Revealing User Identity in IRM Case
- Tatiana Slepukhin-Zamachnaia
- Mar 3
- 2 min read

MS Purview Insider Risk Management protects user identity by providing a pseudonymization option, which is enabled by default.
You can review or modify this setting in the Insider Risk Management settings under the Privacy section.

As you can see, I kept the default "Show pseudonymized versions of usernames" option enabled. This ensures that user identity remains hidden.
This setting protects user identity throughout the entire IRM solution, including Alerts

Users:

... and Cases:

At some point, however, user identity must be revealed if an Insider Risk threat is detected and confirmed.
Previously, I created an article and video showing how to reveal the pseudonymized user by creating an eDiscovery Case when escalating an IRM Case.
Now, investigators managing an IRM Case can view the user’s identity directly within the case.
Make sure you have an IRM Case created and the necessary permissions to manage it.
Open the case.

Under Case actions, select Manage pseudonymize.

When the Manage pseudonymize flyout panel opens, note that the Pseudonymize option is set to On by default. This follows your IRM Global Privacy Settings.

Toggle the option to set Pseudonymize to Off.

Close the panel.
In my example, the user’s identity is now revealed in the User details panel.

However, there’s still an issue—the User details flyout panel continues to show the pseudonymized username. Hopefully, Microsoft will fix this soon.

That said, you can still see the username in the details section.
Keep in mind that the username does not stay revealed for the case.
If you navigate away from IRM Cases, the user will be pseudonymized again.

If you open the case, you'd see that IRM no longer display previously revealed username.

Even refreshing the browser reverts the username back to pseudonymized.
This means the identity reveal using this method is temporary.
Now that you know how to reveal user identity, controlling access permissions to IRM Cases becomes even more critical—ensuring only authorized personnel can see which users are under investigation.
Comentários