# Understand and configure risk levels in Adaptive Protection
With Adaptive Protection, you can configure the risk factors or activities for customizable risk levels based on your organization's needs. The risk levels for Adaptive Protection update continuously and automatically based on the users' risk factors and insights. If a user's data security risk increases or decreases, their risk level is adjusted accordingly. Based on the risk levels, DLP policies automatically apply the right level of preventative controls (such as block, block with override, or warning). Similarly, Conditional Access policies can restrict or allow access to cloud resources based on a user's risk level, and Data Lifecycle Management can extend retention for high-risk users to support investigations.
In Adaptive Protection, the assigned insider risk management policy affects how risk levels are determined. Criteria such as users, groups, indicators, and thresholds are the determining factors for the policy. Risk levels are based on user insights and not just the number of instances of specific user activities. Insights are a calculation of the aggregate number of activities and the severity level of these activities.
For example, performing a potentially risky activity more than three times doesn't determine User A's risk levels. Instead, an insight into the aggregate number of activities and assigned risk scores based on configured thresholds in the selected policy determine User A's risk levels.
## Risk levels
Risk levels in Adaptive Protection define how risky a user's activity is. Risk levels can be based on criteria such as how many exfiltration activities a user performed or whether the user's activity generated a high severity insider risk alert. These risk levels have built-in risk level definitions, but these definitions can be customized as needed:
- Elevated risk level: The highest risk level includes built-in definitions for users with high severity alerts, users with at least three sequence insights that each have a high severity alert for specific risk activities, or one or more confirmed high severity alerts.
- Moderate risk level: The medium risk level includes built-in definitions for users with medium severity alerts or users with at least two data exfiltration activities with high severity scores.
- Minor risk level: The lowest risk level includes built-in definitions for users with low severity alerts or users with at least one data exfiltration activity with a high severity score.
For a risk level to be assigned to a user, the number of insights and the severity assigned to the activity need to match the definition for the risk level. The number of activities for an insight can either be a single activity or multiple activities contributing to the single insight. The number of insights is evaluated for the risk level definition, not the number of activities included in an insight.
For example, let's consider an insider risk management policy that's assigned to Adaptive Protection. This policy is scoped for identifying downloads from a SharePoint site in your organization. Suppose the policy detects that, in a single day, a user:
- downloaded 10 files from a SharePoint site
- and those downloaded files are determined to be high severity
This sequence of actions counts as one single insight consisting of 10 activity events.
In order for this activity to qualify for assigning an Elevated risk level to the user, two more high severity insights would be required for the user. The other insights might or might not contain one or more activities.
## Customizing risk levels
Custom risk levels allow you to create risk levels based on your organization's needs. You can customize criteria that the risk level is based on, and then define conditions to control when the risk level is assigned to users.
For example, Adaptive Protection settings, DLP policies, Conditional Access, and Data Lifecycle Management can work together to enforce appropriate security measures. Users in the minor or medium risk level can receive policy tips and education on handling sensitive data, while high-risk users face stricter enforcement such as restricted cloud access and extended data retention. For users in the elevated risk level, administrators can use the strictest protection controls, such as blocking users from saving or sharing sensitive data. This approach minimizes the effect of potential data incidents.
### Risk level criteria and conditions
Risk level criteria and conditions customization can be based on the following areas:
- Alerts generated or confirmed for a user: This option lets you choose conditions based on the severity level for alerts that are either generated or confirmed for a user under the chosen insider risk management policy. Conditions for alerts aren't additive. If a user meets just one condition, a risk level is assigned.
- Specific user activity: This option allows you to choose conditions for activity to detect, its severity, and the number of daily occurrences during the past activity detection window (optional). Conditions for user activity are additive. Users are assigned a risk level only if all the conditions are met.
### Past activity detection
The past activity detection risk level setting specifies the number of days Adaptive Protection looks back to see if a user has met any of the defined risk level conditions. The default setting is 7 days, but you can choose between 5 and 30 days of previous activity to apply risk level conditions. This setting only applies to risk levels that are based on a user's daily activity and excludes risk levels based on alerts.
Let's see how past activity detection settings and risk levels work together to decide if a user's past actions are in-scope:
- Elevated risk level setting: A user performs at least three sequences, each with a high severity risk score between 67 and 100.
- Past activity detection setting: Three days.

| User's actions | Is the activity scoped for elevated risk? |
|---|---|
| One high-severity action each day for the past three days | Yes |
| Three high-severity actions on a single day, three days ago | Yes |
| One high-severity action four days ago and two high-severity actions three days ago | No |
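The evaluation rules described above (insights are counted rather than activity events, alert conditions are not additive and ignore the lookback window, activity conditions apply the window) as an added Python model; this is illustrative code written for this page, not Microsoft's implementation. The per-level insight thresholds, the `days_ago` convention and the alert-severity-to-level mapping are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

HIGH_SEVERITY_MIN = 67   # page: a high severity risk score is 67-100
LEVEL_ORDER = ["Minor", "Moderate", "Elevated"]   # ascending order
# Assumed simplification of the built-in definitions: the number of distinct
# high-severity insights (not activity events) each level requires.
INSIGHTS_REQUIRED = {"Elevated": 3, "Moderate": 2, "Minor": 1}
ALERT_LEVEL = {"high": "Elevated", "medium": "Moderate", "low": "Minor"}

@dataclass(frozen=True)
class Insight:
    days_ago: int        # 0 = today, 3 = three days ago (assumed convention)
    severity: int        # aggregate risk score 0-100 assigned by the policy
    activities: int = 1  # activity events aggregated into this one insight

def high_severity_insights(insights: Iterable[Insight], lookback_days: int) -> int:
    """Count insights inside the past activity detection window. The number of
    activity events inside each insight is deliberately not consulted."""
    return sum(1 for i in insights
               if 0 <= i.days_ago <= lookback_days and i.severity >= HIGH_SEVERITY_MIN)

def activity_risk_level(insights, lookback_days: int) -> Optional[str]:
    """Activity-based conditions: the lookback window applies, and the highest
    level whose insight threshold is met wins."""
    count = high_severity_insights(insights, lookback_days)
    for level in reversed(LEVEL_ORDER):
        if count >= INSIGHTS_REQUIRED[level]:
            return level
    return None

def alert_risk_level(alert_severities: Sequence[str]) -> Optional[str]:
    """Alert-based conditions: not additive and not subject to the window, so
    the single most severe generated or confirmed alert decides."""
    levels = [ALERT_LEVEL[s] for s in alert_severities]
    return max(levels, key=LEVEL_ORDER.index, default=None)

def risk_level(insights, alert_severities=(), lookback_days=7) -> Optional[str]:
    """Combined result: the higher of the alert-based and activity-based levels."""
    found = [lvl for lvl in (alert_risk_level(alert_severities),
                             activity_risk_level(insights, lookback_days)) if lvl]
    return max(found, key=LEVEL_ORDER.index, default=None)

# Constructed samples: the three table rows (window = 3 days) and the SharePoint
# example above (10 downloads in one day = one insight of 10 activity events).
ONE_PER_DAY = [Insight(1, 80), Insight(2, 75), Insight(3, 90)]
THREE_SAME_DAY = [Insight(3, 80), Insight(3, 70), Insight(3, 95)]
SPLIT_ACROSS_WINDOW = [Insight(4, 80), Insight(3, 85), Insight(3, 70)]
SHAREPOINT_DOWNLOADS = [Insight(days_ago=1, severity=85, activities=10)]
```

The SharePoint sample yields one high-severity insight and therefore only the lowest level, matching the statement that two more high-severity insights would be needed for Elevated.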
### Risk level timeframe
This risk level setting determines how long a risk level remains assigned to a user before it's automatically reset. The default setting is 7 days, but you can choose between 5 and 30 days before resetting the risk level for a user.
Risk levels also reset for a user when:
- The associated alert for the user is dismissed
- The associated case for the user is resolved
- The risk level end date is manually expired