SCInsiderRiskPolicy¶
Parameters¶
Parameter | Attribute | DataType | Description | Allowed Values |
---|---|---|---|---|
Name | Key | String | Name of the insider risk policy. | |
InsiderRiskScenario | Key | String | Name of the scenario supported by the policy. | |
Anonymization | Write | Boolean | Official documentation to come. | |
DLPUserRiskSync | Write | Boolean | Official documentation to come. | |
OptInIRMDataExport | Write | Boolean | Official documentation to come. | |
RaiseAuditAlert | Write | Boolean | Official documentation to come. | |
FileVolCutoffLimits | Write | String | Official documentation to come. | |
AlertVolume | Write | String | Official documentation to come. | |
AnomalyDetections | Write | Boolean | Official documentation to come. | |
CopyToPersonalCloud | Write | Boolean | Official documentation to come. | |
CopyToUSB | Write | Boolean | Official documentation to come. | |
CumulativeExfiltrationDetector | Write | Boolean | Official documentation to come. | |
EmailExternal | Write | Boolean | Official documentation to come. | |
EmployeeAccessedEmployeePatientData | Write | Boolean | Official documentation to come. | |
EmployeeAccessedFamilyData | Write | Boolean | Official documentation to come. | |
EmployeeAccessedHighVolumePatientData | Write | Boolean | Official documentation to come. | |
EmployeeAccessedNeighbourData | Write | Boolean | Official documentation to come. | |
EmployeeAccessedRestrictedData | Write | Boolean | Official documentation to come. | |
EpoBrowseToChildAbuseSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToCriminalActivitySites | Write | Boolean | Official documentation to come. | |
EpoBrowseToCultSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToGamblingSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToHackingSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToHateIntoleranceSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToIllegalSoftwareSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToKeyloggerSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToLlmSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToMalwareSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToPhishingSites | Write | Boolean | Official documentation to come. | |
EpoBrowseToPornographySites | Write | Boolean | Official documentation to come. | |
EpoBrowseToUnallowedDomain | Write | Boolean | Official documentation to come. | |
EpoBrowseToViolenceSites | Write | Boolean | Official documentation to come. | |
EpoCopyToClipboardFromSensitiveFile | Write | Boolean | Official documentation to come. | |
EpoCopyToNetworkShare | Write | Boolean | Official documentation to come. | |
EpoFileArchived | Write | Boolean | Official documentation to come. | |
EpoFileCopiedToRemoteDesktopSession | Write | Boolean | Official documentation to come. | |
EpoFileDeleted | Write | Boolean | Official documentation to come. | |
EpoFileDownloadedFromBlacklistedDomain | Write | Boolean | Official documentation to come. | |
EpoFileDownloadedFromEnterpriseDomain | Write | Boolean | Official documentation to come. | |
EpoFileRenamed | Write | Boolean | Official documentation to come. | |
EpoFileStagedToCentralLocation | Write | Boolean | Official documentation to come. | |
EpoHiddenFileCreated | Write | Boolean | Official documentation to come. | |
EpoRemovableMediaMount | Write | Boolean | Official documentation to come. | |
EpoSensitiveFileRead | Write | Boolean | Official documentation to come. | |
Mcas3rdPartyAppDownload | Write | Boolean | Official documentation to come. | |
Mcas3rdPartyAppFileDelete | Write | Boolean | Official documentation to come. | |
Mcas3rdPartyAppFileSharing | Write | Boolean | Official documentation to come. | |
McasActivityFromInfrequentCountry | Write | Boolean | Official documentation to come. | |
McasImpossibleTravel | Write | Boolean | Official documentation to come. | |
McasMultipleFailedLogins | Write | Boolean | Official documentation to come. | |
McasMultipleStorageDeletion | Write | Boolean | Official documentation to come. | |
McasMultipleVMCreation | Write | Boolean | Official documentation to come. | |
McasMultipleVMDeletion | Write | Boolean | Official documentation to come. | |
McasSuspiciousAdminActivities | Write | Boolean | Official documentation to come. | |
McasSuspiciousCloudCreation | Write | Boolean | Official documentation to come. | |
McasSuspiciousCloudTrailLoggingChange | Write | Boolean | Official documentation to come. | |
McasTerminatedEmployeeActivity | Write | Boolean | Official documentation to come. | |
OdbDownload | Write | Boolean | Official documentation to come. | |
OdbSyncDownload | Write | Boolean | Official documentation to come. | |
