Identify risks by using Microsoft Purview Insider Risk Management (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Identify risks by using Microsoft Purview Insider Risk Management


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Microsoft Purview Insider Risk Management (IRM) helps organizations detect, investigate, and respond to insider risks before they result in significant business damage. Unlike external cyberattacks, insider risks originate from individuals who already have authorized access to organizational resources. These individuals may intentionally misuse data or unintentionally expose sensitive information through careless actions.

For the AB-900 exam, you should understand:

  • What Insider Risk Management is
  • The types of risks it helps identify
  • The components used to detect insider risks
  • How risk indicators and policies work
  • How investigations are performed
  • How Insider Risk Management integrates with other Microsoft 365 security solutions
  • Common use cases

What Is Microsoft Purview Insider Risk Management?

Microsoft Purview Insider Risk Management is a Microsoft Purview solution that uses machine learning, analytics, user activity signals, and built-in privacy protections to identify potentially risky user behavior.

Its purpose is not to assume users are malicious. Instead, it identifies behaviors that could indicate:

  • Data theft
  • Intellectual property loss
  • Security violations
  • Compliance violations
  • Accidental data exposure
  • Policy violations

The solution helps security, compliance, HR, and legal teams investigate suspicious activities while respecting employee privacy.


What Is an Insider Risk?

An insider risk is any situation where someone with legitimate access to organizational systems creates risk for the organization.

Examples include:

  • An employee downloading thousands of confidential files before resigning
  • A contractor copying customer information to a USB drive
  • A user emailing sensitive documents to a personal email account
  • An employee sharing confidential information through unauthorized cloud storage
  • A user repeatedly accessing data unrelated to their job responsibilities

Not every insider risk is malicious; many incidents are accidental.

Examples include:

  • Sending confidential files to the wrong recipient
  • Uploading sensitive documents to public cloud storage
  • Accidentally sharing confidential Teams files

Types of Insider Risks

Microsoft categorizes insider risks into several common scenarios.

Data Theft

Occurs when users attempt to remove valuable organizational information.

Examples include:

  • Downloading confidential files
  • Copying files to USB devices
  • Printing sensitive documents
  • Emailing proprietary information externally

Data Leakage

Sensitive information leaves the organization unintentionally.

Examples include:

  • Uploading files to personal cloud storage
  • Sending confidential documents externally
  • Sharing protected files publicly

Security Policy Violations

Users violate established organizational security rules.

Examples include:

  • Disabling security controls
  • Using unauthorized applications
  • Circumventing compliance policies

Compliance Violations

Employees violate legal or regulatory requirements.

Examples include:

  • Sharing regulated financial records
  • Mishandling healthcare information
  • Improperly accessing customer records

Departing Employee Risks

A common scenario involves employees preparing to leave the organization.

Potential indicators include:

  • Large file downloads
  • Increased file copying
  • Unusual external sharing
  • Mass printing
  • Accessing previously unused repositories

How Insider Risk Management Works

Insider Risk Management follows a multi-stage process.

Step 1: Collect Activity Signals

Microsoft collects activity information from supported Microsoft 365 services.

Examples include:

  • SharePoint Online
  • OneDrive
  • Exchange Online
  • Microsoft Teams
  • Microsoft Defender
  • Microsoft Entra ID
  • Endpoint activity
  • Microsoft Defender for Endpoint

Step 2: Analyze User Activity

Machine learning compares current activity against:

  • Normal behavior
  • Organizational policies
  • Risk indicators
  • User context

This reduces false positives.


Step 3: Generate Risk Alerts

If suspicious behavior exceeds configured thresholds:

  • An alert is created.
  • The alert receives a severity level.
  • Investigators can review supporting evidence.

Step 4: Investigate

Compliance administrators review:

  • Timeline of events
  • User activities
  • File operations
  • Email actions
  • Device activities
  • Related alerts

Step 5: Respond

Possible actions include:

  • Escalating investigations
  • Assigning cases
  • Collecting evidence
  • Alerting management
  • Applying additional protections
  • Closing false positives

Risk Indicators

Risk indicators are behaviors that contribute to a user’s overall risk score.

Examples include:

File Activities

  • Downloading files
  • Deleting files
  • Printing documents
  • Copying files
  • Uploading files

Email Activities

  • Sending attachments externally
  • Forwarding confidential emails
  • Mass emailing sensitive information

Device Activities

  • USB device usage
  • File transfers
  • Printing
  • Local file copying

Collaboration Activities

  • Sharing Teams files externally
  • Creating anonymous sharing links
  • Public document sharing

User Behavior

Examples include:

  • Working unusual hours
  • Accessing unusual locations
  • Accessing excessive numbers of files
  • Sudden changes in behavior

Insider Risk Policies

Policies determine:

  • Which users are monitored
  • What behaviors are evaluated
  • Alert thresholds
  • Investigation rules

Policies are based on templates.

Common templates include:

  • Data leaks
  • Data theft
  • Security policy violations
  • Departing employees
  • Risky browser usage
  • Priority user monitoring

Policies allow organizations to customize detection based on their business needs.


Risk Scores

Each user activity contributes to a risk score.

Higher scores indicate more concerning activity.

Factors influencing scores include:

  • Number of risky actions
  • Severity of activities
  • Frequency
  • Historical behavior
  • Machine learning analysis

Risk scores help investigators prioritize the most serious incidents.


Alerts

When policy thresholds are exceeded, alerts are created.

Alerts typically include:

  • User involved
  • Policy triggered
  • Activity timeline
  • Risk level
  • Supporting evidence
  • Recommended investigation steps

Alert severity may include:

  • Low
  • Medium
  • High
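The five stages above (collect signals, compare against normal behavior, score, alert, investigate), the file/device/email indicators, the factors that feed a risk score and the Low/Medium/High severity levels can all be seen in one small worked example. This is added illustration code, not Microsoft's implementation and not code from the original post: every activity weight, sensitivity-label multiplier, threshold, user name and event in it is a constructed assumption chosen to make the behavior visible. It also goes slightly beyond the text by weighting each action by the sensitivity label of the content touched, which is how the "Highly Confidential" versus public-document contrast in the Information Protection section would show up in a score.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Relative weight of each activity type (assumed values for the example).
ACTIVITY_WEIGHT = {
    "file_download": 1.0,
    "usb_copy": 3.0,
    "print": 1.5,
    "external_email": 2.5,
    "anon_share_link": 3.0,
}

# Sensitivity-label multiplier: the same action on "Highly Confidential"
# content counts far more than on "Public" content (assumed values).
LABEL_WEIGHT = {"Public": 0.2, "General": 1.0,
                "Confidential": 2.0, "Highly Confidential": 4.0}

# Context multipliers and alert thresholds (assumed values). Thresholds are
# checked from highest to lowest, so the first match is the severity.
AFTER_HOURS_MULTIPLIER = 1.5
DEPARTING_MULTIPLIER = 2.0
THRESHOLDS = [(200.0, "High"), (80.0, "Medium"), (30.0, "Low")]


@dataclass(frozen=True)
class Event:
    """One aggregated activity signal for a user on a given day."""
    user: str
    activity: str
    label: str          # sensitivity label of the content touched
    count: int          # number of files, pages or messages
    after_hours: bool   # outside the user's normal working hours


@dataclass
class Alert:
    user: str
    score: float
    severity: str
    top_indicators: List[str]   # contributing activities, largest first


def event_score(ev: Event, baseline_count: float) -> float:
    """Score one event against the user's own baseline for that activity.
    Volume up to twice the baseline is treated as normal, so an analyst who
    downloads 200 files every day is not flagged for downloading 250."""
    weight = ACTIVITY_WEIGHT.get(ev.activity, 0.0) * LABEL_WEIGHT.get(ev.label, 1.0)
    excess = max(0.0, ev.count - 2.0 * baseline_count)
    score = weight * excess
    if ev.after_hours:
        score *= AFTER_HOURS_MULTIPLIER
    return score


def score_users(events, baselines, departing):
    """Aggregate per-user scores. Returns (totals, contributions); contributions
    maps user -> activity -> score so an alert can explain what drove it."""
    totals: Dict[str, float] = defaultdict(float)
    contributions: Dict[str, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for ev in events:
        s = event_score(ev, baselines.get((ev.user, ev.activity), 0.0))
        if s > 0:
            contributions[ev.user][ev.activity] += s
            totals[ev.user] += s
    for user in totals:
        if user in departing:   # departing-employee context raises the whole score
            totals[user] *= DEPARTING_MULTIPLIER
    return dict(totals), {u: dict(c) for u, c in contributions.items()}


def severity_for(score: float) -> Optional[str]:
    for threshold, severity in THRESHOLDS:
        if score >= threshold:
            return severity
    return None   # below the lowest threshold: no alert


def generate_alerts(events, baselines, departing) -> List[Alert]:
    """Raise an alert for every user above the lowest threshold, highest score first."""
    totals, contributions = score_users(events, baselines, departing)
    alerts = []
    for user, score in totals.items():
        severity = severity_for(score)
        if severity is None:
            continue
        top = sorted(contributions[user], key=contributions[user].get, reverse=True)
        alerts.append(Alert(user, score, severity, top))
    alerts.sort(key=lambda a: a.score, reverse=True)
    return alerts


# Constructed sample data: (user, activity) -> average daily count.
SAMPLE_BASELINES = {
    ("alice", "file_download"): 20, ("alice", "external_email"): 2,
    ("bob", "file_download"): 15, ("bob", "print"): 5, ("bob", "external_email"): 2,
    ("carol", "file_download"): 200,   # analyst who bulk-downloads every day
    ("dave", "file_download"): 10,
}
SAMPLE_DEPARTING = {"alice"}   # constructed: HR has flagged alice's resignation
SAMPLE_EVENTS = [
    Event("alice", "file_download", "Confidential", 90, False),
    Event("alice", "usb_copy", "Confidential", 30, True),
    Event("bob", "external_email", "General", 3, False),
    Event("bob", "print", "Highly Confidential", 20, True),
    Event("carol", "file_download", "Confidential", 250, False),   # within baseline
    Event("dave", "file_download", "Public", 200, False),          # large but public
]

if __name__ == "__main__":
    for alert in generate_alerts(SAMPLE_EVENTS, SAMPLE_BASELINES, SAMPLE_DEPARTING):
        print(f"{alert.severity:6} {alert.user:6} score={alert.score:7.1f} "
              f"indicators={alert.top_indicators}")
```

Running it yields three alerts: alice (High, driven by the after-hours USB copy and the confidential download, doubled by the departing-employee context), bob (Medium, after-hours printing of Highly Confidential pages) and dave (Low, a very large but public download). carol raises nothing because her 250 downloads sit inside her own baseline, which is the point of comparing against normal behavior rather than a fixed count.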

Cases

Investigators can promote alerts into investigation cases.

Cases centralize:

  • Evidence
  • User activity
  • Timeline
  • Notes
  • Investigation status
  • Assigned investigators

This allows multiple reviewers to collaborate.


Privacy by Design

Microsoft designed Insider Risk Management with employee privacy in mind.

Privacy protections include:

  • Role-based access control
  • User pseudonymization (where supported)
  • Audit logging
  • Configurable privacy settings
  • Limited investigator access

Organizations control who can view personally identifiable information.
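The privacy protections listed above (pseudonymization, role-based access control, audit logging, limited investigator access) can be made concrete with a small store that keeps alert records keyed by a pseudonym and only reveals the real identity to a permitted role, logging every attempt. This is added example code, not Microsoft's implementation and not from the original post; the role names, the "ANON-" pseudonym format, the fixed key and the sample user are all assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tenant-scoped secret for pseudonymization. In practice this would come from
# a key vault; a fixed value is used here so the example is reproducible.
PSEUDONYM_KEY = b"example-tenant-pseudonym-key"


def pseudonymize(upn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the user principal name. Without the key the
    pseudonym cannot be matched against a user list, which an unkeyed SHA-256
    of a guessable e-mail address would allow."""
    digest = hmac.new(key, upn.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "ANON-" + digest[:12].upper()


@dataclass
class AlertRecord:
    alert_id: str
    subject: str            # pseudonym, never the UPN
    severity: str
    indicators: List[str]


class AlertStore:
    """Alerts with pseudonymized subjects, plus a separate identity map that
    only the investigator role may consult, with every access audited."""

    # Assumed role names and the actions each may perform.
    PERMISSIONS = {
        "InsiderRiskAnalyst": {"view_alerts"},
        "InsiderRiskInvestigator": {"view_alerts", "reveal_identity"},
    }

    def __init__(self) -> None:
        self._alerts: Dict[str, AlertRecord] = {}
        self._identity_map: Dict[str, str] = {}   # pseudonym -> UPN
        self.audit_log: List[dict] = []

    def _audit(self, actor, role, action, alert_id, allowed, detail="") -> None:
        self.audit_log.append({"actor": actor, "role": role, "action": action,
                               "alert_id": alert_id, "allowed": allowed,
                               "detail": detail})

    def ingest(self, alert_id: str, upn: str, severity: str, indicators) -> str:
        """Store a new alert; the real UPN goes only into the identity map."""
        pseud = pseudonymize(upn)
        self._identity_map[pseud] = upn
        self._alerts[alert_id] = AlertRecord(alert_id, pseud, severity, list(indicators))
        return pseud

    def view_alert(self, actor: str, role: str, alert_id: str) -> Optional[AlertRecord]:
        allowed = "view_alerts" in self.PERMISSIONS.get(role, set())
        self._audit(actor, role, "view_alerts", alert_id, allowed)
        return self._alerts.get(alert_id) if allowed else None

    def reveal_identity(self, actor: str, role: str, alert_id: str,
                        justification: str) -> Optional[str]:
        """Reveal needs the investigator role, a known alert and a non-empty
        justification; the attempt is logged whether or not it succeeds."""
        permitted = "reveal_identity" in self.PERMISSIONS.get(role, set())
        ok = permitted and alert_id in self._alerts and bool(justification.strip())
        self._audit(actor, role, "reveal_identity", alert_id, ok, justification)
        if not ok:
            return None
        return self._identity_map[self._alerts[alert_id].subject]

    def export_alerts(self) -> List[dict]:
        """What a dashboard or SIEM would receive: no UPNs anywhere."""
        return [vars(rec) for rec in self._alerts.values()]


if __name__ == "__main__":
    store = AlertStore()
    store.ingest("A-1001", "Alice.Example@contoso.example", "High", ["usb_copy"])
    print(store.view_alert("analyst1", "InsiderRiskAnalyst", "A-1001"))
    print(store.reveal_identity("analyst1", "InsiderRiskAnalyst", "A-1001", "HR case 42"))
    print(store.reveal_identity("inv1", "InsiderRiskInvestigator", "A-1001", "HR case 42"))
    for entry in store.audit_log:
        print(entry)
```

The analyst can read the alert but gets `None` when asking for the identity, the investigator gets the UPN only when a justification is supplied, and both outcomes are in `audit_log`, which is what lets an organization show that the PII reveal was limited to the people it intended.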


Integration with Microsoft 365 Services

Insider Risk Management integrates with many Microsoft security solutions.

Microsoft Purview Data Loss Prevention (DLP)

Provides sensitivity information about protected files.

Example:

A user emailing a document containing credit card numbers may trigger both DLP and Insider Risk Management.


Microsoft Purview Information Protection

Sensitivity labels provide additional context.

Example:

Downloading dozens of “Highly Confidential” documents creates greater risk than downloading public documents.


Microsoft Defender

Endpoint signals include:

  • USB usage
  • File copying
  • Application activity
  • Device events

These signals improve risk detection.


Microsoft Entra ID

Identity information provides context, including:

  • User identity
  • Sign-in behavior
  • Account changes
  • Risk signals

Microsoft 365 Audit Logs

User activities across Microsoft 365 workloads provide evidence for investigations.


AI and Machine Learning

Machine learning helps reduce false positives by:

  • Understanding normal behavior
  • Detecting unusual activity
  • Correlating multiple signals
  • Prioritizing serious incidents

This allows investigators to focus on the highest-risk alerts.


Common Use Cases

Protecting Intellectual Property

Identify employees copying engineering documents before leaving the company.


Detecting Insider Data Theft

Identify users downloading large numbers of confidential files.


Monitoring High-Risk Users

Monitor executives or privileged administrators who have access to sensitive information.


Investigating Data Leaks

Determine how confidential information left the organization.


Supporting HR Investigations

Provide evidence when investigating employee misconduct.


Benefits of Insider Risk Management

Organizations benefit by:

  • Detecting insider threats early
  • Protecting confidential information
  • Reducing compliance violations
  • Improving investigations
  • Prioritizing high-risk incidents
  • Using AI to reduce false positives
  • Integrating with Microsoft Purview and Microsoft Defender
  • Supporting regulatory compliance
  • Protecting intellectual property
  • Providing centralized case management

Exam Tips

For the AB-900 exam, remember these key points:

  • Insider Risk Management focuses on user behavior, not external attackers.
  • It detects both malicious and accidental risky activities.
  • Policies determine what activities are monitored.
  • Machine learning helps reduce false positives.
  • Alerts can be promoted into investigation cases.
  • Insider Risk Management integrates with DLP, Information Protection, Microsoft Defender, Microsoft Entra ID, and Microsoft 365 audit logs.
  • Risk scores help prioritize investigations.
  • Privacy protections are built into the solution.

10 Practice Exam Questions

Question 1

An employee uploads several confidential engineering documents to a personal cloud storage account shortly before resigning.

Which Microsoft Purview solution is specifically designed to investigate this type of behavior?

A. Microsoft Purview eDiscovery

B. Microsoft Purview Insider Risk Management

C. Microsoft Defender for Cloud Apps

D. Microsoft Intune

Correct Answer: B

Explanation: Insider Risk Management is specifically designed to identify potentially risky insider behavior such as data theft, data leakage, and activities performed by departing employees.


Question 2

Which activity is most likely to increase a user’s insider risk score?

A. Viewing the company homepage

B. Logging into Microsoft Teams during normal working hours

C. Downloading hundreds of confidential files before leaving the company

D. Changing a desktop wallpaper

Correct Answer: C

Explanation: Large-scale downloads of sensitive information—especially by departing employees—are common indicators of insider risk.


Question 3

What is the primary purpose of Insider Risk Management policies?

A. Encrypt all Microsoft 365 data

B. Replace antivirus software

C. Control Microsoft licensing

D. Define which users, activities, and risk indicators should be monitored

Correct Answer: D

Explanation: Policies specify monitored users, monitored activities, thresholds, and investigation settings.


Question 4

Which Microsoft technology helps Insider Risk Management reduce false positives?

A. Static firewall rules

B. Manual investigations only

C. Machine learning and behavioral analytics

D. Network packet inspection

Correct Answer: C

Explanation: Machine learning evaluates user behavior patterns and distinguishes normal activity from potentially risky behavior.


Question 5

What happens after Insider Risk Management determines that user activity exceeds a configured policy threshold?

A. The user account is automatically deleted.

B. The organization’s Microsoft 365 subscription is suspended.

C. All user devices are immediately wiped.

D. An insider risk alert is generated for investigation.

Correct Answer: D

Explanation: Alerts are created when monitored activities exceed policy thresholds and can later be investigated or promoted into cases.


Question 6

Which Microsoft solution provides endpoint signals such as USB usage and local file copying to Insider Risk Management?

A. Microsoft Defender for Endpoint

B. Microsoft Outlook

C. Microsoft Planner

D. Microsoft Bookings

Correct Answer: A

Explanation: Microsoft Defender for Endpoint supplies valuable endpoint telemetry that strengthens insider risk detection.


Question 7

Which statement best describes Microsoft’s approach to employee privacy within Insider Risk Management?

A. Every administrator automatically sees all employee information.

B. Employee privacy protections such as role-based access and pseudonymization are built into the solution.

C. All investigations are anonymous and cannot identify users.

D. Privacy settings cannot be customized.

Correct Answer: B

Explanation: Insider Risk Management incorporates privacy-by-design principles, including role-based access, pseudonymization where supported, and configurable privacy controls.


Question 8

Which scenario is an example of an accidental insider risk?

A. A hacker exploits an internet-facing server.

B. An attacker launches a ransomware attack.

C. An employee mistakenly emails confidential information to the wrong external recipient.

D. A distributed denial-of-service (DDoS) attack targets a website.

Correct Answer: C

Explanation: Insider risks include accidental actions, such as unintentionally sharing sensitive information with unauthorized recipients.


Question 9

What information helps investigators prioritize which alerts should be reviewed first?

A. The user’s mailbox size

B. Microsoft licensing level

C. The user’s department name

D. The insider risk score and alert severity

Correct Answer: D

Explanation: Risk scores and alert severity help investigators focus on the most significant potential threats first.


Question 10

Which Microsoft Purview capability most directly complements Insider Risk Management by identifying and protecting sensitive content through labeling?

A. Microsoft Purview Information Protection

B. Microsoft Exchange Online Protection

C. Microsoft Intune

D. Windows Firewall

Correct Answer: A

Explanation: Microsoft Purview Information Protection classifies and labels sensitive information. Those labels provide valuable context that Insider Risk Management can use when assessing the risk associated with user activities.

