Insider Risk Management
Threats do not always come from outside. Insider Risk Management detects risky behaviour from employees, contractors, and partners — while protecting user privacy by design.
What is insider risk?
Imagine a hotel where you worry about break-ins from outside. But what about the staff member who copies room keys?
Insider risk is about the threat from people who already have the keys — employees, contractors, partners. They already have access. They already know where the valuable data lives. And if they decide to steal it, leak it, or misuse it, traditional perimeter security will not stop them because they are already inside.
It is not always malicious. Sometimes an employee accidentally shares a confidential file with the wrong person. The risk is real either way.
Types of insider risk
Not all insider threats look the same. Here are the most common patterns:
| Type | What it looks like | Example |
|---|---|---|
| Data theft by departing employees | An employee who has resigned starts downloading large volumes of files | A nurse at MedGuard copies patient lists to a USB drive during their notice period |
| Data leaks | Sensitive data is shared outside the organisation, accidentally or intentionally | A contractor emails a spreadsheet of patient data to a personal Gmail account |
| Security policy violations | Users bypass security controls or violate acceptable use policies | An employee disables encryption on their device to install unauthorised software |
| IP theft | Intellectual property is copied or transferred before departure | A researcher downloads proprietary clinical trial data before joining a competitor |
| Patient data misuse (healthcare) | Access to patient records without a legitimate medical reason | A staff member looks up a celebrity patient’s records out of curiosity |
How Insider Risk Management works
Microsoft Purview Insider Risk Management follows a pipeline: signals come in, the system detects patterns, and compliance teams investigate.
The five-stage workflow
| Stage | What happens | Example at MedGuard |
|---|---|---|
| 1. Policy configuration | Admins select a policy template and define triggers and thresholds | Nadia enables the “departing employee data theft” template |
| 2. Signal ingestion | The system collects signals from across the environment | HR connector sends a resignation notice; DLP detects unusual file downloads |
| 3. Alert generation | When signals match policy thresholds, the system generates an alert | Alert: “User downloaded 200 patient files in 2 hours after submitting resignation” |
| 4. Triage and investigation | Compliance analysts review alerts, confirm or dismiss, escalate to cases | Nadia’s team reviews the alert, sees the pattern is genuine, opens a case |
| 5. Action | Remediation steps — notify the user, restrict access, escalate to legal or HR | Nadia’s team restricts the user’s access and notifies HR and legal |
Where the signals come from
Insider Risk Management does not work alone. It ingests signals from multiple sources:
- Microsoft 365 activity — file downloads, email forwarding, SharePoint access patterns
- DLP policy matches — when Data Loss Prevention detects sensitive content being shared
- HR connector — resignation notifications, termination dates, performance improvement plans
- Defender for Endpoint — USB device usage, printing activity, access to sensitive file paths
- Microsoft Entra ID — sign-in anomalies, impossible travel, risky sign-ins
Scenario: departing employee at MedGuard
A senior nurse at MedGuard submits their resignation. The HR connector sends the departure signal to Insider Risk Management.
Over the next two weeks, the system notices:
- The nurse downloads 350 patient records from SharePoint (normally they access 10-15 per day)
- They copy files to a personal OneDrive (detected by DLP)
- They email a ZIP file to an external address
Each action alone might be normal. But the combination — triggered by the departure signal — generates a high-severity alert. Nadia’s team investigates and finds the nurse was copying patient lists to take to a competitor clinic.
Key point: Insider Risk detects patterns, not single events. The departure signal is what activated the policy and made the system pay attention.
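The correlation the scenario describes, written out as an added example (not Microsoft Purview's own code): a constructed signal feed for the departing nurse, a policy shaped like the departing-employee template, and an evaluator that activates only on the HR resignation signal and then scores activity in the following window. The signal names, user ids, timestamps, the 14-day window and the "5x normal daily rate" threshold are all assumptions made for the illustration.

```python
"""Signal correlation for the departing-employee scenario.

Added illustration, not Microsoft Purview code: it models the page's
pipeline (trigger -> signals -> alert) over a constructed signal feed.
Signal names, thresholds and the policy shape are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed signal feed: (timestamp, user id, source, event, detail).
# Sources mirror the page's list: HR connector, Microsoft 365 activity, DLP.
SIGNALS = [
    ("2024-03-01T09:00", "u-4471", "hr",   "resignation",    {"last_day": "2024-03-15"}),
    ("2024-03-02T10:15", "u-4471", "m365", "file_download",  {"count": 120, "site": "PatientRecords"}),
    ("2024-03-04T14:30", "u-4471", "m365", "file_download",  {"count": 230, "site": "PatientRecords"}),
    ("2024-03-06T11:05", "u-4471", "dlp",  "policy_match",   {"destination": "personal OneDrive"}),
    ("2024-03-08T16:45", "u-4471", "m365", "email_external", {"attachment": "lists.zip"}),
    # Same bulk download by a user with no departure trigger: the policy never activates.
    ("2024-03-03T09:30", "u-9020", "m365", "file_download",  {"count": 400, "site": "PatientRecords"}),
    # Activity before the trigger is outside the observation window.
    ("2024-02-20T09:30", "u-4471", "m365", "email_external", {"attachment": "rota.xlsx"}),
]

# Constructed policy, shaped like the "departing employee data theft" template:
# the HR departure signal activates it, then activity is scored for a window.
POLICY = {
    "name": "Departing employee data theft (constructed)",
    "trigger": ("hr", "resignation"),
    "window_days": 14,
    "normal_downloads_per_day": 15,   # page: the nurse normally accesses 10-15 per day
    "download_multiplier": 5,         # unusual = more than 5x the normal daily rate (assumption)
}

SEVERITY = {1: "low", 2: "medium", 3: "high"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def evaluate(signals, policy):
    """Stages 2-3: group signals by user, activate on the trigger, score the window."""
    by_user = defaultdict(list)
    for ts, user, source, event, detail in signals:
        by_user[user].append((_parse(ts), source, event, detail))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        triggers = [e for e in events if (e[1], e[2]) == policy["trigger"]]
        if not triggers:
            continue  # no departure signal: the policy is not active for this user
        start = triggers[0][0]
        end = start + timedelta(days=policy["window_days"])
        window = [e for e in events if start < e[0] <= end]

        indicators = []
        downloads = sum(d.get("count", 0) for _, _, ev, d in window if ev == "file_download")
        limit = policy["normal_downloads_per_day"] * policy["download_multiplier"]
        if downloads > limit:
            indicators.append(f"downloaded {downloads} files after resignation (limit {limit})")
        if any(ev == "policy_match" for _, _, ev, _ in window):
            indicators.append("DLP match: data copied to an unmanaged location")
        if any(ev == "email_external" and d.get("attachment") for _, _, ev, d in window):
            indicators.append("attachment emailed to an external address")

        if indicators:
            alerts.append({
                "policy": policy["name"],
                "user": user,
                "severity": SEVERITY[min(len(indicators), 3)],
                "indicators": indicators,
                "window": (start.date().isoformat(), end.date().isoformat()),
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SIGNALS, POLICY):
        print(alert["severity"].upper(), alert["user"], alert["policy"])
        for line in alert["indicators"]:
            print("  -", line)
```

Running it produces one high-severity alert for `u-4471` (350 downloads, a DLP match and an external attachment inside the window) and nothing for `u-9020`, whose larger single download is never scored because no departure signal activated the policy for that user. That is the "patterns, not single events" point in code: the trigger decides who is observed, and severity comes from how many independent indicators line up.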
Policy templates
Nadia does not build policies from scratch. Microsoft Purview provides templates designed for common scenarios:
| Template | What it detects |
|---|---|
| Departing employee data theft | Unusual data activity by users flagged as departing (requires HR connector) |
| Data leaks | Sensitive data shared outside the organisation or with unauthorised users |
| Security policy violations | Users bypassing security controls, disabling protections, or installing risky software |
| Patient data misuse | Unauthorised access to patient records (healthcare-specific template) |
| Data leaks by priority users | Focused monitoring on high-risk roles (executives, users with access to trade secrets) |
Exam tip: Insider Risk detects patterns, not content
A common exam trap: Insider Risk Management does not read the content of emails or messages by default. It does not scan what people write.
Instead, it detects patterns of behaviour — downloading unusual volumes of files, copying data to USB, emailing large attachments externally. The distinction matters:
- Insider Risk Management = behavioural patterns
- Communication Compliance = content scanning (harassment, regulatory language)
If the exam asks about monitoring communications for inappropriate language, the answer is Communication Compliance, not Insider Risk.
Privacy by design
Insider Risk Management is built with employee privacy in mind. This is critical for the exam — and for real-world trust.
| Privacy feature | What it does |
|---|---|
| Pseudonymisation | User names are anonymised by default. Investigators see “User A” and “User B,” not real names. Admins must explicitly enable name resolution. |
| Role-based access | Only users in the Insider Risk Management role group can view alerts and cases. IT admins, HR, and other teams cannot see this data unless granted specific access. |
| Audit logs | Every action taken in the Insider Risk Management portal is logged — who viewed what, who escalated what, who dismissed what. |
| Policy scoping | Policies can target specific user groups rather than the entire organisation, minimising surveillance scope. |
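The four privacy features in the table, modelled as an added example (not Purview code): a keyed hash turns a user id into a stable "User XXXX" label, every portal action checks the caller's role, every action (including denied ones) lands in an audit list, and a scope set limits which users the policy watches at all. Name resolution is off until an admin turns it on, matching the table's "admins must explicitly enable" note. The role names, key, directory entries and alert record are constructed for the illustration.

```python
"""Pseudonymised alert views with role-gated name resolution and an audit trail.

Added illustration, not Microsoft Purview code: it models the four privacy
features in the table above. Role names, the directory, the key and the
alert record are constructed assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed tenant state. The key only needs to be secret to the service;
# it makes the pseudonym stable per user but not reversible from the label.
PSEUDONYM_KEY = b"constructed-demo-key"
DIRECTORY = {"u-4471": "A. Nurse (constructed)", "u-9020": "B. Clerk (constructed)"}
POLICY_SCOPE = {"u-4471"}            # policy scoping: only these users are monitored
SETTINGS = {"anonymise": True}       # pseudonymisation is on by default
AUDIT = []                           # every portal action is recorded here

# Constructed role names standing in for the Insider Risk Management role group.
ANALYST, INVESTIGATOR, ADMIN = "IRM-Analyst", "IRM-Investigator", "IRM-Admin"
CAN_VIEW = {ANALYST, INVESTIGATOR, ADMIN}


def pseudonym(user_id):
    """Keyed hash -> short stable label, the page's "User A" / "User B" idea."""
    tag = hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:6]
    return f"User {tag.upper()}"


def _audit(actor, action, **fields):
    AUDIT.append({"at": datetime.now(timezone.utc).isoformat(),
                  "actor": actor, "action": action, **fields})


def _require(roles, allowed, actor, action):
    """Role check for every action; a refusal is itself an audit event."""
    if not set(roles) & allowed:
        _audit(actor, action, outcome="denied")
        raise PermissionError(f"{actor} lacks a role permitted to {action}")


def in_scope(user_id):
    return user_id in POLICY_SCOPE


def set_anonymisation(actor, roles, enabled):
    """Only an admin can switch name resolution on; the change itself is audited."""
    _require(roles, {ADMIN}, actor, "set_anonymisation")
    SETTINGS["anonymise"] = enabled
    _audit(actor, "set_anonymisation", enabled=enabled)


def view_alert(alert, actor, roles):
    """Return the alert as the portal would show it to this actor."""
    _require(roles, CAN_VIEW, actor, "view_alert")
    shown = dict(alert)
    shown["user"] = pseudonym(alert["user"]) if SETTINGS["anonymise"] else DIRECTORY[alert["user"]]
    _audit(actor, "view_alert", alert_id=alert["id"], user_shown=shown["user"])
    return shown


def dismiss_alert(alert, actor, roles, reason):
    _require(roles, {INVESTIGATOR, ADMIN}, actor, "dismiss_alert")
    _audit(actor, "dismiss_alert", alert_id=alert["id"], reason=reason)
    return {**alert, "status": "dismissed"}


# Constructed alert, the kind the departing-employee scenario produces.
ALERT = {"id": "A-1", "user": "u-4471", "severity": "high", "status": "open"}

if __name__ == "__main__":
    print(view_alert(ALERT, "nadia", [INVESTIGATOR])["user"])   # pseudonym only
    try:
        view_alert(ALERT, "hr-partner", ["HR"])                  # HR has no IRM role
    except PermissionError as err:
        print("denied:", err)
    set_anonymisation("tenant-admin", [ADMIN], False)           # admin enables name resolution
    print(view_alert(ALERT, "nadia", [INVESTIGATOR])["user"])   # real name now shown
    for entry in AUDIT:
        print(entry["actor"], entry["action"],
              {k: v for k, v in entry.items() if k not in ("at", "actor", "action")})
```

The keyed hash is chosen over a plain counter so the same user gets the same label across alerts and cases (an investigator can still correlate), while nobody holding only the label can walk back to the identity. Keeping the denied attempts in the audit list is deliberate: the question "who tried to look at this case" is as useful to a privacy review as "who did".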
Communication Compliance: the related tool
Communication Compliance is separate from Insider Risk Management, but they are often tested together:
| Feature | Insider Risk Management | Communication Compliance |
|---|---|---|
| What it monitors | Behavioural patterns — file activity, data movement, access anomalies | Content of communications — emails, Teams messages, chats |
| What it detects | Data theft, data leaks, security violations, risky behaviour sequences | Harassment, discrimination, regulatory violations, insider trading language |
| How it works | Analyses activity signals and correlates patterns across time | Scans message content against policy rules and classifiers |
| Privacy approach | Pseudonymised users, does not read content by default | Reviews actual message content (with role-based access controls) |
| Primary audience | Compliance and security teams | Compliance, HR, and legal teams |
Insider Risk Management — SC-900 Module 6
Knowledge check
A senior employee at MedGuard submits their resignation. Over the next week, they download 500 patient records — far above their normal daily activity. Which Microsoft Purview solution would detect this pattern?
Nadia's compliance team investigates an insider risk alert. They see the user identified as 'User 7' rather than by name. Why?
Alex at SecureBank needs to monitor whether employees are using language that could indicate insider trading in their Teams messages. Which solution should Alex configure?