![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 84%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENJ%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Purview
A unified data governance solution that helps manage, protect, and discover data across your organization
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 49%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
Hi Nitin Jain,
Based on the screenshots, the Insider Risk Management policy configuration itself appears correct. Since no alerts were generated even after testing and waiting more than 24 hours, the issue is most likely related to IRM prerequisite configuration rather than the policy conditions.
In many cases, this happens when the required Insider Risk Management permissions or role assignments are missing, or when the IRM onboarding steps were not fully completed.
Please verify the following:
Unified Audit Logging is enabled
The test user is included within the policy scope
The required Insider Risk Management roles are assigned
Licensing requirements are satisfied
Sufficient time has been allowed for backend policy propagation and telemetry ingestion (sometimes 24–48 hours)
The required permissions and onboarding steps are documented here:
Configure Insider Risk Management prerequisites
After the permissions were configured correctly, this type of issue is typically resolved and alerts begin generating normally.
Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.