Insider Risk & Communication Compliance
Not all threats come from outside. Insider Risk catches suspicious behaviour patterns. Communication Compliance monitors messages for policy violations. Both are essential for Copilot-era governance.
Two tools, two threats
Think of an office with security cameras and a content moderator.
Insider Risk is the security camera system that watches BEHAVIOUR — “this person is downloading an unusual number of files” or “this person just copied 500 documents to USB the day before they resigned.” It primarily watches behaviour patterns and actions, often using content context like sensitivity labels to assess risk.
Communication Compliance is the content moderator — it reads MESSAGES in Teams and Outlook looking for policy violations: harassment, discriminatory language, sharing of confidential information in inappropriate channels, or regulatory breaches.
One watches what people DO. The other watches what people SAY.
Insider Risk Management
What it detects
| Risk Category | Signals | Example |
|---|---|---|
| Data theft by departing employees | Resignation + unusual file downloads | Employee submits notice, then downloads 2,000 files over 3 days |
| Data leaks | Sensitive files shared externally or to personal accounts | Confidential spreadsheet shared to personal Gmail |
| Security policy violations | Circumventing DLP, disabling security features | User turns off device encryption to transfer files |
| Risky AI usage | Sensitive prompts to Copilot or external AI tools | Employee pastes customer PII into an external chatbot |
How it works
- Policies define what to watch for (data theft, leaks, security violations)
- Signals are collected from M365 services (SharePoint, OneDrive, Teams, Exchange, endpoints)
- Alerts fire when user activity matches risk patterns
- Cases are created for investigation — with timeline of all related activities
- Actions can be taken: escalate to HR, refer to legal, adjust permissions
Adaptive Protection — Insider Risk meets DLP
Adaptive Protection is a powerful integration between Insider Risk and DLP:
When a user is flagged as “elevated risk” by Insider Risk (e.g., they’ve been downloading unusual amounts of data), DLP policies automatically become stricter for that user — blocking actions that would normally just trigger a warning.
Example: Normal users get “warn” when emailing externally. High-risk users get “block.”
This means protection adapts to the user’s behaviour — no manual intervention needed.
Exam tip: If a question mentions “automatically adjusting DLP strictness based on user risk” → the answer is Adaptive Protection.
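The chain described above, a resignation followed by unusual downloads raising a user's risk level and that level tightening DLP, sketched as an added illustration. It is not Purview's scoring logic or code from the original page; the events are constructed, and the 7-day window, the 10x spike factor and the names `risk_level` and `dlp_action_for` are assumptions.

```python
from datetime import date, timedelta
from statistics import median

# Constructed audit events: (day, user, activity, file_count). Not real Purview data.
EVENTS = [
    (date(2024, 5, 1), "dana", "download", 20),
    (date(2024, 5, 2), "dana", "download", 25),
    (date(2024, 5, 3), "dana", "download", 15),
    (date(2024, 5, 6), "dana", "resignation", 0),
    (date(2024, 5, 7), "dana", "download", 700),
    (date(2024, 5, 8), "dana", "download", 650),
    (date(2024, 5, 1), "lee", "download", 30),
    (date(2024, 5, 2), "lee", "download", 40),
    (date(2024, 5, 7), "lee", "download", 900),   # spike, but no resignation
    (date(2024, 5, 1), "sam", "download", 10),
    (date(2024, 5, 2), "sam", "download", 12),
    (date(2024, 5, 6), "sam", "resignation", 0),
    (date(2024, 5, 7), "sam", "download", 14),    # resigned, activity unchanged
]

WINDOW = timedelta(days=7)   # assumed look-ahead after the resignation
SPIKE_FACTOR = 10            # assumed: 10x the user's own baseline counts as unusual
# DLP rule for emailing externally, per the page: normal users warn, high-risk block.
DLP_ACTION = {"normal": "warn", "elevated": "block"}


def risk_level(user, events=EVENTS):
    """Return 'elevated' when a resignation is followed by a download spike."""
    mine = [e for e in events if e[1] == user]
    triggers = [day for day, _, act, _ in mine if act == "resignation"]
    if not triggers:
        return "normal"   # this model only covers the departing-employee pattern
    trigger = min(triggers)
    before = [n for day, _, act, n in mine if act == "download" and day < trigger]
    after = [n for day, _, act, n in mine
             if act == "download" and trigger <= day <= trigger + WINDOW]
    if not before or not after:
        return "normal"   # no baseline or no later activity to compare
    return "elevated" if max(after) >= SPIKE_FACTOR * median(before) else "normal"


def dlp_action_for(user, events=EVENTS):
    """Adaptive Protection step: the DLP action follows the user's risk level."""
    return DLP_ACTION[risk_level(user, events)]
```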
Communication Compliance
What it monitors
| Policy Type | What It Catches | Example |
|---|---|---|
| Regulatory compliance | Financial or healthcare regulation violations | Insider trading language, HIPAA breaches |
| Code of conduct | Harassment, discrimination, threats | Bullying in Teams messages |
| Sensitive information | Confidential data shared in messages | Sharing passwords or account numbers in chat |
| Conflict of interest | Inappropriate communications | Employee discussing deals with a competitor |
How it works
- Policies define what to scan (Teams, Outlook, third-party) and what to look for
- Detection uses keywords, regex, trainable classifiers, and sensitive info types
- Alerts fire when content matches a policy
- Review — compliance officers review flagged messages in context
- Actions — resolve, escalate, tag for investigation, or remediate
Scenario: Clearfield Council monitors workplace conduct
Officer Patel sets up Communication Compliance:
Policy 1: Anti-harassment
- Scans: Teams messages + Outlook emails
- Detects: Trainable classifier for “harassment” + keyword list for slurs
- Action: Alert Officer Patel for review
Policy 2: Sensitive data in chat
- Scans: Teams messages
- Detects: Credit card numbers, citizen ID patterns
- Action: Alert compliance reviewer for manual review and remediation
First month results: 12 alerts fired. 8 were genuine policy violations (staff sharing citizen IDs in Teams instead of secure channels). 4 were false positives (the word “discrimination” used in a policy discussion context; the classifier was then tuned).
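A sketch of the kind of detection Policy 2 relies on: a regex finds candidate values, a checksum filters out look-alikes, and the alert carries a masked match for the reviewer. This is an added example, not Purview's sensitive info type definitions or code from the original page; the messages are constructed, and the `CID-` citizen ID format and all function names are hypothetical.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical citizen ID format for this example only: "CID-" plus 8 digits.
CITIZEN_ID_RE = re.compile(r"\bCID-\d{8}\b")


def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the alert does not re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(messages):
    """Return alerts as (message_id, info_type, masked_match) for reviewer triage."""
    alerts = []
    for msg_id, text in messages:
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                alerts.append((msg_id, "credit_card", mask(digits)))
        for m in CITIZEN_ID_RE.finditer(text):
            alerts.append((msg_id, "citizen_id", mask(m.group())))
    return alerts


# Constructed Teams-style messages (not real data).
MESSAGES = [
    (1, "Card for the refund is 4111 1111 1111 1111, please process today"),
    (2, "Ticket ref 1234 5678 9012 3456 is still open"),   # fails Luhn: no alert
    (3, "Resident CID-20481537 called about the rates notice"),
    (4, "Lunch at 12?"),
]
```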
Insider Risk vs Communication Compliance
| Feature | Insider Risk | Communication Compliance |
|---|---|---|
| What it watches | User BEHAVIOUR (actions, patterns) | Message CONTENT (words, data) |
| Detects | Unusual downloads, data theft, policy circumvention | Harassment, regulatory violations, sensitive data in messages |
| Signals from | SharePoint, OneDrive, Teams, Exchange, endpoints | Teams messages, Outlook emails, third-party platforms |
| Uses | Behavioural analytics, correlation, timelines | Keywords, classifiers, sensitive info types, regex |
| Investigated by | Security/HR team | Compliance/legal team |
Insider Risk & Communication Compliance — AB-900 Module 14
Knowledge Check
An employee at Northwave submitted their resignation last week. Over the following 5 days, they downloaded 3,000 files from the company SharePoint to their personal device. Which Purview tool would detect this?
Clearfield Council's compliance team discovers that multiple staff members have been using discriminatory language in Teams channels. Officer Patel needs to set up monitoring to detect and review these messages. Which Purview tool should she configure?
Next up: DSPM for AI & Data Lifecycle — governing how AI tools use your data, and managing how long data lives.