Microsoft Purview · Insider Risk Management
Insider Risk Management Auditors
View and export audit logs for Insider Risk Management (IRM) activities to ensure proper program governance, compliance, and ethical oversight.
Scope: Read-only audit log access for oversight and compliance
Permissions
- Audit Logs - View and export insider risk management audit logs
- Audit Export - Export audit records for compliance reporting
- Access Tracking - Review who accessed which cases and when
- Change Monitoring - Monitor policy changes and configuration updates
- Evidence Tracking - Track evidence viewing and export activities
- Governance Reports - Generate governance and compliance reports
- Access Patterns - Audit alert and case access patterns
- Approval Monitoring - Monitor forensic evidence capture approvals and denials
Common use cases
- Internal audit teams reviewing the IRM program
- Privacy officers ensuring proper data handling
- Compliance reporting for regulatory requirements
- Executive oversight of the insider threat program
- External auditors assessing program controls
Best practices
- Review audit logs regularly to ensure proper usage
- Monitor for unauthorized access to sensitive cases
- Generate quarterly compliance reports for leadership
- Alert on unusual patterns (e.g., after-hours evidence access)
- Coordinate with Privacy Office on data handling reviews
Security considerations
- Cannot access cases or evidence - minimal privacy risk
- Audit logs may reveal investigation targets (still sensitive)
- Safe role for external auditors and oversight
- Ensures accountability and proper program governance
- Critical for demonstrating RBAC controls to regulators
- Helps prevent insider threats within the insider risk team