Published Feb 15, 2025
Microsoft Purview's Insider Risk Management will soon include compromised user alerts from Microsoft Entra, aiding analysts in identifying and responding to risks. The rollout begins in early April 2025 and completes by late April 2025. No admin action is required, but reviewing configurations and notifying users is recommended.
Updated March 25, 2025: We have updated the rollout timeline below. Thank you for your patience.
Coming soon to Microsoft Purview | Insider Risk Management: IRM analysts will be able to identify whether a user under investigation has any compromised user alerts in Microsoft Entra. The new visibility will help the analyst formulate the right response action, such as escalating the incident to SOC teams for quick remediation.
This message is associated with Microsoft 365 Roadmap ID 420938.
When this will happen:
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early April 2025 (previously mid-March) and expect to complete by late April 2025 (previously late March).
How this will affect your organization:
Microsoft Entra offers two types of compromised user detections:
After this rollout:
To access the new risk detections, go to Microsoft Purview portal > Settings > Insider Risk Management > Policy indicators > Built-in Indicators. Scroll down to Microsoft Entra ID Protection indicators, open the dropdown menu and select the applicable indicators:
When you create a policy, you will find Microsoft Entra ID Protection indicators on the Indicators page:
This change will be available by default.
What you need to do to prepare:
This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your users about this change and update any relevant documentation.
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.