Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
From defining risk levels to setting up mitigation actions in data loss prevention (DLP) or conditional access policies, Adaptive Protection is highly configurable. How you configure your risk levels and your policies that use the Adaptive Protection condition depends on your organization’s security posture and your willingness to disrupt the end user experience for users in your organization.
This configuration is our recommendation for organizations that want to minimize false positives and potential disruptions to users.
Adaptive Protection settings | Elevated | Moderate | Minor |
---|---|---|---|
Risk level configuration | Confirmed alert of any severity for a user | High severity alert generated for a user | Low or medium severity alert generated for a user |
Data loss prevention
Teams and Exchange configuration
With this configuration, your organization creates two DLP policies for the Teams and Exchange locations: one for elevated risk users and one for moderate and minor risk users.
Elevated risk users are blocked from sharing content on Teams and Exchange with people outside your organization. Moderate and minor risk users have their attempts to share content externally on Teams and Exchange audited. Users at all risk levels receive an email notification that their attempt to share content externally conflicts with your organization's policy.
These configurations can be modified to fit your organization’s security posture and policies. Policy tips aren't currently supported for Adaptive Protection in DLP.
DLP policy element | Elevated | Moderate |
---|---|---|
Conditions | Insider risk level for Adaptive Protection is Elevated Risk AND Content is shared from Microsoft 365 with people outside my organization | Insider risk level for Adaptive Protection is Moderate Risk AND Content is shared from Microsoft 365 with people outside my organization |
Actions | Restrict access or encrypt the content in Microsoft 365 locations: Block only people outside your organization | None |
User notification | On: Notify the user who sent, shared, or last modified the content | On: Notify the user who sent, shared, or last modified the content |
User override | Off | Off |
Incident reports | On: Severity level Low; Send an alert every time an activity matches the rule | On: Severity level Low; Send an alert every time an activity matches the rule |
Additional options | Off | Off |
Status | Run the policy in simulation mode; Policy tips not selected | Run the policy in simulation mode; Policy tips not selected |
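To make the interaction between the risk-level mapping and the two Teams/Exchange policies concrete, here is an added model (not Microsoft code) of the recommended configuration above. It assumes a simplified alert stream per user and leaves the endpoint policies out; it shows that a confirmed low-severity alert lands a user in the Elevated (blocking) policy while an unconfirmed high-severity alert only lands in the audited one, and that nothing is enforced while the policy runs in simulation mode.

```python
from dataclasses import dataclass

ELEVATED, MODERATE, MINOR = "Elevated", "Moderate", "Minor"

@dataclass
class Alert:
    severity: str            # "low", "medium" or "high" (constructed sample values)
    confirmed: bool = False  # an analyst confirmed the alert

def risk_level(alerts):
    """Recommended mapping from the table above: any confirmed alert -> Elevated;
    an unconfirmed high severity alert -> Moderate; unconfirmed low or medium
    severity -> Minor; no alerts -> no risk level (policies do not apply)."""
    if any(a.confirmed for a in alerts):
        return ELEVATED
    if any(a.severity == "high" for a in alerts):
        return MODERATE
    if any(a.severity in ("low", "medium") for a in alerts):
        return MINOR
    return None

@dataclass
class ShareEvent:
    location: str   # "Teams" or "Exchange"
    external: bool  # content shared with people outside the organization

@dataclass
class Outcome:
    matched: bool
    action: str = "none"       # "block", "audit" or "none"
    notify_user: bool = False  # email notification to the sharing user
    alert_severity: str = ""   # incident report severity
    enforced: bool = False     # False while the policy runs in simulation mode

def evaluate_teams_exchange(alerts, event, simulation_mode=True):
    """Apply the recommended Teams/Exchange DLP policies to one share event.
    Both policies only match external sharing; Elevated blocks, Moderate and
    Minor (the second policy) audit, and every match notifies the user and
    raises a low-severity incident alert."""
    level = risk_level(alerts)
    if level is None or event.location not in ("Teams", "Exchange") or not event.external:
        return Outcome(matched=False)
    action = "block" if level == ELEVATED else "audit"
    return Outcome(matched=True, action=action, notify_user=True,
                   alert_severity="Low", enforced=not simulation_mode)
```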
Endpoint configuration
With this configuration, your organization creates two policies for devices: one for elevated risk users and one for moderate and minor risk users.
Elevated risk users are blocked from uploading to restricted cloud service domains or accessing content from unallowed browsers; from copying content to the clipboard, removable USB devices, and network shares; from printing content that matches the policy conditions; and from accessing content with restricted apps. For moderate and minor risk users, all of these activities are audited.
DLP policy element | Elevated | Moderate |
---|---|---|
Conditions | Insider risk level for Adaptive Protection is Elevated Risk AND File type is Word processing, Spreadsheet, Presentation, Archive, or Mail | Insider risk level for Adaptive Protection is Moderate Risk or Minor Risk AND Content is shared from Microsoft 365 with people outside my organization |
Actions | Audit or restrict activities on devices: Upload to a restricted cloud service domain or access from unallowed browsers (Block); File activities for all apps, apply restrictions to specific activity: Copy to clipboard (Block), Copy to removable USB device (Block), Copy to network share (Block), Print (Block); Restricted app activities: Access by restricted apps (Block) | Audit or restrict activities on devices: Upload to a restricted cloud service domain or access from unallowed browsers (Audit); File activities for all apps, apply restrictions to specific activity: Copy to clipboard (Audit), Copy to removable USB device (Audit), Copy to network share (Audit), Print (Audit); Restricted app activities: Access by restricted apps (Audit) |
User notification | Off | Off |
User override | Off | Off |
Incident reports | On: Severity level Low; Send an alert every time an activity matches the rule | On: Severity level Low; Send an alert every time an activity matches the rule |
Additional options | Off | Off |
Status | Run the policy in simulation mode; Policy tips not selected | Run the policy in simulation mode; Policy tips not selected |
Insider Risk Management
Conditional access policy configuration
We recommend creating the following Conditional Access policies with the Insider risk condition when configuring Adaptive Protection, to minimize disruption to user productivity while still providing protection from risky users.
Elevated
For elevated risk users, we recommend minimizing potential impact by taking a multipronged approach to limit how they can access sensitive data. Depending on your organization's risk posture, you might configure any combination of these policies.
- Block from Office 365 Apps: When used with the Insider risk condition, this configuration blocks elevated risk users from logging into Office 365 apps.
- Block access to specific labeled sites: When used with the Conditional Access Insider risk condition, this configuration not only blocks elevated risk users from accessing those SharePoint sites, it also prevents Copilot from generating content grounded on those sites. Using the authentication context in Conditional Access, this configuration helps limit how risky users can exploit access to sensitive information through generative AI.
- Block downloads using Conditional Access application control: Prevent data exfiltration by using the Insider risk condition with this configuration to block elevated risk users from downloading from specific cloud applications. This configuration might be useful for organizations that do not want to block access to cloud apps entirely but still want to apply additional controls to elevated risk users.
Moderate
- Require Terms of Use at sign-in to Microsoft Admin Portals: Use the Insider risk condition in Conditional Access with a Terms of Use requirement to remind moderate risk users of their security and privacy commitments while preserving productivity.
Minor
Get Conditional Access insights for minor risk users while protecting their productivity: a policy with the Insider risk condition in report-only mode provides increased visibility into minor risk users without affecting what they can do.