PeerCumulativeExfiltrationDetector | Write | Boolean | Official documentation to come. | |
PhysicalAccess | Write | Boolean | Official documentation to come. | |
PotentialHighImpactUser | Write | Boolean | Official documentation to come. | |
Write | Boolean | Official documentation to come. | ||
PriorityUserGroupMember | Write | Boolean | Official documentation to come. | |
SecurityAlertDefenseEvasion | Write | Boolean | Official documentation to come. | |
SecurityAlertUnwantedSoftware | Write | Boolean | Official documentation to come. | |
SpoAccessRequest | Write | Boolean | Official documentation to come. | |
SpoApprovedAccess | Write | Boolean | Official documentation to come. | |
SpoDownload | Write | Boolean | Official documentation to come. | |
SpoDownloadV2 | Write | Boolean | Official documentation to come. | |
SpoFileAccessed | Write | Boolean | Official documentation to come. | |
SpoFileDeleted | Write | Boolean | Official documentation to come. | |
SpoFileDeletedFromFirstStageRecycleBin | Write | Boolean | Official documentation to come. | |
SpoFileDeletedFromSecondStageRecycleBin | Write | Boolean | Official documentation to come. | |
SpoFileLabelDowngraded | Write | Boolean | Official documentation to come. | |
SpoFileLabelRemoved | Write | Boolean | Official documentation to come. | |
SpoFileSharing | Write | Boolean | Official documentation to come. | |
SpoFolderDeleted | Write | Boolean | Official documentation to come. | |
SpoFolderDeletedFromFirstStageRecycleBin | Write | Boolean | Official documentation to come. | |
SpoFolderDeletedFromSecondStageRecycleBin | Write | Boolean | Official documentation to come. | |
SpoFolderSharing | Write | Boolean | Official documentation to come. | |
SpoSiteExternalUserAdded | Write | Boolean | Official documentation to come. | |
SpoSiteInternalUserAdded | Write | Boolean | Official documentation to come. | |
SpoSiteLabelRemoved | Write | Boolean | Official documentation to come. | |
SpoSiteSharing | Write | Boolean | Official documentation to come. | |
SpoSyncDownload | Write | Boolean | Official documentation to come. | |
TeamsChannelFileSharedExternal | Write | Boolean | Official documentation to come. | |
TeamsChannelMemberAddedExternal | Write | Boolean | Official documentation to come. | |
TeamsChatFileSharedExternal | Write | Boolean | Official documentation to come. | |
TeamsFileDownload | Write | Boolean | Official documentation to come. | |
TeamsFolderSharedExternal | Write | Boolean | Official documentation to come. | |
TeamsMemberAddedExternal | Write | Boolean | Official documentation to come. | |
TeamsSensitiveMessage | Write | Boolean | Official documentation to come. | |
UserHistory | Write | Boolean | Official documentation to come. | |
AWSS3BlockPublicAccessDisabled | Write | Boolean | Official documentation to come. | |
AWSS3BucketDeleted | Write | Boolean | Official documentation to come. | |
AWSS3PublicAccessEnabled | Write | Boolean | Official documentation to come. | |
AWSS3ServerLoggingDisabled | Write | Boolean | Official documentation to come. | |
AzureElevateAccessToAllSubscriptions | Write | Boolean | Official documentation to come. | |
AzureResourceThreatProtectionSettingsUpdated | Write | Boolean | Official documentation to come. | |
AzureSQLServerAuditingSettingsUpdated | Write | Boolean | Official documentation to come. | |
AzureSQLServerFirewallRuleDeleted | Write | Boolean | Official documentation to come. | |
AzureSQLServerFirewallRuleUpdated | Write | Boolean | Official documentation to come. | |
AzureStorageAccountOrContainerDeleted | Write | Boolean | Official documentation to come. | |
BoxContentAccess | Write | Boolean | Official documentation to come. | |
BoxContentDelete | Write | Boolean | Official documentation to come. | |
BoxContentDownload | Write | Boolean | Official documentation to come. | |
BoxContentExternallyShared | Write | Boolean | Official documentation to come. | |
CCFinancialRegulatoryRiskyTextSent | Write | Boolean | Official documentation to come. | |
CCInappropriateContentSent | Write | Boolean | Official documentation to come. | |
CCInappropriateImagesSent | Write | Boolean | Official documentation to come. | |
DropboxContentAccess | Write | Boolean | Official documentation to come. | |
DropboxContentDelete | Write | Boolean | Official documentation to come. | |
DropboxContentDownload | Write | Boolean | Official documentation to come. | |
DropboxContentExternallyShared | Write | Boolean | Official documentation to come. | |
GoogleDriveContentAccess | Write | Boolean | Official documentation to come. | |
GoogleDriveContentDelete | Write | Boolean | Official documentation to come. | |
