Microsoft Purview Insider Risk Management: A Setup Guide

Microsoft 365Security & ComplianceSMB SolutionsDefenderCloud Security
Written By Tiago Carvalho
🛡️ Security & Compliance

Microsoft Purview  ·  Insider Risk  ·  Compliance  ·  2026

Most security incidents involving data loss are not the result of external attacks. They come from inside — an employee copying files before resigning, a contractor with over-broad access, or a compromised account operating quietly for weeks. Traditional DLP catches the exfiltration event. Insider Risk Management catches the pattern that leads to it.

Microsoft Purview Insider Risk Management correlates signals from across Microsoft 365 — file activity in SharePoint, email behaviour, Teams messages, and browsing on managed devices (where indicators are configured and Defender for Endpoint is integrated) — and surfaces sequences that match known risk patterns. It does this without exposing individual activity to broad audiences, using pseudonymisation by design. This guide covers the full setup: licensing, prerequisites, the privacy model, policy creation, indicator configuration, and the alert-to-case workflow.

🔍
IRM detects patterns, not events. A single file download is noise. An employee who updated their LinkedIn profile, received a resignation acceptance, and copied 300 files to a USB in the same week is a pattern. IRM correlates these signals across time and surfaces the sequence as an alert — DLP alone cannot do this.
🔒
Pseudonymisation is on by default — and configurable. User identities are anonymised across all IRM views by default. Investigators see codenames (like "AnonymousUser1") until a specific reviewer with the right role explicitly reveals the identity. This setting can be changed in IRM Settings → Privacy, but disabling it means usernames are shown across alerts and cases rather than anonymised labels — so analysts see real identities at the alert triage stage, before a formal case is opened.
📋
Policies drive everything. IRM does not generate alerts until you create at least one policy. Each policy ties a set of users in scope to a policy template (the risk scenario) and a set of indicators (the signals that contribute to risk). No policy, no alerts.
⚖️
Licensing is the first gate. IRM is generally available through Microsoft 365 E5 or Microsoft 365 E5 Compliance (as an add-on to eligible base licensing). It is not included in E3, Business Premium, or F3 standalone. Always verify the current Microsoft licensing tables before rollout — and ensure the licence is assigned to the users in scope, not only to administrators.
In this article
How IRM works Licensing Prerequisites Privacy model Policy templates Creating a policy Indicators and thresholds Triage: alerts Escalation: cases Deployment checklist

How Insider Risk Management works

IRM operates as a correlation engine. It ingests activity signals from Microsoft 365 services, scores them against the indicators defined in your policies, and when the cumulative risk score for a user crosses a threshold, it generates an alert. The workflow runs left to right:

Signals
M365 activity
Policy
template + indicators
Risk score
cumulative
Alert
triage queue
Case
investigation

Signal sources

IRM pulls signals from multiple Microsoft 365 services. The primary sources are SharePoint Online and OneDrive (file downloads, sharing activity, deletions), Exchange Online (email forwarding rules, attachments sent externally), Microsoft Teams (message content in some scenarios), Microsoft Defender for Endpoint (browsing activity, USB device events), and HR data via the HR connector (resignation dates, performance improvement plans, disciplinary actions). The HR connector is optional but significantly improves the quality of departure-related policies.

Triggering events

Not all signals contribute to risk all the time. IRM uses triggering events to activate a user for scoring within a policy. For a data theft by departing employees policy, the triggering event is typically a resignation date from the HR connector, or a user manually added to the policy scope. Until the triggering event fires, IRM does not score the user's activity against that policy — this reduces noise from day-to-day normal behaviour.

Microsoft Purview — Insider Risk Management overview page showing active policies, recent alert counts by severity, and the navigation menu with Overview, Recommendations, Reports, Audit log, Policies, Users, and Agents.
The Insider Risk Management overview in Microsoft Purview. Once policies are active, this page surfaces alert counts by severity (High, Medium, Low), recent activity trends, and quick links to policy and alert management. Navigate here via Microsoft Purview → Insider Risk Management → Overview.

