SCInsiderRiskPolicy¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Name | Key | String | Name of the insider risk policy. | |
| InsiderRiskScenario | Key | String | Name of the scenario supported by the policy. | |
| IRASettingsEnabled | Write | Boolean | When turned on, data is aggregated at tenant level and is shown as insights in Analytics reports. | |
| EmailSignatureExclusionSettingsEnabled | Write | Boolean | When turned on, if an email containing only a signature as attachment is sent to someone outside your org, your policies will attempt to ignore the activity when assigning risk scores, thereby helping reduce inessential alerts. | |
| UserAnalyticsSettingsEnabled | Write | Boolean | When turned on, data is aggregated at user level and is shown as insights in user activity summary of Data Loss Prevention, Communication Compliance and Microsoft Defender along with Advanced Hunting tables. Data sharing needs to be turned on along with this. | |
| Anonymization | Write | Boolean | For users who perform activities matching your insider risk policies, decide whether to show their actual names or use pseudonymized versions to mask their identities. | |
| DLPUserRiskSync | Write | Boolean | When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity pages in Microsoft Defender. | |
| OptInIRMDataExport | Write | Boolean | When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity pages in Microsoft Defender. | |
| RaiseAuditAlert | Write | Boolean | Insider risk management alert information is exportable to security information and event management (SIEM) services by using Office 365 Management Activity APIs. Turn this on to use these APIs to export insider risk alert details to other applications your organization might use to manage or aggregate insider risk data. | |
| InlineAlertPolicyCustomization | Write | Boolean | Enable inline alert customization for all alert reviewers. | |
| FileVolCutoffLimits | Write | String | Minimum number of daily events to boost score for unusual activity. | |
| AlertVolume | Write | String | Alert volume. | |
| AnomalyDetections | Write | Boolean | Risk score boosters indicator. | |
| AIAppRiskyPrompt | Write | Boolean | Policy indicators > Entering risky prompt in other AI apps | |
| CCPromptShields | Write | Boolean | Policy indicators > Entering prompt attacks in AI apps | |
| CCProtectedMaterialDetection | Write | Boolean | Policy indicators > Receiving AI app responses containing protected materials | |
| CCSensitiveInformationType | Write | Boolean | Policy indicators > Sending messages that contain specific sesitive info types | |
| CCSupervisionRuleMatch | Write | Boolean | Policy indicators > Detect messages matched by specific Communication Compliance policies | |
| CompromisedSignInAlerts | Write | Boolean | Policy indicators > Potentially risky sign-in activity | |
| CompromisedUserAlerts | Write | Boolean | Policy indicators > User account potentially compromised | |
| ConnectedAIAppRiskyPrompt | Write | Boolean | Policy indicators > Entering risky prompt in enterprise AI apps | |
| ConnectedAIAppSensitiveResponse | Write | Boolean | Policy indicators > Receiving sensitive response from enterprise AI apps | |
| CopilotRiskyPrompt | Write | Boolean | Policy indicators > Entering risky prompt in Copilot | |
| CopilotSensitiveResponse | Write | Boolean | Policy indicators > Receiving sensitive response from Copilot | |
| FabricExternalDataSharingSwitchEnabled | Write | Boolean | Policy indicators > Enabling external sharing of Microsoft Fabric data | |
| HighSeverityDlpRuleMatch | Write | Boolean | Policy indicators > Generating alerts from selected DLP policies | |
| LakehouseArtifactDeleted | Write | Boolean | Policy indicators > Deleting Microsoft Fabric lakehouses | |
| LakehouseExternalDataShareCreated | Write | Boolean | Policy indicators > Sharing lakehouse data with people outside the organization | |
| LakehouseFileOrBlobDeleted | Write | Boolean | Policy indicators > Deleted lakehouse files or tables | |
| LakehouseSensitivityLabelDowngraded | Write | Boolean | Policy indicators > Downgrading sensitivity labels of lakehouses | |
| LakehouseSensitivityLabelRemoved | Write | Boolean | Policy indicators > Removing sensitivity labels of lakehouses | |
| NetworkDownloadFile | Write | Boolean | Policy indicators > Files downloaded from the web | |
| NetworkDownloadText | Write | Boolean | Policy indicators > Sensitive text downloaded from the web | |
| NetworkUploadFile | Write | Boolean | Policy indicators > Files uploaded to the web | |
| NetworkUploadText | Write | Boolean | Policy indicators > Sensitive text uploaded to the web | |
| CopyToPersonalCloud | Write | Boolean | Official documentation to come. | |
| CopyToUSB | Write | Boolean | Device indicator. | |
| CumulativeExfiltrationDetector | Write | Boolean | Cumulative exfiltration detection indicator. | |
| EmailExternal | Write | Boolean | Official documentation to come. | |
| EmployeeAccessedEmployeePatientData | Write | Boolean | Health record access indicator. | |
| EmployeeAccessedFamilyData | Write | Boolean | Health record access indicator. | |
| EmployeeAccessedHighVolumePatientData | Write | Boolean | Health record access indicator. | |
| EmployeeAccessedNeighbourData | Write | Boolean | Health record access indicator. | |
| EmployeeAccessedRestrictedData | Write | Boolean | Health record access indicator. | |
| EpoBrowseToChildAbuseSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToCriminalActivitySites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToCultSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToGamblingSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToHackingSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToHateIntoleranceSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToIllegalSoftwareSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToKeyloggerSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToLlmSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToMalwareSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToPhishingSites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToPornographySites | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToUnallowedDomain | Write | Boolean | Risky browsing indicator. | |
| EpoBrowseToViolenceSites | Write | Boolean | Risky browsing indicator. | |
| EpoCopyToClipboardFromSensitiveFile | Write | Boolean | Device indicator. | |
| EpoCopyToNetworkShare | Write | Boolean | Device indicator. | |
| EpoFileArchived | Write | Boolean | Device indicator. | |
| EpoFileCopiedToRemoteDesktopSession | Write | Boolean | Device indicator. | |
| EpoFileDeleted | Write | Boolean | Device indicator. | |
| EpoFileDownloadedFromBlacklistedDomain | Write | Boolean | Device indicator. | |
| EpoFileDownloadedFromEnterpriseDomain | Write | Boolean | Device indicator. | |
| EpoFileRenamed | Write | Boolean | Device indicator. | |
| EpoFileStagedToCentralLocation | Write | Boolean | Device indicator. | |
| EpoHiddenFileCreated | Write | Boolean | Device indicator. | |
| EpoRemovableMediaMount | Write | Boolean | Device indicator. | |
| EpoSensitiveFileRead | Write | Boolean | Device indicator. | |
| Mcas3rdPartyAppDownload | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| Mcas3rdPartyAppFileDelete | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| Mcas3rdPartyAppFileSharing | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasActivityFromInfrequentCountry | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasImpossibleTravel | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasMultipleFailedLogins | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasMultipleStorageDeletion | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasMultipleVMCreation | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasMultipleVMDeletion | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasSuspiciousAdminActivities | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasSuspiciousCloudCreation | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasSuspiciousCloudTrailLoggingChange | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| McasTerminatedEmployeeActivity | Write | Boolean | Microsoft Defender for Cloud Apps indicator. | |
| OdbDownload | Write | Boolean | Office Indicator. | |
| OdbSyncDownload | Write | Boolean | Office Indicator. | |
| PeerCumulativeExfiltrationDetector | Write | Boolean | Cumulative exfiltration detection indicator. | |
| PhysicalAccess | Write | Boolean | Physical access indicator. | |
| PotentialHighImpactUser | Write | Boolean | Risk score boosters indicator. | |
| Write | Boolean | Official documentation to come. | ||
| PriorityUserGroupMember | Write | Boolean | Risk score boosters indicator. | |
| SecurityAlertDefenseEvasion | Write | Boolean | Microsoft Defender for Endpoint indicator. | |
| SecurityAlertUnwantedSoftware | Write | Boolean | Microsoft Defender for Endpoint indicator. | |
| SpoAccessRequest | Write | Boolean | Office Indicator. | |
| SpoApprovedAccess | Write | Boolean | Office Indicator. | |
| SpoDownload | Write | Boolean | Office Indicator. | |
| SpoDownloadV2 | Write | Boolean | Office Indicator. | |
| SpoFileAccessed | Write | Boolean | Office Indicator. | |
| SpoFileDeleted | Write | Boolean | Office Indicator. | |
| SpoFileDeletedFromFirstStageRecycleBin | Write | Boolean | Office Indicator. | |
| SpoFileDeletedFromSecondStageRecycleBin | Write | Boolean | Office Indicator. | |
| SpoFileLabelDowngraded | Write | Boolean | Office Indicator. | |
| SpoFileLabelRemoved | Write | Boolean | Office Indicator. | |
| SpoFileSharing | Write | Boolean | Office Indicator. | |
| SpoFolderDeleted | Write | Boolean | Office Indicator. | |
| SpoFolderDeletedFromFirstStageRecycleBin | Write | Boolean | Office Indicator. | |
| SpoFolderDeletedFromSecondStageRecycleBin | Write | Boolean | Office Indicator. | |
| SpoFolderSharing | Write | Boolean | Office Indicator. | |
| SpoSiteExternalUserAdded | Write | Boolean | Office Indicator. | |
| SpoSiteInternalUserAdded | Write | Boolean | Office Indicator. | |
| SpoSiteLabelRemoved | Write | Boolean | Office Indicator. | |
| SpoSiteSharing | Write | Boolean | Office Indicator. | |
| SpoSyncDownload | Write | Boolean | Office Indicator. | |
| TeamsChannelFileSharedExternal | Write | Boolean | Office Indicator. | |
| TeamsChannelMemberAddedExternal | Write | Boolean | Office Indicator. | |
| TeamsChatFileSharedExternal | Write | Boolean | Office Indicator. | |
| TeamsFileDownload | Write | Boolean | Office Indicator. | |
| TeamsFolderSharedExternal | Write | Boolean | Office Indicator. | |
| TeamsMemberAddedExternal | Write | Boolean | Office Indicator. | |
| TeamsSensitiveMessage | Write | Boolean | Office Indicator. | |
| UserHistory | Write | Boolean | Risk score boosters indicator. | |
| AWSS3BlockPublicAccessDisabled | Write | Boolean | AWS indicator. | |
| AWSS3BucketDeleted | Write | Boolean | AWS indicator. | |
| AWSS3PublicAccessEnabled | Write | Boolean | AWS indicator. | |
| AWSS3ServerLoggingDisabled | Write | Boolean | AWS indicator. | |
| AzureElevateAccessToAllSubscriptions | Write | Boolean | Azure indicator. | |
| AzureResourceThreatProtectionSettingsUpdated | Write | Boolean | Azure indicator. | |
| AzureSQLServerAuditingSettingsUpdated | Write | Boolean | Azure indicator. | |
| AzureSQLServerFirewallRuleDeleted | Write | Boolean | Azure indicator. | |
| AzureSQLServerFirewallRuleUpdated | Write | Boolean | Azure indicator. | |
| AzureStorageAccountOrContainerDeleted | Write | Boolean | Azure indicator. | |
| BoxContentAccess | Write | Boolean | Box indicator. | |
| BoxContentDelete | Write | Boolean | Box indicator. | |
| BoxContentDownload | Write | Boolean | Box indicator. | |
| BoxContentExternallyShared | Write | Boolean | Box indicator. | |
| CCFinancialRegulatoryRiskyTextSent | Write | Boolean | Detect messages matching specific trainable classifiers. | |
| CCInappropriateContentSent | Write | Boolean | Detect messages matching specific trainable classifiers. | |
| CCInappropriateImagesSent | Write | Boolean | Detect messages matching specific trainable classifiers. | |
| DropboxContentAccess | Write | Boolean | Dropbox indicator. | |
| DropboxContentDelete | Write | Boolean | Dropbox indicator. | |
| DropboxContentDownload | Write | Boolean | Dropbox indicator. | |
| DropboxContentExternallyShared | Write | Boolean | Dropbox indicator. | |
| GoogleDriveContentAccess | Write | Boolean | Google Drive indicator. | |
| GoogleDriveContentDelete | Write | Boolean | Google Drive indicator. | |
| GoogleDriveContentExternallyShared | Write | Boolean | Google Drive indicator. | |
| PowerBIDashboardsDeleted | Write | Boolean | Power BI indicator. | |
| PowerBIReportsDeleted | Write | Boolean | Power BI indicator. | |
| PowerBIReportsDownloaded | Write | Boolean | Power BI indicator. | |
| PowerBIReportsExported | Write | Boolean | Power BI indicator. | |
| PowerBIReportsViewed | Write | Boolean | Power BI indicator. | |
| PowerBISemanticModelsDeleted | Write | Boolean | Power BI indicator. | |
| PowerBISensitivityLabelDowngradedForArtifacts | Write | Boolean | Power BI indicator. | |
| PowerBISensitivityLabelRemovedFromArtifacts | Write | Boolean | Power BI indicator. | |
| HistoricTimeSpan | Write | String | Determines how far back a policy should go to detect user activity and is triggered when a user performs the first activity matching a policy. | |
| InScopeTimeSpan | Write | String | Determines how long policies will actively detect activity for users and is triggered when a user performs the first activity matching a policy. | |
| EnableTeam | Write | Boolean | Integrate Microsoft Teams capabilities with insider risk case management to enhance collaboration with stakeholders. | |
| AnalyticsNewInsightEnabled | Write | Boolean | Send a monthly email summarizing new analytics scan insights. | |
