Microsoft Entra recommendation: Enable Microsoft Purview Adaptive Protection and the Insider Risk condition in Conditional Access

Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to protect your tenant by enabling the Insider Risk condition in Conditional Access paired with Microsoft Purview Adaptive Protection. This recommendation is called insiderRiskPolicy in the recommendations API in Microsoft Graph.

Description

Adaptive Protection dynamically assigns appropriate Data Loss Prevention (DLP) policies to users based on the risk levels defined and analyzed by the machine learning models in insider risk management. With this new capability, static DLP policies become adaptive based on user context. The most effective policy, such as blocking data sharing, is applied only to high-risk users while low-risk users can maintain productivity.

These risk signals, when integrated with Conditional Access policies, allow administrators to take appropriate actions for each risk level. Configuring Conditional Access policies with insider risk allows organizations to respond effectively to changing threat landscapes.

Value

Implementing a Conditional Access policy that blocks access to resources for high-risk internal users is a high priority because of its critical role in proactively enhancing security, mitigating insider threats, and safeguarding sensitive data in real time.

Action plan

  1. Enable Adaptive Protection in Microsoft Purview.

    • You must be a member of the Insider Risk Management or Insider Risk Management Admins role group in Microsoft Purview to configure Adaptive Protection.
    • For information, see Roles and role groups for Microsoft Purview.
  2. Create a Conditional Access policy that includes the Insider Risk condition.
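
One way to verify step 2 once it is done, as an added example that is not Microsoft's code: the script classifies Conditional Access policies, as exported from Microsoft Graph, by whether they actually block access for high-risk internal users. It assumes the `insiderRiskLevels` condition value `elevated` marks high-risk users; the function names and the sample policies are constructed for illustration.

```python
# Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
# resource; SAMPLE_POLICIES is constructed data, not output from a real tenant.
HIGH_RISK = "elevated"  # assumption: insiderRiskLevels value for high-risk users

def insider_risk_levels(policy):
    """Return the policy's insider risk levels as a set of lowercase names."""
    raw = (policy.get("conditions") or {}).get("insiderRiskLevels") or []
    # Assumption: the value may be a comma-separated string or a list; accept both.
    parts = raw.split(",") if isinstance(raw, str) else raw
    return {p.strip().lower() for p in parts if p.strip()}

def classify(policy):
    """Classify one policy against 'block access for high-risk internal users'."""
    if HIGH_RISK not in insider_risk_levels(policy):
        return "no-condition"
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in [c.lower() for c in controls]:
        return "not-blocking"
    # Report-only policies log what they would do but do not enforce it.
    states = {"enabled": "enforced", "enabledForReportingButNotEnforced": "report-only"}
    return states.get(policy.get("state"), "disabled")

def audit(policies):
    """Group policy display names by classification."""
    result = {}
    for policy in policies:
        result.setdefault(classify(policy), []).append(policy.get("displayName", "?"))
    return result

SAMPLE_POLICIES = [
    {"displayName": "Block elevated insider risk", "state": "enabled",
     "conditions": {"insiderRiskLevels": "elevated"},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Pilot: block moderate+", "state": "enabledForReportingButNotEnforced",
     "conditions": {"insiderRiskLevels": "moderate,elevated"},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "MFA for elevated", "state": "enabled",
     "conditions": {"insiderRiskLevels": ["elevated"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"insiderRiskLevels": None},
     "grantControls": {"builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE_POLICIES).items():
        print(f"{status}: {names}")
```

A tenant whose audit has no entry under `enforced` has the condition configured at most in report-only, disabled, or non-blocking form.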
