Insider threats account for 34% of all data breaches (Verizon DBIR 2024), with an average cost of $4.9M per incident. Despite this, Purview Insider Risk Management (IRM) is one of the most widely purchased and least deployed Purview capabilities: purchased by 65% of E5 customers, actively operationalised by fewer than 35%. The gap between purchase and deployment is partly a resource issue, but it is also a licensing misunderstanding. Many organisations believe they have IRM coverage for their entire user population when their licence structure actually covers only a fraction. This guide resolves the ambiguity.
IRM Licensing: The Per-Policy-User Requirement
The fundamental licensing rule for Purview IRM is: every user subject to an IRM policy must have an E5 Compliance licence. This rule is consistent across all IRM policy templates — Data Theft by Departing Users, Data Leaks, Security Policy Violations, Disgruntled Employee, Patient Data Misuse, and all custom policy configurations. The licence attaches to the monitored user, not to the investigation case, the alert, or the reviewer.
IRM Policy Templates and Applicable Scenarios
| Policy Template | Primary Use Case | Key Signal Sources | Typical Policy Scope |
|---|---|---|---|
| Departing Employee Data Theft | IP protection when employees resign or are terminated | HR connector resignation date + file/email activity | All employees in notice period (dynamic group) |
| Data Leaks by Priority Users | Sensitive data exfiltration by users with high-value data access | Sensitivity labels + file sharing + endpoint DLP | Executives, M&A team, R&D staff |
| General Data Leaks | Broad data exfiltration monitoring | File activity, email, Teams sharing patterns | All employees (highest licence impact) |
| Security Policy Violations | Users circumventing security controls | Defender for Endpoint alerts + M365 activity | IT staff, privileged access users |
| Disgruntled Employee | Detecting signs of workplace dissatisfaction correlated with data risk | HR satisfaction scores + Teams message sentiment | Targeted (needs HR connector + Communication Compliance) |
| Patient Data Misuse | HIPAA-regulated data access anomaly detection | SharePoint/Teams access to PHI + unusual patient access patterns | Clinical staff, healthcare administrators |
The Departing Employee Policy: Highest ROI
The Departing Employee Data Theft policy template is consistently the highest-ROI IRM deployment for organisations that can integrate the HR connector. The HR connector feeds resignation dates (and involuntary termination dates) from the HRIS into M365. When a resignation is received, the departing employee is automatically added to the IRM policy scope. The system begins elevated monitoring of that user's file download, email forwarding, Teams file sharing, and endpoint DLP events. Monitoring continues for a configurable period post-departure.
The business case is concrete. IP theft by departing employees represents an average loss of $1.2M per incident (Ponemon Institute). A single prevented IP theft or customer data exfiltration event recovers the cost of a year of E5 Compliance licences for the entire employee population. The challenge is that the value is invisible when incidents are prevented — the ROI only becomes visible when the programme catches something it would have missed without IRM.
Organisations that cannot or will not deploy the HR connector can use a manual approach: adding departing employees to the IRM policy scope as part of the offboarding process. This is less automated but achieves the same coverage for the highest-risk period. The limitation is that involuntary terminations — where the employee may not know they are being terminated until the moment of dismissal — cannot be proactively monitored under the manual approach.
IRM and Endpoint DLP: The Dependency
Many IRM policy templates achieve their highest signal quality when Endpoint DLP is also deployed. Endpoint DLP generates events for USB copy, browser upload, and print activity on managed Windows devices — signals that IRM correlates with other M365 activity to build a comprehensive risk score. Without Endpoint DLP, IRM's device-level visibility is limited to events recorded by Microsoft Defender for Endpoint (which is focused on security threats, not insider risk indicators).
This creates a dependency chain: effective IRM requires both E5 Compliance (for IRM itself and Endpoint DLP) and Intune-managed devices. For organisations that are not yet Intune-enrolled, the incremental investment to support IRM is not just licences but also the device management programme. The Endpoint DLP and Intune analysis is covered in the Purview DLP Licensing guide and the Intune BYOD and MAM licensing guide.
IRM Signal Sources: What Gets Monitored
IRM is a signal aggregation platform. It does not monitor communications content (that is Communication Compliance). It monitors behavioural patterns — what files are accessed, moved, shared, or downloaded; what emails are forwarded externally; what devices are connected. The signals IRM ingests include:
- From SharePoint and OneDrive: file downloads (volume and rate), external sharing invitations, sensitivity label downgrade actions, file moves to personal folders, and access to restricted sites.
- From Exchange Online: external email forwarding rules, sending attachments to personal email addresses, email volume anomalies, and contact export events.
- From Teams: file sharing with external guests, screen capture events (where logging is enabled), meeting recording and export activity.
- From Endpoint DLP (when deployed): USB copy events, browser upload to unsanctioned sites, print events for sensitive documents.
- From Azure AD: impossible travel events (signing in from two geographically distant locations in short succession), anomalous sign-in times, and mass resource access anomalies.
- From the HR connector: resignation date, performance improvement plan status, disciplinary action status, and satisfaction survey responses.
Privacy Considerations in IRM Deployment
IRM has more significant privacy and employment law implications than any other Purview capability. In jurisdictions with strong worker privacy protections (Germany, France, Netherlands, and most of the EU), deploying IRM without prior consultation with works councils, employee representatives, or data protection authorities may violate local law. This is not a hypothetical risk — we have seen IRM deployments stalled or rolled back due to works council objections in Germany and the Netherlands.
Microsoft provides privacy-preserving configuration options including pseudonymisation (displaying anonymised user identifiers until an investigation is opened) and notice requirements documentation. Engaging legal counsel and HR on the IRM deployment programme before technical implementation is not optional for organisations operating in EU member states. The IRM Privacy Guide in the Microsoft Purview documentation provides the framework; legal sign-off on the deployment approach is the non-negotiable prerequisite.
IRM Licensing Optimisation: Scoped Approach
The cost of universal IRM coverage (all employees on E5 Compliance) is $144/user/year. For a 5,000-user organisation, this is $720,000/year. The scoped approach — applying IRM only to the highest-risk population — can reduce this substantially while preserving the programme's value.
The highest-value IRM scope is typically four populations:
- Departing employees: automated via the HR connector, any user with a resignation date in the next 90 days.
- Employees under disciplinary review: HR-flagged, typically 1–3% of headcount.
- Privileged access users (IT administrators, finance system access, M&A team): typically 5–15% of headcount.
- Priority users with access to the highest-sensitivity data (executives, R&D, competitive intelligence): typically 5–10% of headcount.
Combining these populations, the required E5 Compliance licence count for a meaningful IRM programme may be 15–30% of total headcount rather than 100%. For 5,000 users, the difference between 30% E5 Compliance and 100% E5 Compliance is $504,000/year. This is a significant EA negotiation point when the IRM deployment plan is presented alongside the licence commitment.
EA Negotiation for IRM Licensing
Lever 1: Scoped Deployment Commitment
Present a documented IRM programme design to Microsoft during EA negotiation — specifying the user populations in scope and the policy templates to be deployed. This creates a justifiable basis for a mixed-licence EA (E5 Compliance for scoped populations, E3 for the remainder) and reduces the risk of Microsoft challenging the scope definition during audit. The programme design document also demonstrates to internal stakeholders that the E5 Compliance investment has a clear operational purpose.
Lever 2: IRM + Communication Compliance Bundle Leverage
IRM and Communication Compliance are frequently purchased together by regulated industries (financial services, healthcare, government). Both require E5 Compliance and both are most valuable when applied to the same population (the regulated employee segment). Negotiating these as a bundled programme — rather than as two separate licence decisions — creates a stronger commercial case for the E5 Compliance investment and gives Microsoft a larger overall commitment to price more aggressively.
For the full Purview suite analysis, see the Microsoft Purview Licensing Complete Guide. For the Communication Compliance complement to IRM, see Purview Communication Compliance Licensing.
Frequently Asked Questions
What licence is required for Purview Insider Risk Management?
Purview IRM requires M365 E5 or the M365 E5 Compliance add-on. Licences must be held by every user who is subject to an IRM policy. If a policy covers all 2,000 users in your organisation, all 2,000 require E5 Compliance. Selectively licensing only users who generate alerts — without reducing policy scope accordingly — is the most common IRM compliance violation discovered during Microsoft audits.
Can IRM policies be scoped to high-risk users only?
Yes. IRM policies can be scoped to specific users, groups, or role-based segments. Licence scope must match policy scope: 500 users in an IRM policy requires 500 E5 Compliance licences. Common scoping approaches include all employees in notice period (via HR connector), all employees under disciplinary review, all privileged access users, and all executives/R&D staff. A scoped deployment covering 15–30% of headcount can deliver a meaningful insider risk programme at 70–85% lower licence cost than universal deployment.
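A coverage check for the scoped approach described above and for the "licence scope must match policy scope" rule in this answer, as an added example that is not the guide's own or Microsoft's tooling. It assumes two constructed exports (HR connector dates and licence assignments), and reuses the guide's 90-day lookahead and $144/user/year figure as assumptions; the 30-day post-departure window is a placeholder for the configurable period.

```python
"""Scoped Purview IRM coverage check. Added example, not code from the guide or
from Microsoft. Inputs are constructed exports; the 90-day lookahead, the
post-departure window and the $144/user/year price are assumptions."""
from datetime import date, timedelta

E5_COMPLIANCE_PRICE = 144            # USD/user/year, figure used in the guide
IRM_SKUS = {"E5", "E5_COMPLIANCE"}   # SKUs that satisfy the per-user IRM rule
AS_OF = date(2025, 3, 1)             # constructed "today" for the dynamic scope

# Constructed HR connector export: user -> resignation or termination date.
HR_DATES = {"u01": date(2025, 3, 15), "u02": date(2025, 5, 30),
            "u03": date(2025, 1, 20), "u09": date(2025, 9, 1)}
# Constructed static scopes for the other high-risk populations.
STATIC_SCOPES = {"Data Leaks by Priority Users": {"u03", "u04", "u05"},
                 "Security Policy Violations": {"u05", "u06"}}
# Constructed licence export: user -> assigned SKUs.
LICENCES = {"u01": {"E5_COMPLIANCE"}, "u02": {"E3"}, "u03": {"E5"},
            "u04": {"E5_COMPLIANCE"}, "u05": {"E3"}, "u06": {"E3"},
            "u07": {"E5_COMPLIANCE"}, "u09": {"E3"}}

def departing_scope(hr_dates, today, lookahead=90, post_departure=30):
    """Dynamic scope: resignation date within the next `lookahead` days, or
    departed within the last `post_departure` days (monitoring continues)."""
    lo, hi = today - timedelta(days=post_departure), today + timedelta(days=lookahead)
    return {u for u, d in hr_dates.items() if lo <= d <= hi}

def licence_gap(scopes, licences):
    """Users in any policy scope with no qualifying SKU -> policies covering them."""
    gap = {}
    for policy, members in scopes.items():
        for user in sorted(members):
            if not licences.get(user, set()) & IRM_SKUS:
                gap.setdefault(user, []).append(policy)
    return gap

def coverage_report(scopes, licences, headcount):
    """Licences the scoped programme needs, who lacks one, and the saving
    against the guide's universal (100% of headcount) baseline."""
    in_scope = set().union(*scopes.values())   # one licence per user, however many policies
    return {"in_scope": len(in_scope),
            "scope_pct": round(100 * len(in_scope) / headcount, 1),
            "unlicensed": licence_gap(scopes, licences),
            "annual_cost": len(in_scope) * E5_COMPLIANCE_PRICE,
            "saving_vs_universal": (headcount - len(in_scope)) * E5_COMPLIANCE_PRICE}

if __name__ == "__main__":
    scopes = {"Departing Employee Data Theft": departing_scope(HR_DATES, AS_OF),
              **STATIC_SCOPES}
    print(coverage_report(scopes, LICENCES, headcount=20))
```

Any user listed under "unlicensed" is the audit finding the answer above describes: inside a policy scope without an E5 Compliance (or E5) licence.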
What signals does Insider Risk Management use for detection?
IRM correlates signals across M365: SharePoint/OneDrive file downloads and sharing, Exchange email forwarding and attachment activity, Teams file sharing and meeting recording, Azure AD sign-in anomalies, Endpoint DLP device events (USB copy, browser upload), and HR system signals via the HR data connector (resignation date, performance review outcome, disciplinary status). Pattern correlation across these signals builds the risk score — no single signal triggers an investigation.
How does Purview IRM differ from Microsoft Defender for Endpoint user behaviour monitoring?
Defender for Endpoint monitors device-level threats — malware, malicious processes, attack chain detection. Purview IRM monitors user behaviour patterns — data exfiltration, policy violations, IP theft by legitimate users. They are complementary: Defender catches compromised accounts; IRM detects legitimate users behaving anomalously. Both require E5 licensing from different add-on bundles: MDE from E5 Security; IRM from E5 Compliance.
What is the HR connector and is it required for IRM?
The HR data connector imports resignation dates, performance review outcomes, and disciplinary actions from the HRIS into M365 as IRM risk signals. It is not required for IRM to function, but it enables the 'Departing Employee' policy template — which automatically initiates heightened monitoring when resignation notices are submitted. Without the HR connector, IRM relies exclusively on M365 behavioural signals and cannot proactively elevate monitoring at the moment of highest risk.
Microsoft Purview Licensing — Related Guides
- Microsoft Purview Licensing Complete Guide — Full suite overview, tiers, and cost framework
- Purview Communication Compliance Licensing — Regulatory surveillance complementing IRM
- Purview DLP Licensing Tiers — Endpoint DLP dependency for IRM signal quality
- Purview Information Protection Licensing — Label-based signals that feed IRM risk scoring
- Microsoft Defender for Identity Licensing — Complementary identity-based threat detection
- Microsoft Entra ID P1 vs P2 Licensing — Identity risk signals that integrate with IRM
- Microsoft 365 Defender Licensing Comparison — Full security stack that complements Purview IRM