Microsoft 365 Message Center Archive

MC1006621 - Microsoft Purview | Insider Risk Management: New compromised user context in Microsoft Entra

Message ID

MC1006621

View in Message Center

Service

Microsoft Purview

Published

Feb 15, 2025

Tag

New feature
Admin impact

Roadmap ID

420938

View in M365 Roadmap

Platforms

Web

Summary

Microsoft Purview Insider Risk Management will soon allow analysts to identify compromised user alerts in Microsoft Entra, aiding in appropriate response actions. This feature will roll out globally in March 2025. Admins need to review configurations and notify users, but no immediate action is required.

More information

Coming soon to Microsoft Purview | Insider Risk Management: IRM analysts will be able to identify if a user being investigated has any compromised user alerts in Microsoft Entra. The new visibility will help the analyst formulate the right response action, such as escalating the Incident to SOC teams for quick remediation.

This message is associated with Microsoft 365 Roadmap ID 420938.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out mid-March 2025 and expect to complete by late March 2025.

How this will affect your organization:

Microsoft Entra offers two types of compromised user detections:

  • Sign-in risk detections: Compromise risk associated with a specific sign-in
  • User risk detections: Compromise risk associated with a specific user

After this rollout:

  • Risk detections will be available in the indicator timeline in the alert investigation experience.
  • Risk detections will not impact the risk score or severity of Insider Risk Management alerts.

To access the new risk detections, go to Microsoft Purview portal > Settings > Insider Risk Management > Policy indicators > Built-in Indicators. Scroll down to Microsoft Entra ID Protection indicators, open the dropdown menu and select the applicable indicators:

admin controls

When you create a policy, you will find Microsoft Entra ID Protection indicators on the Indicators page:

admin controls

This change will be available by default.

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your users about this change and update any relevant documentation.

  • Insider risk management admins can opt into risk detections from Insider Risk Management global settings.
  • Insider risk management admins need to opt into risk detection in Insider Risk Management policies.

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Learn more