Scoring User Activity with an Insider Risk Management Policy Demo

In this course, you will learn what Insider Risk Management policies are, what they do, and how to create and manage them.

Learning Objectives

  • Effectively create and manage Insider Risk Management policies in Microsoft 365

Intended Audience

  • IT professionals who are interested in earning Microsoft 365 certification
  • Those who may find themselves working with Insider Risk Management policies


Prerequisites

  • Have at least a basic understanding of Microsoft 365 and Insider Risk Management

Hello and welcome back. So, what we're going to do in this quick demo here is just walk through the process of manually scoring activity for users using our new Insider risk management policy. Now, on the screen here I'm logged into my Microsoft 365 compliance center. And I'm in Insider risk management and I'm looking at my policies here. We can see we have MyPolicy, and basically, to begin the scoring process, we just select 'start scoring activity for users' here. Now if we unselect MyPolicy, we can see that this option greys out. So, we'll select the policy, we'll close our warning here because we're not doing any badging. And we'll go ahead and start scoring activity. Now when we do this, what this is going to do is assign risk scores to our users based on the activity detected by our policy called MyPolicy. Since we're manually doing this, what this is going to do is bypass any of our triggering events.

So, on the scoring page here we have to provide some information. We have to specify the reason we're performing this scoring activity, we need to select the number of days we want to score the activity for, and we need to select the users we want to score the activity for. Now for the reason here I'm just going to put in your testing. And what we'll do, you should go from five all the way up to 30. We'll leave this at five and what we're going to do is score this for Lester Murphy. He's a user in our environment here. And once we provide this information, we simply click 'Start scoring activity'. And you'll notice here we get the green checkbox telling us that it's underway, but it does warn us here that it could take a few hours for the users to appear in the users tab. Now, once that happens, we can select the users from the tab and review the detected activities. Now we're not going to have anything happening here because Lester is not doing anything.

What we'll do here is we'll pause the video and we'll wait for Lester Murphy to show up so I can show you what it looks like once we've scored his activity. Okay, so welcome back. If you take a look on the screen now, you'll see some things changed. We see we no longer have any policy warnings and we now have two recommendations and we have three users in scope. Now what this means is the policy is updated or Microsoft 365 is updated to include our users from our Active Directory in our policy. So, all of our users in Azure AD are now in scope. Now we don't have a users tab showing up because we don't have any users that have generated any alerts. And to verify this, what we can do is select our policy, and if we look at the highlights here for the policy, we actually have two notices here. The first is that the policy hasn't generated any alerts and the second is still another reminder that physical badging data isn't being uploaded.

Again, this is because the badging is an optional prerequisite and we're not using badging here in our environment. Now, what I want to pay attention to here is this first notice though. It's telling us that the policy hasn't generated any alerts. It's telling us that the prerequisites for the policy have indeed been met and that the policy is assigning risk scores to user activity. However, there are no alerts being generated, and this is because if you go back to the actual policy, and we'll edit the policy here. An error there. Okay, this. What we're going to do is forward through to our triggers here. We have user accounts deleted, but we don't have any users trying to share SharePoint files or folders with people outside the organization. So, none of these triggers are going to generate any kind of alerts because that's not happening.

But what I wanted to do is just show you how you could begin the process of scoring users using a policy and doing that manually. And let's just cancel here. And that's what we did here. So, we can see that the policy now has our users from Azure AD in scope and we can see that it is meeting prerequisites, it is assigning risk scores. However, it's not generating any alerts because we don't have any users trying to steal any data. So, that's how you manually score activity for users.


About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.