Microsoft Purview · Purview Agents (Preview)
Data Security IRM Triage Agent
Role group intended exclusively for the non-interactive Insider Risk Management Triage Agent identity to triage and remediate insider risk alerts.
Scope: Insider risk alert triage automation for all IRM policy types
Permissions
- Insider Risk Management Analysis - Access insider risk alerts, cases, and notice templates
- Insider Risk Management Investigation - Access alerts, cases, notice templates, and Content Explorer
- Purview Copilot Workspace Contributor - Access the Purview Copilot workspace
Common use cases
- Automating initial insider risk alert triage to reduce analyst workload
- Prioritizing high-severity insider threats for immediate investigation
- Reducing false positive fatigue for insider risk reviewers
- Providing consistent risk categorization across IRM policies
- Accelerating insider risk incident response and case creation
Best practices
- Use an agent identity when that option is available for the deployment
- Do not add human analysts to this role group
- Review triage accuracy regularly and adjust agent configuration
- Ensure investigators still review high-priority alerts manually
- Coordinate with IRM team for triage rule customization
- Monitor SCU consumption — high alert volumes increase costs
- Start with a subset of IRM policies before expanding scope
Security considerations
- Agent accesses insider risk alert data which may contain sensitive behavioral information
- IRM data is among the most sensitive in the organization — limit access carefully
- Triage categorizations should be verified by human analysts before escalation
- Monitor agent activity through audit logs for compliance
- Ensure IRM privacy settings align with agent data access
Common questions
When should I assign the Data Security IRM Triage Agent role?
Assign Data Security IRM Triage Agent when you need to: Automating initial insider risk alert triage to reduce analyst workload; Prioritizing high-severity insider threats for immediate investigation; Reducing false positive fatigue for insider risk reviewers; Providing consistent risk categorization across IRM policies; and Accelerating insider risk incident response and case creation. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Data Security IRM Triage Agent role do?
The Data Security IRM Triage Agent role grants permissions including: Insider Risk Management Analysis - Access insider risk alerts, cases, and notice templates; Insider Risk Management Investigation - Access alerts, cases, notice templates, and Content Explorer; and Purview Copilot Workspace Contributor - Access the Purview Copilot workspace. See the Permissions section above for the full list.
What are the security risks of the Data Security IRM Triage Agent role?
Key considerations when assigning Data Security IRM Triage Agent: Agent accesses insider risk alert data which may contain sensitive behavioral information; IRM data is among the most sensitive in the organization — limit access carefully; Triage categorizations should be verified by human analysts before escalation; and Monitor agent activity through audit logs for compliance. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.