Merge pull request #53251 from MicrosoftDocs/NEW-purview-data-loss-prevention-create-manage-policies

New purview data loss prevention create manage policies

Author: Stacyrch140

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/adaptive-protection-data-loss-prevention.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-loss-prevention-create-manage-policies.adaptive-protection-data-loss-prevention
+title: Adjust enforcement dynamically based on risk
+metadata:
+  title: Adjust enforcement dynamically based on risk
+  description: "Adjust enforcement dynamically based on risk"
+  ms.date: 01/27/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 4
+content: |
+  [!include[](includes/adaptive-protection-data-loss-prevention.md)]

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/define-policy-detection.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-loss-prevention-create-manage-policies.define-policy-detection
+title: Define what the policy detects
+metadata:
+  title: Define what the policy detects
+  description: "Define what the policy detects"
+  ms.date: 01/27/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/define-policy-detection.md)]

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/guided-walkthrough-create-policy.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-loss-prevention-create-manage-policies.guided-walkthrough-create-policy
+title: "Guided walkthrough: Create a DLP policy"
+metadata:
+  title: "Guided Walkthrough: Create a DLP policy"
+  description: "Guided Walkthrough: Create a DLP policy"
+  ms.date: 01/27/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 15
+content: |
+  [!include[](includes/guided-walkthrough-create-policy.md)]

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/adaptive-protection-data-loss-prevention.md

@@ -0,0 +1,61 @@
+Up to this point, policy design has focused on defining detection, scope, actions, and validation. That model works well when risk is clear and usage patterns are predictable.
+
+In some environments, risk isn't static. The same action can carry different levels of risk depending on who performs it, how often it occurs, or what other signals are present. Risk-based behavior allows data loss prevention (DLP) enforcement to adapt based on context rather than relying only on fixed rules.
+
+## Know when content-based controls are sufficient
+
+For many scenarios, content-based policies provide the right level of protection.
+
+They work well when:
+
+- Risk scenarios are clearly defined
+- Usage patterns are consistent
+- Enforcement decisions don't need additional context
+
+In these cases, adding risk-based behavior doesn't improve outcomes. It increases complexity without addressing a real need.
+
+Before extending policies, confirm that simpler controls can't already meet the requirement.
+
+## Identify scenarios where added context improves decisions
+
+Risk-based behavior becomes useful when context changes how risk should be evaluated.
+
+This includes scenarios where:
+
+- The same action is acceptable for some users but risky for others
+- Behavior escalates gradually rather than occurring as a single event
+- Repeated activity signals increasing risk over time
+
+In these situations, static rules often feel either too permissive or too restrictive.
+
+## Use risk signals to adjust enforcement dynamically
+
+Risk-based DLP behavior incorporates signals beyond content alone. These signals allow enforcement to respond differently as conditions change.
+
+Rather than enforcing a fixed action in all cases, policies can:
+
+- Apply stricter controls as risk increases
+- Reduce enforcement when risk is low
+- Focus protection where it's most needed
+
+For example, a low-risk user might receive a warning for an action, while the same action performed by a higher-risk user results in blocking.
+
+## Understand how adaptive protection fits into DLP
+
+Adaptive protection doesn't replace DLP policies. It builds on existing detection, scope, and actions by adjusting enforcement based on user risk.
+
+User risk can change over time as behavior changes. This allows enforcement outcomes to adapt without redefining the policy itself.
+
+This connection helps explain why enforcement results might vary even when policy rules remain the same.
+
+## Keep complexity aligned with actual risk
+
+Risk-based behavior should solve a specific problem. If risk can be addressed with clear, static rules, those rules are usually the better choice.
+
+Extending DLP with adaptive behavior makes sense when:
+
+- Enforcement decisions need to change over time
+- User context meaningfully alters risk
+- Static policies no longer scale with real usage patterns
+
+When applied intentionally, risk-based behavior extends DLP capabilities without sacrificing clarity or control.

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/define-policy-detection.md

@@ -0,0 +1,77 @@
+Once you decide how to start a policy, the next step is defining what the policy should detect. Detection choices shape how accurate a policy is, how often it triggers, and how much noise it generates over time.
+
+Good detection isn't about catching everything. It's about identifying the situations that matter most and responding consistently when they occur.
+
+## Ensure detection matches the risk
+
+In Microsoft Purview, detection isn't based on a single signal. Policies evaluate different kinds of signals that describe what the data is, how it's classified, and how it's being used.
+
+These signals generally fall into three categories:
+
+- **Content-based signals** focus on what the data contains, like identifying specific patterns or content types.
+
+  These signals are useful when detection needs to be driven by the data itself rather than prior classification. They work well when patterns, keywords, or content structure matter more than how the data was labeled.
+
+- **Classification-based signals** rely on prior classification decisions, like labels applied by users or automation.
+
+  These signals are useful when protection should follow the data consistently, regardless of where it appears or how it's used.
+
+- **Context-based signals** describe how data is handled, like the action being taken or where the data is sent.
+
+  These signals focus on actions, destinations, and user context, and they help narrow enforcement to situations that actually represent risk.
+
+Effective policies often combine signals from more than one category. Choosing the right mix depends on how reliably data is classified and what behavior the policy is meant to address.
+
+## Combine conditions to improve accuracy
+
+Single detection conditions can work for simple scenarios, but they often lack context. Combining conditions helps narrow enforcement to situations that actually represent risk.
+
+For example, combining content-based detection with:
+
+- A specific action
+- A destination or location
+- A user or group scope
+
+Can significantly reduce unnecessary triggers.
+
+The goal isn't complexity for its own sake. It's clarity. Each condition should contribute meaningfully to the scenario you're trying to address.
+
+## Balance coverage with precision
+
+Broad detection increases coverage, but it also increases the chance of false positives. Narrow detection improves precision, but it can miss edge cases.
+
+Early in policy creation, it's often better to favor clarity over completeness. A policy that triggers reliably in fewer scenarios is easier to validate and refine than one that fires constantly with mixed results.
+
+Detection can always be expanded later. Noise is harder to undo.
+
+## Define what "good enough" detection looks like
+
+Detection doesn't have to be perfect on day one. What matters is whether it reliably identifies the behavior you care about without disrupting normal work.
+
+"Good enough" detection usually means:
+
+- The policy triggers when expected
+- Results are understandable
+- False positives are limited and explainable
+
+This creates a strong foundation for validation and tuning.
+
+## Account for how detection choices affect false positives
+
+Detection decisions made early often determine where false positives appear later. Overly broad conditions, weak context, or reliance on unreliable signals can all contribute to unnecessary enforcement.
+
+Being intentional about detection upfront reduces the need for heavy tuning after deployment.
+
+## Consider scenarios where data is reused or transformed
+
+Some scenarios are more complex than simple sharing or copying. When sensitive data is reused or transformed, detection becomes more important.
+
+This includes workflows where:
+
+- Content is rewritten or summarized
+- Data is combined with other inputs
+- Sensitive information appears in generated responses
+
+In these cases, detection quality matters more than aggressive enforcement. Clear, accurate detection helps ensure policies respond to real risk instead of incidental use.
+
+With detection defined, the next step is deciding where the policy should apply and who it should affect.