Microsoft Purview · Insider Risk Management

Insider Risk Management

Full access to all IRM features including policy creation, alert investigation, forensic evidence review, and Adaptive Protection.

Scope: Organization-wide access to all insider risk management features

Permissions

  • Policy Management - Create, edit, and delete insider risk policies
  • Alert Investigation - View and investigate all alerts and cases
  • Forensic Evidence - Access and view forensic evidence captures
  • Content Explorer - Access and view Content Explorer for file content
  • Global Settings - Configure global settings and integrations
  • Adaptive Protection - Configure Adaptive Protection and risk levels
  • Notice Templates - Configure notice templates
  • Evidence Requests - Create forensic evidence capturing requests
  • Evidence Approval - Approve forensic evidence capturing requests
  • Indicators - Manage policy indicators and thresholds
  • Analytics - Access analytics insights and reports
  • Audit Logs - View and export audit logs
  • Users Tab - View Adaptive Protection users tab
  • Reports - View alert and case reports
  • Risk Graphs - View data risk graphs for alerts
  • Export - Export case data and generate comprehensive reports

Common use cases

  • Chief Security Officer or Chief Compliance Officer oversight
  • Dedicated insider threat program managers
  • Senior security analysts handling sensitive investigations
  • Privacy officers overseeing data exfiltration risks

Best practices

  • Establish clear policies defining acceptable vs. risky behaviors
  • Start with policy templates and customize based on org needs
  • Use analytics dashboard to identify trends before investigating individuals
  • Coordinate with HR and legal before taking action on alerts
  • Implement the principle of least privilege - use more specific roles when possible
  • Regular training on privacy rights and ethical investigation practices
  • Document investigation procedures and maintain audit trails

Security considerations

  • Extremely sensitive role with access to employee behavior data
  • Must comply with workplace privacy laws and regulations
  • Can view user activities that may include personal information
  • Investigations must be conducted ethically and legally
  • High risk of insider threat if role is compromised
  • Coordinate with legal counsel and HR on all investigations
  • Be aware of works council or union notification requirements

Common questions

When should I assign the Insider Risk Management role?

Assign Insider Risk Management when you need to: Chief Security Officer or Chief Compliance Officer oversight; Dedicated insider threat program managers; Senior security analysts handling sensitive investigations; and Privacy officers overseeing data exfiltration risks. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Insider Risk Management role do?

The Insider Risk Management role grants permissions including: Policy Management - Create, edit, and delete insider risk policies; Alert Investigation - View and investigate all alerts and cases; Forensic Evidence - Access and view forensic evidence captures; Content Explorer - Access and view Content Explorer for file content; Global Settings - Configure global settings and integrations; and Adaptive Protection - Configure Adaptive Protection and risk levels. See the Permissions section above for the full list.

What are the security risks of the Insider Risk Management role?

Key considerations when assigning Insider Risk Management: Extremely sensitive role with access to employee behavior data; Must comply with workplace privacy laws and regulations; Can view user activities that may include personal information; and Investigations must be conducted ethically and legally. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →