In a previous article, I demonstrated how to monitor risky users flagged by HR, even if your organization hasn’t implemented the HR Data Connector yet. That article laid the groundwork for using IRM policies effectively in this specific scenario.

This follow-up dives deeper into the reasoning behind my choice of the "Data Leaks by Priority Users" policy template over the seemingly more obvious "Data Leaks by Risky Users" policy template.

Microsoft Purview Insider Risk Management provides a "Data Leaks by Risky Users" policy template, which at first glance seems ideal for monitoring HR-flagged users. Even the name screams “risky users”! It offers options to add users or groups to monitor, even without the HR Data Connector.

However, in the absence of the HR Data Connector, I found that this template is not quite suitable for maintaining the compliance and confidentiality required in environments dealing with sensitive HR data.

The Limitations of the "Data Leaks by Risky Users" Template

The biggest concern here is that users flagged by HR should not be exposed to unauthorized individuals. This information is highly sensitive, and mishandling it could lead to compliance violations or overexposure of individuals’ details. Sharing details about flagged users to a broader-than-intended audience can erode privacy safeguards.

Limited Group Options: It relies exclusively on M365 Groups and does not allow the use of Azure AD Security Groups. While M365 Groups are fine for collaboration, Security Groups are better suited for scenarios requiring strict access control. For HR-flagged users, Security Groups offer a more secure “hiding place” to manage sensitive data.

Broad Analyst Access: Policies created using this template can be viewed by Analysts assigned to cases generated by alerts. This creates a risk of exposing sensitive information about flagged users. Additionally, Analysts knowing who the users are could unintentionally introduce bias when reviewing alerts and resolving cases.

Global Reader Visibility: The policy is visible to Global Readers, a role often assigned broadly within organizations. This significantly increases the risk of overexposure, as sensitive information might be accessible to individuals who do not need to see it.

Pseudonymization Issues: The visibility of user details undermines pseudonymization, a critical compliance requirement in many organizations. Revealing flagged users' identities directly goes against the principle of protecting their privacy until necessary.

Manual Maintenance: This template requires manual updates whenever users need to be added or removed. This inefficiency adds administrative overhead and increases the chance of errors.

Why the "Data Leaks by Priority Users" Template is more appropriate

The "Data Leaks by Priority Users" template resolves all the above issues, making it a much better choice for this use case:

Enhanced Confidentiality:I t leverages a globally configured Priority User Group, which is accessible only by highly privileged roles like IRM Administrators and Insider Risk Management roles. This ensures sensitive data remains confidential.

Multiple Group Support: It supports multiple Priority User Groups in a single policy, providing flexibility and scalability. The membership of this groups is not available to those who can view the policy.

Dynamic Group Updates: The policy dynamically updates as users are added or removed from the Priority User Group, eliminating the need for manual modifications.

Compliance Alignment: Pseudonymization is preserved by displaying only the Priority Group name, aligning with compliance requirements and protecting user identities.

This approach ensures flagged users are monitored effectively without risking exposure or creating unnecessary administrative overhead.