This chapter covers Microsoft 365 Insider Risk Management, a key topic under Domain 3.4 (M365 Security) of the MS-900 exam. Insider Risk Management is part of Microsoft Purview and addresses threats posed by users within an organization, such as data leaks, policy violations, and malicious insiders. Expect 2-3 questions on the exam related to this topic, focusing on its purpose, licensing requirements, key components (policies, indicators, alerts, cases), and how it differs from other security solutions like Data Loss Prevention (DLP) and Audit Logs.
Imagine a large corporate building with a sophisticated security system. The building has employees, contractors, and visitors. The security system monitors for suspicious behavior: an employee entering a restricted area at 3 AM, a contractor copying sensitive documents, or someone accessing files they never touched before. The system does not stop all activity but logs everything and flags anomalies. A security team reviews these flags and decides whether to investigate. If a pattern emerges—like an employee emailing large volumes of data to a personal account just before resigning—the system escalates. The building also has policies: certain areas require badge and PIN, and data rooms log every access. The system learns normal patterns: an accountant accessing HR files is unusual, but a manager accessing team performance data is not. This is exactly how Microsoft 365 Insider Risk Management works: it uses pre-built and custom policies to detect risky user activities, correlates signals across Exchange, SharePoint, Teams, and other workloads, and provides a case management interface for analysts to investigate and remediate. The building analogy maps directly: policies are the security rules, signals are the logs and cameras, and the case management is the investigation team.
What is Insider Risk Management and Why Does It Exist?
Microsoft 365 Insider Risk Management (IRM) is a compliance solution in Microsoft Purview that helps organizations detect, investigate, and act on risky user activities from internal users. Unlike external threat protection (e.g., Microsoft Defender for Office 365), IRM focuses on the insider threat: employees, contractors, or partners who have authorized access but may misuse it—intentionally or accidentally. The solution correlates signals across Microsoft 365 services (Exchange Online, SharePoint Online, Teams, Microsoft 365 Defender, etc.) to identify patterns indicative of data theft, policy violations, or security incidents.
IRM became generally available in early 2020 as part of Microsoft's broader compliance portfolio (now Microsoft Purview). It is designed to address scenarios like: a departing employee exfiltrating data, a user sharing sensitive files with external parties, or a user repeatedly accessing confidential information outside of business hours. The solution is built on a risk-based approach: it does not block activity but surfaces anomalies for investigation.
How It Works Internally
IRM operates through a pipeline: policy configuration → signal ingestion → indicator scoring → alert generation → case management.
1. Policy Configuration: Administrators create policies in the Microsoft Purview compliance portal (https://compliance.microsoft.com/insiderriskmgmt). Each policy defines:
- Triggers: Events that start scoring a user's activity (e.g., the user leaves the organization, the user is flagged by Microsoft 365 Defender, the user matches a DLP policy).
- Indicators: Specific activities to monitor, such as downloading files, emailing external recipients, or accessing sensitive SharePoint sites. Policy templates such as Data leaks, Security policy violations, and Data theft by departing users pre-select the set of indicators relevant to that scenario.
- Thresholds: How many occurrences of an indicator raise an alert, and at what severity. Default (Microsoft-recommended) thresholds are applied unless the administrator sets custom values.
2. Signal Ingestion: IRM ingests signals from multiple sources:
- Exchange Online: Email send/receive events, especially to external domains.
- SharePoint Online and OneDrive for Business: File download, upload, share, and delete events.
- Teams: Chat messages and file sharing.
- Microsoft 365 Defender: Alerts from Defender for Endpoint or Defender for Office 365 (e.g., malware detections).
- Azure Active Directory: User attribute changes, account deletions.
- Human Resources (HR) connector: Optional connector to import resignation dates, performance warnings, etc.
3. Indicator Scoring: Each indicator has a risk score based on historical baselines. For example, downloading 100 files in an hour from a SharePoint site may score higher than downloading 10 files. The system uses machine learning to establish normal behavior for each user and department. Scores accumulate over a rolling window (default 30 days) for each policy.
4. Alert Generation: When a user's activity crosses a policy's thresholds, an alert is created in the IRM dashboard with a severity of Low, Medium, or High (by default, alerts are raised at Medium and above). Analysts review alerts and decide whether to confirm them into a case or dismiss them.
5. Case Management: A case is a container for investigation. Analysts can:
View user activity timeline (all relevant events with details).
Use the Activity explorer to drill down into specific events.
Send email notifications to the user or manager.
Escalate to Microsoft 365 eDiscovery for legal hold.
Resolve the case (dismiss, confirm as policy violation, etc.).
Key Components, Values, Defaults, and Timers
- Policies: A tenant can have up to 20 policies. Each policy can target specific users or groups (e.g., all users, HR department, finance) and can exclude users.
- Indicators: Over 30 built-in indicators. Examples:
- Downloading from SharePoint
- Emailing to external recipients
- Sharing files with external users
- Printing documents
- Deleting files
- Thresholds: Set per indicator as activity counts (for example, the number of files downloaded per day) that map to Low, Medium, and High severity. Microsoft's recommended thresholds are applied by default; administrators can choose custom values per indicator. The severity of the resulting alert depends on which threshold the activity crossed, not on a single fixed score.
- Timeframes: The activation window (how long a user stays in scope for scoring after a triggering event) defaults to 30 days; the past activity detection window (how far back the policy looks before the trigger) defaults to 90 days. Both are policy settings in Purview, not licensing options.
- Licensing: Insider Risk Management requires Microsoft 365 E5 (or A5/G5), the Microsoft 365 E5 Compliance add-on, or the Microsoft 365 E5 Insider Risk Management add-on. Microsoft 365 E5 Security does not include it.
- HR Connector: Optional; requires configuration in Microsoft Purview with HR system (e.g., Workday, SAP SuccessFactors).
Configuration and Verification Commands
While most configuration is GUI-based, the IRM policy cmdlets are exposed in Security & Compliance PowerShell (Connect-IPPSSession, from the same ExchangeOnlineManagement module), and the audit-log prerequisite can be verified from Exchange Online PowerShell. Example commands:
# Connect to Security & Compliance PowerShell; IRM cmdlets are not available on the Exchange Online endpoint
Connect-IPPSSession -UserPrincipalName admin@contoso.com
# List Insider Risk Management policies
Get-InsiderRiskPolicy | Format-List Name
# Connect to Exchange Online and confirm IRM's signal source, the Unified Audit Log, is enabled
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
# Count the SharePoint download events IRM would score for one user over the last 30 days
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds alice@contoso.com -Operations FileDownloaded -ResultSize 5000 | Measure-Object
No cmdlets exist for every action (alerts and cases, for example, are reviewed only in the portal); the primary interface is the Purview compliance portal.
Interaction with Related Technologies
Data Loss Prevention (DLP): IRM can use DLP policy matches as triggers. For example, if a DLP policy detects a sensitive document being emailed externally, IRM can start monitoring that user for other risky activities.
Microsoft 365 Audit Log: IRM relies on audit logs for activity data. Unified Audit Logging must be enabled (default for E5 tenants).
Microsoft 365 Defender: Alerts from Defender (e.g., malware infection) can trigger IRM policies.
eDiscovery: Cases can be escalated to eDiscovery for legal hold and content search.
Communication Compliance: Both are part of Microsoft Purview but focus on different areas: IRM on user activities, Communication Compliance on inappropriate messages.
Exam-Relevant Details
MS-900 tests: You need to know WHAT Insider Risk Management is, its purpose (detect insider threats), and its licensing requirement (E5 or E5 Compliance). You do NOT need to configure policies or know every indicator.
Common trap: Confusing Insider Risk Management with Data Loss Prevention. DLP prevents data loss by blocking actions; IRM detects risky behavior and allows investigation.
Key phrase: "Insider Risk Management helps organizations identify, investigate, and act on risky user activities."
Integration with HR connector: Often tested as a way to bring in resignation dates to trigger policies.
Summary of Mechanism
In short, IRM is a risk-scoring engine that ingests signals from multiple Microsoft 365 workloads, applies machine learning to detect anomalies, and provides a case management interface for investigation. It does not block actions (unlike DLP) but alerts and enables manual or automated remediation.
Create an Insider Risk Policy
In the Microsoft Purview compliance portal, navigate to Insider Risk Management → Policies → Create policy. Choose a policy template (e.g., Data leaks, Data theft by departing users). Configure triggers: e.g., user leaves the organization (from an HR connector resignation date or an Azure AD account deletion) or a DLP policy match. Select indicators: e.g., download from SharePoint, email to external recipients. Keep the recommended thresholds or set custom ones. Assign users or groups. The policy becomes active and starts scoring user activities once a trigger fires.
User Activities Generate Signals
Users perform actions like downloading files from SharePoint, sending emails with attachments, or sharing OneDrive links. These actions are logged in the Unified Audit Log. Insider Risk Management continuously queries these logs for events matching the configured indicators. Each event is assigned a risk score based on the indicator weight and the user's historical baseline. For example, a user who rarely downloads files suddenly downloading 50 files in an hour gets a high score.
Risk Score Accumulation and Alert Creation
Scores accumulate over a rolling window (default 30 days). When a user's cumulative score exceeds the alert threshold (e.g., medium), an alert is generated. The alert includes a summary of suspicious activities, the policy name, and the user's risk level. Alerts appear in the Insider Risk Management dashboard with severity: Low, Medium, High. Administrators can view the alert and drill into the user's activity timeline.
Investigate with Activity Explorer
From the alert, click 'View activity' to open the Activity explorer. This shows a chronological list of all relevant events for that user, with details like file names, IP addresses, and timestamps. The explorer allows filtering by activity type, date range, and severity. Analysts can also view the user's communication (emails, Teams messages) if Communication Compliance is integrated. This step is crucial for determining whether the activity is benign or malicious.
Create a Case and Take Action
If the activity warrants further investigation, the analyst creates a case from the alert. The case becomes a container for evidence, notes, and remediation actions. Within the case, the analyst can send a notification to the user via email, escalate to eDiscovery for legal hold, or forward to Microsoft 365 Defender for automated response (e.g., disable user account). The case can be resolved as 'Confirmed activity' (policy violation) or 'Dismissed' (false positive).
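To make the pipeline from "How It Works Internally" and the walkthrough above concrete, here is a small added model of the scoring stage (example code written for this chapter; it is not Microsoft's implementation and it does not talk to a tenant). It takes constructed trigger events and constructed audit records shaped loosely like Search-UnifiedAuditLog output, keeps only activity inside the 30-day activation window that a trigger opens for a user, counts events per indicator per day, and compares the peak daily count with hypothetical Low/Medium/High thresholds to decide whether an alert would fire. The user names, thresholds and records are all assumptions; the real service additionally applies a past-activity look-back and machine-learned baselines, which this model omits.

```python
from collections import Counter
from datetime import datetime, timedelta

# Policy timeframe: a triggering event keeps the user in scope for this long.
ACTIVATION_WINDOW = timedelta(days=30)
TENANT_DOMAIN = "contoso.com"
SEVERITIES = ("Low", "Medium", "High")

# Hypothetical per-indicator thresholds: events per day needed for Low/Medium/High.
# A real policy uses Microsoft's recommended values or admin-chosen custom ones.
THRESHOLDS = {
    "FileDownloaded": (20, 50, 100),
    "SharedWithGuest": (5, 10, 20),
    "SendExternal": (10, 25, 50),
}


def indicator_for(event):
    """Map one audit record to the indicator it feeds, or None if it is not scored."""
    op = event["Operation"]
    if op == "FileDownloaded":
        return "FileDownloaded"
    if op == "SharingSet" and event.get("TargetUserOrGroupType") == "Guest":
        return "SharedWithGuest"
    if op == "Send" and any(
        not r.lower().endswith("@" + TENANT_DOMAIN) for r in event.get("Recipients", [])
    ):
        return "SendExternal"
    return None


def severity_level(indicator, count):
    """0 = below Low, 1 = Low, 2 = Medium, 3 = High for one day's count."""
    return sum(1 for limit in THRESHOLDS[indicator] if count >= limit)


def score_user(user, triggers, events, alert_at="Medium"):
    """Score a user's activity inside the activation windows opened by their triggers."""
    windows = []
    for t in triggers:
        if t["UserId"] == user:
            start = datetime.fromisoformat(t["Time"])
            windows.append((start, start + ACTIVATION_WINDOW))
    if not windows:  # no trigger: the policy never starts scoring this user
        return {"user": user, "in_scope": False, "severity": None, "alert": False, "peaks": {}}

    per_day = Counter()
    for ev in events:
        ind = indicator_for(ev) if ev["UserId"] == user else None
        if ind is None:
            continue
        when = datetime.fromisoformat(ev["CreationTime"])
        if any(start <= when <= end for start, end in windows):
            per_day[(ind, when.date())] += 1

    # The peak daily count per indicator is what gets compared with the thresholds.
    peaks = {}
    for (ind, _day), count in per_day.items():
        peaks[ind] = max(peaks.get(ind, 0), count)
    level = max((severity_level(ind, c) for ind, c in peaks.items()), default=0)
    return {
        "user": user,
        "in_scope": True,
        "severity": SEVERITIES[level - 1] if level else None,
        "alert": level >= SEVERITIES.index(alert_at) + 1,
        "peaks": peaks,
    }


def _burst(user, op, start, n, **extra):
    """Constructed records: n events of one operation, one minute apart."""
    t0 = datetime.fromisoformat(start)
    return [{"UserId": user, "Operation": op,
             "CreationTime": (t0 + timedelta(minutes=i)).isoformat(), **extra}
            for i in range(n)]


# Constructed triggers and audit records (not real tenant data).
TRIGGERS = [
    {"UserId": "alice@contoso.com", "Type": "HRResignation", "Time": "2024-03-01T09:00:00"},
    {"UserId": "nurse@contoso.com", "Type": "DLPMatch", "Time": "2024-03-02T14:00:00"},
]
AUDIT_EVENTS = (
    # alice: 60 downloads the day after resigning -> crosses Medium for FileDownloaded
    _burst("alice@contoso.com", "FileDownloaded", "2024-03-02T10:00:00", 60)
    # alice: 8 mails to a personal address -> below the Low threshold for SendExternal
    + _burst("alice@contoso.com", "Send", "2024-03-02T12:00:00", 8, Recipients=["alice@gmail.com"])
    # alice: 200 downloads in January -> outside the activation window, not scored
    + _burst("alice@contoso.com", "FileDownloaded", "2024-01-10T10:00:00", 200)
    # nurse: DLP trigger, then only internal mail -> in scope but nothing to score
    + _burst("nurse@contoso.com", "Send", "2024-03-03T09:00:00", 30, Recipients=["dr@contoso.com"])
    # bob: a huge download burst but no trigger -> never in scope
    + _burst("bob@contoso.com", "FileDownloaded", "2024-03-05T10:00:00", 500)
)

if __name__ == "__main__":
    for u in ("alice@contoso.com", "nurse@contoso.com", "bob@contoso.com"):
        print(score_user(u, TRIGGERS, AUDIT_EVENTS))
```

The three constructed users map onto the scenarios in this chapter: the departing employee (alice) produces a Medium alert from downloads alone even though her external mail stays under threshold; the nurse's DLP match puts her in scope but generates no alert because nothing further is scored (Scenario 2); and bob's far larger download burst is never scored at all because no trigger ever fired, which is exactly why a missing HR connector leaves departing users invisible to the policy.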
Enterprise Scenario 1: Departing Employee Data Theft
A large financial services company with 10,000 employees uses Insider Risk Management to detect data theft by departing employees. They configure a policy using the 'Data theft by departing users' template, which triggers when an HR connector imports a resignation date. The policy monitors indicators like downloading files from SharePoint, emailing to personal addresses, and printing confidential documents. In one case, an employee resigned and immediately started downloading hundreds of files from a confidential M&A SharePoint site. The system generated a high-severity alert within hours. The security team investigated via Activity explorer, saw the downloads, and created a case. They contacted the employee's manager, who confirmed the employee had no legitimate reason for the downloads. The team then blocked the employee's access and initiated eDiscovery for legal hold. A common misconfiguration is not enabling the HR connector, which means the policy relies on other triggers (like DLP matches) and may miss departing users who haven't triggered other alerts. Also, thresholds must be tuned to avoid false positives from users who legitimately download large files for work.
Scenario 2: Accidental Data Exposure
A healthcare organization uses a 'Data leaks' policy triggered by DLP policy matches for patient health information (PHI). A nurse accidentally shares a OneDrive folder containing patient records with an external email address. The DLP policy blocks the share and logs the event. Insider Risk Management picks up the DLP match as a trigger and starts monitoring the nurse's activities for 30 days. The nurse has no other risky activities, so the risk score remains low and no alert is generated. However, if the nurse had also emailed files to personal accounts or accessed unusual systems, an alert would fire. The security team reviews the initial DLP incident and determines it was accidental, so they provide training. This scenario shows how IRM works with DLP to detect patterns, not just single events. A pitfall is that DLP policies must be properly configured to detect the sensitive data; otherwise, IRM may not trigger.
Scenario 3: Security Policy Violations
A technology company uses a 'Security policy violations' policy that triggers on alerts from Microsoft 365 Defender (e.g., malware detected on a user's device). When a user's device is infected, Defender sends an alert to IRM. IRM then monitors the user for data exfiltration activities that might indicate the malware is stealing data. In one case, a user's device had a keylogger; IRM detected unusual file uploads to a cloud storage service. The combined signals led to a high-severity alert. The security team investigated and confirmed the malware, then isolated the device using Microsoft 365 Defender. This integration shows how IRM broadens the context of security incidents. A common misconfiguration is not enabling the Defender connector, which requires appropriate licensing (E5 Security) and permissions.
What MS-900 Tests
MS-900 objective 3.4 covers "Describe the capabilities of Microsoft 365 security and compliance solutions." Within this, Insider Risk Management is one of several solutions. The exam expects you to:
Identify the purpose of Insider Risk Management: detect, investigate, and act on risky user activities from internal users.
Know the licensing requirement: Microsoft 365 E5, the E5 Compliance add-on, or the E5 Insider Risk Management add-on (not E5 Security, and not E3).
Recognize that it is part of Microsoft Purview.
Understand that it uses policies, indicators, alerts, and cases.
Differentiate from DLP: DLP prevents data loss; IRM detects insider threats.
Know that it can integrate with HR systems via a connector.
Common Wrong Answers and Why Candidates Choose Them
"Insider Risk Management blocks data exfiltration." This is wrong because IRM is detective, not preventive. It generates alerts and cases but does not block actions. DLP blocks. Candidates confuse the two because both deal with data security.
"Insider Risk Management requires a Microsoft 365 E3 license." Wrong; it requires E5 or add-on. Candidates may think E3 is enough because E3 includes basic compliance features, but IRM is an advanced feature.
"Insider Risk Management monitors external threats." Wrong; it focuses on internal users (insiders). External threats are handled by Microsoft Defender for Office 365 or Azure AD Identity Protection.
"Insider Risk Management can automatically delete suspicious emails." Wrong; it does not take automatic remediation actions. It provides case management for manual action.
Specific Numbers and Terms on the Exam
Licensing: Microsoft 365 E5, E5 Compliance add-on, E5 Insider Risk Management add-on.
Portal: Microsoft Purview compliance portal (not the Microsoft 365 Defender portal).
Components: Policies, indicators, alerts, cases.
HR connector: Used to import resignation dates.
Integration with: DLP, Microsoft 365 Defender, eDiscovery.
Edge Cases and Exceptions
If audit logging is disabled, IRM cannot function because it relies on audit logs for signals. The exam may test that Unified Audit Logging must be enabled.
Policies can target specific users or groups; they can also exclude users.
The activation window for scoring defaults to 30 days and the past activity detection window to 90 days; both are policy timeframe settings, not licensing features.
IRM is not available in GCC High or DoD environments by default; check documentation.
How to Eliminate Wrong Answers
If an answer says "blocks" or "prevents," it's likely describing DLP, not IRM.
If an answer mentions external threat actors, it's wrong.
If an answer says "included with E3," it's wrong.
If an answer says "automatically remediates," it's wrong (IRM is manual investigation).
Insider Risk Management is a detective solution for insider threats, part of Microsoft Purview.
Requires Microsoft 365 E5, the E5 Compliance add-on, or the E5 Insider Risk Management add-on.
Uses policies with triggers (e.g., HR departure, DLP match) and indicators (e.g., download, email).
Generates alerts when risk score exceeds threshold; analysts investigate via cases.
Does not block actions; integrates with DLP, Defender, and eDiscovery.
Unified Audit Logging must be enabled for IRM to function.
HR connector can import resignation dates to trigger policies.
These come up on the exam all the time. Here's how to tell them apart.
Insider Risk Management
Detective control – identifies risky behavior patterns
Uses policies, indicators, alerts, and cases
Does not block actions automatically
Requires E5 license
Integrates with HR connector for departure triggers
Data Loss Prevention (DLP)
Preventive control – blocks or warns on sensitive data sharing
Uses rules with conditions and actions (block, notify, allow)
Can block email, SharePoint sharing, and Teams chats
Available in E3 and higher (basic DLP) and E5 for advanced
Triggers Insider Risk Management policies when matched
Mistake
Insider Risk Management is the same as Data Loss Prevention.
Correct
No. DLP is a preventive control that blocks or warns users when they try to share sensitive data. IRM is a detective control that identifies risky user behavior patterns and provides a case management interface for investigation. They integrate but are different solutions.
Mistake
Insider Risk Management is included in Microsoft 365 E3.
Correct
False. IRM requires Microsoft 365 E5, the E5 Compliance add-on, or the E5 Insider Risk Management add-on. E3 includes basic compliance features like audit log search but not IRM.
Mistake
Insider Risk Management automatically remediates threats like disabling user accounts.
Correct
No. IRM does not take automatic actions. It generates alerts and cases for manual investigation. Remediation steps (e.g., blocking user, legal hold) are initiated by analysts through the case or by integrating with other tools like Microsoft 365 Defender.
Mistake
Insider Risk Management only monitors departing employees.
Correct
False. While one template is for data theft by departing users, other templates cover data leaks, security policy violations, and general risky behavior. Policies can be configured for any user or group.
Mistake
Insider Risk Management works without audit logging enabled.
Correct
False. IRM relies on the Unified Audit Log to collect user activity signals. If audit logging is disabled, no activities are captured, and IRM cannot generate alerts. Unified Audit Logging is enabled by default in E5 tenants but must be verified.
Insider Risk Management requires Microsoft 365 E5 (or A5/G5), the Microsoft 365 E5 Compliance add-on, or the Microsoft 365 E5 Insider Risk Management add-on. It is not included in E3 or lower, and Microsoft 365 E5 Security does not include it. The HR connector is available with any of these licenses.
DLP is preventive: it blocks or warns users when they try to share sensitive data (e.g., credit card numbers). Insider Risk Management is detective: it identifies patterns of risky user behavior (e.g., downloading many files before resignation) and provides a case investigation interface. They integrate: DLP policy matches can trigger IRM policies.
No. IRM does not take automatic remediation actions. It generates alerts and cases for manual investigation. However, analysts can take actions such as sending a notification, escalating to eDiscovery, or forwarding the case to Microsoft 365 Defender for automated response (e.g., disabling account) if configured.
The HR connector is an optional integration that allows you to import human resources data such as resignation dates, performance warnings, and termination status from systems like Workday or SAP SuccessFactors. This data can be used as a trigger for policies like 'Data theft by departing users' to start monitoring users who are leaving.
Availability in GCC High and DoD environments is limited. As of the latest documentation, Insider Risk Management is available in GCC but not in GCC High or DoD by default. Check Microsoft documentation for the most current status, as it may change.
By default, a triggering event keeps a user in scope for 30 days (the activation window), and the policy can look back up to 90 days before the trigger (past activity detection, 90 days by default). Both are adjusted in the policy timeframe settings, not through licensing. Activity outside these windows is not scored.
Alert severity is driven by per-indicator thresholds: each indicator has Low, Medium, and High activity counts (for example, files downloaded per day), and the alert takes the severity of the highest threshold crossed. Microsoft's recommended thresholds are applied by default and can be customized per indicator or per policy.