Microsoft Purview · Insider Risk Management

Insider Risk Management Admins

Configure IRM policies, settings, integrations, and Adaptive Protection without access to investigate individual cases.

Scope: Configuration and policy management only - no access to individual cases or user alerts

Permissions

  • Policy Creation - Create and configure insider risk policies
  • Indicators - Manage policy indicators and scoring thresholds
  • Global Settings - Configure global settings and integrations
  • Adaptive Protection - Configure Adaptive Protection and insider risk levels
  • Evidence Requests - Create forensic evidence capturing requests
  • Analytics - Access analytics insights and reports
  • Reports - View alert and case reports
  • Priority Users - Manage priority user groups and exclusions
  • Reporting Settings - Configure analytics and reporting settings
  • Integration - Set up integration with DLP and Conditional Access
  • Alert Customization - Configure inline alert customization settings

Common use cases

  • Security engineers implementing insider risk policies
  • Compliance administrators configuring detection settings
  • IT administrators managing integrations and connectors
  • Policy owners who define but do not investigate violations
  • Configuring Adaptive Protection for DLP and Conditional Access
  • Setting up policy templates for data theft and security violations

Best practices

  • Separate policy configuration from investigation duties
  • Test policies in audit mode before enabling enforcement
  • Use this role for technical staff who configure but don't investigate
  • Document all policy changes with business justification
  • Review and update policies quarterly based on threat landscape
  • Configure Adaptive Protection to dynamically assign DLP policies
  • Ensure forensic evidence capturing requires dual authorization
  • Use policy templates (data theft, risky AI, browser usage) as starting points

Security considerations

  • Cannot view individual alerts or cases - maintains privacy boundaries
  • Can configure policies that affect the entire organization
  • Adaptive Protection configuration impacts DLP and Conditional Access
  • Forensic evidence settings require careful legal and privacy review
  • Should coordinate with legal before enabling intrusive monitoring
