Manage Adaptive Protection

Adaptive Protection in Microsoft Purview dynamically applies security controls based on user risk levels. By integrating with Data Loss Prevention (DLP), Data Lifecycle Management (DLM), and Conditional Access, it ensures that security policies automatically adjust as user behavior changes. This helps organizations mitigate risks without imposing unnecessary restrictions on low-risk users.

Understand Adaptive Protection

Once Adaptive Protection is enabled and Insider Risk Management policies are configured, administrators can view risk levels and review policy assignments. They can also manage security controls dynamically. The Dashboard in Adaptive Protection provides a centralized view of assigned risk levels and the policies in effect.

Dashboard overview

The Dashboard tab offers insights into users and policies linked to risk-based security enforcement:

  • Users assigned risk levels: Displays the number of users categorized as Elevated, Moderate, or Minor risk. Selecting View all users provides a detailed breakdown.
  • Policies using risk levels: Summarizes active security policies:
    • Conditional Access policies: Shows whether risk-based Conditional Access policies are enabled and their enforcement status.
    • DLP policies: Lists the number of DLP policies dynamically adjusting protections based on risk levels.
    • DLM retention policies: Displays policies extending data retention for high-risk users.
  • Quick setup: Guides administrators through policy configuration if Adaptive Protection isn't fully set up.

Manage user risk levels

The Users assigned risk levels tab provides a deeper look into individual risk assignments and the policies applied to each user.

  • User name: Displays usernames or anonymized names if anonymization is enabled in insider risk management settings.

  • Insider risk level: Indicates the current risk classification assigned to the user.

  • Assigned to user: Shows how long the user has retained the assigned risk level.

  • Risk level resets: Specifies when the risk level will reset automatically. Administrators can manually reset a user's risk level by selecting Expire.

  • Active alerts: Displays ongoing insider risk alerts for the user.

  • Cases confirmed as violation: Lists cases where violations have been verified.

    Screenshot showing the Users assigned insider risk levels tab in Adaptive Protection.

View user details

Selecting a user opens the Adaptive protection summary, which provides a detailed view of:

  • Insider risk level: Displays the user's current risk level, assignment date, and reset schedule.

  • DLP policies in scope: Lists DLP policies dynamically assigned based on risk classification.

  • DLM retention policies in scope: Shows any extended retention policies applied to the user.

  • Conditional Access policies in scope: Displays access control policies restricting access based on risk level.

  • Insider risk policies: Lists insider risk management policies governing the user's activity.

    Screenshot showing the user details for a user in Adaptive Protection.

Manage security policies

Data Loss Prevention (DLP) policies

The Data Loss Prevention tab lists all policies enforcing risk-based protections using Adaptive Protection. Each policy includes:

  • Policy name: The name of the DLP policy.
  • Policy state: Whether the policy is Active or Inactive.
  • Policy location: Locations covered, such as Exchange, Teams, or Devices.
  • Risk levels applied: The risk classifications that trigger the policy.
  • Policy status: Whether the policy is On or in Test with notifications mode.

Conditional Access policies

The Conditional Access tab provides an overview of policies enforcing access restrictions based on risk levels:

  • Policy name: The name of the Conditional Access policy.
  • Policy state: Indicates if the policy is Active or Inactive.
  • Insider risk levels: Lists which risk levels the policy applies to.
  • Policy status: Displays whether the policy is fully enforced or in test mode.
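The Data Loss Prevention and Conditional Access tabs both show policy state, risk levels, and policy status, so they can be reviewed together to find risk levels that no policy is actually enforcing. The following is an added example, not Microsoft code: the row format, policy names, and the "On" status label for Conditional Access are constructed for illustration and are not a Purview export format.

```python
# Constructed rows mirroring the columns of the Data Loss Prevention and
# Conditional Access tabs (assumed layout, not a Purview export format).
RISK_LEVELS = ("Elevated", "Moderate", "Minor")

SAMPLE_POLICIES = [
    {"type": "DLP", "name": "Block external sharing", "state": "Active",
     "risk_levels": ["Elevated"], "status": "On"},
    {"type": "DLP", "name": "Warn on USB copy", "state": "Active",
     "risk_levels": ["Moderate", "Minor"], "status": "Test with notifications"},
    {"type": "Conditional Access", "name": "Block elevated-risk sign-in",
     "state": "Inactive", "risk_levels": ["Elevated"], "status": "On"},
    {"type": "Conditional Access", "name": "Require terms of use",
     "state": "Active", "risk_levels": ["Moderate"], "status": "On"},
]

def is_enforcing(policy):
    """A policy applies its actions only when Active and not in test mode."""
    return policy["state"] == "Active" and policy["status"] == "On"

def coverage_by_level(policies):
    """Map each risk level to {control type: [enforcing policy names]}."""
    coverage = {level: {} for level in RISK_LEVELS}
    for p in policies:
        if not is_enforcing(p):
            continue
        for level in p["risk_levels"]:
            if level in coverage:  # ignore labels outside the three levels
                coverage[level].setdefault(p["type"], []).append(p["name"])
    return coverage

def find_gaps(policies, control_types=("DLP", "Conditional Access")):
    """List (risk level, control type) pairs with no enforcing policy."""
    coverage = coverage_by_level(policies)
    return [(level, ctype) for level in RISK_LEVELS
            for ctype in control_types if ctype not in coverage[level]]

def not_enforcing(policies):
    """Policies that reference risk levels but are inactive or in test."""
    return [(p["name"], p["state"], p["status"])
            for p in policies if not is_enforcing(p)]

if __name__ == "__main__":
    for level, ctype in find_gaps(SAMPLE_POLICIES):
        print(f"No enforcing {ctype} policy for {level} risk users")
    for name, state, status in not_enforcing(SAMPLE_POLICIES):
        print(f"Not enforcing: {name} (state={state}, status={status})")
```
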

Data Lifecycle Management (DLM) policies

The Data Lifecycle Management tab tracks retention policies preserving data for high-risk users:

  • Policy name: Lists the name of the DLM policy.
  • Policy state: Indicates whether the policy is Active or Inactive.
  • Retention duration: Specifies how long deleted content is preserved for high-risk users.

Adjusting risk levels and policies

If too many or too few users are assigned risk levels, administrators can refine the policy settings:

  • Modify insider risk level settings: Adjust thresholds determining when a risk level is assigned based on activity severity and frequency.
  • Modify policy thresholds: Fine-tune policy settings to determine which activities contribute to risk classification.

Disabling Adaptive Protection

If necessary, Adaptive Protection can be disabled:

  1. Navigate to Adaptive Protection settings.
  2. Toggle Enable Adaptive Protection to Off.

Disabling Adaptive Protection halts risk level assignments and removes existing user risk levels within six hours. DLP, Conditional Access, and DLM policies remain configured but no longer apply risk-based actions.