Licensing

IRM is a premium capability. It is not included in Microsoft 365 Business Premium, E1, E3, or F3. If your tenant does not have the required licence, navigating to Insider Risk Management in Microsoft Purview will show a trial activation page rather than the dashboard. Always verify the current Microsoft 365 compliance licensing guidance before rollout — licensing details change and the official tables are the authoritative source.

Licence IRM included? Notes
Microsoft 365 E5 Yes Full IRM included, no add-on required
Microsoft 365 E5 Compliance Yes Add-on to eligible base licensing — verify current Microsoft licensing guidance
Qualifying Purview compliance add-ons Yes Verify current eligibility in the Microsoft licensing guidance linked above
Microsoft 365 E3 No Requires M365 E5 Compliance or an equivalent qualifying add-on
Microsoft 365 Business Premium / F3 No IRM is an enterprise-tier capability, not available in Business or Frontline plans
ℹ️
Licences must be assigned to the users in scope. The licence needs to be assigned to the users being monitored by IRM policies, not only to the administrators configuring the solution. Unlicensed users in scope will not generate signals or alerts. For HR connector data (resignation dates), the HR connector service account also needs appropriate permissions but does not require an IRM user licence.

Prerequisites

Before creating any IRM policies, three prerequisites must be in place. Skipping them means policies will run but generate incomplete or no alerts.

1
Enable audit logging
IRM requires the Microsoft 365 unified audit log to be enabled. Navigate to Microsoft Purview → Audit and confirm that auditing is turned on. In most tenants this is already active, but in older tenants or development environments it may have been disabled. Without audit log data, IRM cannot ingest the signals it needs to score user activity.
2
Assign IRM roles to reviewers
IRM uses its own role groups in Microsoft Purview. The key roles are: Insider Risk Management (full access — configure policies, review alerts, manage cases), Insider Risk Management Analysts (triage alerts and manage cases but cannot configure policies), and Insider Risk Management Investigators (full case access including content review and eDiscovery export). Assign these via Microsoft Purview → Roles & scopes → Role groups. Do not use Global Admin for day-to-day IRM work — the separation of duties is intentional.
3
Configure the HR connector (recommended)
The HR connector imports resignation dates, performance data, and job change events from your HR system into Microsoft 365. This data is used as a triggering event for departure-related policies. Without it, you must manually add users to policies or rely on less precise triggering events. Set up the connector via Microsoft Purview → Data connectors → HR. The connector supports CSV-based imports and direct API connections to common HR platforms.
⚠️
Defender for Endpoint integration is required for device signals. If your IRM policies include indicators from managed devices — browsing activity, USB events, executable launches — Microsoft Defender for Endpoint must be deployed and the devices must be onboarded. Navigate to IRM Settings → Microsoft Defender for Endpoint to enable the integration. Without this, device-based indicators will produce no signals even if selected in the policy.

Privacy model: pseudonymisation by design

IRM is built with a deliberate privacy control that distinguishes it from most monitoring tools: user identities are pseudonymised by default across all views — alerts, cases, activity explorer, and reports. Investigators see anonymised labels like AnonymousUser1 instead of real names and email addresses.

Microsoft Purview Insider Risk Management Settings — Privacy page showing the option to show anonymised versions of usernames, with the toggle controlling whether pseudonymisation is enabled across all IRM views.
IRM Settings → Privacy. Pseudonymisation is enabled by default. When turned on, all user identities in IRM — across alerts, cases, activity explorer, and user activity reports — are replaced with anonymised labels. Investigators must have the Insider Risk Management Investigators role and explicitly reveal the identity on a per-case basis. Navigate to Insider Risk Management → Settings (gear icon) → Privacy.

To reveal a pseudonymised identity, an investigator with the Insider Risk Management Investigators role opens the relevant case and uses the Confirm identity action. This action is logged in the IRM audit log — every identity reveal is recorded with the reviewer's account, timestamp, and the case it was performed in. This creates an auditable chain of custody for sensitive identity disclosures.