| AnalyticsTurnedOffEnabled | Write | Boolean | Send an email when analytics is turned off for your organization. | |
| HighSeverityAlertsEnabled | Write | Boolean | Send a daily email when new high severity alerts are generated. | |
| HighSeverityAlertsRoleGroups | Write | StringArray[] | Specifies the groups of high severity alerts to include. Possible values are: InsiderRiskManagement, InsiderRiskManagementAnalysts, and InsiderRiskManagementInvestigators. | |
| PoliciesHealthEnabled | Write | Boolean | Send a weekly email summarizing policies that have unresolved warnings. | |
| PoliciesHealthRoleGroups | Write | StringArray[] | Specifies the groups to notify with weekly email. Possible values are: InsiderRiskManagement and InsiderRiskManagementAdmins. | |
| NotificationDetailsEnabled | Write | Boolean | Send a notification email when the first alert is generated for a new policy. | |
| NotificationDetailsRoleGroups | Write | StringArray[] | Specifies the groups to notify when the first alert is generated. Possible values are: InsiderRiskManagement, InsiderRiskManagementAnalysts, and InsiderRiskManagementInvestigators. | |
| ClipDeletionEnabled | Write | Boolean | Official documentation to come. | |
| SessionRecordingEnabled | Write | Boolean | Official documentation to come. | |
| RecordingTimeframePreEventInSec | Write | String | Official documentation to come. | |
| RecordingTimeframePostEventInSec | Write | String | Official documentation to come. | |
| BandwidthCapInMb | Write | String | Official documentation to come. | |
| OfflineRecordingStorageLimitInMb | Write | String | Official documentation to come. | |
| AdaptiveProtectionEnabled | Write | Boolean | Determines if Adaptive Protection is enabled for Purview. | |
| AdaptiveProtectionHighProfileSourceType | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionHighProfileConfirmedIssueSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionHighProfileGeneratedIssueSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionHighProfileInsightSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionHighProfileInsightCount | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionHighProfileInsightTypes | Write | StringArray[] | Official documentation to come. | |
| AdaptiveProtectionHighProfileConfirmedIssue | Write | Boolean | Official documentation to come. | |
| AdaptiveProtectionMediumProfileSourceType | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionMediumProfileConfirmedIssueSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionMediumProfileGeneratedIssueSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionMediumProfileInsightSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionMediumProfileInsightCount | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionMediumProfileInsightTypes | Write | StringArray[] | Official documentation to come. | |
| AdaptiveProtectionMediumProfileConfirmedIssue | Write | Boolean | Official documentation to come. | |
| AdaptiveProtectionLowProfileSourceType | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionLowProfileConfirmedIssueSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionLowProfileGeneratedIssueSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionLowProfileInsightSeverity | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionLowProfileInsightCount | Write | UInt32 | Official documentation to come. | |
| AdaptiveProtectionLowProfileInsightTypes | Write | StringArray[] | Official documentation to come. | |
| AdaptiveProtectionLowProfileConfirmedIssue | Write | Boolean | Official documentation to come. | |
| RetainSeverityAfterTriage | Write | Boolean | Official documentation to come. | |
| LookbackTimeSpan | Write | UInt32 | Official documentation to come. | |
| ProfileInScopeTimeSpan | Write | UInt32 | Official documentation to come. | |
| GPUUtilizationLimit | Write | UInt32 | Official documentation to come. | |
| CPUUtilizationLimit | Write | UInt32 | Official documentation to come. | |
| MDATPTriageStatus | Write | StringArray[] | Microsoft Defender for Endpoint alert statuses. | |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent, Present |
| Credential | Write | PSCredential | Credentials of the workload's Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| CertificatePassword | Write | PSCredential | Username can be made up to anything but password will be used for CertificatePassword | |
| CertificatePath | Write | String | Path to certificate used in service principal usually a PFX file. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
Description¶
Configures Insider Risk Policies in Purview.
