Frontrow Technology
Guide

Purview — Insider Risk

Insider Risk Management: the Australian mid-market starter playbook

Microsoft Purview Insider Risk Management policy templates, signal sources, integration with HR, and the practical AU rollout sequence — for organisations facing Privacy Act, OAIC and Fair Work obligations.

Daniel Brown · Last reviewed 23 May 2026 · 9 min read

Insider Risk Management is the Microsoft Purview workload that most AU mid-market tenants already own (it is included in Microsoft 365 E5 and E5 Compliance, and sold separately as the E5 Insider Risk Management add-on) but very few have actually turned on. The reasons are usually procedural rather than technical: the policy requires HR awareness, the reviewer workflow requires a defined investigator role, and the sensitivity of the data calls for a documented governance step before any user's behaviour is scored. None of those are blockers. They are the checkpoints that distinguish a defensible IRM rollout from a surveillance program that creates Fair Work, Privacy Act and OAIC exposure of its own.

The four policy templates worth starting with

  1. Data leaks — surfaces unusual sharing, downloading and emailing patterns across SharePoint, OneDrive, Teams and Exchange. The highest-signal starter policy for AU mid-market.
  2. Data leaks by priority users — the same indicators, scoped to members of a priority user group (executives, sales engineers, anyone with access to material non-public information). Less noise, so investigators can trust what does fire.
  3. Data theft by departing users — triggers when a user is flagged as departing (manually, or from resignation and termination dates supplied by the HR connector) and raises the weighting of data-handling indicators for that user during the notice window.
  4. Risky browser usage — surfaces users visiting risky or inappropriate websites, based on browser signals collected from onboarded devices. Usually paired with a data-leak policy rather than run standalone.

Signal sources

  • Exchange Online — large outbound emails, attachments sent to personal domains, auto-forwarding rules.
  • SharePoint Online and OneDrive for Business — bulk downloads, downloads concentrated in the period before a user leaves, sharing outside the organisation.
  • Microsoft Teams — files shared outside the organisation, and deletion of channel content that carries sensitivity labels.
  • Defender for Endpoint — print events, USB writes and clipboard actions involving sensitivity-labelled content on onboarded devices.
  • HR connector (optional but recommended) — termination notices, performance flags and resignation dates feed the departing-user score.
  • Physical badging connector (optional) — surfaces unusual building access in the period leading up to departure.
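The HR connector only adds value to the departing-users policy if the feed it receives is clean: one row per departing user, a tenant email address that matches the user's UPN, and dates the connector can parse. The following is an added example (not Frontrow's or Microsoft's code) that normalises a typical AU HRIS export into that shape before it is handed to the upload script configured in the connector. The input layout, the output column names (EmailAddress, ResignationDate, LastWorkingDate; the connector wizard maps whatever header names you choose), the tenant domain and the sample rows are all constructed assumptions.

```powershell
# Added example, not part of the original page. Normalises an HR export into a
# departing-users CSV for the IRM HR connector. Everything below is an assumption:
# the HRIS column names, the dd/MM/yyyy export format common in AU, the tenant
# domain, and the output header names (which you map in the connector wizard).

function ConvertTo-IrmDate {
    # The connector expects ISO 8601 timestamps; HR exports rarely supply one.
    param([Parameter(Mandatory)][string]$Value)
    $parsed  = [datetime]::MinValue
    $formats = @('dd/MM/yyyy', 'd/M/yyyy', 'yyyy-MM-dd')
    if ([datetime]::TryParseExact($Value, $formats, [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal, [ref]$parsed)) {
        return $parsed.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
    }
    throw "Unparseable date '$Value'"
}

function ConvertTo-DepartingUserFeed {
    param(
        [Parameter(Mandatory)][object[]]$HrRecords,
        [string]$TenantDomain = 'contoso.com.au'   # assumed tenant UPN domain
    )
    foreach ($r in $HrRecords) {
        # Only users with both a resignation and a last-working date belong in the feed.
        if ([string]::IsNullOrWhiteSpace($r.ResignationDate) -or
            [string]::IsNullOrWhiteSpace($r.LastWorkingDate)) { continue }

        $email = "$($r.WorkEmail)".Trim().ToLowerInvariant()
        if ($email -notmatch '^[^@\s]+@[^@\s]+$') {
            Write-Warning "Skipping employee $($r.EmployeeId): no usable work email"
            continue
        }
        # A personal or contractor address will never match a tenant UPN, so the
        # connector could not score anyone. Surface it rather than silently drop it.
        if ($email.Split('@')[1] -ne $TenantDomain) {
            Write-Warning "Skipping $email: not in tenant domain $TenantDomain"
            continue
        }
        [pscustomobject]@{
            EmailAddress    = $email
            ResignationDate = ConvertTo-IrmDate $r.ResignationDate
            LastWorkingDate = ConvertTo-IrmDate $r.LastWorkingDate
        }
    }
}

# Constructed sample of an HRIS export (not real people). Row 1002 has not resigned;
# row 1003 is a contractor on a personal domain and will be skipped with a warning.
$hrExport = @"
EmployeeId,WorkEmail,ResignationDate,LastWorkingDate
1001,Jane.Citizen@contoso.com.au,12/05/2026,26/05/2026
1002,john.smith@contoso.com.au,,
1003,contractor@gmail.com,01/06/2026,15/06/2026
"@ | ConvertFrom-Csv

$feed = @(ConvertTo-DepartingUserFeed -HrRecords $hrExport)
$feed | Export-Csv -Path '.\departing-users.csv' -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($feed.Count) departing-user record(s)"   # 1 for the sample above
```

Run it on each HR export before the scheduled upload; the warnings are the signal that the HRIS and the tenant disagree about who someone is, which is exactly the case the departing-users policy would otherwise miss.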

The reviewer workflow

IRM operates on a triage queue. Alerts surface in the Insider Risk Management workload in the Purview portal. A reviewer (typically one of a small team of two or three named people in the Insider Risk Management Analysts role group) reviews each alert with a clearly scoped set of evidence: the user's recent activity and the indicators that matched. Members of the Insider Risk Management Investigators role group can additionally open the underlying content of the flagged file or email. The reviewer's options are: dismiss, confirm and escalate to a case, or share with another reviewer. Cases drive a documented investigation with a full evidence chain, ready for HR, Legal or external counsel if it goes that far.

The AU governance preconditions

  1. Acceptable use and monitoring clauses in employment contracts that disclose insider-risk monitoring without naming the specific tool. Many AU contracts already cover this in standard terms, but confirm it rather than assume it.
  2. Privacy impact assessment for the IRM workload — IRM processes employee personal information at scale, which engages the Privacy Act 1988 and APP 11. The OAIC's guidance on reasonable steps to secure personal information is the reference.
  3. Documented investigator role assignment — IRM access is highly privileged. Use PIM so that investigator access is an eligible (just-in-time) assignment that is activated per investigation, not standing membership.
  4. Defined alert thresholds — the default templates ship with reasonable thresholds, but each tenant should tune in audit mode for two weeks before promoting to active.
  5. Communication plan — when an alert leads to an HR action, document the decision rationale separately. The general protections (adverse action) provisions of the Fair Work Act 2009 apply.
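Precondition 3 is the one most often left as a standing assignment because the Purview portal makes permanent membership the path of least resistance. The following is an added example (not Frontrow's or Microsoft's code) of granting a named investigator an eligible, time-boxed membership of an Entra security group through PIM for Groups using Microsoft Graph PowerShell. It assumes that group is itself a member of the Purview Insider Risk Management Investigators role group, that the two object IDs are placeholders for your group and user, and that the group's PIM policy (activation duration, MFA, approval) has been configured separately.

```powershell
# Added example, not part of the original page. Grants *eligible* (JIT) membership of a
# PIM-managed Entra group via Microsoft Graph PowerShell. Assumptions: the group is nested
# in the Purview "Insider Risk Management Investigators" role group; both IDs are placeholders;
# the group's PIM activation policy (max duration, MFA, approver) is set elsewhere.
# Requires the Microsoft.Graph.Identity.Governance module.

Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

$groupId     = '00000000-0000-0000-0000-000000000001'   # assumed: "IRM-Investigators-JIT" group
$principalId = '00000000-0000-0000-0000-000000000002'   # assumed: the investigator's user object ID

$request = @{
    accessId      = 'member'        # eligible membership, not group ownership
    principalId   = $principalId
    groupId       = $groupId
    action        = 'adminAssign'   # an admin grants eligibility; the user still has to activate
    justification = 'IRM investigator - approved under governance precondition 3'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = 'afterDuration'
            duration = 'P180D'      # eligibility itself lapses after 180 days unless renewed
        }
    }
}

New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request

# Verify: the investigator should now appear as an eligibility schedule on the group,
# and should NOT appear in the group's direct membership until they activate.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$groupId'" |
    Select-Object PrincipalId, AccessId, Status

Get-MgGroupMember -GroupId $groupId | Select-Object Id
```

The two verification queries are the evidence for the documented role assignment: an eligibility schedule with the investigator's ID, and a direct membership list that does not contain it. If the second query does return the investigator, someone has also granted a permanent membership and the just-in-time control is not actually in force.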

The 90-day rollout sequence

The Frontrow IRM rollout sequence is:

  1. Weeks 1-2: governance preconditions.
  2. Weeks 3-4: enable Data leaks and Data leaks by priority users in audit mode.
  3. Weeks 5-6: tune thresholds; build the priority user group (executives, M&A team, key sales engineers).
  4. Week 7: promote the two policies to active.
  5. Weeks 8-10: enable Data theft by departing users with the HR connector.
  6. Weeks 11-13: reviewer training, first quarterly review, and report to the executive sponsor.

The deliverable at week 13 is a board-defensible IRM program, not a perfect detection engine; that is a multi-year journey.


Generate your IRM starter policies

Frontrow's IRM Policy Generator outputs the four starter policies with the most common AU mid-market thresholds and the user/group scoping rules.