ℹ️
Pseudonymisation can be disabled — but you should document the decision. The privacy toggle in IRM Settings controls whether anonymised names are used across the interface. Organisations that disable it should document the justification in their IRM governance policy, as it affects the sensitivity of what analysts can see at the alert triage stage — before a formal case has been opened.

Policy templates

IRM ships with a library of built-in policy templates, each representing a specific insider risk scenario. Templates determine which triggering events and indicators are pre-selected when you create a policy — you can customise from the template baseline but cannot start entirely from scratch. Choose the template that matches the risk scenario you want to address first.

Template Risk scenario Typical triggering event
Data theft by departing employees Files copied, downloaded, or shared in the period around a resignation or termination Resignation date from HR connector; manual user addition
Data leaks Sensitive content shared externally, uploaded to unapproved cloud services, or printed DLP policy match; high-risk SharePoint activity
Data leaks by priority users Same as data leaks but scoped to a defined group of high-value users (executives, finance, IP holders) Any risky activity — always-on for priority users
Security policy violations Disabling antivirus, installing unapproved software, removing security agents from managed devices Microsoft Defender for Endpoint alerts
Risky browser usage Browsing to sites associated with data exfiltration, hacking tools, or competitor intelligence Defender for Endpoint browsing signals (Edge/Chrome on managed devices)
Patient data misuse Healthcare-specific: access to patient records beyond normal scope, especially when combined with departure signals HR connector; EMR/EHR system connector
General data leaks Broad detection: any significant data movement that could indicate leakage, without requiring a specific trigger Volume-based thresholds on file activity
💡
Start with one template. A common mistake is activating multiple policies covering the same users before you have validated alert quality. Begin with the template most relevant to your immediate risk concern — typically Data theft by departing employees — tune its indicators and thresholds over 30–60 days, then expand. Running too many policies simultaneously generates alert volume that overwhelms analysts and leads to alert fatigue.

Creating a policy

Navigate to Insider Risk Management → Policies and click + Create policy. The wizard has five steps.

Microsoft Purview Insider Risk Management — Policies page showing the policy list with status, template type, and last modified date. The '+ Create policy' button is visible in the toolbar.
The Policies page in Insider Risk Management. Each policy shows its template, the number of users in scope, and its current status (active, inactive). You can have multiple policies active simultaneously. Navigate here via Insider Risk Management → Policies.

Step 1 — Choose a template

Select the policy template that matches your risk scenario. Each template shows a description of the risk pattern it detects and the types of signals it uses. Hover over each template to see the full description before selecting.

Insider Risk Management policy wizard — Choose a policy template page showing the template gallery with cards for Data theft by departing employees, Data leaks, Security policy violations, and other templates.
Step 1 — Choose a policy template. The template gallery shows all available IRM risk scenarios. Each card shows the template name and a short description. The template you choose determines the default set of triggering events and indicators pre-selected in the following steps.

Step 2 — Name and description

Give the policy a clear name that identifies the template and scope — for example, IRM-DepartingUsers-IT or IRM-DataLeaks-Finance. The name is visible to all IRM administrators and appears in alert and case details. A consistent naming convention is important when you have multiple policies active.

Step 3 — Users and groups

Define which users the policy monitors. You can scope to all users in the tenant, specific security groups, or a defined list of individual users. For departure-related policies, leave the scope broad if you have the HR connector providing triggering events — the policy only activates scoring for users who match the triggering event (resignation date), not all users in scope. For priority user policies, define the group explicitly.

Insider Risk Management policy wizard — Users and groups step showing options to include all users and groups or select specific users and groups, with a search field for adding specific groups.
Step 3 — Users and groups. Choose whether the policy covers all users in the tenant or a defined subset. For departure-related policies scoped to all users, the HR connector's resignation data acts as the gate — only users with an active triggering event are scored. Targeting all users does not mean all users generate risk scores simultaneously.

