update for more exam mechanics

Author: riswinto

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/adaptive-protection-data-loss-prevention.md

@@ -42,11 +42,21 @@ For example, a low-risk user might receive a warning for an action, while the sa
 
 ## Understand how adaptive protection fits into DLP
 
-Adaptive protection doesn't replace DLP policies. It builds on existing detection, scope, and actions by adjusting enforcement based on user risk.
+Adaptive Protection doesn't replace DLP policies. It extends them by adjusting enforcement based on user risk.
 
-User risk can change over time as behavior changes. This allows enforcement outcomes to adapt without redefining the policy itself.
+At a high level:
 
-This connection helps explain why enforcement results might vary even when policy rules remain the same.
+- Adaptive Protection is configured **within DLP rules**
+- Detection conditions remain unchanged
+- Enforcement behavior adjusts based on user risk signals
+
+The image shows where Adaptive Protection settings appear within a DLP rule. These settings control how enforcement changes based on user risk, while detection conditions remain the same.
+
+:::image type="content" source="../media/adaptive-protection-conditions.png" alt-text="Screenshot showing the DLP rule conditions pane with Insider risk level for Adaptive Protection and selectable risk levels." lightbox="../media/adaptive-protection-conditions.png":::
+
+User risk can change over time as behavior changes. When risk increases or decreases, the same rule can produce different enforcement outcomes without redefining detection or scope.
+
+This is why a policy might warn a user in one situation and block the same action later, even though the rule itself hasn't changed.
 
 ## Keep complexity aligned with actual risk
 
@@ -59,4 +69,3 @@ Extending DLP with adaptive behavior makes sense when:
 - Static policies no longer scale with real usage patterns
 
 When applied intentionally, risk-based behavior extends DLP capabilities without sacrificing clarity or control.
-

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/define-policy-detection.md

@@ -4,7 +4,9 @@ Good detection isn't about catching everything. It's about identifying the situa
 
 ## Ensure detection matches the risk
 
-In Microsoft Purview, detection isn't based on a single signal. Policies evaluate different kinds of signals that describe what the data is, how it's classified, and how it's being used.
+In Microsoft Purview, detection is defined at the **rule level**, not at the policy level. A data loss prevention (DLP) policy can contain one or more rules, and each rule defines its own detection conditions and response behavior.
+
+When a policy includes multiple rules, those rules are evaluated independently. Each rule determines whether its conditions are met and what action to take when they are.
 
 These signals generally fall into three categories:
 

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/guided-walkthrough-create-policy.md

@@ -8,6 +8,19 @@ An organization stores sensitive business documents in Microsoft 365 and collabo
 
 The security team wants visibility into risky sharing activity before enforcing restrictions. The goal is to reduce accidental data exposure without disrupting normal work.
 
+### Before creating or managing DLP policies
+
+Creating and managing data loss prevention (DLP) policies depends on having the appropriate Microsoft Purview roles assigned. Role assignment affects which policy options are visible, who can review simulation results and alerts, and who can change enforcement behavior or policy priority. Confirming roles up front helps avoid confusion during policy creation and clarifies administrative responsibilities.
+
+**DLP administration requires one of these roles:**
+
+- **Compliance Administrator**, which provides full administrative access to create, configure, enforce, and manage DLP policies across supported locations
+- **Compliance Data Administrator**, which provides the ability to create and manage DLP policies and review policy results without broader compliance administration permissions
+
+These roles are required to create, edit, and enforce DLP policies. They also allow administrators to review simulation results and alerts, and to manage policy mode, enforcement behavior, and policy priority.
+
+Once the appropriate roles are assigned, policy creation and management decisions can be made consistently in the Microsoft Purview portal.
+
 ### Start a new data loss prevention (DLP) policy
 
 Start by creating a new Data Loss Prevention policy in the Microsoft Purview portal.

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/manage-policies.md

@@ -4,31 +4,31 @@ Effective policy management focuses on understanding how policies interact, know
 
 ## Understand how multiple DLP policies interact
 
-In Microsoft Purview, DLP policies are evaluated in priority order. When activity matches a policy, the evaluation process starts at the highest-priority policy and works downward.
+In Microsoft Purview, DLP policies are evaluated in **priority order**, starting with the highest-priority policy and moving downward.
 
