Purview: Insider Risk Management Coverage Review

SKILL.md (paste into Microsoft 365 Copilot or Claude)
---
name: Insider Risk Management Coverage Review
description: Audit Microsoft Purview Insider Risk Management policy and indicator coverage to surface gaps and tuning opportunities, read-only.
---

# Insider Risk Management Coverage Review

> **TL;DR:** This skill inspects your Microsoft Purview Insider Risk Management policies, indicators and triggers, then produces a prioritised coverage and tuning report so risky activity such as data theft or leaks does not go undetected.

## What is Microsoft Purview Insider Risk Management coverage?

Microsoft Purview Insider Risk Management uses policies, signals and machine learning to detect, investigate and act on potentially risky activity by users across Microsoft 365, including data theft by departing users, data leaks and security policy violations. Coverage describes which insider risk scenarios are watched, which indicators and triggering events are enabled, and how those signals connect to sources such as Microsoft Entra, DLP, Microsoft Defender and Microsoft 365 audit logs. This skill reviews that coverage so blind spots and noisy indicators are made visible before they become incidents.

## When should you run this skill?

- "Show me which Insider Risk Management policies are actually configured and active."
- "Are we covering departing-user data theft and accidental data leaks?"
- "Which insider risk indicators are switched off and leaving us exposed?"
- "Review our Purview insider risk coverage before the next audit."
- "Why are our insider risk alerts so noisy and how do we tune them?"
- "Map our insider risk policies to Essential Eight and ISM expectations."
- "Has anyone reviewed Insider Risk Management since we onboarded new connectors?"

## How this skill works, step by step

1. Connect read-only to Microsoft Purview and enumerate every Insider Risk Management policy, its template, scope and status.
2. Inspect the indicators and triggering events enabled for each policy, noting which indicator categories are disabled.
3. Review connected signal sources, including Microsoft Entra leavers, DLP policies, Microsoft Defender alerts and HR connectors, to confirm triggers can fire.
4. Check policy scoping against user and group membership to find users or departments with no insider risk coverage.
5. Assess alert volume, severity thresholds and the indicator weighting that drives each policy.
6. Compare the configured estate against the standard insider risk scenarios such as data theft, data leaks and security violations to identify missing scenarios.
7. Derive a risk score for each finding by weighting scenario severity, the share of in-scope users covered and whether triggering signals are connected.
8. Rank findings from highest to lowest residual risk and attach a concise remediation recommendation to each.
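The steps above are a procedure, so here is one way to carry steps 2 to 8 through in working code. This is an added example written for this page, not part of the SKILL.md and not Microsoft tooling. It runs the coverage check, the risk weighting from step 7 and the ranking from step 8 over a constructed policy inventory and produces a report in the shape described under Output format. The inventory is sample data embedded inline; in a live review the policy list would come from the Security and Compliance PowerShell module (for example `Connect-IPPSSession` followed by `Get-InsiderRiskPolicy`), and the property names used below (`Scenario`, `Enabled`, `DisabledIndicators`, `TriggerConnected`, `InScopeGroups`) are an assumption that must be mapped onto whatever that cmdlet actually returns in your tenant. The weighting formula inside `Get-ResidualRisk` is likewise an illustrative assumption, not the skill's own formula. Nothing here writes to the tenant.

```powershell
# Added example, not from the SKILL.md: score and rank insider risk coverage findings.
# Everything below is CONSTRUCTED sample data; property names are an ASSUMPTION about
# what Get-InsiderRiskPolicy returns and must be checked against your tenant.

# Standard scenarios named on the page, each with a severity weight (3 = highest).
$StandardScenarios = [ordered]@{
    'Data theft by departing users' = 3
    'Data leaks'                    = 2
    'Security policy violations'    = 2
}

# Constructed policy inventory: one object per configured policy.
$Policies = @(
    [pscustomobject]@{ Name = 'Leak-AllStaff'; Scenario = 'Data leaks'; Enabled = $true
                       DisabledIndicators = @('Cloud egress', 'USB copy'); TriggerConnected = $true
                       InScopeGroups = @('AllStaff') }
    [pscustomobject]@{ Name = 'SecViol-IT'; Scenario = 'Security policy violations'; Enabled = $false
                       DisabledIndicators = @(); TriggerConnected = $true
                       InScopeGroups = @('IT') }
)

# Constructed group sizes; groups are treated as disjoint for the coverage maths.
$GroupSizes = [ordered]@{ AllStaff = 1000; IT = 40; Finance = 240 }
$TotalUsers = ($GroupSizes.Values | Measure-Object -Sum).Sum   # 1280

function Get-ResidualRisk {
    # Illustrative weighting (an assumption, not the skill's formula):
    # severity x (uncovered share + 0.5 if no connected trigger + 0.25 per disabled indicator).
    param([int]$Severity, [double]$CoveredShare, [bool]$TriggerConnected, [int]$DisabledIndicators)
    $penalty = 1 - $CoveredShare
    if (-not $TriggerConnected) { $penalty += 0.5 }
    $penalty += 0.25 * $DisabledIndicators
    $score = [math]::Round($Severity * $penalty, 2)
    $band  = if ($score -ge 2) { 'High' } elseif ($score -ge 0.5) { 'Medium' } else { 'Low' }
    [pscustomobject]@{ Score = $score; Band = $band }
}

function New-Finding {
    param([string]$Area, [string]$Observation, [object]$Risk, [string]$Recommendation)
    [pscustomobject]@{ 'Coverage Area' = $Area; Observation = $Observation; Risk = $Risk.Band
                       Score = $Risk.Score; Recommendation = $Recommendation }
}

$findings = @()
$coveredScenarios = 0

# Steps 2, 3, 6 and 7: one finding per standard scenario.
foreach ($scenario in $StandardScenarios.Keys) {
    $active   = @($Policies | Where-Object { $_.Scenario -eq $scenario -and $_.Enabled })
    $covered  = 0
    foreach ($p in $active) { foreach ($g in $p.InScopeGroups) { $covered += $GroupSizes[$g] } }
    $share    = [math]::Min(1.0, $covered / $TotalUsers)
    $trigger  = @($active | Where-Object TriggerConnected).Count -gt 0
    $disabled = @($active | ForEach-Object { $_.DisabledIndicators }).Count
    $risk     = Get-ResidualRisk -Severity $StandardScenarios[$scenario] -CoveredShare $share -TriggerConnected $trigger -DisabledIndicators $disabled

    if ($active.Count -eq 0) {
        $obs = 'No active policy uses this template'
        $rec = "Create an active policy from the '$scenario' template and connect its trigger"
    } else {
        $coveredScenarios++
        $obs = '{0} active polic(ies); {1:P0} of users in scope; {2} indicator(s) disabled' -f $active.Count, $share, $disabled
        $rec = if ($disabled -gt 0) { 'Enable the disabled indicators and re-baseline alert thresholds' } else { 'Review scope and thresholds at the next cycle' }
    }
    if (-not $trigger) { $obs += '; triggering signal not connected' }
    $findings += New-Finding -Area $scenario -Observation $obs -Risk $risk -Recommendation $rec
}

# Step 4: groups that no active policy scopes at all.
$coveredGroups  = @($Policies | Where-Object Enabled | ForEach-Object { $_.InScopeGroups })
$uncovered      = @($GroupSizes.Keys | Where-Object { $coveredGroups -notcontains $_ })
$uncoveredUsers = 0
foreach ($g in $uncovered) { $uncoveredUsers += $GroupSizes[$g] }
if ($uncovered.Count -gt 0) {
    $risk = Get-ResidualRisk -Severity 3 -CoveredShare (1 - $uncoveredUsers / $TotalUsers) -TriggerConnected $true -DisabledIndicators 0
    $obs  = "$uncoveredUsers users in $($uncovered -join ', ') out of scope of any active policy"
    $findings += New-Finding -Area 'Policy scoping' -Observation $obs -Risk $risk -Recommendation 'Extend policy scope to the uncovered groups and review weekly'
}

# Step 8: rank highest to lowest residual risk, then print the short summary.
$ranked = $findings | Sort-Object Score -Descending
$ranked | Format-Table 'Coverage Area', Observation, Risk, Recommendation -Wrap

$activeCount = @($Policies | Where-Object Enabled).Count
'Policies reviewed: {0} ({1} active, {2} disabled)' -f $Policies.Count, $activeCount, ($Policies.Count - $activeCount)
'Standard scenarios covered: {0} of {1}' -f $coveredScenarios, $StandardScenarios.Count
'Users with at least one active policy: {0:P0}' -f (($TotalUsers - $uncoveredUsers) / $TotalUsers)
'Top findings: ' + (($ranked | Select-Object -First 3).'Coverage Area' -join '; ')
```

With the constructed data the departing-user scenario ranks first (no policy and no trigger), the disabled security-violation policy second, the data-leak policy with two indicators switched off third, and the 280 users in groups no active policy scopes fourth. The point of keeping the weighting in one small function is that tuning it (say, penalising a missing leaver trigger more heavily) changes the ranking without touching the collection logic.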

## Output format

The skill returns a structured coverage report. The table below lists each finding with its area, observation, derived risk and recommended action.

| Coverage Area | Observation | Risk | Recommendation |
| --- | --- | --- | --- |
| Departing user data theft | No policy uses the data theft by departing users template; Entra leaver signal not connected | High | Create the departing-user policy and connect the HR or Entra leaver trigger |
| Data leak indicators | Policy active but cloud egress and USB indicators disabled | Medium | Enable the disabled indicators and re-baseline alert thresholds |
| Policy scoping | 240 finance users out of scope of any insider risk policy | High | Extend policy scope to the finance group and review weekly |

A short summary accompanies the table:

- Total policies reviewed and how many are active versus disabled.
- Count of standard insider risk scenarios covered against the full set.
- Percentage of in-scope users with at least one active policy.
- The three highest residual-risk findings to prioritise first.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, policies, indicators or user scoping. It only reads configuration and reports on it.

This skill does NOT:

- Create, edit, enable or disable any Insider Risk Management policy or indicator.
- Open, resolve or alter insider risk cases, alerts or investigations.
- Read the content of user files, messages or the detailed activity of named individuals.
- Change scoping, role assignments, connectors or signal sources.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Insider Risk Management policies and indicators | Microsoft 365 E5 or E5 Compliance (or the Insider Risk Management add-on) |
| Connected DLP and Microsoft 365 audit signals | Microsoft 365 E5 or E5 Compliance |

### Least-privilege roles

- Insider Risk Management Readers or Insider Risk Management Analysts for read-only review of policies and indicators.
- Global Reader or Compliance Data Administrator for broad read access to compliance configuration.

### Microsoft Graph permissions (read-only)

- Insider Risk Management is administered through the Microsoft Purview portal and the Security and Compliance PowerShell module rather than Microsoft Graph, so this skill reads configuration via those interfaces and does not require app-level Graph scopes.
- Where audit context is also reviewed, `AuditLog.Read.All` may apply to read Microsoft 365 unified audit log entries.

## Sources and compliance

- [Insider risk management](https://learn.microsoft.com/en-us/purview/insider-risk-management)
- [Insider risk management policies](https://learn.microsoft.com/en-us/purview/insider-risk-management-policies)
- Supports the ASD Essential Eight by strengthening monitoring and detection that underpins data exfiltration defence; see the [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model).
- Aligns with ISM event logging and monitoring controls by validating that insider risk signals are collected and acted upon.
- Output in Australian English.
How to use this skill
  1. Get the file. Download or copy the SKILL.md from the panel above.
  2. Load it into your host:
    • Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
    • Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
    • Any chat host — paste the file contents as your prompt.
  3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the skill's Licensing and permissions section.
  4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
  5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0 by Educ4te.