Microsoft Purview · Insider Risk Management

Insider Risk Management Analysts

Reviews and investigates alerts, accesses analytics and case data, and configures notice templates; has no policy configuration access (beyond optional inline threshold edits) and no forensic evidence access.

Scope: Alert review and case management without forensic evidence or Content Explorer access

Permissions

  • Alert Access - Access and investigate alerts
  • Case Access - Access and investigate cases
  • Risk Scores - View risk score details and activity timeline
  • Analytics - Access analytics insights
  • Notice Templates - Configure notice templates
  • Users Tab - View Adaptive Protection users tab
  • Reports - View alert and case reports
  • Risk Graphs - View data risk graphs for alerts
  • Case Management - Create and manage cases from alerts
  • Report Generation - Generate investigation reports
  • Alert Classification - Tag and classify alerts
  • Escalation - Escalate cases to Investigators
  • Threshold Editing - Optionally edit policy thresholds (if inline alert customization enabled)

Common use cases

  • Security analysts performing initial alert triage
  • Compliance team members reviewing risk indicators
  • HR partners assessing employee risk patterns
  • Entry-level insider threat analysts
  • Reviewing Adaptive Protection user risk levels
  • Analyzing data risk graphs for alert prioritization

Best practices

  • Develop consistent triage criteria for alerts
  • Document justification for case creation
  • Escalate high-risk cases to Investigators promptly
  • Hold regular calibration meetings to keep triage decisions consistent across analysts
  • Monitor for alert fatigue and tune policies accordingly
  • Use inline alert customization to adjust policy thresholds where it is enabled
  • Review Adaptive Protection user risk levels to prioritize cases
  • Leverage data risk graphs to understand alert context

Security considerations

  • Cannot access Content Explorer or forensic evidence, which limits exposure of user content and reduces privacy risk
  • Still sees sensitive user activity patterns and risk scores, so membership in this role should itself be reviewed as a privileged assignment
  • Can view Adaptive Protection risk levels for users
  • Case creation should require documented justification
  • Analyst activities are logged for audit purposes
  • If inline alert customization is enabled, can modify policy indicator thresholds from an alert, which narrows the separation between this role and policy configuration
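A membership and role-composition check for this role group, as an added example that is not part of the original page or of Microsoft's own documentation. It assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module), that the role group's PowerShell identity is InsiderRiskManagementAnalysts, that Get-RoleGroupMember exposes members by a Name property, and that the approved-member list and the out-of-scope role-name pattern are constructed placeholders to be replaced with the tenant's own access-review data and actual role names.

```powershell
# Added example: audit the Insider Risk Management Analysts role group for
# membership drift and for roles that would widen its scope beyond alert
# review and case management.
# Assumes an existing Security & Compliance PowerShell session:
#   Connect-IPPSSession
# The PowerShell identity of the role group below is an assumption; confirm with:
#   Get-RoleGroup | Select-Object Name
$RoleGroup = "InsiderRiskManagementAnalysts"

# Constructed approved list (placeholder): replace with the tenant's source of
# truth, e.g. the last access-review export. Compared on the Name property,
# which is assumed to be what Get-RoleGroupMember returns for each member.
$Approved = @(
    "Alice Analyst",
    "Bob Triage"
)

# Role names matching this pattern would put Content Explorer or forensic
# evidence within reach of analysts. The pattern is an assumption; check the
# real role names with:
#   Get-ManagementRole | Select-Object Name
$OutOfScopePattern = 'Content Explorer|Forensic'

$Group   = Get-RoleGroup -Identity $RoleGroup
$Members = Get-RoleGroupMember -Identity $RoleGroup

# 1. Membership drift: anyone present who is not on the approved list, and
#    anyone approved who is missing (stale approval or broken onboarding).
$Diff = Compare-Object -ReferenceObject $Approved -DifferenceObject @($Members.Name)
foreach ($d in $Diff) {
    switch ($d.SideIndicator) {
        '=>' { Write-Warning "Unapproved member of ${RoleGroup}: $($d.InputObject)" }
        '<=' { Write-Warning "Approved but not a member of ${RoleGroup}: $($d.InputObject)" }
    }
}

# 2. Role composition: a customised copy of the group may have had content or
#    forensic evidence roles added, silently collapsing the separation this
#    role is meant to provide.
$Expanded = @($Group.Roles | Where-Object { $_ -match $OutOfScopePattern })
if ($Expanded.Count -gt 0) {
    Write-Warning "${RoleGroup} carries out-of-scope roles: $($Expanded -join ', ')"
}

# 3. Summary object for the access-review record.
[pscustomobject]@{
    RoleGroup       = $RoleGroup
    MemberCount     = @($Members).Count
    UnapprovedCount = @($Diff | Where-Object SideIndicator -eq '=>').Count
    MissingCount    = @($Diff | Where-Object SideIndicator -eq '<=').Count
    OutOfScopeRoles = $Expanded
    Reviewed        = (Get-Date).ToString('o')
}
```

Run it on a schedule or as part of each access review; a non-zero UnapprovedCount or a non-empty OutOfScopeRoles list is the signal that the role has drifted from the scope described above, and the summary object can be kept alongside the documented justifications the best practices call for.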