Step 4 — Policy indicators

Indicators are the individual signals that contribute to a user's risk score under this policy. Each template pre-selects a recommended set. You can add or remove indicators, but note that indicators from data sources you have not configured (for example, device indicators without Defender for Endpoint) will produce no signal even if selected.

Insider Risk Management policy wizard — Policy indicators page showing grouped indicator categories: Office indicators, Device indicators, Microsoft Defender for Endpoint indicators, and Physical access indicators. Each category shows individual indicators with checkboxes.
Step 4 — Policy indicators. Indicators are grouped by signal source. Office indicators cover SharePoint, OneDrive, and Exchange activity. Device indicators require Defender for Endpoint. Select only the indicators whose data sources are configured — inactive sources produce no signal and add no value. You can tune individual indicator thresholds after the policy is created.

Step 5 — Review and finish

Review the policy configuration and click Submit to create it. The policy enters an active state immediately, but allow 24–48 hours before expecting to see alerts — IRM needs time to build a baseline of normal activity before scoring deviations. Alerts will not appear for historical activity before the policy was created.

Indicators and thresholds

Indicators are configured at two levels: globally in IRM Settings (which determines which indicators are available for selection in policies) and per-policy (where you choose which of those available indicators to include and set thresholds). Before creating your first policy, navigate to Insider Risk Management → Settings → Policy indicators and enable all the indicator categories you intend to use across your policies.

⚠️
Indicators must be enabled globally before they appear in the policy wizard. If you open the policy wizard and an indicator category is greyed out or missing, it is because it has not been enabled in Settings → Policy indicators. This is a common cause of confusion — the wizard reflects your Settings configuration, not the full indicator library. Enable all relevant indicator categories in Settings before configuring policies.

Threshold types

Each indicator has a threshold that determines how much of that activity is required before it contributes meaningfully to a risk score. IRM offers two threshold models. Microsoft-recommended thresholds use data from across the Microsoft 365 ecosystem to set sensible defaults — these are a good starting point. Custom thresholds let you specify exact counts per day or per event window. If your organisation has atypically high file activity in a particular team (for example, a file migration in progress), custom thresholds can prevent that team from generating false positive alerts during the migration period.

Triage: the alert queue

When a user's cumulative risk score crosses the alert threshold defined by the policy, IRM generates an alert and places it in the alert queue. Navigate to Insider Risk Management → Alerts to review the queue.

Microsoft Purview Insider Risk Management — Alerts page showing the alert queue with columns for alert ID, anonymised user, policy name, severity (High/Medium/Low), status (Needs review / Confirmed / Dismissed), and date. Filter controls are visible at the top.
The Alerts page in Insider Risk Management. Alerts are listed with severity, policy, and status. Anonymised user identities appear unless pseudonymisation has been disabled in Settings. Analysts triage alerts here — confirming them to escalate to a case, or dismissing them with a reason. Use the severity and status filters to prioritise the queue.

Alert severity

Alert severity is calculated by IRM based on the type and volume of indicators that contributed to the risk score. High severity alerts represent sequences with a strong correlation to a known risk pattern — multiple high-weight indicators firing in a short time window. Medium severity indicates moderate risk signal that warrants review. Low severity alerts are informational and often the result of a single indicator threshold being crossed without supporting context. In the early weeks of a new policy, expect a higher proportion of low and medium alerts as baselines are being established.

Alert triage actions

Each alert can be acted on in three ways. Confirm alert escalates it to a case for formal investigation — use this when the alert represents a genuine risk pattern that requires deeper review or action. Dismiss alert closes it with a reason (false positive, expected activity, insufficient evidence) and records the dismissal in the audit log. Send for review allows the alert to be routed to another analyst or escalated to a manager without immediately confirming or dismissing it.

Escalation: case investigation

When an alert is confirmed, IRM creates a case. Cases are the formal investigation record — they capture all activity associated with the user during the risk window, allow investigators to add notes and evidence, and support escalation to legal, HR, or eDiscovery if required.

