Merge pull request #53402 from riswinto/main

update dlp module

Author: prmerger-automator[bot]

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/adaptive-protection-data-loss-prevention.md

@@ -40,9 +40,11 @@ Rather than enforcing a fixed action in all cases, policies can:
 
 For example, a low-risk user might receive a warning for an action, while the same action performed by a higher-risk user results in blocking.
 
+A safe first use of risk-based behavior is to vary guidance rather than blocking. Starting with warnings for lower-risk users and stronger actions only at higher risk levels helps validate assumptions without introducing unnecessary disruption.
+
 ## Understand how adaptive protection fits into DLP
 
-Adaptive Protection doesn't replace DLP policies. It extends them by adjusting enforcement based on user risk.
+Adaptive Protection extends DLP policies by adjusting enforcement based on user risk.
 
 At a high level:
 
@@ -54,6 +56,8 @@ The image shows where Adaptive Protection settings appear within a DLP rule. The
 
 :::image type="content" source="../media/adaptive-protection-conditions.png" alt-text="Screenshot showing the DLP rule conditions pane with Insider risk level for Adaptive Protection and selectable risk levels." lightbox="../media/adaptive-protection-conditions.png":::
 
+A common misuse of adaptive behavior is applying it broadly before static policies are stable, which makes enforcement outcomes harder to interpret.
+
 User risk can change over time as behavior changes. When risk increases or decreases, the same rule can produce different enforcement outcomes without redefining detection or scope.
 
 This is why a policy might warn a user in one situation and block the same action later, even though the rule itself hasn't changed.
@@ -68,4 +72,6 @@ Extending DLP with adaptive behavior makes sense when:
 - User context meaningfully alters risk
 - Static policies no longer scale with real usage patterns
 
-When applied intentionally, risk-based behavior extends DLP capabilities without sacrificing clarity or control.
+If enforcement outcomes can't be clearly explained based on risk signals, adaptive behavior is adding complexity without value and should be reconsidered.
+
+When applied intentionally, risk-based behavior extends DLP capabilities without sacrificing clarity.

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/define-policy-detection.md

@@ -36,15 +36,15 @@ For example, combining content-based detection with:
 
 Can significantly reduce unnecessary triggers.
 
-The goal isn't complexity for its own sake. It's clarity. Each condition should contribute meaningfully to the scenario you're trying to address.
+Detection should favor clarity over complexity. If adding conditions makes results harder to explain, refinement has likely gone too far.
 
 ## Balance coverage with precision
 
 Broad detection increases coverage, but it also increases the chance of false positives. Narrow detection improves precision, but it can miss edge cases.
 
 Early in policy creation, it's often better to favor clarity over completeness. A policy that triggers reliably in fewer scenarios is easier to validate and refine than one that fires constantly with mixed results.
 
-Detection can always be expanded later. Noise is harder to undo.
+Refinement stops helping when additional conditions reduce understanding more than they reduce noise. Detection can always be expanded later. Noise is harder to undo.
 
 ## Define what "good enough" detection looks like
 
@@ -56,7 +56,7 @@ Detection doesn't have to be perfect on day one. What matters is whether it reli
 - Results are understandable
 - False positives are limited and explainable
 
-This creates a strong foundation for validation and tuning.
+When detection consistently highlights the same types of activity considered risky, further refinement is unlikely to add value. This provides a strong foundation for validation and tuning.
 
 ## Account for how detection choices affect false positives
 
@@ -66,14 +66,14 @@ Being intentional about detection upfront reduces the need for heavy tuning afte
 
 ## Consider scenarios where data is reused or transformed
 
-Some scenarios are more complex than simple sharing or copying. When sensitive data is reused or transformed, detection becomes more important.
+Some scenarios are more complex than simple sharing or copying. When sensitive data is reused or transformed, detection plays a larger role in distinguishing real risk from incidental use.
 
 This includes workflows where:
 
 - Content is rewritten or summarized
 - Data is combined with other inputs
 - Sensitive information appears in generated responses
 
-In these cases, detection quality matters more than aggressive enforcement. Clear, accurate detection helps ensure policies respond to real risk instead of incidental use.
+In these scenarios, adding contextual conditions is often more effective than tightening content patterns. Clear, accurate detection helps ensure policies respond to meaningful risk without over-enforcing acceptable use.
 
 With detection defined, scope becomes the deciding factor for whether those signals create insight or noise.

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/policy-actions.md

@@ -33,6 +33,8 @@ Higher-risk scenarios might justify:
 
 For many scenarios, starting with nonenforcing actions and validating behavior through simulation helps confirm assumptions before stronger enforcement is applied.
 
+Warning actions are often more effective than blocking when the goal is behavior change rather than prevention. If users consistently adjust their behavior after seeing guidance, stronger enforcement may not be necessary.
+
 ## Use policy tips and notifications as guidance
 
 Policy tips and notifications play an important role in shaping behavior. They explain why an action is risky and what users can do instead.
@@ -57,7 +59,7 @@ Overrides are most effective when:
 - Justification is required and reviewed
 - Override patterns are used to refine detection and scope
 
-If most users override a policy, it's often a signal that the policy doesn't align with real workflows.
+If most users override a policy, it's often a signal that the policy doesn't align with real workflows. Isolated overrides, by contrast, are usually expected. Repeated overrides tied to the same workflow are a stronger signal that action choice needs adjustment.
 