GoogleDriveContentExternallyShared | Write | Boolean | Official documentation to come. | |
PowerBIDashboardsDeleted | Write | Boolean | Official documentation to come. | |
PowerBIReportsDeleted | Write | Boolean | Official documentation to come. | |
PowerBIReportsDownloaded | Write | Boolean | Official documentation to come. | |
PowerBIReportsExported | Write | Boolean | Official documentation to come. | |
PowerBIReportsViewed | Write | Boolean | Official documentation to come. | |
PowerBISemanticModelsDeleted | Write | Boolean | Official documentation to come. | |
PowerBISensitivityLabelDowngradedForArtifacts | Write | Boolean | Official documentation to come. | |
PowerBISensitivityLabelRemovedFromArtifacts | Write | Boolean | Official documentation to come. | |
HistoricTimeSpan | Write | String | Official documentation to come. | |
InScopeTimeSpan | Write | String | Official documentation to come. | |
EnableTeam | Write | Boolean | Official documentation to come. | |
AnalyticsNewInsightEnabled | Write | Boolean | Official documentation to come. | |
AnalyticsTurnedOffEnabled | Write | Boolean | Official documentation to come. | |
HighSeverityAlertsEnabled | Write | Boolean | Official documentation to come. | |
HighSeverityAlertsRoleGroups | Write | StringArray[] | Official documentation to come. | |
PoliciesHealthEnabled | Write | Boolean | Official documentation to come. | |
PoliciesHealthRoleGroups | Write | StringArray[] | Official documentation to come. | |
NotificationDetailsEnabled | Write | Boolean | Official documentation to come. | |
NotificationDetailsRoleGroups | Write | StringArray[] | Official documentation to come. | |
ClipDeletionEnabled | Write | Boolean | Official documentation to come. | |
SessionRecordingEnabled | Write | Boolean | Official documentation to come. | |
RecordingTimeframePreEventInSec | Write | String | Official documentation to come. | |
RecordingTimeframePostEventInSec | Write | String | Official documentation to come. | |
BandwidthCapInMb | Write | String | Official documentation to come. | |
OfflineRecordingStorageLimitInMb | Write | String | Official documentation to come. | |
AdaptiveProtectionEnabled | Write | Boolean | Determines if Adaptive Protection is enabled for Purview. | |
AdaptiveProtectionHighProfileSourceType | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionHighProfileConfirmedIssueSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionHighProfileGeneratedIssueSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionHighProfileInsightSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionHighProfileInsightCount | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionHighProfileInsightTypes | Write | StringArray[] | Official documentation to come. | |
AdaptiveProtectionHighProfileConfirmedIssue | Write | Boolean | Official documentation to come. | |
AdaptiveProtectionMediumProfileSourceType | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionMediumProfileConfirmedIssueSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionMediumProfileGeneratedIssueSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionMediumProfileInsightSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionMediumProfileInsightCount | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionMediumProfileInsightTypes | Write | StringArray[] | Official documentation to come. | |
AdaptiveProtectionMediumProfileConfirmedIssue | Write | Boolean | Official documentation to come. | |
AdaptiveProtectionLowProfileSourceType | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionLowProfileConfirmedIssueSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionLowProfileGeneratedIssueSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionLowProfileInsightSeverity | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionLowProfileInsightCount | Write | UInt32 | Official documentation to come. | |
AdaptiveProtectionLowProfileInsightTypes | Write | StringArray[] | Official documentation to come. | |
AdaptiveProtectionLowProfileConfirmedIssue | Write | Boolean | Official documentation to come. | |
RetainSeverityAfterTriage | Write | Boolean | Official documentation to come. | |
LookbackTimeSpan | Write | UInt32 | Official documentation to come. | |
ProfileInScopeTimeSpan | Write | UInt32 | Official documentation to come. | |
Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent , Present |
Credential | Write | PSCredential | Credentials of the workload's Admin | |
ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
AccessTokens | Write | StringArray[] | Access token used for authentication. |
Description¶
Configures Insider Risk Policies in Purview.
