Insider Risk Management

Microsoft Purview Insider Risk Management (IRM) detects risky behaviour by users inside the tenant — data theft by departing users, IP leakage, policy violations, security incidents — using built-in policy templates and machine learning across Microsoft 365 signals (sign-ins, email, file activity, Defender alerts, HR events). Designed with privacy preservation: anonymised display by default, tiered access (analysts see redacted data; investigators with higher roles can de-anonymise after due process), HR/Legal sign-off assumed. Common templates: data theft by departing users, general data leaks, security policy violations, risky AI usage, risky browser usage. Requires Microsoft 365 E5 or E5 Compliance licensing.