Microsoft Purview Insider Risk Management — Cases page showing a list of open and closed cases with columns for case name, anonymised user, policy, status (Active / Closed), severity, and date opened. The New case and Export buttons are visible.
The Cases page in Insider Risk Management. Each confirmed alert becomes a case entry here. Investigators can open a case to view the full activity timeline, see which indicators fired and when, reveal the pseudonymised user identity (with the Investigators role), add notes, and escalate to eDiscovery Premium or send a notice to the user.

What a case contains

A case provides a consolidated view of everything IRM has captured about the user during the risk window: the activity timeline with individual signal events, the risk score history showing how the score evolved, user activity summaries by content type, and any related alerts from the same or other policies. Investigators can also access Content explorer within the case to review the actual files that were involved — subject to having the appropriate role (Investigators, not Analysts).

Escalation paths from a case

IRM cases support several escalation paths without leaving the Purview portal. eDiscovery Premium allows you to export the case evidence into a formal legal hold and review set. Notice templates allow you to send a compliance notice directly to the user from within the case — useful for policy violation scenarios where the intent is corrective rather than punitive. Case sharing allows designated HR or Legal contacts to be given read access to specific cases without granting them access to the full IRM solution.

Deployment checklist

  • Verify IRM licence assignment Confirm that M365 E5, M365 E5 Compliance (with eligible base licensing), or a qualifying Purview compliance add-on is assigned to users in scope. Navigating to IRM without the licence shows the trial page — not the dashboard.
  • Confirm unified audit log is enabled Go to Microsoft Purview → Audit and verify auditing is active. Without it, IRM cannot ingest file, email, or Teams signals. Most production tenants have this enabled, but verify before proceeding.
  • Assign IRM role groups — do not use Global Admin Create at least two role group assignments: IRM Administrators for policy configuration, and IRM Analysts or Investigators for alert and case review. Keeping these separate is a deliberate privacy and compliance control.
  • Enable policy indicators in Settings before creating policies Navigate to IRM Settings → Policy indicators and enable every indicator category you plan to use. Indicators not enabled here will not appear in the policy wizard — a common source of missing signal coverage.
  • Configure the HR connector (for departure policies) Set up the HR data connector with resignation and termination date fields. This provides the triggering event that activates departure-related policies for specific users — without it, these policies must be manually triggered or rely on less precise proxies.
  • Integrate Defender for Endpoint (for device indicators) If your policies include browsing activity, USB device events, or executable launch indicators, Defender for Endpoint must be deployed and device onboarding must be complete. Enable the integration in IRM Settings → Microsoft Defender for Endpoint.
  • Review and document the privacy policy decision Decide whether pseudonymisation remains enabled (recommended) and document the decision. If disabled, ensure your organisation's privacy, HR, and legal teams have reviewed the implication — analysts will see real identities at the alert triage stage before a formal case is opened.
  • Start with one policy, tune for 30–60 days before expanding Begin with the policy template most relevant to your immediate risk concern. Review alert quality over 4–8 weeks, adjust thresholds to reduce false positives, and only then create additional policies. Alert fatigue from too many simultaneous policies is the most common failure mode in IRM deployments.
  • Establish an alert triage SLA Define how quickly alerts must be reviewed after generation — for example, High severity within 24 hours, Medium within 72 hours. Without a defined SLA, alert queues accumulate and the operational value of IRM degrades quickly. Assign clear ownership to the IRM Analysts role group.
Next in Security & Compliance
Microsoft Purview DLP + Power Automate
DLP detects the violation. Power Automate can act on it automatically — alerting, logging, or blocking without manual intervention.

Read the guide →
Related articles
In this series
Tiago Carvalho
Previous

Microsoft 365 Secure Score: What Matters and What to Ignore
Next

Microsoft Defender for Office 365 Plan 1 Is Now in E3: What You Actually Get