
Purview Insider Risk Management (IRM) Now Integrated with Entra Conditional Access

03/25/2024

A very interesting new feature, announced in preview a few days ago, is the integration of Purview IRM results with Entra Conditional Access.

A Refresher on Insider Risk Management

Purview IRM is a feature of Defender XDR that monitors activity across your organization at the individual and enterprise level.

It allows you to compare a user’s behavior against their own usual behavior, or against the behavior of the corporation as a whole, and detect anomalies. For example, it can detect when an employee has sent a number of emails or copied a number of files that departs from the curve of what they usually do on a daily basis. This behavior indicates that the user is exfiltrating data, whether internal or external.

For those who don’t know it, I discussed this feature at the 2022 Ignite After Party (Marcelo Sincic | Avoiding data leaks with Microsoft Purview, in pt-br).

Integrating with Conditional Access

In this preview, we can now use IRM metrics to detect and block a user who is exhibiting abnormal behavior.

This new feature dynamically addresses two risk situations:

  1. A user who is leaking or copying data and continues to log into systems and services such as OneDrive, SharePoint and others will be blocked once their alert level reaches the threshold you determine.
  2. A hacker or malicious actor is copying data to another location while posing as a legitimate user whose credentials may have been stolen.

Configuring this integration is very simple: in the Conditional Access policy, select this new access condition and the desired level of sensitivity.

Conclusion

Now you can take automatic, reactive action when an anomaly is detected in a user’s behavior in IRM.

Technical reference: Help dynamically mitigate risks with adaptive protection (preview) | Microsoft Learn
