Microsoft Purview: IRM RBAC Change (related to Data Security Investigations) Preview [MC1041756]

Microsoft Purview Insider Risk Management (IRM) will be adding a new role–Data Security Investigation Contributor–to the Insider Risk Management Investigators role group. This will allow members of the Insider Risk Management Investigators role group to launch a Data Security Investigation (DSI) from an IRM case.

DSI is a new AI-powered solution that enables data security teams to identify incident-related data, conduct deep content analysis, and mitigate risk within one unified solution. DSI enables data security admins to efficiently identify incident-relevant content by searching their Microsoft 365 data estate to locate emails, Teams messages, Copilot prompts and responses, and documents. Once the investigation is scoped, DSI’s generative AI capabilities allow admins to gain deeper insights into the impacted data, revealing critical security risks and sensitive information. Investigative capabilities include the ability to categorize evidence, perform vector searches, and examine impacted data for security and sensitive data risks. DSI visualizes correlations between investigation data, users, and their activities. To mitigate identified risks, DSI facilitates secure collaboration between partner teams. Post-investigation learnings can be used to refine existing policies to strengthen an organization’s security practices.

The integration between IRM and DSI allows an IRM investigator to identify when a risky user needs deeper investigation to launch a pre-scoped investigation directly from the user activity pane, allowing them to view content analysis related to that user and better assess post-incident data impact.

This message is associated with roadmap ID 485707. 

[When this will happen:]

Public Preview (Worldwide): We will begin rolling out early April 2025 and expect to complete by late April 2025.

General Availability (Worldwide): We will begin rolling out in mid-June 2025 and expect to complete by mid-July 2025.

[How this will affect your organization:]

With this update, members of the Insider Risk Management Investigators role group will be able to create Data Security Investigations from an Insider Risk Management case. Members of the Insider Risk Management Investigators role group will not be able to view the Data Security Investigation unless they are assigned the Data Security Investigation Investigator role.

[What you need to do to prepare:]

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your admins about this change and update any relevant documentation.

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

You can access the Insider Risk Management solution in the Microsoft Purview compliance portal.