Overview of Insider Risk Management Policies

In this course, you will learn what Insider Risk Management policies are, what they do, and how to create and manage them.

Learning Objectives

  • Effectively create and manage Insider Risk Management policies in Microsoft 365

Intended Audience

  • IT professionals who are interested in earning Microsoft 365 certification
  • Those who may find themselves working with Insider Risk Management policies


Prerequisites

  • Have at least a basic understanding of Microsoft 365 and Insider Risk Management

Hello and welcome to Insider Risk Management Policies. In this lesson here, I’m just gonna provide you with an overview of what insider risk management policies are used for and where they are managed. After we work through this lesson, we’ll dive into some demos.

So, as employees get more involved in creating, managing, and sharing data across multiple platforms and services, the risks of data theft by disgruntled employees and data leaks outside the organization grow.

Microsoft 365’s Insider risk management is designed to help organizations identify, triage, and act on risky user activity, through the use of Microsoft 365 logs and Microsoft Graph. It allows you to define specific policies to identify certain risk indicators – and once a risk has been identified, you can take action in order to mitigate the risk. 

Creating Insider risk management policies allows you to specify which users are in-scope and what kinds of risk indicators you want to be alerted on. For example, you can create a policy that applies to all users in the organization, or you can specify individual users or groups within a policy. 

When you create policies, you can set content priorities to focus the policy conditions that you define on multiple Microsoft Teams, specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. 

You can even use templates to create policies. This allows you to choose specific risk indicators and to customize event thresholds for policy indicators, which, in turn, allows you to essentially customize risk scores, the levels of alerts, and the frequency of alerts. 

Risk score boosters and anomaly detections can help you identify user activity that is of higher importance or more unusual. 

The table on your screen shows the triggering events for policies created from each insider risk management policy template:

Notice here that policies created from the Data theft by departing users template are triggered by a resignation or termination date indicator from an HR connector or by an Azure Active Directory account deletion.

Policies created from the “General data leaks” template are triggered by data leak policy activity that creates a High severity alert or by built-in exfiltration event triggers.

Now, I’m not gonna read each of these off to you, but I do encourage you to read through the list to familiarize yourself with them.

I should also mention that once you’ve specified a policy’s settings to target the whos and the whats, you can configure policy windows. Policy windows are used to specify the time frame to apply the policy to alert activities, and they are used to determine the duration of a policy, once it’s been activated.

To manage your policies, you use the Policy dashboard. You can use it to view your policies, along with the health of those policies. You can also use the dashboard to manually add users to policies and view the status of alerts associated with each policy.

The Policy Dashboard displays several columns. For example, the Policy name column shows the names assigned to each policy. The Status column displays the health status for each policy, which includes the number of policy warnings and recommendations for each policy. Active alerts shows the number of active alerts for each policy, while Confirmed alerts shows the total number of alerts generated by the policy in the last 365 days. In the Actions taken on alerts column, you’ll see the total number of alerts that were confirmed or dismissed for the last 365 days. And then, lastly, the Policy alert effectiveness column shows a percentage for each policy. This percentage is determined by dividing the total confirmed alerts by the total actions taken on alerts over the past year.

The image on your screen shows how this information is presented:
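To make the policy window idea and the dashboard column definitions above concrete, here is an added example (not part of the course, and not Microsoft's own code) that computes the Policy dashboard rows from a constructed list of alerts. It assumes each alert carries a policy name, a status of active, confirmed or dismissed, and the date it was generated; it models a policy window as an activation date plus a duration in days and counts only alerts generated inside that window; it reads "Confirmed alerts" as alerts an analyst confirmed within the last 365 days and "Actions taken" as confirmed plus dismissed alerts in that period, so that the effectiveness percentage is confirmed divided by actions taken, as the lesson describes. A policy with no actions yet gets no percentage rather than a division-by-zero error.

```python
"""
Added example: derive Policy dashboard metrics from constructed alert records.
All names, fields and sample data here are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LOOKBACK_DAYS = 365  # the dashboard's "last 365 days" period


@dataclass(frozen=True)
class Alert:
    policy: str
    status: str      # assumed values: "active", "confirmed" or "dismissed"
    generated: date


@dataclass(frozen=True)
class PolicyWindow:
    """Assumed model of a policy window: starts at activation, lasts duration_days."""
    activated: date
    duration_days: int

    def contains(self, day: date) -> bool:
        end = self.activated + timedelta(days=self.duration_days)
        return self.activated <= day < end


@dataclass(frozen=True)
class DashboardRow:
    policy: str
    active_alerts: int
    confirmed_alerts: int
    actions_taken: int
    effectiveness_pct: Optional[float]  # None when no action has been taken yet


def dashboard_row(policy: str, window: PolicyWindow,
                  alerts: list[Alert], today: date) -> DashboardRow:
    """Build one dashboard row for a policy from the alerts in its window."""
    cutoff = today - timedelta(days=LOOKBACK_DAYS)
    in_scope = [a for a in alerts
                if a.policy == policy and window.contains(a.generated)]
    recent = [a for a in in_scope if a.generated >= cutoff]

    active = sum(1 for a in in_scope if a.status == "active")
    confirmed = sum(1 for a in recent if a.status == "confirmed")
    dismissed = sum(1 for a in recent if a.status == "dismissed")
    actions = confirmed + dismissed
    # Policy alert effectiveness: confirmed alerts / actions taken, as a percentage
    effectiveness = round(100.0 * confirmed / actions, 1) if actions else None
    return DashboardRow(policy, active, confirmed, actions, effectiveness)


def build_dashboard(policies: dict[str, PolicyWindow],
                    alerts: list[Alert], today: date) -> dict[str, DashboardRow]:
    return {name: dashboard_row(name, window, alerts, today)
            for name, window in policies.items()}


# Constructed sample data (not real tenant data)
TODAY = date(2024, 6, 1)
POLICIES = {
    "Data theft by departing users": PolicyWindow(date(2023, 1, 1), 730),
    "General data leaks": PolicyWindow(date(2024, 3, 1), 180),
}
SAMPLE_ALERTS = [
    Alert("Data theft by departing users", "confirmed", date(2024, 5, 20)),
    Alert("Data theft by departing users", "confirmed", date(2024, 4, 2)),
    Alert("Data theft by departing users", "dismissed", date(2024, 2, 11)),
    Alert("Data theft by departing users", "active", date(2024, 5, 30)),
    # older than 365 days: inside the window but outside the lookback period
    Alert("Data theft by departing users", "confirmed", date(2023, 3, 5)),
    Alert("General data leaks", "active", date(2024, 5, 29)),
    # generated before the policy was activated: not in scope
    Alert("General data leaks", "active", date(2024, 2, 15)),
]

if __name__ == "__main__":
    for row in build_dashboard(POLICIES, SAMPLE_ALERTS, TODAY).values():
        pct = "n/a" if row.effectiveness_pct is None else f"{row.effectiveness_pct}%"
        print(f"{row.policy:32} active={row.active_alerts} "
              f"confirmed={row.confirmed_alerts} actions={row.actions_taken} "
              f"effectiveness={pct}")
```

Running the script prints one line per policy; the departing-users policy shows two confirmed alerts against three actions (66.7%), while the data-leaks policy shows an active alert but no effectiveness figure yet because nothing has been confirmed or dismissed.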

Join me in the upcoming demos, where I’ll show you how to create an Insider Risk Management Policy, how to update a policy, and how to score user activity with the policy.


About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.