Purview Insider Risk Management

Insider Risk Management detects risky internal behaviour — data theft, IP leakage, policy violations — with built-in privacy controls.

Microsoft Purview Insider Risk Management (IRM) detects risky behaviour by users inside the tenant — data theft, intellectual-property leakage, policy violations, security incidents — using built-in policy templates, machine learning, and privacy-preserving design.

What IRM looks for

Out-of-the-box policy templates cover the most common scenarios:

  • Data theft by departing users — unusual download or copy activity by someone who's resigning.
  • General data leaks — large outbound transfers, sensitive content to unmanaged destinations.
  • Healthcare data misuse — patterns specific to healthcare regulatory regimes.
  • Security policy violations — repeated failed sign-ins, malware events, Defender alerts.
  • Risky browser usage — unsanctioned cloud apps, anonymous file uploads.
  • Risky AI usage — sensitive content shared with non-corporate AI assistants.

Each template combines signals from across Microsoft 365 — sign-in events, email activity, file operations, Defender alerts, HR events — to surface unusual patterns.

How IRM preserves privacy

A common concern with insider-risk tooling is over-reach. IRM is designed to mitigate that:

  • Anonymised display — user identities are masked by default in the analyst surface (pseudonyms).
  • Tiered access — analysts can see redacted data; investigators with higher roles can de-anonymise after due process.
  • HR / Legal in the loop — policy templates assume HR and Legal sign-off before access escalation.
  • Configurable scope — choose which users are in scope (typically users with sensitive role flags from HR).

HR connector and event-driven signals

An HR data connector ingests events from HR systems — resignation dates, performance review states, change of role — that drive adaptive risk scoring. A user with a recent resignation date who suddenly starts copying customer data has a different risk profile from the same activity by a stable employee.
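The two design points above, HR-event-driven adaptive scoring and a pseudonymised analyst surface whose de-anonymisation is gated on documented authorisation, as one added illustrative example. This is not Microsoft's scoring logic, connector format or API; the sample users, events, weights and the 30-day resignation window are constructed assumptions.

```python
import hashlib
from collections import namedtuple
from datetime import date, timedelta

# Constructed sample data and an illustrative scoring model; the real IRM scoring
# logic and HR connector format are not public and are not reproduced here.
HrEvent = namedtuple("HrEvent", "user kind effective")
Activity = namedtuple("Activity", "user action sensitive count when")

HR_EVENTS = [HrEvent("alice@contoso.example", "resignation", date(2024, 6, 15))]
ACTIVITIES = [
    Activity("alice@contoso.example", "file_copy", True, 5, date(2024, 6, 1)),  # departing user
    Activity("bob@contoso.example", "file_copy", True, 5, date(2024, 6, 1)),    # stable employee
]
BASE_SCORE = {"file_copy": 10, "download": 8, "email_external": 12}
RESIGNATION_WINDOW = timedelta(days=30)   # assumed window around the resignation date

def risk_score(activity, hr_events):
    """Score one activity; a resignation within the window triples the score."""
    score = BASE_SCORE.get(activity.action, 5) * activity.count
    if activity.sensitive:            # customer data / labelled content counts double
        score *= 2
    for ev in hr_events:
        if (ev.user == activity.user and ev.kind == "resignation"
                and abs(ev.effective - activity.when) <= RESIGNATION_WINDOW):
            score *= 3
    return score

def pseudonym(user, salt):
    """Mask the identity shown to analysts; the mapping is held in a separate store."""
    return "user-" + hashlib.sha256((salt + user).encode()).hexdigest()[:8]

def build_alerts(activities, hr_events, salt, threshold=150):
    """Return anonymised alerts and the identity map withheld for gated reveal."""
    alerts, identity_map = [], {}
    for a in activities:
        score = risk_score(a, hr_events)
        if score >= threshold:
            p = pseudonym(a.user, salt)
            identity_map[p] = a.user
            alerts.append({"user": p, "score": score, "action": a.action})
    return alerts, identity_map

def reveal(pseudo, identity_map, authorisation):
    """De-anonymise only against a documented authorisation (case id and approver)."""
    if not authorisation.get("case_id") or not authorisation.get("approved_by"):
        raise PermissionError("de-anonymisation requires documented authorisation")
    return identity_map[pseudo]
```

With the constructed data, identical copy activity scores 300 for the departing user and 100 for the stable one, so only the former crosses the alert threshold, and the analyst sees a pseudonym until a case id and approver are recorded.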

Investigation workflow

The analyst surface includes:

  • Alerts with severity scoring and contributing indicators.
  • Case management — investigations bundled with related alerts and notes.
  • Content explorer — the actual files and emails involved (with appropriate role gates).
  • User activity timeline — the sequence of events leading to the alert.
  • Defender XDR integration — IRM cases can correlate with broader incidents.

Operational realities

IRM is unlike most security tools because it involves the HR and Legal functions deeply:

  • Define policies with HR and Legal sign-off.
  • Train analysts on privacy-preserving investigation.
  • Establish escalation paths so de-anonymisation only happens with documented authorisation.
  • Communicate the existence of IRM to employees as part of acceptable-use policies.

Licensing

IRM requires Microsoft 365 E5, Microsoft 365 E5 Compliance, or the Purview Insider Risk Management standalone licence. Per-user licensing is typical.

For regulated industries — finance, pharma, intellectual-property-heavy sectors — IRM is rapidly becoming standard. For organisations with lighter obligations, it's a deliberate decision driven by risk appetite, not a default deployment.