Permissions¶
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SCInsiderRiskPolicy "SCInsiderRiskPolicy-IRM_Tenant_Setting"
{
Anonymization = $false
AlertVolume = "Medium";
AnalyticsNewInsightEnabled = $False;
AnalyticsTurnedOffEnabled = $False;
AnomalyDetections = $False;
ApplicationId = $ApplicationId;
AWSS3BlockPublicAccessDisabled = $False;
AWSS3BucketDeleted = $False;
AWSS3PublicAccessEnabled = $False;
AWSS3ServerLoggingDisabled = $False;
AzureElevateAccessToAllSubscriptions = $False;
AzureResourceThreatProtectionSettingsUpdated = $False;
AzureSQLServerAuditingSettingsUpdated = $False;
AzureSQLServerFirewallRuleDeleted = $False;
AzureSQLServerFirewallRuleUpdated = $False;
AzureStorageAccountOrContainerDeleted = $False;
BoxContentAccess = $False;
BoxContentDelete = $False;
BoxContentDownload = $False;
BoxContentExternallyShared = $False;
CCFinancialRegulatoryRiskyTextSent = $False;
CCInappropriateContentSent = $False;
CCInappropriateImagesSent = $False;
CertificateThumbprint = $CertificateThumbprint;
CopyToPersonalCloud = $False;
CopyToUSB = $False;
CumulativeExfiltrationDetector = $True;
DLPUserRiskSync = $True;
DropboxContentAccess = $False;
DropboxContentDelete = $False;
DropboxContentDownload = $False;
DropboxContentExternallyShared = $False;
EmailExternal = $False;
EmployeeAccessedEmployeePatientData = $False;
EmployeeAccessedFamilyData = $False;
EmployeeAccessedHighVolumePatientData = $False;
EmployeeAccessedNeighbourData = $False;
EmployeeAccessedRestrictedData = $False;
EnableTeam = $True;
Ensure = "Present";
EpoBrowseToChildAbuseSites = $False;
EpoBrowseToCriminalActivitySites = $False;
EpoBrowseToCultSites = $False;
EpoBrowseToGamblingSites = $False;
EpoBrowseToHackingSites = $False;
EpoBrowseToHateIntoleranceSites = $False;
EpoBrowseToIllegalSoftwareSites = $False;
EpoBrowseToKeyloggerSites = $False;
EpoBrowseToLlmSites = $False;
EpoBrowseToMalwareSites = $False;
EpoBrowseToPhishingSites = $False;
EpoBrowseToPornographySites = $False;
EpoBrowseToUnallowedDomain = $False;
EpoBrowseToViolenceSites = $False;
EpoCopyToClipboardFromSensitiveFile = $False;
EpoCopyToNetworkShare = $False;
EpoFileArchived = $False;
EpoFileCopiedToRemoteDesktopSession = $False;
EpoFileDeleted = $False;
EpoFileDownloadedFromBlacklistedDomain = $False;
EpoFileDownloadedFromEnterpriseDomain = $False;
EpoFileRenamed = $False;
EpoFileStagedToCentralLocation = $False;
EpoHiddenFileCreated = $False;
EpoRemovableMediaMount = $False;
EpoSensitiveFileRead = $False;
FileVolCutoffLimits = "59";
GoogleDriveContentAccess = $False;
GoogleDriveContentDelete = $False;
GoogleDriveContentExternallyShared = $False;
HistoricTimeSpan = "89";
InScopeTimeSpan = "30";
InsiderRiskScenario = "TenantSetting";
Mcas3rdPartyAppDownload = $False;
Mcas3rdPartyAppFileDelete = $False;
Mcas3rdPartyAppFileSharing = $False;
McasActivityFromInfrequentCountry = $False;
McasImpossibleTravel = $False;
McasMultipleFailedLogins = $False;
McasMultipleStorageDeletion = $False;
McasMultipleVMCreation = $True;
McasMultipleVMDeletion = $False;
McasSuspiciousAdminActivities = $False;
McasSuspiciousCloudCreation = $False;
McasSuspiciousCloudTrailLoggingChange = $False;
McasTerminatedEmployeeActivity = $False;
Name = "IRM_Tenant_Setting";
NotificationDetailsEnabled = $True;
OdbDownload = $False;
OdbSyncDownload = $False;
