Microsoft 365 E5 Insider Risk Management

Introduction:

Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and act on risky activities in your organization. Custom policies allow you to detect and act on malicious and inadvertent risk activities in your organization, including escalating cases to Microsoft Advanced eDiscovery if needed. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards.

Insider risk management is centered around the following principles:

  • Transparency: Balance employee privacy versus organization risk with privacy-by-design architecture.
  • Configurable: Configurable policies based on industry, geographical, and business groups.
  • Integrated: Integrated workflow across Microsoft 365 compliance solutions.
  • Actionable: Provides insights to enable employee notifications, data investigations, and employee investigations.

Requirements for Insider Risk Management:

To access and use insider risk management, your organization must have one of the following subscriptions or add-ons:

  • Microsoft 365 E5 subscription (paid or trial version)
  • Microsoft 365 E3 subscription + the Microsoft 365 E5 Compliance add-on
  • Microsoft 365 E3 subscription + the Microsoft 365 E5 Insider Risk Management add-on
  • Microsoft 365 A5 subscription (paid or trial version)
  • Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on
  • Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on

If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try insider risk management, you can add Microsoft 365 to your existing subscription or sign up for a trial of Microsoft 365 Enterprise E5.

Role group Vs. Role permission

Depending on the structure of your compliance management team, you have options to assign users to specific role groups to manage different sets of insider risk management features. Choose from these role group options when configuring insider risk management:

  • Insider Risk Management: Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.
  • Insider Risk Management Admin: Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.
  • Insider Risk Management Analysts: Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.
  • Insider Risk Management Investigators: Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notices templates, and the Content Explorer for all cases.


Step 1 (required): Enable permissions for insider risk management

Add users to an insider risk management role group

Complete the following steps to add users to an insider risk management role group:

  1. Sign in to https://protection.office.com/permissions using credentials for an admin account in your Microsoft 365 organization.
  2. In the Security & Compliance Center, go to Permissions. Select the link to view and manage roles in Office 365.
  3. Select the insider risk management role group you want to add users to, then select Edit role group.
  4. Select Choose members from the left navigation pane, then select Edit.
  5. Select Add and then select the checkbox for all users you want to add to the role group.
  6. Select Add, then select Done.
  7. Select Save to add the users to the role group. Select Close to complete the steps.

Step 2 (required): Enable the audit log

Use the Security & Compliance Center to turn on audit log search

  1. Go to the Security & Compliance Center and sign in.
  2. In the Security & Compliance Center, go to Search > Audit log search.

A banner is displayed saying that auditing has to be turned on to record user and admin activity.

  3. Click Turn on auditing.

The banner is updated to say the audit log is being prepared and that you can search for user and admin activity in a few hours.
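
The following read-only PowerShell review of the Step 1 and Step 2 settings is an added example, not part of the original article or a Microsoft script. It assumes the ExchangeOnlineManagement module is installed and that the insider risk role groups can be found by matching "Insider Risk Management" in their name or display name.

```powershell
# Added example: review who holds insider risk management permissions (Step 1)
# and confirm that unified audit logging is on (Step 2). Makes no changes.
Import-Module ExchangeOnlineManagement

# --- Step 1: role group membership (Security & Compliance PowerShell) ---
Connect-IPPSSession

# Assumption: the four role groups match this pattern on Name or DisplayName.
$pattern = 'Insider\s*Risk\s*Management'
$groups = Get-RoleGroup | Where-Object {
    $_.Name -match $pattern -or $_.DisplayName -match $pattern
}

# Flatten membership into one row per (role group, member) pair.
$membership = foreach ($g in $groups) {
    foreach ($m in Get-RoleGroupMember -Identity $g.Name) {
        [pscustomobject]@{ RoleGroup = $g.DisplayName; Member = $m.Name }
    }
}
$membership | Sort-Object RoleGroup, Member | Format-Table -AutoSize

# Accounts in more than one group hold overlapping permissions; if you split
# admins, analysts and investigators on purpose, these deserve a second look.
$membership | Group-Object Member | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("{0} is in {1} role groups: {2}" -f `
        $_.Name, $_.Count, ($_.Group.RoleGroup -join ', '))
}

# Role groups with no members cannot act on alerts or cases.
foreach ($g in $groups) {
    if (-not ($membership | Where-Object RoleGroup -eq $g.DisplayName)) {
        Write-Warning "Role group '$($g.DisplayName)' has no members."
    }
}
Disconnect-ExchangeOnline -Confirm:$false

# --- Step 2: audit log status (must be read from Exchange Online PowerShell) ---
Connect-ExchangeOnline
$audit = Get-AdminAuditLogConfig
if ($audit.UnifiedAuditLogIngestionEnabled) {
    Write-Output "Unified audit logging is enabled."
} else {
    # Equivalent of the 'Turn on auditing' banner button:
    #   Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit logging is OFF; insider risk policies will have no activity to evaluate."
}
Disconnect-ExchangeOnline -Confirm:$false
```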

Step 3 (optional): Configure prerequisites for templates

Set up a connector to import HR data

Step 1: Create an app in Azure Active Directory

Step 2: Prepare a CSV file with your HR data

Step 3: Create the HR connector

Step 4: Run the sample script to upload your HR data

Step 5: Monitor the HR connector

(Optional) Step 6: Schedule the script to run automatically

Step 4 (required): Configure insider risk settings

Before configuring a policy, define the following insider risk settings:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select Insider risk settings from the top-right corner of any page.
  2. On the Privacy page, select a privacy setting for displaying usernames for policy alerts.
  3. On the Indicators page, select the alert indicators you want to apply to all insider risk policies.
  4. On the Policy timeframes page, select the policy timeframes to go into effect for a user when they trigger a match for an insider risk policy.

  5. On the Intelligent detection page, configure the anomaly detection, offensive language detection, and alert volume level for insider risk policies.

  6. Select Save to enable these settings for your insider risk policies.

Step 5 (required): Create an insider risk management policy

Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts. Before activities can trigger alerts, a policy must be configured.

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.
  2. Select Create policy to open the policy wizard.
  3. On the New insider risk policy page, complete the following fields:
    • Name (required): Enter a friendly name for the policy.
    • Description (optional): Enter a description for the policy.
    • Choose policy template (required): Select one of the policy templates to define the types of risk indicators that are monitored by the policy.
  4. Select Next to continue.
  5. On the Users page, select Add user or group to define which users are included in the policy or select All users and mail-enabled groups checkbox. Select Next to continue.

  6. On the Specify what content to prioritize (optional) page, you can assign the sources to prioritize for risky user activities:

    • SharePoint sites: Select Add SharePoint site and select the SharePoint organizations you want to prioritize. For example, "group1@contoso.sharepoint.com/sites/group1".

    • Sensitive info type: Select Add sensitive info type and select the sensitivity types you want to prioritize. For example, "U.S. Bank Account Number" and "Credit Card Number".

    • Sensitivity labels: Select Add sensitivity label and select the labels you want to prioritize. For example, "Confidential" and "Secret".

  7. Select Next to continue.
  8. On the Alert indicators page, you'll see the indicators that you've defined on the Insider risk settings > Indicators page. If you selected the Data leaks template at the beginning of the wizard, you must select a DLP policy from the DLP policy drop down list.
  9. On the Select monitoring window page, you'll see the monitoring window conditions for the policy that you've defined on the Insider risk settings > Policy timeframes page. If you've selected the Departing employee data theft policy template, you can select the Check for activity post termination checkbox to detect activity after the termination date imported from the Microsoft 365 HR Connector.
  10. Select Next to continue.

  11. On the Review page, review the settings you've chosen for the policy. Select Edit to change any of the policy values or select Submit to create and activate the policy.
