Explore adaptive protection in Microsoft Purview

Adaptive protection in Microsoft Purview uses machine learning to identify the most critical risks and proactively and dynamically apply protection controls from DLP and Conditional Access policies. Integration with DLP and Conditional Access can help organizations automate their response to insider risks and reduce the time required to identify and remediate potential threats. When organizations apply the capabilities of all three solutions, they can create a more comprehensive security framework that addresses both internal and external threats.

Adaptive protection helps mitigate potential risks by using:

  • Context-aware detection. Helps identify the most critical risks with machine learning-driven analysis of both content and user activities.
  • Dynamic controls. Helps enforce effective controls on high-risk users while others maintain productivity.
  • Automated mitigation. Helps to minimize the effect of potential data security incidents and reduce admin overhead.

Adaptive protection dynamically assigns appropriate Microsoft Purview DLP and Microsoft Entra Conditional Access policies to users based on the risk levels defined and analyzed by the machine learning models in insider risk management. Policies become adaptive based on user context. This design ensures two things:

  • Microsoft Purview only applies the most effective policy, such as blocking data sharing through DLP or blocking application access through Conditional Access, to high-risk users.
  • Low-risk users maintain productivity.

DLP and Conditional Access policy controls constantly adjust. As such, when a user's risk level changes, Microsoft Purview dynamically applies an appropriate policy to match the new risk level.

Important

Insider risk management is currently available in tenants hosted in geographical countries/regions supported by Azure service dependencies. To verify that the insider risk management solution is supported for your organization, see Azure dependency availability by country/region. Insider risk management is available for commercial clouds but isn't available for US Government cloud programs at this time.

Risk levels and preventive controls

With adaptive protection, administrators can configure the risk factors or activities for customizable risk levels based on your organization's needs. The risk levels for adaptive protection update continuously and automatically based on the users' risk factors and insights. As such, when users' data security risks increase or decrease, their risk levels are adjusted accordingly. Based on the risk levels, DLP policies and Conditional Access policies automatically apply the right level of preventive controls as configured by admins (such as block, block with override, or warning).

Depending on the insider risk management policy assigned in adaptive protection, different criteria (users, groups, indicators, thresholds, etc.) are used to determine applicable risk levels. Risk levels are based on user insights, not solely on the number of instances of specific user activities. Insights are a calculation of the aggregate number of activities and the severity level of these activities.

For example, User A's risk level wouldn't be determined simply by User A performing a potentially risky activity more than three times. Instead, it would be determined by an insight into the aggregate number of activities, with risk scores assigned to the activity based on the thresholds configured in the selected policy.

Risk levels

Risk levels in adaptive protection define how risky a user's activity is and can be based on criteria such as how many exfiltration activities they performed or whether their activity generated a high severity insider risk alert. These risk levels have built-in risk level definitions, but these definitions can be customized as needed:

  • Elevated risk level. The elevated risk level is the highest risk level. It includes built-in definitions for users with high severity alerts, users with at least three sequence insights that each have a high severity alert for specific risk activities, or one or more confirmed high severity alerts.
  • Moderate risk level. The moderate risk level includes built-in definitions for users with medium severity alerts or users with at least two data exfiltration activities with high severity scores.
  • Minor risk level. The lowest risk level includes built-in definitions for users with low severity alerts or users with at least one data exfiltration activity with a high severity score.

For a risk level to be assigned to a user, the number of insights and the severity assigned to the activity need to match the definition for the risk level. The number of activities for an insight might be a single activity or multiple activities accruing to the single insight. The number of insights is evaluated against the risk level definition, not the number of activities contained in an insight.

For example, suppose the conditions in the insider risk management policy assigned to adaptive protection are scoped for identifying downloads from SharePoint sites in your organization. If the policy detects that a user downloaded 10 files from a SharePoint site in a single day that are determined to be high severity, this action would count as a single insight that consists of 10 activity events. In order for this activity to qualify for assigning an Elevated risk level to the user, two other insights (with high severity) would be required for the user. The other insights might contain one or more activities.
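The following Python is an added illustration of the insight-versus-activity rule described above; it is not code from the page or from Microsoft. It rolls constructed activity events up into insights (assumed here to be one insight per user, day and activity type), then applies a simplified form of the built-in definitions: an Elevated level for a high severity alert or at least three high severity insights, Moderate for a medium severity alert or two, Minor for a low severity alert or one. The user names, activity types and rollup rule are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ActivityEvent:
    user: str
    day: str        # ISO date on which the activity occurred
    activity: str   # activity type, e.g. "sharepoint_download" (hypothetical names)
    severity: str   # "low", "medium" or "high", as scored by the policy thresholds


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def aggregate_insights(events):
    """Roll individual activity events up into insights.

    Assumption for this example: one insight per (user, day, activity type).
    Each insight records how many events it contains and the highest severity
    among them, so 10 high severity downloads in one day become ONE insight.
    """
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev.user, ev.day, ev.activity)].append(ev)
    insights = defaultdict(list)
    for (user, day, activity), evs in sorted(buckets.items()):
        top = max(evs, key=lambda e: SEVERITY_RANK[e.severity]).severity
        insights[user].append({"day": day, "activity": activity,
                               "activity_count": len(evs), "severity": top})
    return dict(insights)


def assign_risk_level(user_insights, alert_severities=()):
    """Simplified built-in definitions: the level depends on the number of
    high severity INSIGHTS (not events) and on any alert severities raised."""
    high_insights = sum(1 for i in user_insights if i["severity"] == "high")
    if "high" in alert_severities or high_insights >= 3:
        return "Elevated"
    if "medium" in alert_severities or high_insights >= 2:
        return "Moderate"
    if "low" in alert_severities or high_insights >= 1:
        return "Minor"
    return None  # no risk level assigned; no adaptive policy applies


def risk_levels(events, alerts_by_user=None):
    """Map every user seen in the events or alerts to a risk level (or None)."""
    alerts_by_user = alerts_by_user or {}
    insights = aggregate_insights(events)
    users = set(insights) | set(alerts_by_user)
    return {u: assign_risk_level(insights.get(u, []), alerts_by_user.get(u, ()))
            for u in sorted(users)}


# Constructed sample input: alice mirrors the worked example in the text
# (10 downloads in one day = one insight); bob adds two more high severity
# insights on other days; carol only has low severity activity.
SAMPLE_EVENTS = (
    [ActivityEvent("alice", "2024-05-01", "sharepoint_download", "high") for _ in range(10)]
    + [ActivityEvent("bob", "2024-05-01", "sharepoint_download", "high") for _ in range(10)]
    + [ActivityEvent("bob", "2024-05-02", "usb_copy", "high"),
       ActivityEvent("bob", "2024-05-03", "email_external", "high"),
       ActivityEvent("carol", "2024-05-01", "sharepoint_download", "low"),
       ActivityEvent("carol", "2024-05-02", "sharepoint_download", "low")]
)

if __name__ == "__main__":
    for user, level in risk_levels(SAMPLE_EVENTS).items():
        print(f"{user}: {level}")
```

Running the block shows alice at Minor despite 10 events, because those events form a single insight, while bob reaches Elevated with three separate high severity insights; passing an alert severity for a user (for example a medium severity alert for carol) raises the level independently of the insight count.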

Customizing risk levels

Custom risk levels allow you to create risk levels based on your organization's needs. You can customize criteria that the risk level is based on, and then define conditions to control when the risk level is assigned to users. Consider the following examples for using adaptive protection together with DLP and Conditional Access policies:

  • DLP policies:
    • Allow users with the Minor or Moderate risk level to receive policy tips and education on best practices for handling sensitive data. In this way, you can influence positive behavior changes over time and reduce organizational data risks.
    • Block users with the Elevated risk level from saving or sharing sensitive data to minimize the effect of potential data incidents.
  • Conditional Access policies:

Adaptive protection integration with DLP

Adaptive Protection in Microsoft Purview integrates Microsoft Purview Insider Risk Management with Microsoft Purview Data Loss Prevention (DLP). When insider risk management identifies a user who is engaging in risky behavior, they're dynamically assigned to an insider risk level. In turn, adaptive protection can automatically create a DLP policy to help protect the organization against the risky behavior that's associated with that insider risk level. As users' insider risk levels change in insider risk management, the DLP policies applied to users can adjust.

Diagram showing how adaptive protection in DLP integrates Insider Risk Management with Microsoft Purview DLP.

Note

You can also manually create DLP policies that help protect against risky behaviors that insider risk identifies.

Additional reading. For more information about Adaptive Protection and how to configure it, see Help dynamically mitigate risks with Adaptive Protection (preview).

Configure adaptive protection

Depending on the needs of your organization, or on how far you've already configured insider risk management, DLP, and Conditional Access, you have two options to get started with adaptive protection:

  • Quick setup
  • Custom setup

Quick setup

The Quick setup option is the fastest way to get started with adaptive protection. With this option, you don't need any pre-existing insider risk management, DLP, or Conditional Access policies, and you don't need to preconfigure any settings or features. If your organization doesn't have a current subscription or license that supports insider risk management or DLP, sign up for a Microsoft Purview risk and compliance solutions trial before starting the quick setup process. You can also sign up for a Microsoft Entra trial.

You can get started by selecting Turn on Adaptive Protection from the adaptive protection cards on the DLP Overview page. You can also get started with the quick setup process by going to Insider risk management > Adaptive Protection > Dashboard > Quick setup.

Note

If you're already a scoped admin for Microsoft Purview, you can't turn on quick setup.

The following table identifies what's configured when you use the quick setup process for adaptive protection:

Insider risk settings (if not already configured)
- Privacy: Show anonymized versions of user names. Note: User names aren't anonymized in Conditional Access or DLP
- Policy timeframes: Defaults
- Policy indicators: A subset of Office indicators (you can view them in Insider Risk Management settings)
- Risk score boosters: All
- Intelligent Detections: Alert Volume = Default volume
- Analytics: On
- Admin notifications: Send notification email when first alert is generated to all

Insider risk settings (if already configured)
- Policy indicators: Office indicators not already configured (you can view them in Insider Risk Management settings).
- All other settings previously configured aren't updated or changed.
- Analytics: On (thresholds for triggering events in policies are the default settings determined by Analytics recommendations.)

A new insider risk policy
- Policy template: Data leaks
- Policy name: Adaptive Protection policy for Insider Risk Management
- Policy scope for users and groups: All users and groups
- Priority content: None
- Triggering events: Selected exfiltration events (you can view them in Insider Risk Management settings)
- Policy indicators: A subset of Office indicators (you can view them in Insider Risk Management settings)
- Risk score boosters: Activity is greater than the user's usual activity for that day

Adaptive protection risk levels
- Elevated risk level: Users must have at least three high severity exfiltration sequences
- Moderate risk level: Users must have at least two high severity activities (excluding some types of downloads)
- Minor risk level: Users must have at least one high severity activity (excluding some types of downloads)

Two new DLP policies

Adaptive Protection policy for Endpoint DLP
- Elevated risk level rule: Blocked
- Moderate/Minor risk level rule: Audit
- Policy starts in test mode (audit only)

Adaptive Protection policy for Teams and Exchange DLP
- Elevated risk level rule: Blocked
- Moderate/Minor risk level rules: Audit
- Policy starts in test mode (audit only)

New Conditional Access policy (created in Report-only mode so users won't get blocked)

1-Block access for users with Insider Risk (Preview)
- Included users: All users
- Excluded guest or external users: B2bDirectConnect User; OtherExternalUser; ServiceProvider
- Cloud apps: All apps
- Insider risk levels: Elevated
- Block access: Selected

Administrators receive a notification email once the quick setup process is completed. However, once the setup is finished, it can take up to 72 hours before:

  • Analytics are completed.
  • The associated insider risk management, DLP, and Conditional Access policies are created.
  • Adaptive protection risk levels, DLP, and Conditional Access actions are applied to applicable user activities.

If quick setup is used to configure Adaptive Protection in insider risk, the setup process automatically creates the following two DLP policies:

  • A DLP policy for Teams and Exchange Online
  • A DLP policy for Devices

Both DLP policies include two rules: one for the elevated risk profile and one for the moderate and minor insider risk levels.
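The following Python is an added example, not code from the page or from Microsoft, that models the quick-setup DLP and Conditional Access policies described above and shows why they are safe to enable: because the DLP policies start in test mode and the Conditional Access policy in report-only mode, an Elevated user is only audited until an administrator switches enforcement on. The pending_enforcement function lists what would change at that point, which is the review a practitioner would want before leaving test mode. Policy names are taken from the page; the user names, risk levels and the policy/rule data model are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class DlpPolicy:
    name: str
    rules: dict             # risk level -> configured action ("Block" or "Audit")
    test_mode: bool = True  # quick setup starts each DLP policy in test mode (audit only)


@dataclass
class ConditionalAccessPolicy:
    name: str
    blocked_levels: frozenset  # insider risk levels for which access is blocked
    report_only: bool = True   # quick setup creates the policy in report-only mode


def dlp_outcome(policy, risk_level):
    """Configured versus enforced action of one DLP policy for a user at risk_level.
    Returns None when no rule targets that level (e.g. no level assigned)."""
    configured = policy.rules.get(risk_level)
    if configured is None:
        return None
    enforced = "Audit" if policy.test_mode else configured
    return {"policy": policy.name, "configured": configured, "enforced": enforced}


def ca_outcome(policy, risk_level):
    """Report-only Conditional Access records the decision but never blocks."""
    configured = "Block" if risk_level in policy.blocked_levels else "Allow"
    enforced = "Allow" if policy.report_only else configured
    return {"policy": policy.name, "configured": configured, "enforced": enforced}


def pending_enforcement(dlp_policies, ca_policies, user_levels):
    """(user, policy, configured action) triples where the configured action is
    not yet enforced, i.e. what changes once test/report-only mode is turned off."""
    pending = []
    for user, level in sorted(user_levels.items()):
        outcomes = ([dlp_outcome(p, level) for p in dlp_policies]
                    + [ca_outcome(p, level) for p in ca_policies])
        for o in outcomes:
            if o is not None and o["configured"] != o["enforced"]:
                pending.append((user, o["policy"], o["configured"]))
    return pending


def enforce(dlp_policies, ca_policies):
    """Copies of the policies with test mode and report-only mode switched off."""
    return ([DlpPolicy(p.name, p.rules, test_mode=False) for p in dlp_policies],
            [ConditionalAccessPolicy(p.name, p.blocked_levels, report_only=False)
             for p in ca_policies])


# Quick-setup defaults as listed in the page's configuration table.
QUICK_SETUP_DLP = [
    DlpPolicy("Adaptive Protection policy for Endpoint DLP",
              {"Elevated": "Block", "Moderate": "Audit", "Minor": "Audit"}),
    DlpPolicy("Adaptive Protection policy for Teams and Exchange DLP",
              {"Elevated": "Block", "Moderate": "Audit", "Minor": "Audit"}),
]
QUICK_SETUP_CA = [
    ConditionalAccessPolicy("1-Block access for users with Insider Risk (Preview)",
                            frozenset({"Elevated"})),
]

# Constructed sample risk levels for hypothetical users; None = no level assigned.
SAMPLE_LEVELS = {"alice": "Minor", "bob": "Elevated", "carol": None}

if __name__ == "__main__":
    for user, policy, action in pending_enforcement(QUICK_SETUP_DLP, QUICK_SETUP_CA, SAMPLE_LEVELS):
        print(f"{user}: '{policy}' would {action} once enforcement is turned on")
```

With the quick-setup defaults, only the Elevated user appears in the pending list (once per DLP policy and once for the Conditional Access policy); Minor users are audited either way, and users with no level are not matched by any rule. After enforce() the list is empty because configured and enforced actions coincide.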

Insider risk management presents a view of just the DLP policies that use the "Insider risk level for adaptive protection is" condition. Open Microsoft Purview compliance portal > Insider risk management > Adaptive protection (preview) to see the list. You must be assigned one of these roles to access the insider risk node:

  • Compliance administrator
  • Compliance Data administrator
  • Organization management (Users who aren't Global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365)
  • Global administrator
  • DLP compliance management
  • View-only DLP compliance management

Custom setup

The custom setup option allows you to customize the insider risk management policy, the risk levels, and the DLP and Conditional Access policies configured for adaptive protection. This option also allows you to configure these items before actually enabling the adaptive protection connections between insider risk management and DLP. In most cases, this option should be used by organizations that already have insider risk management and/or DLP policies in place. For more information on custom setup, see Help dynamically mitigate risks with adaptive protection (preview).