Configure Adaptive Protection
Permissions for Adaptive Protection
If you're using built-in role groups for insider risk management and DLP, you might need to update permissions for administrators, analysts, and investigators in your organization.
Here's a table that describes the permissions required for Adaptive Protection tasks:
| Task | Required role group |
|---|---|
| Configure Adaptive Protection and update settings | Insider Risk Management or Insider Risk Management Admins |
| Create and manage DLP policies with the Adaptive Protection condition | Select either Compliance Administrator, Compliance Data Administrator, DLP Compliance Management, or Global Administrator |
| View details on users' assigned risk levels | Insider Risk Management, Insider Risk Management Analysts, or Insider Risk Management Investigators |
The three rows in the table correspond to the following tabs on the Adaptive Protection page: Risk levels for Adaptive Protection, Users assigned risk levels, and DLP policies. If you aren't a member of a role group that covers a task, the corresponding tab doesn't appear on the Adaptive Protection page.
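Before handing out tasks, confirm who actually sits in these role groups. The following script is an added example (not part of the original page) that audits a single account against the role groups in the table using Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account can read role groups, and that `$Upn` is a placeholder for the account you want to check. "Global Administrator" is a Microsoft Entra role rather than a Purview role group, so it is not resolved here.

```powershell
# Added example, not the page's own script. Assumptions: ExchangeOnlineManagement
# module is installed; Connect-IPPSSession succeeds; $Upn is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$Upn = 'analyst@contoso.example'   # placeholder: account to check

# Task -> role groups, taken from the permissions table above.
$Tasks = [ordered]@{
    'Configure Adaptive Protection and update settings' =
        @('Insider Risk Management', 'Insider Risk Management Admins')
    'Create and manage DLP policies with the Adaptive Protection condition' =
        @('Compliance Administrator', 'Compliance Data Administrator', 'DLP Compliance Management')
    "View details on users' assigned risk levels" =
        @('Insider Risk Management', 'Insider Risk Management Analysts', 'Insider Risk Management Investigators')
}

# Resolve each role group's direct members once. Nested groups are NOT expanded,
# so membership through a security group will show up as the group's name, not the UPN.
# Which identity properties the member objects expose varies by tenant, so several
# candidate properties are collected (assumption: at least one of them carries the UPN).
$IdProps = 'PrimarySmtpAddress', 'WindowsLiveID', 'Name', 'DisplayName'
$Members = @{}
foreach ($Group in ($Tasks.Values | ForEach-Object { $_ } | Sort-Object -Unique)) {
    try {
        $Members[$Group] = @(
            Get-RoleGroupMember -Identity $Group | ForEach-Object {
                $m = $_
                foreach ($p in $IdProps) {
                    if ($m.PSObject.Properties[$p] -and $m.$p) { [string]$m.$p }
                }
            }
        )
    } catch {
        Write-Warning "Could not read role group '$Group': $($_.Exception.Message)"
        $Members[$Group] = @()
    }
}

# One row per task: which of the qualifying groups the account is in, and the verdict.
foreach ($Task in $Tasks.Keys) {
    $In = @($Tasks[$Task] | Where-Object { $Members[$_] -contains $Upn })
    [pscustomobject]@{
        Task          = $Task
        MemberOf      = ($In -join ', ')
        CanPerformTask = ($In.Count -gt 0)
    }
} | Format-Table -AutoSize
```

Run it once per administrator, analyst, and investigator you expect to work with Adaptive Protection; any task that reports `CanPerformTask = False` explains a missing tab on the Adaptive Protection page. Because `Get-RoleGroupMember` returns direct members only, a `False` for someone who is granted access through a nested security group is a limitation of the check, not necessarily of their permissions.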
Configure Adaptive Protection
Depending on the needs of your organization and how far you've already configured insider risk management and DLP, you have two options to get started with Adaptive Protection:
- Quick setup
- Custom setup
Quick setup
The quick setup option is the fastest way to get started with Adaptive Protection. With this option, you don't need any preexisting insider risk management or DLP policies. You also don't need to preconfigure any settings or features.
Select Turn on Adaptive Protection from the Adaptive Protection cards on the compliance portal home page or DLP overview pages to get started. You can also get started by going to Insider risk management > Adaptive Protection > Dashboard > Quick setup. If you're already a scoped admin for Microsoft Purview, you can't turn on quick setup.
Here's what is configured when you use the quick setup process for Adaptive Protection:
| Area | Configuration |
|---|---|
| Insider risk settings (if not already configured) | - Privacy: Show anonymized versions of user names<br>- Policy timeframes: Defaults<br>- Policy indicators: A subset of Office indicators (you can view them in insider risk management settings)<br>- Risk score boosters: All<br>- Intelligent detections: Alert volume = Default volume<br>- Analytics: On<br>- Admin notifications: Send a notification email to all when the first alert is generated |
| Insider risk settings (if already configured) | - Policy indicators: Office indicators not already configured (you can view them in insider risk management settings)<br>- All other previously configured settings aren't updated or changed<br>- Analytics: On (thresholds for triggering events in policies are the default settings determined by Analytics recommendations) |
| A new insider risk policy | - Policy template: Data leaks<br>- Policy name: Adaptive Protection policy for Insider Risk Management<br>- Policy scope for users and groups: All users and groups<br>- Priority content: None<br>- Triggering events: Selected exfiltration events (you can view them in insider risk management settings)<br>- Policy indicators: A subset of Office indicators (you can view them in insider risk management settings)<br>- Risk score boosters: Activity is above the user's usual activity for that day |
| Adaptive Protection risk levels | - Elevated risk level: Users must have at least three high severity exfiltration sequences<br>- Moderate risk level: Users must have at least two high severity activities (excluding some types of downloads)<br>- Minor risk level: Users must have at least one high severity activity (excluding some types of downloads) |
| Two new DLP policies | Adaptive Protection policy for Endpoint DLP:<br>- Elevated risk level rule: Blocked<br>- Moderate/Minor risk level rule: Audit<br>- Policy starts in test mode (audit only)<br><br>Adaptive Protection policy for Teams and Exchange DLP:<br>- Elevated risk level rule: Blocked<br>- Moderate/Minor risk level rules: Audit<br>- Policy starts in test mode (audit only) |
It might take up to 72 hours for the quick setup process to complete. The process includes completing analytics and creating the insider risk management policy and the DLP policies. After it completes, you can expect to see Adaptive Protection risk levels and DLP actions applied to applicable user activity. Administrators receive a notification email once the quick setup process is complete.
Custom setup
The custom setup option allows you to customize the insider risk management policy, the risk levels, and the DLP policies configured for Adaptive Protection. This option also allows you to configure these items before enabling the Adaptive Protection connections between insider risk management and DLP. Most organizations with existing insider risk management policies and/or DLP policies should use this option.
Complete the following steps to configure Adaptive Protection using the custom setup:
1. Create an insider risk management policy
If you don't want to use an existing insider risk management policy, you must create a new insider risk management policy. Your insider risk management policy for Adaptive Protection should include:
- Users whose activity you want to detect. Choose either all users and groups in your organization or just a subset for specific risk mitigation scenarios or testing purposes.
- Activities you consider risky and custom thresholds that influence an activity's risk score. Risky activities might include emailing people outside your organization or copying files to USB devices.
2. Configure risk level settings
Select the Risk levels for Adaptive Protection tab and select the insider risk management policy you want to use for Adaptive Protection. You can either select the new policy you created in Step 1 or an existing policy you've already configured.
3. Configure Adaptive Protection per solution
Adaptive Protection dynamically adjusts security controls across multiple solutions. Configure the solutions where you want risk-based enforcement:
To automatically adjust DLP policies based on risk levels:
- Navigate to Microsoft Purview > Solutions > Data Loss Prevention > Policies.
- Create a new DLP policy or edit an existing one.
- Add the condition: User's risk level for Adaptive Protection.
- Define actions per risk level:
  - Elevated risk: Block actions (for example, prevent file sharing).
  - Moderate risk: Allow override with justification.
  - Minor risk: Provide policy tips.
- Save the policy and monitor enforcement.
To enable Data Lifecycle Management retention for high-risk users:
Navigate to Microsoft Purview > Settings > Adaptive Protection, and turn on Adaptive Protection for Data Lifecycle Management to apply extended retention to high-risk users automatically.
To set up Conditional Access for high-risk users:
- Navigate to Microsoft Entra > Protection > Conditional Access > Policies.
- Select New policy and give it a descriptive name (for example, "Block access for elevated risk users").
- Configure Users, Target resources, and Network as needed for your scenario.
- Under Conditions, select Insider risk.
- In the Insider risk pane on the right, set the Configure toggle to Yes and select the risk level(s) the policy applies to.
- Select the Access controls that match the risk level the policy targets.
- Configure Session controls if necessary.
- Set Enable policy to Report-only, On, or Off, then select Create to create the Conditional Access policy.
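The same policy can be created through Microsoft Graph instead of the portal, which is useful when you want the definition under source control. The following is an added example (not part of the original page) that builds the "Block access for elevated risk users" policy in report-only mode. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account has the `Policy.ReadWrite.ConditionalAccess` permission, that `$BreakGlassId` is a placeholder object ID for an emergency-access account, and that the tenant's Graph endpoint exposes the `insiderRiskLevels` property on Conditional Access conditions.

```powershell
# Added example, not the page's own script. Assumptions: Microsoft.Graph.Authentication
# is installed; the account has Policy.ReadWrite.ConditionalAccess; $BreakGlassId is a
# placeholder; conditions.insiderRiskLevels is accepted by the tenant's Graph endpoint
# (if v1.0 rejects it, switch the URIs below to the beta endpoint).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account to exclude

$Policy = @{
    displayName = 'Block access for elevated risk users'
    # Report-only first: sign-in logs show what WOULD be blocked before anything is enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @('All') }
        # Insider risk condition from Adaptive Protection. Values: minor, moderate, elevated;
        # combine several as a comma-separated string, e.g. 'moderate,elevated'.
        insiderRiskLevels = 'elevated'
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$Base = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

$Created = Invoke-MgGraphRequest -Method POST -Uri $Base `
    -Body ($Policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created policy $($Created.id) in state $($Created.state)"

# Read the policy back and confirm the insider risk condition was stored as intended.
$Stored = Invoke-MgGraphRequest -Method GET -Uri "$Base/$($Created.id)"
if ($Stored.conditions.insiderRiskLevels -ne 'elevated') {
    throw "Unexpected insiderRiskLevels: $($Stored.conditions.insiderRiskLevels)"
}
"Insider risk condition: $($Stored.conditions.insiderRiskLevels)"

# When report-only results look right, flip the state to enforce the policy:
# Invoke-MgGraphRequest -Method PATCH -Uri "$Base/$($Created.id)" `
#     -Body (@{ state = 'enabled' } | ConvertTo-Json) -ContentType 'application/json'
```

Keeping the emergency-access account in `excludeUsers` matters here: a risk level is assigned by insider risk management, not by the administrator, so a policy that blocks "All" users without an exclusion can lock out the account you would use to fix it. Leave the policy in report-only mode until the sign-in logs show only the users you expect being matched by the insider risk condition.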
4. Turn on adaptive protection
To enable Adaptive Protection, select the Adaptive Protection settings tab and toggle Enable Adaptive Protection to On. It might take up to 36 hours before you can expect to see Adaptive Protection risk levels and DLP actions applied to applicable user activities.
For more information on custom setup for Adaptive Protection, see Configure Adaptive Protection.