Limits in insider risk management
Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Insider risk management uses the following built-in limits to optimize the user experience.
Item limits
The following tables provide limits by product area.
Global settings
Item | Limit |
---|---|
Lookback period limits (Exchange Online) | 10 days |
Lookback period limits for all other signals | 90 days |
Maximum number of items in each global exclusion list (Domains, SharePoint sites, File paths, Keywords, and File types) | 500 for each list |
Maximum number of items in a detection group | 200 |
Maximum number of custom indicators | 10 |
Maximum number of fields per custom indicator | 20 |
Maximum number of variants per indicator | 3 |
Maximum number of users that can be added to a priority user group | 10K |
Triggers (per UTC calendar day)
Item | Limit |
---|---|
User account deleted from Microsoft Entra ID | 15K |
All signals collected through the HR connector | 15K |
Custom indicators | 15K |
All other triggers | 5K |
Maximum trigger volume for an organization | 50K |
Note
Limitations are per individual trigger type.
Maximum number of users in scope of a policy template
Note
There's no limit to the maximum number of users that you can add to a policy. The limit is for users in scope of a policy template (users brought in scope after a triggering event).
Other policy limits
Item | Limit |
---|---|
Maximum number of policies that can be created per template type | 20 |
Maximum number of priority sites | 50 |
Maximum number of priority sensitivity labels | 50 |
Maximum number of priority sensitive info types | 50 |
Maximum number of priority file extensions | 50 |
Maximum number of priority trainable classifiers | 5 |
Adaptive protection
Item | Limit |
---|---|
Maximum number of users that can be scoped into a DLP policy for each risk level | 10,000 |
Manual user scoring
Item | Limit |
---|---|
Maximum number of users that can be scored manually | 4K |
Cases
Item | Limit |
---|---|
Maximum number of active cases | 100 |
Exporting
Item | Limit |
---|---|
Maximum number of users that can be exported from the Users page | 1000 |
Maximum number of alerts that can be exported from the Alerts page | 1000 |
Maximum number of logs that can be exported to a CSV file from Activity explorer | 100K |
Retention limits for alerts, cases, and associated artifacts
As insider risk management alerts age, their value in minimizing potentially risky activity diminishes for most organizations. Conversely, active cases and their associated artifacts (alerts, insights, activities) remain valuable to organizations and shouldn't have an automatic expiration date. This includes all future alerts and artifacts in an active status for any user associated with an active case.
To help minimize the number of older items that provide limited current value, the following retention limits apply for insider risk management alerts, cases, and user reports:
Item | Retention period |
---|---|
Alerts with Needs review status | 120 days from alert creation, then automatically deleted |
Active cases (and associated artifacts) | Indefinite retention, never expire |
Resolved cases (and associated artifacts) | 120 days from case resolution, then automatically deleted |
User activities reports | 120 days from report creation, then automatically deleted |
Connectors
Item | Limit |
---|---|
Maximum number of records in the JSON file that can be processed by the API | 50K |