Insider Risk & Communication Compliance

Two tools, two threats

Insider Risk Management

What it detects

Risk Category	Signals	Example
Data theft by departing employees	Resignation + unusual file downloads	Employee submits notice, then downloads 2,000 files over 3 days
Data leaks	Sensitive files shared externally or to personal accounts	Confidential spreadsheet shared to personal Gmail
Security policy violations	Circumventing DLP, disabling security features	User turns off device encryption to transfer files
Risky AI usage	Sensitive prompts to Copilot or external AI tools	Employee pastes customer PII into an external chatbot

How it works

1. Policies define what to watch for (data theft, leaks, security violations)
2. Signals are collected from M365 services (SharePoint, OneDrive, Teams, Exchange, endpoints)
3. Alerts fire when user activity matches risk patterns
4. Cases are created for investigation — with timeline of all related activities
5. Actions can be taken: escalate to HR, refer to legal, adjust permissions

ℹ️ Adaptive Protection — Insider Risk meets DLP

Adaptive Protection is a powerful integration between Insider Risk and DLP:

When a user is flagged as “elevated risk” by Insider Risk (e.g., they’ve been downloading unusual amounts of data), DLP policies automatically become stricter for that user — blocking actions that would normally just trigger a warning.

Example: Normal users get “warn” when emailing externally. High-risk users get “block.”

This means protection adapts to the user’s behaviour — no manual intervention needed.

Exam tip: If a question mentions “automatically adjusting DLP strictness based on user risk” → the answer is Adaptive Protection.

Communication Compliance

What it monitors

Policy Type	What It Catches	Example
Regulatory compliance	Financial or healthcare regulation violations	Insider trading language, HIPAA breaches
Code of conduct	Harassment, discrimination, threats	Bullying in Teams messages
Sensitive information	Confidential data shared in messages	Sharing passwords or account numbers in chat
Conflict of interest	Inappropriate communications	Employee discussing deals with a competitor

How it works

1. Policies define what to scan (Teams, Outlook, third-party) and what to look for
2. Detection uses keywords, regex, trainable classifiers, and sensitive info types
3. Alerts fire when content matches a policy
4. Review — compliance officers review flagged messages in context
5. Actions — resolve, escalate, tag for investigation, or remediate

💡 Scenario: Clearfield Council monitors workplace conduct

Officer Patel sets up Communication Compliance:

Policy 1: Anti-harassment

• Scans: Teams messages + Outlook emails
• Detects: Trainable classifier for “harassment” + keyword list for slurs
• Action: Alert Officer Patel for review

Policy 2: Sensitive data in chat

• Scans: Teams messages
• Detects: Credit card numbers, citizen ID patterns
• Action: Alert compliance reviewer for manual review and remediation

First month results: 12 alerts fired. 8 were genuine policy violations (staff sharing citizen IDs in Teams instead of secure channels). 4 were false positives (the word “discrimination” used in a policy discussion context → classifier tuned).

Insider Risk vs Communication Compliance

Insider Risk vs Communication Compliance

Feature	Insider Risk	Communication Compliance
What it watches	User BEHAVIOUR (actions, patterns)	Message CONTENT (words, data)
Detects	Unusual downloads, data theft, policy circumvention	Harassment, regulatory violations, sensitive data in messages
Signals from	SharePoint, OneDrive, Teams, Exchange, endpoints	Teams messages, Outlook emails, third-party platforms
Uses	Behavioural analytics, correlation, timelines	Keywords, classifiers, sensitive info types, regex
Investigated by	Security/HR team	Compliance/legal team

🎬 Video walkthrough

Flashcards

Question

What does Insider Risk Management detect?

Click or press Enter to reveal answer

Answer

Suspicious user BEHAVIOUR patterns: unusual file downloads, data theft by departing employees, security policy violations, and risky AI usage. It uses behavioural analytics across M365 signals.

Click to flip back

Show hint

Question

What does Communication Compliance detect?

Click or press Enter to reveal answer

Answer

Policy violations in MESSAGE CONTENT: harassment, discriminatory language, regulatory violations, and sensitive information shared in Teams/Outlook. It uses keywords, classifiers, and pattern matching.

Click to flip back

Show hint

Question

What is Adaptive Protection?

Click or press Enter to reveal answer

Answer

An integration between Insider Risk and DLP that automatically makes DLP policies stricter for users flagged as high-risk. Normal users get warnings; high-risk users get blocks — automatically adjusted based on behaviour.

Click to flip back

Knowledge Check

Knowledge Check

An employee at Northwave submitted their resignation last week. Over the following 5 days, they downloaded 3,000 files from the company SharePoint to their personal device. Which Purview tool would detect this?

ACommunication Compliance — it monitors all user activityBData Loss Prevention — it tracks file downloadsCInsider Risk Management — it correlates resignation signals with unusual download patternsDMicrosoft Defender XDR — it handles all security threats

Check Answer

Knowledge Check

Clearfield Council's compliance team discovers that multiple staff members have been using discriminatory language in Teams channels. Officer Patel needs to set up monitoring to detect and review these messages. Which Purview tool should she configure?

AInsider Risk Management — it detects policy violations in messagesBData Loss Prevention — it scans messages for inappropriate contentCCommunication Compliance — it monitors message content for conduct violations using trainable classifiersDInformation Protection — it classifies messages by sensitivity

Check Answer

---

Next up: DSPM for AI & Data Lifecycle — governing how AI tools use your data, and managing how long data lives.