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- None
-
Update
- None
Application permissions¶
-
Read
- None
-
Update
- None
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SCInsiderRiskPolicy "SCInsiderRiskPolicy-IRM_Tenant_Setting"
{
Anonymization = $false
AlertVolume = "Medium";
AnalyticsNewInsightEnabled = $False;
AnalyticsTurnedOffEnabled = $False;
AnomalyDetections = $False;
ApplicationId = $ApplicationId;
AWSS3BlockPublicAccessDisabled = $False;
AWSS3BucketDeleted = $False;
AWSS3PublicAccessEnabled = $False;
AWSS3ServerLoggingDisabled = $False;
AzureElevateAccessToAllSubscriptions = $False;
AzureResourceThreatProtectionSettingsUpdated = $False;
AzureSQLServerAuditingSettingsUpdated = $False;
AzureSQLServerFirewallRuleDeleted = $False;
AzureSQLServerFirewallRuleUpdated = $False;
AzureStorageAccountOrContainerDeleted = $False;
BoxContentAccess = $False;
BoxContentDelete = $False;
BoxContentDownload = $False;
BoxContentExternallyShared = $False;
CCFinancialRegulatoryRiskyTextSent = $False;
CCInappropriateContentSent = $False;
CCInappropriateImagesSent = $False;
CertificateThumbprint = $CertificateThumbprint;
CopyToPersonalCloud = $False;
CopyToUSB = $False;
CumulativeExfiltrationDetector = $True;
DLPUserRiskSync = $True;
DropboxContentAccess = $False;
DropboxContentDelete = $False;
DropboxContentDownload = $False;
DropboxContentExternallyShared = $False;
EmailExternal = $False;
EmployeeAccessedEmployeePatientData = $False;
EmployeeAccessedFamilyData = $False;
EmployeeAccessedHighVolumePatientData = $False;
EmployeeAccessedNeighbourData = $False;
EmployeeAccessedRestrictedData = $False;
EnableTeam = $True;
Ensure = "Present";
EpoBrowseToChildAbuseSites = $False;
EpoBrowseToCriminalActivitySites = $False;
EpoBrowseToCultSites = $False;
EpoBrowseToGamblingSites = $False;
EpoBrowseToHackingSites = $False;
EpoBrowseToHateIntoleranceSites = $False;
EpoBrowseToIllegalSoftwareSites = $False;
EpoBrowseToKeyloggerSites = $False;
EpoBrowseToLlmSites = $False;
EpoBrowseToMalwareSites = $False;
EpoBrowseToPhishingSites = $False;
EpoBrowseToPornographySites = $False;
EpoBrowseToUnallowedDomain = $False;
EpoBrowseToViolenceSites = $False;
EpoCopyToClipboardFromSensitiveFile = $False;
EpoCopyToNetworkShare = $False;
EpoFileArchived = $False;
EpoFileCopiedToRemoteDesktopSession = $False;
EpoFileDeleted = $False;
EpoFileDownloadedFromBlacklistedDomain = $False;
EpoFileDownloadedFromEnterpriseDomain = $False;
EpoFileRenamed = $False;
EpoFileStagedToCentralLocation = $False;
EpoHiddenFileCreated = $False;
EpoRemovableMediaMount = $False;
EpoSensitiveFileRead = $False;
FileVolCutoffLimits = "59";
GoogleDriveContentAccess = $False;
GoogleDriveContentDelete = $False;
GoogleDriveContentExternallyShared = $False;
HistoricTimeSpan = "89";
InScopeTimeSpan = "30";
InsiderRiskScenario = "TenantSetting";
Mcas3rdPartyAppDownload = $False;
Mcas3rdPartyAppFileDelete = $False;
Mcas3rdPartyAppFileSharing = $False;
McasActivityFromInfrequentCountry = $False;
McasImpossibleTravel = $False;
McasMultipleFailedLogins = $False;
McasMultipleStorageDeletion = $False;
McasMultipleVMCreation = $True;
McasMultipleVMDeletion = $False;
McasSuspiciousAdminActivities = $False;
McasSuspiciousCloudCreation = $False;
McasSuspiciousCloudTrailLoggingChange = $False;
McasTerminatedEmployeeActivity = $False;
Name = "IRM_Tenant_Setting";
