Create an Insider Risk Management Policy Demo

In this course, you will learn what Insider Risk Management policies are, what they do, and how to create and manage them.

Learning Objectives

  • Effectively create and manage Insider Risk Management policies in Microsoft 365

Intended Audience

  • IT professionals who are interested in earning Microsoft 365 certification
  • Those who may find themselves working with Insider Risk Management policies

Prerequisites

  • Have at least a basic understanding of Microsoft 365 and Insider Risk Management

Hello and welcome back. What we're going to do in this demonstration here is walk through the process of creating a new Insider Risk Management Policy. Now, this is done through the Microsoft 365 compliance center and that's what I'm logged into here as the global admin for my organization. Now to create this policy, what we're going to do in the left pane here is browse into Insider Risk Management. Then from here, we can look at an overview of our Insider Risk Management environment or we can go into the policy section. Now from this policy section, this is where we'll actually create the policy. Notice it shows any existing policy warnings, any recommendations, and any healthy policies. We don't have any policies created yet, so let's go ahead and create a policy. And when we do that, we have an option here to select different templates from within different categories. Now, these templates will sometimes require certain prerequisites.

For example, this data theft by departing users within the data theft category requires some optional prerequisites. For example, we can have an optional prerequisite here to configure an HR data connector that's configured to import resignations and terminations for users within the organization. Because, again, we're looking for data theft by departing users, so that HR data connector would allow Microsoft 365 to see those departing users. We can also detect activity on devices, assuming we have those devices onboarded into the compliance center, or we can use a physical badging connector. We don't have any of this here; it's just a lab environment. But if we scroll down, now notice, remember these are optional. Now, some of the triggering events here can be either the HR connector, which is actually recommended but we don't have a data connector, or user accounts being deleted from Azure AD, which I do have.

So, we fit the prerequisites here for this particular policy template. Now, if I selected data leaks under categories, we'd see these other templates appear along with their prerequisites and triggering events. The triggering events obviously are those events that cause this to trigger an event or generate an alert based on our settings. If we select data leaks by priority users, which is in preview, or data leaks by disgruntled users, we can see all the information about these particular templates. Now, if we go to security policy violations, all of these templates here require Microsoft Defender for Endpoint, which I don't have for this particular tenant. And the same thing here: if we go into health record misuse, again it shows the available templates. In this case here, we have the general health record misuse. For this exercise here, we'll just go to data theft and we'll select the data theft by departing users template. So, what we'll do here is we'll click 'Next' and then we'll just give this a policy name, and I'm just going to call this MyPolicy. And the description here is optional, so I'll be lazy and just leave it blank.

Go ahead and next it. Now on this page here, we get to choose the users or groups within the organization we want to apply the policy to. We can either apply to all users and groups or we can include specific users and groups. What we'll do here, just so I can demonstrate its functionality, is add a user, and we'll target Lester Murphy. So, now this policy will only apply to Lester Murphy, so go ahead and next it here. And remember I mentioned that you can prioritize content; this is where you can do it. And you'll notice here, it tells you what's going on here. It says here that when you specify content as a priority, what it does is it increases the risk score for any associated activity, which in turn increases the chances of generating a high-severity alert. Now it also tells you here that some activities aren't going to generate an alert unless the related content contains built-in or custom sensitive info types, or if it was specified as a priority on this page. What we're going to do here is turn off this priority content; we're not worried about specifying priority content at this point.

We'll go ahead and next it, and then it's triggers for the policy. Now you'll notice here, we get a notice for the HR data connector events that we don't have an HR connector, which we already know. So, that's why we can't select this first option. The second option though, the one about user accounts deleted from AD, we're not going to be able to use this one either, because remember we only selected Lester Murphy. When using the user account deleted from Azure AD trigger, the policy has to have all users associated with the policy. You have to actually enable the policy for all users and all mail-enabled groups, and that's what this is telling me here. So, what we can do is click the link here to enable the policy for all users and mail-enabled groups, and what we're going to do is remove Lester Murphy and do all users and groups. And then we'll next it. Again, we'll keep the priority turned off, and now you'll see we can enable this trigger for this policy. So, we'll go ahead and next it through.

And then on this page, we need to specify the policy indicators that are going to be used to generate alerts for the activity detected by this policy template. Now, you'll notice many of these indicators are greyed out: the office indicators, the device indicators, physical access, Microsoft Defender for Cloud indicators, all these are disabled. Now we do have sequence detection enabled, cumulative exfiltration detection, and then even our risk score boosters are disabled, and that's because if we scroll up here, we can see that we got a notice that if we are unable to select some of these indicators, it's because they're turned off in the organization. We can make them available for selection by turning them on. And we can either turn them all on or we can choose indicators to turn on. So, what I'll do is I'll choose indicators to turn on, and we'll just enable sharing SharePoint files with people outside the organization. Then we'll leave the rest of these actually enabled. So, we'll save it, and now we can select what we need to enable as our indicators for this policy.

So, now that we have our office indicators selected here, let's scroll down. And you'll notice here under sequence detection, detecting sequences that include download, obfuscate, exfiltrate, delete, archive, and downgrade requires us to also select the related indicators above. If we click 'Learn more' here, this tells us which indicators we also have to select if we're going to select these sequence detections. For this exercise here, we're just going to turn these off, because if we don't, we're going to get an error on the next page here. So, we'll go ahead and next this. We'll use the default thresholds for all indicators. Now we could specify custom thresholds, but for this exercise we'll use the defaults. We'll next through, and now we can review our settings. If we're happy with what we've got here, we can go ahead and click 'Submit', and what this does is create the new policy. Now you'll notice here, you do get a warning that tells us that it may take up to 24 hours before policy matches start showing up on the alerts tab, so keep that in mind. So, with that, we'll click 'Done', and we now have our first Insider Risk Management policy created.


About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skill set that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.