Microsoft Purview · Insider Risk Management

Insider Risk Management Investigators

Full investigation access including forensic evidence, Content Explorer, and detailed user activity review without policy configuration.

Scope: Deep investigation with full evidence access for assigned cases - no policy configuration

Permissions

  • Analyst Permissions - All Analyst permissions (access and investigate alerts and cases)
  • Forensic Evidence - Access and view forensic evidence captures
  • Content Explorer - Access and view Content Explorer to view file content
  • Notice Templates - Configure notice templates
  • Users Tab - View Adaptive Protection users tab
  • Reports - View alert and case reports
  • Risk Graphs - View data risk graphs for alerts
  • Activity Logs - View detailed user activity logs
  • Content Access - Access file and email content related to cases
  • Export - Export comprehensive investigation packages
  • Collaboration - Add contributors to cases for collaboration
  • Threshold Editing - Optionally edit policy thresholds (if inline alert customization enabled)

Common use cases

  • Senior security analysts conducting thorough investigations
  • Legal team reviewing evidence for potential litigation
  • HR conducting serious misconduct investigations
  • Forensic analysts examining suspected data theft
  • Incident response team analyzing complex insider threats
  • Reviewing forensic evidence captures of user device activity

Best practices

  • Document every step of the investigation process
  • Maintain strict confidentiality of investigations
  • Preserve evidence integrity and chain of custody
  • Coordinate with legal before accessing forensic evidence
  • Use just-in-time access for sensitive investigations via PIM
  • Export and secure evidence before case closure
  • Follow established investigation playbooks
  • Forensic evidence viewing requires approval from IRM Approvers
  • Add case contributors for collaborative investigations
  • Review Adaptive Protection risk levels to prioritize cases
  • Note: Forensic evidence requires device onboarding and the Microsoft Purview Client

Security considerations

  • Extremely sensitive - can view user files and communications via Content Explorer
  • Forensic evidence captures show visual screenshots of user device activity
  • Must comply with privacy laws and employment regulations (GDPR, local laws)
  • All evidence access logged and auditable
  • Forensic evidence viewing requires strong justification and approval
  • Should be limited to most trusted personnel only
  • Consider using PIM for time-limited activation
  • Cannot create forensic evidence capture requests (only Admins can)
  • Usernames pseudonymized by default for privacy protection
