This chapter covers Microsoft's Insider Risk Management (IRM) solution, a key topic under Compliance Solutions (Objective 4.3) in the SC-900 exam. IRM helps organizations detect, investigate, and act on malicious or inadvertent insider risks such as data theft, policy violations, and security breaches. Expect 5-10% of exam questions to touch this area, focusing on capabilities, deployment prerequisites, and integration with other Microsoft Purview compliance tools.
Imagine a bank where tellers handle cash daily. The bank has security cameras, alarms, and guards at the door (external threats). But the bank also has an internal audit team that monitors tellers' transactions for unusual patterns—like a teller who suddenly processes many large withdrawals or accesses vault logs without reason. This audit team doesn't watch every keystroke; instead, it uses rules: if a teller accesses more than 10 vault logs in a day, a flag is raised. If a teller processes a transaction over $10,000 without a manager, a second flag. When flags accumulate, an alert is sent to the risk officer for investigation. The bank also has a policy that tellers must not access their own accounts; if they do, it's a violation. The internal audit team can escalate findings to HR or law enforcement. In Microsoft's Insider Risk Management, the 'bank' is your Microsoft 365 tenant, 'tellers' are users, 'transactions' are actions like downloading files or sending emails, and 'audit team' is the IRM solution that uses indicators (e.g., downloading >100 files) and policies (e.g., no access to competitor data) to generate alerts. The 'risk officer' is the compliance analyst who reviews cases in the Microsoft 365 Compliance Center.
What is Insider Risk Management?
Insider Risk Management (IRM) is a Microsoft Purview solution that uses machine learning and behavioral analytics to identify, triage, and remediate insider risks. It is designed to address three primary scenarios: data theft by departing employees, accidental data leaks (e.g., oversharing sensitive files), and security policy violations (e.g., accessing unauthorized resources). IRM is not a DLP solution—it focuses on user behavior patterns rather than content inspection, though it integrates with DLP policies to enrich alerts.
How IRM Works: The Mechanism
IRM operates through a pipeline of: data ingestion → baseline establishment → indicator scoring → policy evaluation → alert generation → case management. Here's the detailed step-by-step:
1. Data Ingestion: IRM ingests signals from various Microsoft 365 sources:
- Audit Logs: Office 365 audit logs (e.g., file downloads, SharePoint access, email sends).
- Microsoft 365 Defender: Alert signals from Defender for Endpoint (e.g., malware detection, suspicious process execution).
- Microsoft Entra ID: Identity signals (e.g., failed sign-ins, risky sign-ins from Entra ID Protection).
- HR Connector: Optional integration with HR systems (e.g., Workday, SAP SuccessFactors) to ingest employee status changes (resignation, termination) and performance data.
- Physical Badging: Optional integration with physical access systems (e.g., badge-in/out logs).
All signals are stored in the Microsoft 365 Compliance Center's unified audit log.
2. Baseline Establishment: IRM uses machine learning to establish a baseline of normal behavior for each user over a 30-day period. This baseline includes:
Typical file download volume per day.
Common email recipients and attachment sizes.
Regular access times (e.g., 9 AM – 5 PM).
Typical devices and locations.
Deviations from this baseline are scored as anomalies.
3. Indicator Scoring: Each signal is mapped to one or more indicators (e.g., "Download from SharePoint > 100 files"). Each indicator has a default threshold (e.g., 100 files in 24 hours) and a risk weight (low, medium, high). When a user's action triggers an indicator, IRM calculates a risk score based on:
The number of triggered indicators.
The severity of each indicator.
The user's risk profile (e.g., if the user is flagged by Entra ID Protection).
The context (e.g., if the user is resigning, the risk score is multiplied).
Risk scores range from 0 to 100. Scores above a configurable threshold (default 75) generate an alert.
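The scoring inputs listed above (number and severity of triggered indicators, the user's risk profile, and the departing-user context) can be followed more easily in a small model. The following PowerShell is an added illustration, not Microsoft's code: the severity weights, the +15 bump for a flagged identity, the 1.5x departing-user multiplier and the indicator names are all assumptions chosen to show the mechanics, and IRM's real, unpublished model will differ. Only the 0-100 range and the default threshold of 75 come from the chapter.

```powershell
# Added illustration (not Microsoft code): a toy model of the risk-score inputs the chapter lists.
# Weights, bump and multiplier below are assumptions; IRM's actual scoring is not published.

# Severity weights per indicator (assumed values)
$SeverityWeight = @{ low = 15; medium = 30; high = 50 }

function Get-InsiderRiskScore {
    param(
        [Parameter(Mandatory)] [hashtable[]] $TriggeredIndicators,  # @{ Name = ...; Severity = 'low'|'medium'|'high' }
        [bool] $FlaggedByEntraIdProtection = $false,                # user risk profile signal
        [bool] $IsDeparting = $false,                               # context, e.g. from the HR connector
        [int]  $AlertThreshold = 75                                 # chapter default
    )
    # 1. Number and severity of triggered indicators: sum their weights
    $base = 0
    foreach ($ind in $TriggeredIndicators) {
        $w = $SeverityWeight[$ind.Severity]
        if ($null -eq $w) { throw "Unknown severity '$($ind.Severity)' on indicator '$($ind.Name)'" }
        $base += $w
    }
    # 2. Risk profile: an identity flagged by Entra ID Protection adds a fixed bump (assumed +15)
    if ($FlaggedByEntraIdProtection) { $base += 15 }
    # 3. Context: a departing user has the score multiplied (assumed x1.5)
    if ($IsDeparting) { $base = $base * 1.5 }
    # 4. Clamp to the 0-100 range and compare with the alert threshold
    $score = [int][math]::Min(100, [math]::Max(0, $base))
    [pscustomobject]@{
        Score          = $score
        GeneratesAlert = ($score -gt $AlertThreshold)
        Indicators     = ($TriggeredIndicators | ForEach-Object { $_.Name }) -join ', '
    }
}

# Constructed scenarios: the same two indicators with and without the departing-user context
$download = @{ Name = 'Download from SharePoint > 100 files in 24h'; Severity = 'medium' }
$external = @{ Name = 'Email attachment sent to external domain';   Severity = 'medium' }

Get-InsiderRiskScore -TriggeredIndicators @($download, $external)
Get-InsiderRiskScore -TriggeredIndicators @($download, $external) -IsDeparting $true
```

With the assumed weights the two medium indicators score 60 on their own and stay below the threshold, while the same activity by a departing user scores 90 and produces an alert. That difference is the point the chapter makes about context: the HR connector changes how an identical set of actions is scored.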
4. Policy Evaluation: An insider risk policy defines the conditions that trigger an alert. Policies consist of:
- Triggers: Events that start evaluating a user (e.g., "User is terminated", "User downloads >50 files in 1 hour").
- Indicators: Specific behaviors to monitor (e.g., "Email attachment sent to external domain").
- Thresholds: Customizable values (e.g., "Download >100 files in 24 hours").
- Actions: What happens when a threshold is exceeded (e.g., "Generate alert", "Notify compliance officer").
Policies can be scoped to specific users (via user groups) or all users. Out-of-the-box templates include:
- Data theft by departing users
- Data leaks
- Security policy violations
- Offensive language
5. Alert Generation: When a policy condition is met and the risk score exceeds the threshold, an alert is created in the Insider Risk Management dashboard. Alerts have two states: Active and Dismissed. The compliance analyst reviews alerts and can escalate to a case.
6. Case Management: A case is a container for investigation. It includes:
- Activity Explorer: A timeline of user actions with detailed audit log entries.
- User Activity Reports: Summaries of risk-related actions.
- Forensic Evidence: (Requires add-on) Recorded screen captures of user activity.
- Remediation Actions: Options to send a notification, escalate to eDiscovery, or trigger a DLP policy.
Cases can be assigned to investigators, and notes can be added. The case can be closed as Resolved, Dismissed, or Escalated.
Key Components, Values, and Defaults
Risk Score Threshold: Default 75 (range 0-100). Alerts generated when exceeded.
Indicator Thresholds: Vary by indicator. Example: "Download from SharePoint" default is 100 files in 24 hours.
Baseline Period: 30 days of historical data required before IRM becomes effective.
Data Retention: Audit logs are retained for 90 days (default) to 10 years (with add-on).
HR Connector: Requires a CSV file upload or API integration. Data retention is 30 days.
Forensic Evidence: Requires E5 license and additional configuration. Captures 15-second video clips of user activity.
Roles: IRM requires the Insider Risk Management role group (e.g., Insider Risk Analysts, Insider Risk Investigators).
Configuration Steps
Prerequisites: One of the following licenses: Microsoft 365 E5/A5/G5, Microsoft 365 E3 + Compliance Add-on, or Microsoft 365 E3 + Insider Risk Management add-on. Also, enable Office 365 audit logging (default on for tenants created after 2017).
Enable Permissions: Add users to the Insider Risk Management role group in Microsoft Purview compliance portal.
Set Up Connectors: (Optional) Configure HR connector, physical badging connector, or custom indicators via PowerShell.
Create Policies: Use templates or custom policy. Define triggers, indicators, thresholds, and actions.
Review Alerts: In Compliance Center > Insider Risk Management > Alerts.
Investigate Cases: Use Activity Explorer to drill into user actions.
Remediate: Take actions such as notifying user, escalating to eDiscovery, or removing access.
Interaction with Related Technologies
Microsoft Purview Data Loss Prevention (DLP): IRM alerts can be enriched with DLP policy matches. If a user sends a sensitive file externally, DLP triggers an incident that IRM can use as an indicator.
Microsoft Entra ID Protection: High-risk sign-ins from Entra ID Protection can be used as a trigger in IRM policies.
Microsoft Defender for Cloud Apps: Anomalous behavior detected by Defender for Cloud Apps (e.g., impossible travel) can be fed into IRM.
eDiscovery: Cases can be escalated to eDiscovery (Premium) for legal hold and advanced search.
Communication Compliance: Offensive language detection in Communication Compliance can trigger IRM policies.
Command Examples
While IRM is primarily GUI-based, some configurations use PowerShell:
# Enable unified audit log ingestion (Exchange Online PowerShell; run Connect-ExchangeOnline first)
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
# List insider risk policies (Security & Compliance PowerShell; run Connect-IPPSSession first)
Get-InsiderRiskPolicy
# Create a custom indicator via compliance center (no direct cmdlet)
Exam-Relevant Details
IRM is included in Microsoft 365 E5 or E3 + Insider Risk Management add-on.
The HR Connector is optional but recommended for data theft scenarios.
Forensic evidence is an add-on feature that records screen captures.
Activity Explorer is the primary investigation tool.
IRM policies can be based on built-in templates (Data theft, Data leaks, Security violations, Offensive language).
The default risk score threshold is 75.
Audit logs must be enabled for IRM to function.
Enable Audit Logging
Before IRM can collect signals, Office 365 audit logging must be enabled. This is on by default for tenants created after January 2017. For older tenants, enable it via Compliance Center > Audit > Start recording. Audit logs capture user actions like file downloads, email sends, and SharePoint access. If audit logging is off, IRM will not detect any user activity and no alerts will be generated. This is a common exam pitfall: candidates forget that IRM requires audit logging.
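The audit-logging prerequisite described here, and the PowerShell commands listed under Command Examples, can be combined into a single check that a practitioner would run before trusting IRM alerts. The script below is an added example and is not from the chapter or from Microsoft: it verifies that unified audit log ingestion is on and then reproduces the "Download from SharePoint > 100 files in 24 hours" indicator by counting FileDownloaded records for one user straight from the unified audit log, which is useful for confirming that the signal IRM depends on is actually arriving. It requires the ExchangeOnlineManagement module and an admin sign-in; the UPN is a placeholder.

```powershell
# Added example (not from the chapter or Microsoft docs). Requires the ExchangeOnlineManagement
# module; Set-AdminAuditLogConfig, Get-AdminAuditLogConfig and Search-UnifiedAuditLog are
# Exchange Online cmdlets. The UPN below is a constructed placeholder.

Connect-ExchangeOnline   # interactive admin sign-in

function Assert-UnifiedAuditLogEnabled {
    # IRM receives no user-activity signals while unified audit log ingestion is off
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is disabled; IRM will not see any user activity. Enabling it.'
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }
}

function Get-SharePointDownloadCount {
    param(
        [Parameter(Mandatory)] [string] $UserUpn,
        [int] $Hours = 24,
        [int] $Threshold = 100    # chapter default for the "Download from SharePoint" indicator
    )
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)
    # FileDownloaded is the SharePoint/OneDrive audit operation for a file download.
    # Records can lag the action by the ingestion delay the chapter mentions (30 minutes to 2 hours).
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                 -UserIds $UserUpn -Operations FileDownloaded -ResultSize 5000
    # AuditData is a JSON string; pull the fields Activity Explorer also shows (file, site, client IP)
    $downloads = foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time     = $r.CreationDate
            File     = $d.SourceFileName
            Site     = $d.SiteUrl
            ClientIP = $d.ClientIP
        }
    }
    [pscustomobject]@{
        User             = $UserUpn
        Downloads        = @($downloads).Count
        ExceedsIndicator = (@($downloads).Count -gt $Threshold)
        Details          = $downloads
    }
}

Assert-UnifiedAuditLogEnabled
$result = Get-SharePointDownloadCount -UserUpn 'user@contoso.example'   # placeholder UPN
$result | Select-Object User, Downloads, ExceedsIndicator
$result.Details | Sort-Object Time | Format-Table Time, File, ClientIP
```

Search-UnifiedAuditLog returns at most 5000 records per call, so a user far above the threshold will be reported as "at least 5000" rather than an exact count; for the indicator check that is sufficient, since anything at the cap already exceeds 100.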
Set Up HR Connector
The HR connector imports employee status changes (e.g., resignation, termination) from HR systems. This is optional but critical for data theft scenarios. The connector can accept CSV files or integrate with APIs from Workday, SAP SuccessFactors, etc. Once imported, IRM uses this data to trigger policies (e.g., if a user is resigning, start monitoring). Data is retained for 30 days. Without this connector, IRM cannot automatically detect departing users.
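Because the CSV route is the simpler of the two import options, it helps to see what a departing-user file looks like and what can go wrong in it before it is uploaded. The following is an added example, not the connector's own code or a Microsoft sample: it builds a CSV from constructed HR records and validates each row (address format, parseable dates, last working day not before the resignation date) before exporting only the good rows. The column names EmailAddress, ResignationDate and LastWorkingDate are assumptions here and should be checked against the connector's published schema before use.

```powershell
# Added example (not Microsoft's connector code). Column names are assumed; verify them against
# the HR connector schema. All records below are constructed.

$Rows = @(
    [pscustomobject]@{ EmailAddress = 'alice@contoso.example'; ResignationDate = '2024-05-01T00:00:00Z'; LastWorkingDate = '2024-05-31T00:00:00Z' }
    [pscustomobject]@{ EmailAddress = 'bob@contoso.example';   ResignationDate = '2024-05-03T00:00:00Z'; LastWorkingDate = '2024-05-17T00:00:00Z' }
    [pscustomobject]@{ EmailAddress = 'not-an-address';        ResignationDate = '2024-05-03T00:00:00Z'; LastWorkingDate = '2024-05-02T00:00:00Z' }  # deliberately bad row
)

function Test-HrConnectorRow {
    param([Parameter(Mandatory)] $Row)
    $problems = @()
    # The connector matches users by their sign-in address, so a malformed address imports nothing
    if ($Row.EmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems += 'EmailAddress is not a UPN-style address' }
    $res  = [datetime]::MinValue
    $last = [datetime]::MinValue
    $resOk  = [datetime]::TryParse($Row.ResignationDate, [ref]$res)
    $lastOk = [datetime]::TryParse($Row.LastWorkingDate, [ref]$last)
    if (-not $resOk)  { $problems += 'ResignationDate not parseable' }
    if (-not $lastOk) { $problems += 'LastWorkingDate not parseable' }
    # A last working day before the resignation date is almost always a data-entry error
    if ($resOk -and $lastOk -and $last -lt $res) { $problems += 'LastWorkingDate precedes ResignationDate' }
    [pscustomobject]@{
        EmailAddress = $Row.EmailAddress
        Valid        = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
    }
}

# Report every row, then export only the valid ones with a header row in UTF-8
$Rows | ForEach-Object { Test-HrConnectorRow $_ } | Format-Table -AutoSize
$valid = $Rows | Where-Object { (Test-HrConnectorRow $_).Valid }
$valid | Export-Csv -Path .\hr-departing-users.csv -NoTypeInformation -Encoding UTF8
```

The third constructed row fails on both checks and is dropped, so the exported file contains only the two usable records. Validating before upload matters because the chapter's 30-day retention means a bad import is not silently corrected later; the trigger for that user simply never fires.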
Create Insider Risk Policy
In Compliance Center > Insider Risk Management > Policies, click Create policy. Choose a template (e.g., Data theft by departing users). Define triggers: e.g., 'User is terminated or resigns' (requires HR connector). Select indicators: e.g., 'Download from SharePoint > 100 files in 24 hours'. Set threshold: e.g., 100. Configure action: e.g., 'Generate alert'. The policy is scoped to all users or specific groups. Once created, it starts evaluating user behavior.
Review Alerts
When a policy threshold is exceeded and the risk score exceeds 75 (default), an alert appears in the Alerts dashboard. Alerts are grouped by severity (low, medium, high). The compliance analyst reviews the alert details: which user, which indicators triggered, and the risk score. Alerts can be dismissed (false positive) or escalated to a case.
Investigate Case
If the alert is valid, a case is created. The investigator uses Activity Explorer to see a timeline of the user's actions. For example, if the user downloaded 150 files from SharePoint, the explorer shows each file name, download time, and IP address. The investigator can also view user activity reports and, if forensic evidence is enabled, watch screen recordings. The case can be assigned to another analyst or escalated to eDiscovery.
Remediate and Close
Based on investigation, the analyst can take remediation actions: send a notification to the user, remove access, or escalate to legal. The case is then closed with a status: Resolved (no further action needed), Dismissed (false positive), or Escalated (sent to eDiscovery or legal). All case notes and evidence are retained for compliance purposes.
Insider Risk Management is deployed in enterprises to detect data exfiltration by departing employees. For example, a large financial institution uses IRM with the HR connector integrated with Workday. When an employee submits a resignation, IRM automatically starts monitoring that user for 30 days. The policy triggers if the user downloads more than 50 files from SharePoint within 24 hours. In one case, a departing employee downloaded 200 files containing customer PII. IRM generated an alert, the case was escalated to eDiscovery, and legal placed a hold on the employee's account. The company prevented a data breach.
Another common scenario is accidental data leaks. A healthcare organization uses IRM to monitor for users who send large attachments to external domains. The policy triggers if a user sends more than 5 emails with attachments >10 MB to external recipients in one hour. This caught a nurse who accidentally emailed patient records to the wrong address. The analyst sent an alert to the nurse and initiated a DLP policy to block future occurrences.
Misconfiguration can lead to false positives or missed threats. For instance, if the threshold for 'Download from SharePoint' is set too low (e.g., 10 files), it generates alerts for normal work activities, overwhelming analysts. Conversely, if the threshold is too high (e.g., 500 files), actual data theft may go undetected. Also, if the HR connector is not configured, IRM cannot detect departing users, leaving the organization blind to data theft by resigning employees. Performance-wise, IRM scales well up to 50,000 users; beyond that, consider using custom indicators to reduce noise.
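The threshold trade-off described above is easier to reason about with numbers from the population being monitored than by guessing. The script below is an added example and not an IRM feature: it constructs 30 days of daily SharePoint download counts for twelve users, plants one exfiltration-sized day, and compares the chapter's "too low", default and "too high" settings against a threshold taken from the 99th percentile of the observed counts. The percentile rule and the constructed data are assumptions; in a real tenant the daily counts would come from the audit log.

```powershell
# Added example (not Microsoft code): pick an indicator threshold from the population's own
# daily download counts. Data is constructed with a fixed seed so the run is repeatable.

$random = [System.Random]::new(42)
$Users = 1..12 | ForEach-Object {
    $typical = 5 + $random.Next(0, 40)   # each user has their own normal daily volume
    [pscustomobject]@{
        User  = "user$($_)@contoso.example"
        Daily = 1..30 | ForEach-Object { [math]::Max(0, $typical + $random.Next(-10, 11)) }
    }
}
# One constructed exfiltration day: the third user pulls 220 files on day 30
$Users[2].Daily[29] = 220

function Get-Percentile {
    param([double[]] $Values, [double] $Percentile)
    $sorted = $Values | Sort-Object
    $idx = [math]::Ceiling($Percentile / 100 * $sorted.Count) - 1
    $sorted[[math]::Max(0, [math]::Min($sorted.Count - 1, $idx))]
}

function Measure-Threshold {
    param([Parameter(Mandatory)] $Users, [Parameter(Mandatory)] [int] $Threshold)
    $userDays  = $Users.Count * 30
    # Every user-day above the threshold would have raised the indicator
    $alertDays = @($Users | ForEach-Object { $_.Daily } | Where-Object { $_ -gt $Threshold }).Count
    [pscustomobject]@{
        Threshold       = $Threshold
        AlertsPer30Days = $alertDays
        PctOfUserDays   = [math]::Round(100 * $alertDays / $userDays, 1)
        CatchesExfil    = ($Users[2].Daily[29] -gt $Threshold)
    }
}

$allDays = $Users | ForEach-Object { $_.Daily }
$p99 = [int](Get-Percentile -Values $allDays -Percentile 99)

# Chapter's "too low" (10), default (100), "too high" (500), and the data-driven 99th percentile
@(10, 100, 500, $p99) | ForEach-Object { Measure-Threshold -Users $Users -Threshold $_ } | Format-Table -AutoSize
```

A threshold of 10 flags a large share of ordinary user-days, 500 misses the planted 220-file day entirely, and the percentile-based value catches it while flagging only about one percent of user-days. The same comparison run against real audit-log counts gives an analyst a defensible basis for moving an indicator away from its default.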
The SC-900 exam tests Insider Risk Management under Objective 4.3: 'Describe the compliance management capabilities of Microsoft Purview.' Specifically, you need to know: (1) What IRM is and its purpose (detect and remediate insider risks). (2) Licensing requirements: Microsoft 365 E5 or E3 + add-on. (3) Key features: policies, alerts, cases, Activity Explorer, HR connector, forensic evidence. (4) Integration with DLP, Entra ID Protection, and eDiscovery.
Common wrong answers:
- 'IRM is a DLP solution' – No, DLP focuses on content inspection; IRM focuses on user behavior.
- 'IRM requires no additional licensing' – False; it requires E5 or add-on.
- 'IRM works without audit logs' – False; audit logs must be enabled.
- 'The HR connector is mandatory' – It's optional but recommended.
Specific numbers: Default risk score threshold = 75. Baseline period = 30 days. HR connector data retention = 30 days. Forensic evidence captures 15-second clips.
Edge cases:
IRM can monitor only users with Exchange Online mailboxes and SharePoint Online licenses.
Guest users are not monitored by default.
Policies can be applied to distribution groups.
Alerts are retained for 90 days.
Elimination strategy: If an answer mentions 'content inspection' or 'machine learning on email content,' it's likely DLP, not IRM. If it mentions 'user behavior analytics' or 'anomaly detection,' it's IRM.
Insider Risk Management is a Microsoft Purview solution for detecting, investigating, and remediating insider risks.
Licensing: Microsoft 365 E5 or E3 + Insider Risk Management add-on.
IRM requires Office 365 audit logging to be enabled.
A 30-day baseline period is needed before accurate risk scoring.
Default risk score threshold for alerts is 75.
HR connector (optional) imports employee status changes for data theft detection.
Forensic evidence is an add-on that records 15-second screen captures.
Activity Explorer is the primary tool for investigating user actions.
IRM integrates with DLP, Entra ID Protection, and eDiscovery.
Policies can be based on built-in templates: Data theft, Data leaks, Security violations, Offensive language.
These come up on the exam all the time. Here's how to tell them apart.
Insider Risk Management (IRM)
Focuses on user behavior patterns (e.g., downloading many files, accessing unusual resources).
Uses machine learning to establish baselines and detect anomalies.
Generates alerts based on risk scores calculated from multiple indicators.
Integrates with HR systems to detect departing employees.
Requires Microsoft 365 E5 or add-on license.
Microsoft Purview Data Loss Prevention (DLP)
Focuses on content inspection (e.g., credit card numbers, sensitive labels).
Uses policy rules based on content type and context (e.g., send to external domain).
Generates alerts when a policy rule is matched (e.g., 'Block when credit card detected').
Integrates with Microsoft Information Protection (MIP) labels.
Included in Microsoft 365 E3 and higher.
Mistake
Insider Risk Management is a Data Loss Prevention (DLP) solution.
Correct
IRM is not DLP. DLP focuses on protecting sensitive data through content inspection (e.g., credit card numbers). IRM focuses on user behavior patterns (e.g., downloading many files) to detect risky actions. They complement each other but are different solutions.
Mistake
IRM works immediately after enabling the license.
Correct
IRM requires a 30-day baseline period to establish normal user behavior. Without this baseline, risk scores are unreliable. Also, audit logging must be enabled.
Mistake
The HR connector is mandatory for IRM policies.
Correct
The HR connector is optional. You can create policies based on other triggers like DLP alerts or Defender signals. However, for data theft by departing users, the HR connector is highly recommended.
Mistake
Forensic evidence is included in the E5 license.
Correct
Forensic evidence is an add-on feature that requires an additional license (Microsoft 365 E5 Compliance add-on or separate purchase). It is not included in base E5.
Mistake
IRM can monitor all user actions in real time.
Correct
IRM is not real-time. It ingests audit logs with a delay (typically 30 minutes to 2 hours). Alerts are generated based on historical data, not instantaneous actions.
Insider Risk Management requires Microsoft 365 E5, A5, G5, or Microsoft 365 E3 with the Insider Risk Management add-on. It is not included in E3 alone. Forensic evidence requires an additional add-on license. For exam purposes, remember that E5 includes IRM, but E3 does not.
No. IRM relies on Office 365 audit logs to collect user activity signals. If audit logging is disabled, IRM cannot detect any actions and will not generate alerts. Ensure audit logging is enabled in the Compliance Center. This is a common exam gotcha.
The HR connector imports employee status data (e.g., resignation date, termination date) from HR systems like Workday or SAP SuccessFactors. This data is used to trigger policies for departing users. It is optional but critical for data theft scenarios. Data is retained for 30 days.
After enabling IRM, it takes 30 days to establish a baseline of normal user behavior. During this period, risk scoring may be inaccurate. After 30 days, IRM becomes effective. Also, audit logs have a delay of 30 minutes to 2 hours before appearing in IRM.
No, by default IRM monitors only internal users with Exchange Online mailboxes and SharePoint Online licenses. Guest users (B2B) are not monitored. To monitor guests, you would need to assign them appropriate licenses and ensure they are included in the policy scope.
An alert is a notification that a risk score threshold has been exceeded. It appears in the Alerts dashboard. A case is a container for investigation that is created from an alert. Cases include detailed activity logs, user reports, and remediation actions. Alerts can be dismissed; cases require resolution.
Forensic evidence is an add-on feature that captures 15-second video clips of user activity on their device. It requires additional licensing and configuration. It is used for high-risk scenarios where detailed visual evidence is needed. Not all E5 tenants have this feature by default.