Microsoft Purview · Insider Risk Management

Insider Risk Management

Full access to all Insider Risk Management (IRM) features, including policy creation, alert investigation, forensic evidence review, and Adaptive Protection.

Scope: Organization-wide access to all insider risk management features

Permissions

  • Policy Management - Create, edit, and delete insider risk policies
  • Alert Investigation - View and investigate all alerts and cases
  • Forensic Evidence - Access and view forensic evidence captures
  • Content Explorer - Access and view Content Explorer for file content
  • Global Settings - Configure global settings and integrations
  • Adaptive Protection - Configure Adaptive Protection and risk levels
  • Notice Templates - Configure notice templates
  • Evidence Requests - Create forensic evidence capturing requests
  • Evidence Approval - Approve forensic evidence capturing requests
  • Indicators - Manage policy indicators and thresholds
  • Analytics - Access analytics insights and reports
  • Audit Logs - View and export audit logs
  • Users Tab - View Adaptive Protection users tab
  • Reports - View alert and case reports
  • Risk Graphs - View data risk graphs for alerts
  • Export - Export case data and generate comprehensive reports

Common use cases

  • Chief Security Officer or Chief Compliance Officer oversight
  • Dedicated insider threat program managers
  • Senior security analysts handling sensitive investigations
  • Privacy officers overseeing data exfiltration risks

Best practices

  • Establish clear policies defining acceptable vs. risky behaviors
  • Start with policy templates and customize based on organizational needs
  • Use the analytics dashboard to identify trends before investigating individuals
  • Coordinate with HR and legal before taking action on alerts
  • Implement the principle of least privilege - use more specific roles when possible
  • Provide regular training on privacy rights and ethical investigation practices
  • Document investigation procedures and maintain audit trails

Security considerations

  • Extremely sensitive role with access to employee behavior data
  • Must comply with workplace privacy laws and regulations
  • Can view user activities that may include personal information
  • Investigations must be conducted ethically and legally
  • High risk of insider threat if the role is compromised
  • Coordinate with legal counsel and HR on all investigations
  • Be aware of works council or union notification requirements