OptInIRMDataExport = $True;
PeerCumulativeExfiltrationDetector = $False;
PhysicalAccess = $False;
PotentialHighImpactUser = $False;
PowerBIDashboardsDeleted = $False;
PowerBIReportsDeleted = $False;
PowerBIReportsDownloaded = $False;
PowerBIReportsExported = $False;
PowerBIReportsViewed = $False;
PowerBISemanticModelsDeleted = $False;
PowerBISensitivityLabelDowngradedForArtifacts = $False;
PowerBISensitivityLabelRemovedFromArtifacts = $False;
Print = $False;
PriorityUserGroupMember = $False;
RaiseAuditAlert = $True;
SecurityAlertDefenseEvasion = $False;
SecurityAlertUnwantedSoftware = $False;
SpoAccessRequest = $False;
SpoApprovedAccess = $False;
SpoDownload = $False;
SpoDownloadV2 = $False;
SpoFileAccessed = $False;
SpoFileDeleted = $False;
SpoFileDeletedFromFirstStageRecycleBin = $False;
SpoFileDeletedFromSecondStageRecycleBin = $False;
SpoFileLabelDowngraded = $False;
SpoFileLabelRemoved = $False;
SpoFileSharing = $True;
SpoFolderDeleted = $False;
SpoFolderDeletedFromFirstStageRecycleBin = $False;
SpoFolderDeletedFromSecondStageRecycleBin = $False;
SpoFolderSharing = $False;
SpoSiteExternalUserAdded = $False;
SpoSiteInternalUserAdded = $False;
SpoSiteLabelRemoved = $False;
SpoSiteSharing = $False;
SpoSyncDownload = $False;
TeamsChannelFileSharedExternal = $False;
TeamsChannelMemberAddedExternal = $False;
TeamsChatFileSharedExternal = $False;
TeamsFileDownload = $False;
TeamsFolderSharedExternal = $False;
TeamsMemberAddedExternal = $False;
TeamsSensitiveMessage = $False;
TenantId = $TenantId;
UserHistory = $False;
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SCInsiderRiskPolicy "SCInsiderRiskPolicy-IRM_Tenant_Setting"
{
Anonymization = $false
AlertVolume = "Medium";
AnalyticsNewInsightEnabled = $False;
AnalyticsTurnedOffEnabled = $False;
AnomalyDetections = $False;
ApplicationId = $ApplicationId;
AWSS3BlockPublicAccessDisabled = $False;
AWSS3BucketDeleted = $False;
AWSS3PublicAccessEnabled = $False;
AWSS3ServerLoggingDisabled = $False;
AzureElevateAccessToAllSubscriptions = $False;
AzureResourceThreatProtectionSettingsUpdated = $False;
AzureSQLServerAuditingSettingsUpdated = $False;
AzureSQLServerFirewallRuleDeleted = $False;
AzureSQLServerFirewallRuleUpdated = $False;
AzureStorageAccountOrContainerDeleted = $False;
BoxContentAccess = $False;
BoxContentDelete = $False;
BoxContentDownload = $False;
BoxContentExternallyShared = $False;
CCFinancialRegulatoryRiskyTextSent = $False;
CCInappropriateContentSent = $False;
CCInappropriateImagesSent = $False;
CertificateThumbprint = $CertificateThumbprint;
CopyToPersonalCloud = $False;
CopyToUSB = $False;
CumulativeExfiltrationDetector = $True;
DLPUserRiskSync = $True;
DropboxContentAccess = $False;
DropboxContentDelete = $False;
DropboxContentDownload = $False;
DropboxContentExternallyShared = $False;
EmailExternal = $False;
EmployeeAccessedEmployeePatientData = $False;
EmployeeAccessedFamilyData = $False;
EmployeeAccessedHighVolumePatientData = $False;
EmployeeAccessedNeighbourData = $False;
EmployeeAccessedRestrictedData = $False;
EnableTeam = $True;
Ensure = "Present";
EpoBrowseToChildAbuseSites = $False;
EpoBrowseToCriminalActivitySites = $False;
EpoBrowseToCultSites = $False;
EpoBrowseToGamblingSites = $False;
EpoBrowseToHackingSites = $False;
EpoBrowseToHateIntoleranceSites = $False;
EpoBrowseToIllegalSoftwareSites = $False;
