Insider risk management in Microsoft 365

Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and take action on risky activities in your organization. Custom policies allow you to detect and take action on malicious and inadvertent risk activities in your organization, including escalating cases to Microsoft Advanced eDiscovery if needed. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.

Watch the video below to learn how insider risk management can help your organization prevent, detect, and contain risks while prioritizing your organization values, culture, and employee experience:

Modern risk pain points

Managing and minimizing risk in your organization starts with understanding the types of risks found in the modern workplace. Some risks are driven by external events and factors and are outside direct control. Other risks are driven by internal events and employee activities that can be eliminated and avoided. Some examples are risks from illegal, inappropriate, unauthorized, or unethical behavior and actions by employees and managers. These behaviors include a broad range of internal risks from employees:

  • Leaks of sensitive data and data spillage
  • Confidentiality violations
  • Intellectual property (IP) theft
  • Fraud
  • Insider trading
  • Regulatory compliance violations

Employees in the modern workplace have access to create, manage, and share data across a broad spectrum of platforms and services. In most cases, organizations have limited resources and tools to identify and mitigate organization-wide risks while also meeting employee privacy standards.

Insider risk management in Microsoft 365 uses the full breadth of service and 3rd-party indicators to help you quickly identify, triage, and take action on risk activity. By using logs from Microsoft 365 and Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators. These policies allow you to identify risky activities and to take action to mitigate these risks.

Insider risk management is centered around the following principles:

  • Transparency: Balance employee privacy versus organization risk with privacy-by-design architecture.
  • Configurable: Configurable policies based on industry, geographical, and business groups.
  • Integrated: Integrated workflow across Microsoft 365 compliance solutions.
  • Actionable: Provides insights to enable employee notifications, data investigations, and employee investigations.


Insider risk management helps you identify, investigate, and take action to address internal risks in your organization. With focused policy templates, comprehensive activity signaling across the Microsoft 365 service, and a flexible workflow, you can use actionable insights to quickly identify and resolve risky behavior.

Identifying and resolving internal risk activities and compliance issues with insider risk management in Microsoft 365 uses the following workflow:

Insider risk management workflow


Insider risk management policies are created using pre-defined templates and policy conditions that define what risk indicators are examined in Microsoft 365 feature areas. These conditions include how indicators are used for alerts, what users are included in the policy, which services are prioritized, and the monitoring time period.

You can select from the following policy templates to quickly get started with insider risk management:

  • Departing employee data theft
  • Data leaks
  • Offensive language in email

For more information, see Insider risk management policies.

Insider risk management policy dashboard


Alerts are automatically generated by risk indicators that match policy conditions and are displayed in the Alerts dashboard. This dashboard enables a quick view of all alerts needing review, open alerts over time, and alert statistics for your organization. All policy alerts are displayed with associated information to help you quickly identify the current status of existing alerts and new alerts that need action:

  • Status
  • Severity
  • Time detected
  • Case
  • Case status

For more information, see Insider risk management alerts.

Insider risk management alert dashboard


New activities that need investigation automatically generate alerts that are assigned a Needs review status. Reviewers can quickly identify these alerts and scroll through each to evaluate and triage.

Alerts are resolved by opening a new case, assigning the alert to an existing case, or dismissing the alert. Using alert filters, it's easy to quickly identify alerts by status, severity, or time detected. As part of the triage process, reviewers can view alert details for the policy match, view user activity associated with the match, see the severity of the alert, and review user profile information.

Insider risk management triage


Cases are created for alerts that require deeper review and investigation of the details and circumstances around the policy match. The Case dashboard provides an all-up view of all active cases, open cases over time, and case statistics for your organization. Reviewers can quickly filter cases by status, the date the case was opened, and the date the case was last updated.

Selecting a case on the case dashboard opens the case for investigation and review. This step is the heart of the insider risk management workflow. This area is where risk activity indicators, policy conditions, alerts details, and employee details are synthesized into an integrated view for reviewers. The primary investigation tools in this area are:

  • User activity: User activity is automatically displayed in an interactive chart that plots risk activities over time and by risk level for current or past risk activities. Reviewers can quickly filter and view the entire risk history for the employee and drill into specific activities for more details.
  • Content Explorer: All data files and email messages associated with alert risk activities are automatically captured and displayed in the Content Explorer. Reviewers can filter and view files and messages by data source, file type, tags, conversation, and many more attributes.
  • Case notes: Reviewers provide notes for a case in the Case Notes section. This list consolidates all notes in a central view and include reviewer and date submitted information.

For more information, see Insider risk management cases.

Insider risk management investigation


After cases are investigated, reviewers can quickly take action to resolve the case or collaborate with other risk stakeholders in your organization. When employees accidentally or inadvertently violate policy conditions, a simple reminder notice can be sent to the employee from notice templates you can configure for your organization. These notices may serve as simple reminders or may direct the employee to refresher training or guidance to help prevent future risky behavior. For more information, see Insider risk management notice templates.

In the most serious situations, you may need to share the insider risk management case information with other reviewers in your organization. Insider risk management is tightly integrated with other Microsoft 365 compliance features to help you with end-to-end risk resolution. Escalating a case for investigation allows you to transfer data and management of the case to Advanced eDiscovery in Microsoft 365. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It allows legal teams to manage the entire legal hold notification workflow. To learn more about Advanced eDiscovery cases, see Overview of Advanced eDiscovery in Microsoft 365.


Insider risk management can help you detect, investigate, and take action to mitigate internal risks in your organization in several common scenarios:

Data theft by departing employee

When employees leave an organization, either voluntarily or as the result of termination, there is often legitimate concerns that company, customer, and employee data are at risk. Employees may innocently assume that project data isn't proprietary or they may be tempted to take company data for personal gain and in violation of company policy and legal standards. Insider risk management policies that use the Departing employee data theft policy template automatically detect activities typically associated with this type of theft. With this policy, you'll automatically receive alerts for suspicious activities associated with departing employees theft so you can take appropriate investigative actions. Configuring a Microsoft 365 HR Connector for your organization is required for this policy template.

Intentional or unintentional leak of sensitive or confidential information

In most cases, employees try their best to properly handle sensitive or confidential information. But occasionally employees make mistakes and information is accidentally shared outside your organization or in violation of your information protection policies. Sometimes employees may intentionally leak or share sensitive and confidential information with malicious intent and for potential personal gain. Insider risk management policies created using the Data leaks policy template automatically detect activities typically associated with sharing sensitive or confidential information. Configuring at least one Microsoft 365 Data Loss Protection (DLP) policy for your organization is required for this policy template.

Actions and behaviors that violate corporate policies

Employee-to-employee communications are often a source of inadvertent or malicious violations of corporate policies. These violations can include offensive language, threats, and cyber-bullying between employees. This type of activity contributes to a hostile work environment and can result in legal actions against both employees and the larger organization. Insider risk management uses new built-in Microsoft 365 classifiers and the Offensive language in email policy template. These classifiers and templates enable the quick configuration of a policy to automatically detect and alert you of this kind of behavior.

Ready to get started?