 ## Pay attention to what override justifications reveal
 
@@ -69,6 +71,8 @@ Patterns in justifications can help answer questions like:
 - Is the policy triggering in unexpected scenarios?
 - Does the action match the actual level of risk?
 
+Override justifications that repeat the same explanation often point to legitimate work being interrupted. Varied or unclear justifications are more likely to indicate detection or scope issues rather than action choice.
+
 Using this feedback helps improve policy quality over time.
 
 Any action choice carries assumptions, and those assumptions need to be tested before enforcement.

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/policy-scope.md

@@ -31,6 +31,8 @@ Effective scoping starts by asking:
 
 Scoping to the locations that matter most reduces noise and makes results easier to interpret.
 
+In practice, overly broad scope often shows up as alerts across many unrelated workflows or locations. When results span activities that don't share a common risk pattern, scope is usually too wide to interpret meaningfully.
+
 ## Scope users, groups, and workloads intentionally
 
 Who a policy applies to matters as much as where it applies. Broad user scope can make policies difficult to validate and harder to tune.
@@ -45,14 +47,14 @@ Starting with a narrower scope makes it easier to understand policy behavior bef
 
 ## Use pilot scopes to validate assumptions
 
-Pilot scoping isn't just a rollout tactic. It's a design tool.
-
-Applying a policy to a limited group allows you to:
+Pilot scoping helps shape policy design. Applying a policy to a limited group allows you to:
 
 - Confirm detection behaves as expected
 - Observe real usage patterns
 - Identify unexpected enforcement outcomes
 
+A pilot scope has usually done its job when results are predictable and understandable, even if they aren't perfect. If alerts consistently reflect the scenarios you expected, expanding scope becomes a design choice rather than a guess.
+
 Pilot scopes are most effective when paired with simulation, allowing you to evaluate results before enforcing restrictions more broadly.
 
 ## Use inclusion and exclusion patterns to reduce noise
@@ -65,6 +67,8 @@ Exclusions can help:
 - Prevent duplicate alerts
 - Reduce friction in low-risk scenarios
 
+Exclusions that repeat across multiple policies often indicate a shared low-risk workflow rather than a detection problem.
+
 Clear inclusion and exclusion patterns keep policies focused on the behavior you actually want to address.
 
 ## Avoid overly broad scope
@@ -77,6 +81,8 @@ When a policy applies everywhere and to everyone:
 - False positives increase
 - User trust in enforcement decreases
 
+Broad scope isn't always a mistake. Scope can be intentionally broad when enforcement outcomes are consistent and well understood. Problems arise when scope is broad by default rather than by design.
+
 Effective policies balance coverage with precision. Expanding scope should be a deliberate decision, not a default.
 
 ## Scope policies for AI-assisted workflows thoughtfully

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/policy-validation.md

@@ -18,6 +18,8 @@ Simulation helps you:
 - Observe how scope affects real users and workflows
 - Evaluate whether selected actions are appropriate
 
+In practice, simulation results are easier to interpret when patterns repeat. Repeated matches tied to the same action or workflow often point to scoping constraints. Scattered, one-off matches across unrelated activity might suggest detection is too broad.
+
 While simulation doesn't enforce restrictions, users might still see policy tips or guidance. This allows organizations to observe not only how policies would trigger, but also how users respond to messaging before enforcement is enabled.
 
 Treating simulation as feedback encourages deliberate refinement before enforcement.
@@ -46,8 +48,12 @@ When reviewing results, look for:
 - Whether activity aligns with expected risk scenarios
 - Patterns that suggest legitimate work are being affected
 
+Repeated alerts tied to the same users or workflows often indicate scope issues. Alerts spread across unrelated activity usually point to detection that needs refinement. High override rates tend to indicate action mismatch rather than user disregard.
+
 The goal isn't zero activity. It's predictable, understandable activity.
 
+If results are surprising or difficult to explain, enforcement should wait. If an alert can't be clearly explained, users are unlikely to understand it once enforcement begins.
+
 ## Make targeted tuning adjustments
 
 Simulation often reveals small adjustments that improve policy quality.
@@ -58,7 +64,7 @@ Common tuning changes include:
 - Refining detection conditions
 - Adjusting actions to better match observed risk
 
-These changes are easier to make before enforcement, when users aren't yet affected.
+Isolated events are rarely a strong signal. Tuning decisions are more reliable when patterns persist over time.
 
 ## Identify when a policy is ready for enforcement
 
@@ -69,7 +75,7 @@ A policy is typically ready for enforcement when:
 - Actions match the organization's risk tolerance
 - Users can understand why enforcement occurs
 
-Readiness is about confidence, not perfection. Policies can continue to evolve after enforcement begins.
+Readiness is about confidence, not perfection. Some noise is expected, as long as it's predictable and understood.
 
 ## Recognize validation as the start of the policy lifecycle