EpoBrowseToKeyloggerSites = $False;
EpoBrowseToLlmSites = $False;
EpoBrowseToMalwareSites = $False;
EpoBrowseToPhishingSites = $False;
EpoBrowseToPornographySites = $False;
EpoBrowseToUnallowedDomain = $False;
EpoBrowseToViolenceSites = $False;
EpoCopyToClipboardFromSensitiveFile = $False;
EpoCopyToNetworkShare = $False;
EpoFileArchived = $False;
EpoFileCopiedToRemoteDesktopSession = $False;
EpoFileDeleted = $False;
EpoFileDownloadedFromBlacklistedDomain = $False;
EpoFileDownloadedFromEnterpriseDomain = $False;
EpoFileRenamed = $False;
EpoFileStagedToCentralLocation = $False;
EpoHiddenFileCreated = $False;
EpoRemovableMediaMount = $False;
EpoSensitiveFileRead = $False;
FileVolCutoffLimits = "59";
GoogleDriveContentAccess = $False;
GoogleDriveContentDelete = $False;
GoogleDriveContentExternallyShared = $False;
HistoricTimeSpan = "89";
InScopeTimeSpan = "30";
InsiderRiskScenario = "TenantSetting";
Mcas3rdPartyAppDownload = $False;
Mcas3rdPartyAppFileDelete = $False;
Mcas3rdPartyAppFileSharing = $False;
McasActivityFromInfrequentCountry = $False;
McasImpossibleTravel = $False;
McasMultipleFailedLogins = $False;
McasMultipleStorageDeletion = $False;
McasMultipleVMCreation = $True;
McasMultipleVMDeletion = $False;
McasSuspiciousAdminActivities = $False;
McasSuspiciousCloudCreation = $False;
McasSuspiciousCloudTrailLoggingChange = $False;
McasTerminatedEmployeeActivity = $False;
Name = "IRM_Tenant_Setting";
NotificationDetailsEnabled = $True;
OdbDownload = $False;
OdbSyncDownload = $False;
OptInIRMDataExport = $True;
PeerCumulativeExfiltrationDetector = $False;
PhysicalAccess = $False;
PotentialHighImpactUser = $False;
PowerBIDashboardsDeleted = $False;
PowerBIReportsDeleted = $False;
PowerBIReportsDownloaded = $False;
PowerBIReportsExported = $False;
PowerBIReportsViewed = $False;
PowerBISemanticModelsDeleted = $False;
PowerBISensitivityLabelDowngradedForArtifacts = $False;
PowerBISensitivityLabelRemovedFromArtifacts = $False;
Print = $False;
PriorityUserGroupMember = $False;
RaiseAuditAlert = $True;
SecurityAlertDefenseEvasion = $False;
SecurityAlertUnwantedSoftware = $False;
SpoAccessRequest = $False;
SpoApprovedAccess = $False;
SpoDownload = $False;
SpoDownloadV2 = $False;
SpoFileAccessed = $False;
SpoFileDeleted = $False;
SpoFileDeletedFromFirstStageRecycleBin = $False;
SpoFileDeletedFromSecondStageRecycleBin = $False;
SpoFileLabelDowngraded = $False;
SpoFileLabelRemoved = $False;
SpoFileSharing = $True;
SpoFolderDeleted = $False;
SpoFolderDeletedFromFirstStageRecycleBin = $False;
SpoFolderDeletedFromSecondStageRecycleBin = $False;
SpoFolderSharing = $False;
SpoSiteExternalUserAdded = $False;
SpoSiteInternalUserAdded = $False;
SpoSiteLabelRemoved = $False;
SpoSiteSharing = $False;
SpoSyncDownload = $False;
TeamsChannelFileSharedExternal = $False;
TeamsChannelMemberAddedExternal = $False;
TeamsChatFileSharedExternal = $True; # Drift
TeamsFileDownload = $False;
TeamsFolderSharedExternal = $False;
TeamsMemberAddedExternal = $False;
TeamsSensitiveMessage = $False;
TenantId = $TenantId;
UserHistory = $False;
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SCInsiderRiskPolicy "SCInsiderRiskPolicy-IRM_Tenant_Setting"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
Ensure = "Absent";
InsiderRiskScenario = "TenantSetting";
Name = "IRM_Tenant_Setting";
TenantId = $TenantId;
}
}
}