SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types
  • Custom Sensitive Info Types: Build Your Own
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection
  • Sensitivity Labels: Create & Protect
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

Domain 3: Manage Risks, Alerts, and Activities (~14 min read)

Insider Risk: Foundations & Setup

The biggest threats often come from inside. Set up Microsoft Purview Insider Risk Management: roles, connectors, Defender for Endpoint integration, and the global settings that enable detection before damage happens.

What is Insider Risk Management?

☕ Simple explanation

Every security system focuses on keeping bad people OUT. But what about the threat from people already INSIDE?

An employee who copies customer data before leaving. A contractor who emails trade secrets to a competitor. A frustrated worker who deletes critical files. These are insider threats, and traditional perimeter security cannot stop them because these people already have the keys.

Microsoft Purview Insider Risk Management watches for patterns of risky behaviour by correlating signals from across Microsoft 365 (unusual file downloads, abnormal email patterns, data exfiltration attempts) and generates alerts for investigation. Crucially, it protects user privacy through pseudonymisation until an investigation is formally opened.

Insider Risk Management (IRM) in Microsoft Purview uses machine learning and signal correlation to detect potentially risky activities by users within your organisation. It ingests signals from Microsoft 365 activities, HR connectors, Microsoft Defender for Endpoint, and third-party systems to identify patterns indicating data theft, data leaks, security violations, or policy breaches.

IRM operates with a privacy-by-design approach: user identities are pseudonymised in alerts and reports by default, role-based access controls restrict who can view user details, and audit logs track all investigator actions. The system generates alerts, enables triage and investigation workflows, and supports case management for formal investigations.

Roles and permissions

Insider Risk Management uses strict role-based access to protect user privacy:

| Role group                            | What it can do                                                                       |
|---------------------------------------|--------------------------------------------------------------------------------------|
| Insider Risk Management               | Full access: configure policies, view alerts, investigate cases, manage settings     |
| Insider Risk Management Admins        | Configure settings and policies, but cannot view alerts or cases                     |
| Insider Risk Management Analysts      | View and triage alerts, but cannot view user-identifying information (pseudonymised) |
| Insider Risk Management Investigators | View alerts AND user details, manage cases, take action                              |
| Insider Risk Management Approvers     | Approve forensic evidence capture requests                                           |

Separation of duties

The role structure enforces separation between administration and investigation:

  • Admins configure the system but cannot see investigation data
  • Analysts triage alerts but see pseudonymised names (User1, User2)
  • Investigators see real identities but only for escalated cases
  • Approvers are a separate check for invasive evidence collection

💡 Exam tip: pseudonymisation by default

The exam tests privacy controls in Insider Risk Management. Key facts:

  • User identities are pseudonymised by default: analysts see “User1”, not “John Smith”
  • Only users in the Insider Risk Management Investigators role see real identities
  • Pseudonymisation can be turned off globally, but Microsoft recommends keeping it on
  • All investigator actions are logged in the audit log for accountability

Connectors: feeding signals into IRM

IRM needs data from multiple sources to detect patterns:

| Connector                       | What signals it provides                                        | Why it matters                                                                                                             |
|---------------------------------|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| HR connector                    | Employee departure dates, performance plans, terminations       | Departing employees are the #1 data theft risk; the HR signal is critical for the “departing employee” policy template |
| Microsoft Defender for Endpoint | Device activities: USB usage, printing, application access      | Endpoint signals detect physical data exfiltration (USB copies, printing sensitive docs)                                    |
| Healthcare connector            | Patient record access patterns                                  | Detects inappropriate access to patient data (curiosity browsing)                                                          |
| Physical badging connector      | Building access logs                                            | Unusual after-hours access to secure areas                                                                                 |
| Third-party connectors          | Custom data sources via API                                     | Integrate with SIEM, HRIS, or other security tools                                                                         |

Setting up the HR connector

The HR connector is the most important for exam purposes:

  1. Prepare a CSV file with columns: EmailAddress, ResignationDate, LastWorkingDay, EffectiveDate
  2. Create the connector in the Purview portal → Settings → Connectors
  3. Schedule uploads β€” automate CSV delivery on a regular basis
  4. Validate β€” ensure the connector is receiving and processing data
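
As an added example (not code from the guide or from Microsoft), a Python pre-upload check for the CSV from step 1: it verifies the four column names the guide lists, the email addresses, the date format, and that LastWorkingDay is not earlier than ResignationDate, so bad rows are caught before the scheduled upload rather than silently starving the departing-employee policy. The YYYY-MM-DD format, the ordering rule and the sample rows are assumptions, not connector requirements stated on the page.

```python
import csv
import io
import re
from datetime import datetime

# The four columns the guide lists for the HR connector upload.
REQUIRED_COLUMNS = ["EmailAddress", "ResignationDate", "LastWorkingDay", "EffectiveDate"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_date(value):
    """Return a date for a YYYY-MM-DD string (assumed format), or None if malformed."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None

def validate_hr_csv(text):
    """Return (valid_rows, errors) for an HR connector CSV; one error string per rejected row."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], ["header is missing required column(s): " + ", ".join(missing)]
    valid, errors = [], []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        email = row["EmailAddress"].strip().lower()
        if not EMAIL_RE.match(email):
            errors.append(f"line {n}: invalid EmailAddress {row['EmailAddress']!r}")
            continue
        resigned = parse_date(row["ResignationDate"])
        last_day = parse_date(row["LastWorkingDay"])
        effective = parse_date(row["EffectiveDate"])
        if None in (resigned, last_day, effective):
            errors.append(f"line {n}: dates must be YYYY-MM-DD for {email}")
            continue
        # A last working day before the resignation date is a data-entry error;
        # the departing-employee policy would watch the wrong activity window.
        if last_day < resigned:
            errors.append(f"line {n}: LastWorkingDay precedes ResignationDate for {email}")
            continue
        valid.append({"EmailAddress": email, "ResignationDate": resigned,
                      "LastWorkingDay": last_day, "EffectiveDate": effective})
    return valid, errors

# Constructed sample upload (fictitious users); rows 3 and 4 are deliberately bad.
SAMPLE_CSV = """EmailAddress,ResignationDate,LastWorkingDay,EffectiveDate
ana.perez@example.com,2025-03-01,2025-03-28,2025-03-01
not-an-email,2025-03-01,2025-03-28,2025-03-01
ben.li@example.com,2025-04-10,2025-04-01,2025-04-10
"""
```

Calling validate_hr_csv(SAMPLE_CSV) returns one usable row and two error strings; wire it into whatever job produces the scheduled upload so a rejected file never reaches the connector.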

💡 Scenario: Zara sets up IRM at Atlas Global

Atlas Global has 15,000 employees across 40 countries. Zara’s setup:

  1. HR connector: Automated CSV from the HRIS system (resignation dates, performance plans)
  2. Defender for Endpoint: Already deployed on managed devices, so signals flow automatically
  3. Roles: Zara → IRM Admin. Two compliance investigators → IRM Investigators. Three HR analysts → IRM Analysts (pseudonymised view)
  4. Privacy: Pseudonymisation ON. Investigators must request approval to view real identities.
  5. Settings: Analytics enabled in test mode for 30 days to establish baseline activity patterns before creating policies.

Global settings

Before creating policies, configure global IRM settings:

| Setting                | What it controls                                                                          |
|------------------------|-------------------------------------------------------------------------------------------|
| Privacy                | Pseudonymisation on/off for usernames in alerts                                           |
| Policy indicators      | Which activities IRM monitors (configured globally; policies select which to use)         |
| Policy timeframes      | How far back to look (activation window: 5-30 days)                                       |
| Intelligent detections | File type exclusions, volume thresholds, anomaly sensitivity                              |
| Export alerts          | Integration with SIEM via Office 365 Management API                                       |
| Priority user groups   | Users who receive extra scrutiny (executives, people with access to sensitive data)       |
| Power Automate flows   | Automated workflows triggered by IRM alerts                                               |
| Analytics              | Pre-policy analytics that show potential risk patterns before any policy is created       |

Analytics (pre-policy scanning)

Before creating your first policy, enable analytics to scan your tenant for potential risk patterns. This 48-hour scan reveals:

  • How many users show departing employee patterns
  • Volume of abnormal file activity
  • Potential data theft indicators

This helps you prioritise which policies to create first and set realistic thresholds.

Question

What is the role difference between Insider Risk Management Analysts and Investigators?


Answer

Analysts can view and triage alerts but see pseudonymised user names (User1, User2). Investigators can view alerts AND real user identities, manage cases, and take action. This separation protects user privacy: only escalated cases reveal real identities.


Question

Why is the HR connector the most important data source for Insider Risk Management?


Answer

The HR connector provides employee departure signals (resignation dates, termination dates, performance plans). Departing employees are the #1 data theft risk. Without the HR connector, the 'Departing employee data theft' policy template, the most commonly used template, cannot function effectively.


Question

What does the IRM analytics feature do, and when should you use it?


Answer

Analytics runs a 48-hour pre-policy scan of your tenant to identify potential risk patterns: departing employees, abnormal file activity, data theft indicators. Use it BEFORE creating your first policy to understand your risk baseline and set realistic thresholds.


Knowledge Check

Zara at Atlas Global wants an HR team member to triage Insider Risk alerts but not see the real names of flagged employees. Which role should she assign?

Knowledge Check

Dr. Liam wants to detect when departing employees at St. Harbour Health download patient records. He has configured an Insider Risk policy using the 'Data theft by departing users' template, but no alerts are being generated for employees who have submitted resignations. What is the most likely issue?


Next up: Insider Risk: Policies & Indicators, which covers choosing the right policy template, configuring indicators, and creating policies that detect real threats.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.