Permissions
Overview
This page describes the permissions and access model for the Insider Risk Profiler. The agent uses read-only access to Microsoft Purview Insider Risk Management, Microsoft Defender, and Microsoft Entra ID data through documented Microsoft Graph APIs and Security Copilot plugins. It is designed to analyze insider risk alerts, user risk levels, device compliance, and DLP events without making any modifications to your environment.
How It Works
The agent connects securely to Microsoft Purview and Defender to collect Insider Risk Management (IRM) alerts, identity risk signals, and behavioral telemetry across multiple activity sources such as email, cloud applications, and file operations. It enriches alerts with contextual data from Defender and Entra ID, computes a composite risk score, and generates a prioritized queue with recommendations for investigation and remediation.
All operations follow these core principles:
• Read-only access – The agent does not modify or delete any data.
• Least privilege – Only the minimum permissions required for correlation and enrichment are requested.
• Transparency – All access occurs through documented Microsoft Graph endpoints and can be fully audited through Microsoft Entra activity logs.
Required Entra ID and Purview Roles
Assign the following roles and permissions to the administrator account or managed identity that runs the agent:
• Insider Risk Management Analyst – Provides direct read-only access to Insider Risk Management (IRM) alerts within Microsoft Purview.
• Security Reader – Grants visibility into security alerts, incidents, and behavioral signals across Defender and Sentinel.
• Directory Reader – Enables read-only access to Entra ID user and group metadata for alert correlation and reporting.
• Intune Reader (optional) – Provides device compliance context when analyzing alerts linked to managed endpoints.
These roles adhere to the principle of least privilege and can be scoped to specific datasets or groups as needed.
Data Access Transparency
The table below outlines the data sources accessed by the agent and their purposes:

Data source | Access | Purpose
Insider Risk Management alerts | Read-only | Retrieve alert metadata and generate prioritized risk queues.
Security alerts and incidents | Read-only | Cross-reference Defender data for contextual enrichment.
Risky users and identity events | Read-only | Assess user-level identity risk indicators and compromise likelihood.
Advanced Hunting telemetry | Read-only | Analyze file, email, cloud, and authentication events for behavioral scoring.
DLP policy violations | Read-only | Detect sensitive data handling anomalies and exfiltration patterns.
Device posture and compliance | Read-only (optional) | Enrich user risk profiles with device state information.
Directory user and group data | Read-only | Normalize user identities, correlate assignments, and improve reporting clarity.
Data handling:
• The agent never modifies, creates, or deletes records.
• All processing and enrichment occur within your Microsoft 365 tenant boundary.
• Data access is performed via Microsoft Graph and Security Copilot plugins with delegated or approved application permissions.
• Every access event is logged and traceable through Microsoft Entra audit logs for compliance.
Agent Settings
The agent supports configuration parameters that control the analysis depth, processing scope, and output structure:

Setting | Values | Description
Scope | alerts, users, devices, dlp | Defines which Insider Risk components are included in the analysis.
Mode | quick, standard, deep | Determines the depth of enrichment and correlation.
Time Window | 7, 14, 30 days | Defines how far back alerts and risk events are analyzed.

Mode values:
• quick – Basic triage of alerts using key identity and risk factors.
• standard – Balanced enrichment and scoring across identity, activity, and DLP data (recommended).
• deep – Full multi-source enrichment including device posture and anomaly analysis.
Ensure the assigned identity or administrator account has all required roles and data source permissions before initiating an analysis.
Security and Compliance Considerations
All communication between the agent, Microsoft Graph, and Defender APIs is secured using HTTPS and authenticated with Microsoft identity services.
The agent adheres to Microsoft’s Zero Trust and least privilege design principles.
Permissions can be reviewed, restricted, or revoked at any time through Microsoft Entra role assignments or application consent management.
No data is written or modified during analysis, ensuring complete operational safety and compliance integrity.
Next Steps
• Confirm that the required roles (Insider Risk Management Analyst, Security Reader, and Directory Reader) are assigned to the account or identity executing the agent.
• Verify Microsoft Purview and Defender data access via Microsoft Graph permissions.
• Review your organization’s data governance and role assignment policies prior to enabling the agent in production.
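The script below is an added example for carrying out the checks above; it is not part of the Insider Risk Profiler documentation or the agent's own code. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, that the caller can consent to the read-only Graph scopes it requests, and that $AgentPrincipalId is the object id of the user, service principal, or managed identity that runs the agent. It verifies the Entra roles named in this page (the page's "Directory Reader" is the built-in role Entra displays as "Directory Readers"), flags any directory role or Microsoft Graph application permission that goes beyond the documented read-only set, lists recent role-management audit events that targeted the identity, and prints the membership of the Purview "Insider Risk Management Analysts" role group (that role group name is an assumption to confirm in your tenant's Purview portal).

```powershell
<#
Added example, not part of the Insider Risk Profiler documentation or code.
Checks the identity that runs the agent against the permissions this page describes.
Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules are installed; the
caller can consent to the read-only scopes requested below; the Purview role group
name in step 4 is confirmed against your tenant.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $AgentPrincipalId,   # object id of the user, service principal, or managed identity running the agent
    [int] $AuditDays = 30         # look-back for role changes; matches the longest agent time window on this page
)

Import-Module Microsoft.Graph.Identity.Governance, Microsoft.Graph.Applications, Microsoft.Graph.Reports

# Read-only scopes only: the check itself follows the same least-privilege model as the agent.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Entra built-in role template ids for the roles this page requires.
# The page's "Directory Reader" is the built-in role displayed as "Directory Readers".
$RequiredRoles = @{
    'Security Reader'   = '5d6b6bb7-de71-4623-b4af-96380a352509'
    'Directory Readers' = '88d8e3e3-8f55-4a1e-953a-9b9898b8876b'
}

# 1. Directory role assignments held by the identity, resolved to role name and assignment scope.
$assigned = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$AgentPrincipalId'" -All |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ Role = $def.DisplayName; TemplateId = $def.TemplateId; Scope = $_.DirectoryScopeId }
    }

foreach ($name in $RequiredRoles.Keys) {
    $hit = $assigned | Where-Object TemplateId -eq $RequiredRoles[$name]
    if ($hit) { "OK       $name (scope: $($hit.Scope -join ', '))" } else { "MISSING  $name" }
}
# Any role outside the documented set widens the agent's blast radius and should be reviewed.
$assigned | Where-Object { $_.TemplateId -notin $RequiredRoles.Values } |
    ForEach-Object { "REVIEW   extra role '$($_.Role)' at scope $($_.Scope)" }

# 2. Microsoft Graph application permissions (only applies to a service principal or managed identity).
$sp = Get-MgServicePrincipal -ServicePrincipalId $AgentPrincipalId -ErrorAction SilentlyContinue
if ($sp) {
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object ResourceId -eq $graphSp.Id |
        ForEach-Object {
            $perm = ($graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value
            # Read-only Graph permissions end in .Read or .Read.All; anything else contradicts the read-only model.
            $flag = if ($perm -match '\.Read(\.All)?$') { 'OK     ' } else { 'REVIEW ' }
            "$flag  Graph application permission $perm"
        }
}

# 3. Role-management audit events that targeted the identity, so any permission change is visible.
$since = (Get-Date).ToUniversalTime().AddDays(-$AuditDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $since" -All |
    Where-Object { $_.TargetResources.Id -contains $AgentPrincipalId } |
    ForEach-Object { "AUDIT    $($_.ActivityDateTime.ToString('u')) $($_.ActivityDisplayName) by $($_.InitiatedBy.User.UserPrincipalName)" }

# 4. Insider Risk Management Analyst is a Purview role group, not an Entra role, so it is checked
#    through the Security & Compliance PowerShell session. Role group name is an assumption.
Connect-IPPSSession
Get-RoleGroupMember -Identity 'Insider Risk Management Analysts' | Select-Object Name, DisplayName
```

Run it as .\Check-AgentPermissions.ps1 -AgentPrincipalId <object id>. Each OK, MISSING, or REVIEW line maps to a role or permission named on this page, and the AUDIT lines show who changed the identity's roles and when, so the output can be kept as the record for the governance review recommended above.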