  • Tatiana Slepukhin-Zamachnaia
  • 2 min read

Updated: Mar 3

MS Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI tool usage and detect potential risks.


It automatically provisions two policies in Insider Risk Management (IRM) to track AI interactions.


Make sure that you have required permissions and open the Data Security Posture Management Solution in MS Purview:


Locate the DSPM for AI in the menu on the left and select it.


In the DSPM for AI portal, review all of the Actions that you need to take care of:


Then, with a single click of the button, create the DSPM for AI policies:


DSPM for AI - Detect risky AI usage - helps calculate user risk by detecting risky prompts and responses in Microsoft 365 Copilot and other generative AI apps.

DSPM for AI - Detect when users visit AI sites - detects when users use a browser to visit AI sites. You can review the list of the sites supported by DSPM for AI following this link.


Detect sensitive info added to AI sites - discovers sensitive content pasted or uploaded in Microsoft Edge, Chrome, and Firefox to AI sites. This policy covers all users and groups in your org in audit mode only.


DSPM for AI - Unethical behavior in Copilot - detects sensitive information in prompts and responses in Microsoft 365 Copilot. This policy covers all users and groups in your organization.


These one-click policies are created in MS Purview Insider Risk Management (IRM).

Let's take a closer look at these policies.


Make sure you create the DSPM for AI Policies.

Navigate to the Insider Risk Management (IRM) Solution. Locate the DSPM for AI Policies.

In this example I am going to review the "DSPM for AI - Detect when users visit AI sites" IRM Policy.


Select the policy. In the policy details flyout panel, click the "Edit policy" button.



Note the policy template - Risky browser usage:


Click through the Policy Wizard screens until you reach the "Triggering event" screen. Note all the triggering events available for this policy. Because this policy was provisioned with one click of the button, it has only the "Browsed to generative AI websites" triggering event, which was the original intent of this policy.



The same entries will appear in the Risk Indicators screen.


As you just observed, the MS Purview Data Security Posture Management (DSPM) for AI creates IRM Policies with a single click of the button. However, you can modify the policy to tune it to better suit your organization's needs.




  • Tatiana Slepukhin-Zamachnaia
  • 2 min read

MS Purview Insider Risk Management protects user identity by providing a pseudonymization option, which is enabled by default.


You can review or modify this setting in the Insider Risk Management settings under the Privacy section.


As you can see, I kept the default "Show pseudonymized versions of usernames" option enabled. This ensures that user identity remains hidden.


This setting protects user identity throughout the entire IRM solution, including Alerts, Users and Cases.

At some point, however, user identity must be revealed if an Insider Risk threat is detected and confirmed.


Previously, I created an article and video showing how to reveal the pseudonymized user by creating an eDiscovery Case when escalating an IRM Case.


Now, investigators managing an IRM Case can view the user’s identity directly within the case.

Make sure you have an IRM Case created and the necessary permissions to manage it.


Open the case.


Under Case actions, select Manage pseudonymize.


When the Manage pseudonymize flyout panel opens, note that the Pseudonymize option is set to On by default. This follows your IRM Global Privacy Settings.



Toggle the option to set Pseudonymize to Off.

Close the panel.


In my example, the user’s identity is now revealed in the User details panel.

However, there’s still an issue—the User details flyout panel continues to show the pseudonymized username. Hopefully, Microsoft will fix this soon.


That said, you can still see the username in the details section.


Keep in mind that the username does not stay revealed for the case.


If you navigate away from IRM Cases, the user will be pseudonymized again.

If you reopen the case, you will see that IRM no longer displays the previously revealed username.

Even refreshing the browser reverts the username back to pseudonymized.


This means the identity reveal using this method is temporary.


Now that you know how to reveal user identity, controlling access permissions to IRM Cases becomes even more critical—ensuring only authorized personnel can see which users are under investigation.


  • Tatiana Slepukhin-Zamachnaia
  • 6 min read


Intro


Insider Risk Management Global Settings allow you to configure Custom File Paths, which can be used to either include specific file paths in IRM policies or exclude them from monitoring.


This functionality is particularly useful in scenarios where a large number of files are routinely backed up to a designated network drive.


For example, Access to Information and Privacy (ATIP)-related files may be regularly copied or transferred as part of authorized activities. Without exclusions, these routine operations could trigger thousands of unnecessary alerts, overwhelming analysts and investigators with false positives.


By configuring file paths, organizations can ensure that IRM policies focus on genuine risks while ignoring expected, low-risk activities.


Two Options

When deciding how to exclude network drives from Insider Risk Management (IRM) policies, you have two options:

  1. File Paths in Detection Groups (Used with Indicators)

  2. Global Exclusions (Completely excluded from all policies)


File Paths in Detection Groups


File Paths defined in Detection Groups can then be used as part of indicators in IRM policies.

You can configure policies to either monitor or ignore activities based on these paths.



PROS of using Detection Groups


  • Allows granular control by enabling specific risk indicators (e.g., downloads, sharing) while ignoring others.

  • Can be policy-specific, meaning you can exclude network drives in one policy while monitoring them in another.

  • More flexibility—you can modify detection logic rather than completely excluding the path from all IRM monitoring.



File Paths in Global Exclusions


  • The Global Exclusion setting removes the specified file paths entirely from all IRM policies.

  • Any activity occurring within an excluded network drive is not monitored at all.


PROS of using Global Exclusions


  • Easy to configure—once added to Global Exclusions, no further adjustments are needed.

  • Reduces noise completely for routine operations (e.g., backups to network drives) without impacting other IRM logic.

  • Less maintenance—no need to modify individual policies.


Policy-Specific File Path Exclusions: Why a Dedicated Policy Matters


While Global Exclusions apply across all Insider Risk Management (IRM) policies, using File Paths in Detection Groups allows for policy-specific configuration, meaning you can monitor network drives in some policies while excluding them in others.


This flexibility is particularly important when dealing with users who are authorized to transfer data to network drives as part of their regular workflow. If these users operate under the same policies as other employees, their routine activities could generate thousands of unnecessary alerts, overwhelming analysts and making real risks harder to detect.


To manage this, a dedicated policy should be created specifically for these users, ensuring:

  • Network drive activities are monitored only for authorized users under controlled thresholds.

  • Other policies remain unaffected, allowing IRM to detect unauthorized users attempting to move files to network drives.


This targeted approach ensures that authorized activities do not flood IRM with false positives, while still keeping unauthorized movements visible in other policies for security monitoring.

Creating File Paths


Creating File Path Groups and Adding File Paths is a straightforward process. In the screenshots provided above, I am using paths to my local folders since this computer is not connected to the network. However, in a production environment, you would enter network paths relevant to your organization's setup.


Create File group in Detection Groups

Add File Path to File Path Group




Create File Paths Exclusions


You can add Individual File Paths by manually entering them.



For the "File Path Groups" option, you can only exclude the File Paths Groups that you configured in the Detection Groups section.




Creating Custom Indicator


If you’re not familiar with Custom Indicators, the setup process can be tricky. To ensure clarity, here is a detailed walkthrough on how to set this up.


In the IRM Global Settings, locate the Policy Indicators menu item and select it.


Select "New indicator variant" option:



In the "New Indicator Variant" flyout panel, expand the "Base Indicator" dropdown list to view all available indicators that can be used with File Paths. These indicators define how Insider Risk Management tracks and analyzes file activities related to the specified paths.

For this example, I am selecting "Creating or transferring files to a network share" as the Base Indicator, which will allow monitoring of file movements to designated network locations.


Name your indicator and provide a brief description.


Note the "Define Activity to Detect" options (See the image below). You can choose to either:

  1. Ignore activity involving items in the selected File Path Groups, ensuring that routine or authorized actions don’t trigger unnecessary alerts.

  2. Only detect activity involving items in the selected File Path Groups, allowing the policy to focus specifically on these paths while ignoring all others.

This selection controls whether the policy excludes or prioritizes monitoring for the specified file paths.


Since we want to exclude this file path, we will select the "Ignore activity" option. This ensures that any activity involving items in the selected File Path Group will not trigger alerts, preventing unnecessary noise in the policy.


Expand the "Select detection groups" options. You will notice that the panel contains File type groups, keyword groups and sensitive info type groups. Disregard these options and select the File Path group that you configured.




Using Custom Indicator


The File Path Group will only be ignored if the custom indicator is explicitly included in the policy.


Simply configuring the File Path Group in Detection Groups does not automatically exclude it—it must be referenced within a policy using a custom indicator variant where the "Ignore activity" option is selected. Without adding this custom indicator to a policy, the exclusion will not take effect.


I created an IRM Policy based on the "Data Leaks" Policy Template:

When you reach the "Indicators" screen in the Policy Creation Wizard, expand the Device Indicator section. If only one custom indicator was configured, the selection will display as "(2/2 selected)" by default, as the base and custom indicators are both counted. In my case, I have been experimenting with multiple indicators, so the number is higher.


Whenever a custom indicator is created, the number displayed next to the indicator reflects both the base and any custom variants. If multiple custom indicators exist for the same category, the count will increase accordingly.



To ensure the policy effectively applies the exclusion, the Base Indicator should be removed, and only the custom indicator created for the exclusion should be selected. The Base Indicator follows Microsoft's default logic, which does not account for custom exclusions, meaning the policy may still generate alerts for activities in the excluded file paths if it remains enabled. Removing the Base Indicator ensures that the policy follows the custom-defined rules, including ignoring activities in the specified File Path Group.



Deleting Indicators


You can delete indicators in the Policy Indicators section within IRM Global Settings.


To do this, expand the applicable indicator section and locate the Base Indicator that was used to create the indicator variants.


In IRM Global Settings, it will be labeled as "variants". When configuring the policy, all variants, along with the base indicator, were displayed, which is why the policy showed four indicators instead of just the three custom variants.


Since the Base Indicator cannot be modified, only the variants can be edited or deleted.



Click on "variants" to open the Indicator Variants flyout panel, where you can manage your custom indicators. Here, you have the option to either edit or delete any of the variants as needed.



What Happens When You Delete a Custom Indicator Variant Used in a Policy?


If a Policy is using a custom indicator, you might assume that the Base Indicator would take over, ensuring that the policy continues to function—but that’s not the case.

If a custom indicator variant is deleted while it is actively used in a policy, and you return to that policy, the indicator will be unchecked—not replaced by the Base Indicator.


This means the policy will no longer monitor the activity associated with that variant unless another indicator is manually selected.

This is a critical detail for IRM policy management. Before deleting any custom indicator variant, always check which policies it is applied to, or you might unintentionally disable monitoring for key activities. It is important that you document your existing IRM policies and their settings so that you know which custom indicators they use.
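The behaviour described in the "Using Custom Indicator" section (a base indicator left selected alongside an "Ignore activity" variant still alerts on the excluded path) and in the deletion section just above (a deleted variant is unchecked from its policies, with no fallback to the base indicator) is easiest to reason about as a small decision model. The following Python is an added illustration written for this page, not Microsoft's implementation: the `Policy`, `IndicatorVariant` and `Event` structures, the `evaluate` and `delete_variant` functions, the case-insensitive prefix matching rule, and the sample file path group, UNC paths and events are all assumptions constructed to mirror the post's description of global exclusions, detection-group variants and indicator deletion.

```python
"""Simplified model of how Insider Risk Management decides whether a device
activity produces an indicator hit. Added illustration only: the data
structures and matching rules are assumptions that mirror the behaviour
described in the post, not Microsoft Purview's implementation."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Sequence, Union

# Base indicator name as shown in the IRM "New indicator variant" panel.
NETWORK_SHARE = "Creating or transferring files to a network share"


def path_in_any(path: str, prefixes: Sequence[str]) -> bool:
    """True when `path` is at or below one of `prefixes`.

    PureWindowsPath compares case-insensitively and understands UNC roots,
    so \\\\SERVER\\Share\\x matches \\\\server\\share (assumed matching rule).
    """
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(prefix)) for prefix in prefixes)


@dataclass(frozen=True)
class IndicatorVariant:
    """A custom variant of a base indicator (IRM Global Settings > Policy indicators)."""
    name: str
    base: str
    mode: str        # "ignore" or "only_detect", the two "Define activity to detect" options
    groups: tuple    # names of File Path Groups from Detection Groups


Indicator = Union[str, IndicatorVariant]   # a bare str is the base indicator itself


@dataclass
class Policy:
    name: str
    indicators: List[Indicator] = field(default_factory=list)


@dataclass(frozen=True)
class Event:
    user: str
    activity: str    # base indicator category this activity maps to
    path: str


def evaluate(event: Event, policy: Policy, groups: Dict[str, Sequence[str]],
             global_exclusions: Sequence[str] = ()) -> List[str]:
    """Return the names of the policy's indicators that fire for `event`."""
    # Global exclusions: activity under these paths is not monitored at all.
    if path_in_any(event.path, global_exclusions):
        return []
    fired: List[str] = []
    for ind in policy.indicators:
        if isinstance(ind, str):
            # Base indicator: Microsoft's default logic, unaware of custom exclusions.
            if event.activity == ind:
                fired.append(ind)
            continue
        if event.activity != ind.base:
            continue
        group_paths = [p for g in ind.groups for p in groups.get(g, ())]
        in_group = path_in_any(event.path, group_paths)
        if ind.mode == "ignore" and not in_group:
            fired.append(ind.name)
        elif ind.mode == "only_detect" and in_group:
            fired.append(ind.name)
    return fired


def delete_variant(variant: IndicatorVariant, policies: Sequence[Policy]) -> List[str]:
    """Delete a variant from Global Settings. As the post describes, policies that
    used it end up with that indicator unchecked; the base indicator is NOT substituted."""
    affected = []
    for pol in policies:
        if variant in pol.indicators:
            pol.indicators = [i for i in pol.indicators if i != variant]
            affected.append(pol.name)
    return affected


# Constructed sample configuration and events (hypothetical, not from any real tenant).
GROUPS = {"ATIP backups": (r"\\fileserver\atip\backups",)}
IGNORE_ATIP = IndicatorVariant("Network share - ignore ATIP backups",
                               NETWORK_SHARE, "ignore", ("ATIP backups",))
BACKUP_EVENT = Event("analyst1", NETWORK_SHARE, r"\\FileServer\ATIP\Backups\case-123.pdf")
OTHER_EVENT = Event("analyst1", NETWORK_SHARE, r"\\fileserver\finance\q1.xlsx")


def demo() -> Dict[str, List[str]]:
    """Run the scenarios from the post and return what fired in each."""
    both = Policy("Data leaks: base + variant (2/2 selected)", [NETWORK_SHARE, IGNORE_ATIP])
    variant_only = Policy("Data leaks: variant only", [IGNORE_ATIP])
    results = {
        "base kept, backup path": evaluate(BACKUP_EVENT, both, GROUPS),
        "base removed, backup path": evaluate(BACKUP_EVENT, variant_only, GROUPS),
        "base removed, other path": evaluate(OTHER_EVENT, variant_only, GROUPS),
        "global exclusion, backup path": evaluate(BACKUP_EVENT, both, GROUPS, [r"\\fileserver\atip"]),
    }
    delete_variant(IGNORE_ATIP, [variant_only])
    results["after variant deleted, other path"] = evaluate(OTHER_EVENT, variant_only, GROUPS)
    return results


if __name__ == "__main__":
    for scenario, fired in demo().items():
        print(f"{scenario:35s} -> {fired or 'no indicator fired'}")
```

Running the script walks through the four situations the post warns about: with the base indicator still selected, the backup path alerts; with only the variant selected, it is silent while other network-share activity still fires; a global exclusion silences the path for every indicator; and once the variant is deleted, the policy that relied on it no longer fires for anything in that category.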


© 2024 Cloud Confidential Inc.
