Forum Discussion
Confusion around Purview Definitions and Risk Scoring
I think the confusion comes from the fact that DLP can play three different roles in Insider Risk Management and Adaptive Protection.
- DLP as a triggering event – This is what you're referring to. The DLP policy doesn't require the user to already have an Insider Risk level. It behaves like a normal DLP policy. The only documented requirement is that it generates High severity alerts. When a user matches that DLP policy, it triggers the IRM policy and risk scoring begins. https://learn.microsoft.com/en-us/purview/insider-risk-management-policies#notification-messages
- DLP as an indicator – Once the IRM policy has been triggered, DLP events can also be configured as Indicators that contribute to the user's risk score, alongside exfiltration activities, unusual file access, etc.
- Adaptive Protection DLP – This is a separate integration where the user's IRM risk level (Low/Medium/High) is used to dynamically change DLP enforcement. https://learn.microsoft.com/en-us/purview/dlp-adaptive-protection-learn
So there isn't actually a circular dependency. The DLP policy used as the trigger doesn't depend on an existing risk level—it is what starts the IRM evaluation. The resulting risk level can later influence Adaptive Protection, and subsequent DLP events can contribute to the user's risk score if DLP is enabled as an indicator.
If your goal is proactive detection of risky behavior before a DLP violation occurs, then using "User performs an exfiltration activity" as the trigger is likely the better fit. If you only want to start IRM investigations after a significant DLP event has occurred, then "User matches a DLP policy" is the appropriate trigger.