NotificationDetailsEnabled = $True;
OdbDownload = $False;
OdbSyncDownload = $False;
OptInIRMDataExport = $True;
PeerCumulativeExfiltrationDetector = $False;
PhysicalAccess = $False;
PotentialHighImpactUser = $False;
PowerBIDashboardsDeleted = $False;
PowerBIReportsDeleted = $False;
PowerBIReportsDownloaded = $False;
PowerBIReportsExported = $False;
PowerBIReportsViewed = $False;
PowerBISemanticModelsDeleted = $False;
PowerBISensitivityLabelDowngradedForArtifacts = $False;
PowerBISensitivityLabelRemovedFromArtifacts = $False;
Print = $False;
PriorityUserGroupMember = $False;
RaiseAuditAlert = $True;
SecurityAlertDefenseEvasion = $False;
SecurityAlertUnwantedSoftware = $False;
SpoAccessRequest = $False;
SpoApprovedAccess = $False;
SpoDownload = $False;
SpoDownloadV2 = $False;
SpoFileAccessed = $False;
SpoFileDeleted = $False;
SpoFileDeletedFromFirstStageRecycleBin = $False;
SpoFileDeletedFromSecondStageRecycleBin = $False;
SpoFileLabelDowngraded = $False;
SpoFileLabelRemoved = $False;
SpoFileSharing = $True;
SpoFolderDeleted = $False;
SpoFolderDeletedFromFirstStageRecycleBin = $False;
SpoFolderDeletedFromSecondStageRecycleBin = $False;
SpoFolderSharing = $False;
SpoSiteExternalUserAdded = $False;
SpoSiteInternalUserAdded = $False;
SpoSiteLabelRemoved = $False;
SpoSiteSharing = $False;
SpoSyncDownload = $False;
TeamsChannelFileSharedExternal = $False;
TeamsChannelMemberAddedExternal = $False;
TeamsChatFileSharedExternal = $False;
TeamsFileDownload = $False;
TeamsFolderSharedExternal = $False;
TeamsMemberAddedExternal = $False;
TeamsSensitiveMessage = $False;
TenantId = $TenantId;
UserHistory = $False;
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SCInsiderRiskPolicy "SCInsiderRiskPolicy-IRM_Tenant_Setting"
{
Anonymization = $false
AlertVolume = "Medium";
AnalyticsNewInsightEnabled = $False;
AnalyticsTurnedOffEnabled = $False;
AnomalyDetections = $False;
ApplicationId = $ApplicationId;
AWSS3BlockPublicAccessDisabled = $False;
AWSS3BucketDeleted = $False;
AWSS3PublicAccessEnabled = $False;
AWSS3ServerLoggingDisabled = $False;
AzureElevateAccessToAllSubscriptions = $False;
AzureResourceThreatProtectionSettingsUpdated = $False;
AzureSQLServerAuditingSettingsUpdated = $False;
AzureSQLServerFirewallRuleDeleted = $False;
AzureSQLServerFirewallRuleUpdated = $False;
AzureStorageAccountOrContainerDeleted = $False;
BoxContentAccess = $False;
BoxContentDelete = $False;
BoxContentDownload = $False;
BoxContentExternallyShared = $False;
CCFinancialRegulatoryRiskyTextSent = $False;
CCInappropriateContentSent = $False;
CCInappropriateImagesSent = $False;
CertificateThumbprint = $CertificateThumbprint;
CopyToPersonalCloud = $False;
CopyToUSB = $False;
CumulativeExfiltrationDetector = $True;
DLPUserRiskSync = $True;
DropboxContentAccess = $False;
DropboxContentDelete = $False;
DropboxContentDownload = $False;
DropboxContentExternallyShared = $False;
EmailExternal = $False;
EmployeeAccessedEmployeePatientData = $False;
EmployeeAccessedFamilyData = $False;
EmployeeAccessedHighVolumePatientData = $False;
EmployeeAccessedNeighbourData = $False;
EmployeeAccessedRestrictedData = $False;
EnableTeam = $True;
Ensure = "Present";
EpoBrowseToChildAbuseSites = $False;
EpoBrowseToCriminalActivitySites = $False;
EpoBrowseToCultSites = $False;
EpoBrowseToGamblingSites = $False;
EpoBrowseToHackingSites = $False;
EpoBrowseToHateIntoleranceSites = $False;
