Services
Affected Platforms
Summary
Microsoft Purview Insider Risk Management will soon allow analysts to identify compromised user alerts in Microsoft Entra. The rollout starts mid-May 2025 (worldwide) and early-August 2025 (GCC, GCC High, DoD). Risk detections will be visible in the alert investigation experience but won't affect risk scores. No admin action is required.
Details
Updated April 24, 2025: We have updated the rollout timeline below. Thank you for your patience.
Coming soon to Microsoft Purview | Insider Risk Management: IRM analysts will be able to identify if a user being investigated has any compromised user alerts in Microsoft Entra. The new visibility will help the analyst formulate the right response action, such as escalating the Incident to SOC teams for quick remediation.
This message is associated with Microsoft 365 Roadmap ID 420938.
When this will happen:
General Availability (Worldwide): We will begin rolling out mid-May 2025 (previously mid-April) and expect to complete by late May 2025 (previously late April).
General Availability (GCC, GCC High, DoD): We will begin rolling out early-August 2025 and expect to complete by late August 2025.
How this will affect your organization:
Microsoft Entra offers two types of compromised user detections:
- Sign-in risk detections: Compromise risk associated with a specific sign-in
- User risk detections: Compromise risk associated with a specific user
After this rollout:
- Risk detections will be available in the indicator timeline in the alert investigation experience.
- Risk detections will not impact the risk score or severity of Insider Risk Management alerts.
To access the new risk detections, go to Microsoft Purview portal > Settings > Insider Risk Management > Policy indicators > Built-in Indicators. Scroll down to Microsoft Entra ID Protection indicators, open the dropdown menu and select the applicable indicators:
When you create a policy, you will find Microsoft Entra ID Protection indicators on the Indicators page:
This change will be available by default.
What you need to do to prepare:
This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your users about this change and update any relevant documentation.
- Insider risk management admins can opt into risk detections from Insider Risk Management global settings.
- Insider risk management admins need to opt into risk detection in Insider Risk Management policies.
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Learn more