Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
This article describes the limits in Microsoft Purview Insider Risk Management.
Global settings
| Item | Limit |
|---|---|
| Lookback period limits (Exchange Online). | 10 days |
| Lookback period limits for all other signals. | 90 days |
| Maximum number of items in each global exclusion list (Domains, SharePoint sites, File paths, Keywords, and File types). | 500 for each list |
| Maximum number of items in a detection group | 200 |
| Maximum number of custom indicators. | 10 |
| Maximum number of fields per custom indicator. | 20 |
| Maximum number of variants per indicator. | 3 |
| Maximum number of users that can be added to a priority user group. | 10,000 |
Triggers (per UTC calendar day)
| Item | Limit |
|---|---|
| User account deleted from Microsoft Entra ID | 15,000 |
| All signals collected through the HR connector | 15,000 |
| Custom indicators | 15,000 |
| All other triggers | 5,000 |
| Maximum trigger volume for an organization | 50,000 |
Note
Limitations are per individual trigger type.
Maximum number of users in scope for a policy template
| Template name | Limit |
|---|---|
| Data theft by departing users | 20,000 |
| Data leaks | 15,000 |
| Data leaks by priority users | 1,000 |
| Data leaks by risky users | 7,500 |
| Security policy violations | 1,000 |
| Patient data misuse (preview) | 5,000 |
| Risky AI usage | 10,000 |
| Risky browser usage (preview) | 7,000 |
| Security policy violations by departing users | 15,000 |
| Security policy violations by priority users | 1,000 |
| Security policy violations by risky users | 7,500 |
| Forensic evidence | Unlimited |
Note
There's no limit to the maximum number of users that you can add to a policy. The limit is for users in scope of a policy template (users brought in scope after a triggering event).
Other policy limits
| Item | Limit |
|---|---|
| Maximum number of policies that can be created per template type. | 100 |
| Maximum number of priority sites. | 50 |
| Maximum number of priority sensitivity labels. | 50 |
| Maximum number of priority sensitive info types. | 50 |
| Maximum number of priority file extensions. | 50 |
| Maximum number of priority trainable classifiers. | 5 |
Note
The number of in-scope users for a policy is displayed in the Users in scope column on the Policies tab.
Adaptive protection
| Item | Limit |
|---|---|
| Maximum number of users that can be scoped into a Data Loss Prevention (DLP) policy for each risk level. | 10,000 |
Manual user scoring
| Item | Limit |
|---|---|
| Maximum number of users that can be scored manually. | 4,000 |
Cases
| Item | Limit |
|---|---|
| Maximum number of active cases. | 100 |
Exporting
| Item | Limit |
|---|---|
| Maximum number of users that can be exported from the Users page. | 1,000 |
| Maximum number of alerts that can be exported from the Alerts page. | 1,000 |
| Maximum number of logs that can be exported to a CSV file from Activity explorer. | 100,000 |
Retention limits for alerts, cases, and associated artifacts
As Insider Risk Management alerts age, their value to minimize potentially risky activity diminishes for most organizations. Conversely, active cases and associated artifacts (alerts, insights, activities) are always valuable to organizations and shouldn't have an automatic expiration date. This includes all future alerts and artifacts in an active status for any user associated with an active case.
To help minimize the number of older items that provide limited current value, the following retention limits apply for Insider Risk Management alerts, cases, and user reports:
| Item | Retention period |
|---|---|
| Alerts with Needs review or Dismissed status | 120 days from alert creation, then automatically deleted. |
| Active cases (and associated artifacts) | Indefinite retention, never expire. |
| Resolved cases (and associated artifacts) | 120 days from case resolution, then automatically deleted. |
| User activities reports | 120 days from report creation, then automatically deleted. |
Connectors
| Item | Limit |
|---|---|
| Maximum number of records in the JSON file processed by the API | 50,000 |