EpoBrowseToIllegalSoftwareSites = $False;
EpoBrowseToKeyloggerSites = $False;
EpoBrowseToLlmSites = $False;
EpoBrowseToMalwareSites = $False;
EpoBrowseToPhishingSites = $False;
EpoBrowseToPornographySites = $False;
EpoBrowseToUnallowedDomain = $False;
EpoBrowseToViolenceSites = $False;
EpoCopyToClipboardFromSensitiveFile = $False;
EpoCopyToNetworkShare = $False;
EpoFileArchived = $False;
EpoFileCopiedToRemoteDesktopSession = $False;
EpoFileDeleted = $False;
EpoFileDownloadedFromBlacklistedDomain = $False;
EpoFileDownloadedFromEnterpriseDomain = $False;
EpoFileRenamed = $False;
EpoFileStagedToCentralLocation = $False;
EpoHiddenFileCreated = $False;
EpoRemovableMediaMount = $False;
EpoSensitiveFileRead = $False;
FileVolCutoffLimits = "59";
GoogleDriveContentAccess = $False;
GoogleDriveContentDelete = $False;
GoogleDriveContentExternallyShared = $False;
HistoricTimeSpan = "89";
InScopeTimeSpan = "30";
InsiderRiskScenario = "TenantSetting";
Mcas3rdPartyAppDownload = $False;
Mcas3rdPartyAppFileDelete = $False;
Mcas3rdPartyAppFileSharing = $False;
McasActivityFromInfrequentCountry = $False;
McasImpossibleTravel = $False;
McasMultipleFailedLogins = $False;
McasMultipleStorageDeletion = $False;
McasMultipleVMCreation = $True;
McasMultipleVMDeletion = $False;
McasSuspiciousAdminActivities = $False;
McasSuspiciousCloudCreation = $False;
McasSuspiciousCloudTrailLoggingChange = $False;
McasTerminatedEmployeeActivity = $False;
Name = "IRM_Tenant_Setting";
NotificationDetailsEnabled = $True;
OdbDownload = $False;
OdbSyncDownload = $False;
OptInIRMDataExport = $True;
PeerCumulativeExfiltrationDetector = $False;
PhysicalAccess = $False;
PotentialHighImpactUser = $False;
PowerBIDashboardsDeleted = $False;
PowerBIReportsDeleted = $False;
PowerBIReportsDownloaded = $False;
PowerBIReportsExported = $False;
PowerBIReportsViewed = $False;
PowerBISemanticModelsDeleted = $False;
PowerBISensitivityLabelDowngradedForArtifacts = $False;
PowerBISensitivityLabelRemovedFromArtifacts = $False;
Print = $False;
PriorityUserGroupMember = $False;
RaiseAuditAlert = $True;
SecurityAlertDefenseEvasion = $False;
SecurityAlertUnwantedSoftware = $False;
SpoAccessRequest = $False;
SpoApprovedAccess = $False;
SpoDownload = $False;
SpoDownloadV2 = $False;
SpoFileAccessed = $False;
SpoFileDeleted = $False;
SpoFileDeletedFromFirstStageRecycleBin = $False;
SpoFileDeletedFromSecondStageRecycleBin = $False;
SpoFileLabelDowngraded = $False;
SpoFileLabelRemoved = $False;
SpoFileSharing = $True;
SpoFolderDeleted = $False;
SpoFolderDeletedFromFirstStageRecycleBin = $False;
SpoFolderDeletedFromSecondStageRecycleBin = $False;
SpoFolderSharing = $False;
SpoSiteExternalUserAdded = $False;
SpoSiteInternalUserAdded = $False;
SpoSiteLabelRemoved = $False;
SpoSiteSharing = $False;
SpoSyncDownload = $False;
TeamsChannelFileSharedExternal = $False;
TeamsChannelMemberAddedExternal = $False;
TeamsChatFileSharedExternal = $True; # Drift
TeamsFileDownload = $False;
TeamsFolderSharedExternal = $False;
TeamsMemberAddedExternal = $False;
TeamsSensitiveMessage = $False;
TenantId = $TenantId;
UserHistory = $False;
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SCInsiderRiskPolicy "SCInsiderRiskPolicy-IRM_Tenant_Setting"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
Ensure = "Absent";
InsiderRiskScenario = "TenantSetting";
Name = "IRM_Tenant_Setting";
TenantId = $TenantId;
}
}
}