)
- Ability to identify the correct policy template for a given scenario (e.g., "data theft by departing users" vs. "data leaks")
- Knowledge of data sources: which connectors are needed (HR, physical security)
- Permissions: which role group can reveal user identities (Insider Risk Management Investigators)
- Alert lifecycle: from signal to alert to case to escalation
Common Wrong Answers and Why Candidates Choose Them:
1. "IRM is part of Microsoft 365 E3" – Incorrect. IRM requires E5 or the add-on. Candidates confuse it with basic auditing.
2. "IRM analyzes email content to detect leaks" – Partially true, but only for keyword matches, not full content analysis. Candidates overestimate content scanning.
3. "You need to manually enable audit logging" – While audit logging must be enabled, many candidates forget this prerequisite and assume IRM works automatically.
4. "All users are automatically included in IRM policies" – False. Policies must be scoped to specific users or groups. Candidates think it's like DLP, which can apply to all users.
Specific Values and Terms That Appear on the Exam:
- Default risk score threshold: 20
- HR connector sync interval: 24 hours
- Anonymization period: 90 days (unless revealed)
- Policy templates: 10+ built-in
- Role groups: Admin, Analyst, Investigator, Approver
Edge Cases and Exceptions:
- If a user is not in scope of any policy, no alerts are generated even if risky activity occurs.
- Content-based indicators only work for predefined keywords in supported languages (English, French, German, etc.).
- IRM does not support on-premises Exchange or SharePoint; only cloud workloads.
- When a user is deleted from Azure AD, their alerts remain for 30 days.
How to Eliminate Wrong Answers:
- If a question mentions "analyzing email body for sensitive information," check whether it's IRM or DLP. IRM uses keyword matching only; DLP uses full content analysis.
- If a question is about "escalating to legal hold," the correct path is to eDiscovery, not Defender for Cloud Apps.
- If a question asks who can reveal user identity, the answer is the Investigator role, not Analyst.
- If a question involves "departing employee," the required connector is HR data.
Insider Risk Management requires Microsoft 365 E5/A5/G5 or add-on license.
Policies must be scoped to specific users or groups; no default monitoring.
Unified audit logging must be enabled for IRM to work.
HR connector syncs every 24 hours; critical for departing employee scenarios.
Default risk score threshold for alerts is 20 (medium).
Only Insider Risk Management Investigators can reveal user identities.
Alerts are aggregated into cases; similar alerts within 24 hours are grouped.
IRM integrates with eDiscovery, Defender for Cloud Apps, and Power Automate.
Content-based indicators only match predefined keywords, not full content.
Data anonymization lasts up to 90 days unless identity is revealed.
IRM and Data Loss Prevention come up on the exam all the time. Here's how to tell them apart.
Insider Risk Management (IRM)
Focuses on user behavior patterns and anomalies.
Uses machine learning to detect unusual activity.
Does not read content; uses metadata and keywords.
Requires E5 license or add-on.
Generates alerts for investigation and case management.
Data Loss Prevention (DLP)
Focuses on protecting data at rest, in transit, and in use.
Uses content inspection (exact, pattern, machine learning).
Reads full content of emails and documents.
Available in E3 and higher (with advanced features in E5).
Can enforce actions (block, encrypt, warn) in real-time.
Mistake
Insider Risk Management is included in Microsoft 365 E3.
Correct
IRM requires Microsoft 365 E5/A5/G5 or the Insider Risk Management add-on. E3 includes basic auditing but not the machine learning and case management features.
Mistake
IRM reads the content of emails and files to detect risks.
Correct
IRM does not read full content. It uses metadata (e.g., file download count, email recipient domain) and keyword matching for specific sensitive terms. Full content analysis is done by Data Loss Prevention (DLP).
Mistake
Once enabled, IRM automatically monitors all users.
Correct
IRM requires explicit policy configuration and user scoping. Without assigning users to a policy, no monitoring occurs. You must create policies and assign user groups.
Mistake
IRM can block risky activities in real-time.
Correct
IRM is primarily detective and investigative. It does not block actions directly. However, it can trigger alerts that integrate with Microsoft Defender for Cloud Apps or Power Automate to take blocking actions.
Mistake
The HR connector is optional for all scenarios.
Correct
For scenarios like "data theft by departing users," the HR connector is essential. Without it, IRM cannot detect when an employee is about to leave, missing a key trigger.
Microsoft 365 E5/A5/G5 or the Insider Risk Management add-on. It is not included in E3. If your organization has E3, you can purchase the add-on separately. The exam often tests this licensing requirement, so remember: E5 or add-on.
Yes, if you integrate with Microsoft Defender for Endpoint. Device signals (like copying files to USB) are ingested into IRM and can trigger alerts. Without Defender for Endpoint, USB activity is not visible.
IRM anonymizes user identities by default. In the activity timeline, users are shown as a pseudonym. Only users with the Insider Risk Management Investigator role can reveal the actual identity. This prevents bias during initial review.
The alert appears in the Insider Risk Management dashboard. An analyst reviews it, and if needed, escalates it to a case. Within a case, they can investigate the activity timeline, add notes, and take actions like sending a notification or escalating to eDiscovery.
No, IRM is detective, not preventive. However, it can trigger a Power Automate flow or integrate with Microsoft Defender for Cloud Apps to block the user's session. For real-time blocking, use DLP or Conditional Access.
Alerts are retained for 30 days after closure by default. This is configurable. The underlying audit logs are retained per the audit retention policy (default 90 days for E5).
IRM uses signals from Microsoft 365 audit logs (Exchange, SharePoint, OneDrive, Teams), Azure AD sign-in logs, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, and custom connectors for HR and physical security systems.