-In some cases, the **first matching policy determines the enforcement outcome**. If that policy applies an action, lower-priority policies might never be evaluated for the same activity.
+When activity matches a policy, the **first matching policy can determine the enforcement outcome**. If that policy applies an action, lower-priority policies might never be evaluated for the same activity.
 
 This means that:
 
-- Policy order can affect enforcement results
-- Later policies might not apply if an earlier policy already matches
-- The same data can be treated differently depending on which policy is evaluated first
+- Higher-priority policies are evaluated before lower-priority policies
+- The first matching policy can control enforcement
+- Lower-priority policies might not apply, even if they also match the data
 
 For example, a high-priority policy that audits sensitive data sharing might prevent a lower-priority policy from blocking the same action, even if both policies target similar data. Understanding this interaction helps explain why enforcement outcomes don't always align with expectations when multiple policies exist.
 
 ## Know when policy priority matters
 
 Policy priority doesn't always affect outcomes, but when it does, the impact can be significant.
 
-Priority matters most when:
+Policy priority matters most when::
 
 - Multiple policies apply to the same location
 - Policies target overlapping users or similar data
 - Actions differ across policies, such as audit versus block
 
 In these cases, changing priority can alter which policy controls enforcement without changing detection or scope.
 
-Priority usually matters less when:
+Policy priority usually matters less when:
 
 - Policies are scoped to different locations
 - Policies apply to separate user groups

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/policy-actions.md

@@ -6,14 +6,14 @@ Choosing the right action is about aligning protection with business tolerance.
 
 Data loss prevention (DLP) policies can take different actions when conditions are met. Each action represents a different balance between visibility, guidance, and restriction.
 
-Common action patterns include:
+In Microsoft Purview, these actions generally fall into a few enforcement categories:
 
-- Auditing activity to understand behavior without interruption
-- Warning users when an action might introduce risk
-- Blocking actions while allowing users to override with justification
-- Blocking actions outright when risk is unacceptable
+- **Audit**, where activity is logged without interrupting users
+- **Warn**, where users receive guidance but can continue their action
+- **Block with override**, where users can proceed with justification
+- **Block**, where the action is prevented entirely
 
-No single action is correct for every scenario. The right choice depends on the likelihood of risk and the consequences of disruption.
+Not every enforcement category is available in every location. Available actions depend on where the policy applies and the type of activity being evaluated. Actions are configured at the **rule level**, not at the policy level, so each rule defines its own enforcement behavior.
 
 ## Match actions to business tolerance
 

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/policy-scope.md

@@ -8,7 +8,18 @@ It's tempting to scope policies broadly across all locations to ensure coverage.
 
 Different locations support different kinds of data movement. Email, collaboration sites, file storage, and endpoints often expose data in different ways.
 
-This view highlights how many locations a single policy can cover, which is why scoping decisions should be intentional.
+In Microsoft Purview, DLP policies can be scoped to locations like:
+
+- Exchange email
+- SharePoint sites
+- OneDrive accounts
+- Microsoft Teams messages
+- Devices through Endpoint DLP
+- Browser-based activity in supported browsers
+
+Available conditions and enforcement actions vary by location, which is why scoping decisions directly affect how a policy behaves.
+
+This page shows how those locations appear during policy creation, with each location scoped independently.
 
 :::image type="content" source="../media/policy-scope-page.png" alt-text="Screenshot of the Microsoft Purview DLP policy location selection page with multiple locations selected." lightbox="../media/policy-scope-page.png":::
 

learn-pr/wwl-sci/purview-data-loss-prevention-create-manage-policies/includes/policy-validation.md

@@ -6,6 +6,10 @@ Validation helps ensure policies reduce risk without disrupting normal work. It
 
 Simulation mode allows a policy to evaluate activity without taking enforcement actions. Instead of blocking activity, the policy records what _would_ have happened.
 
+A DLP policy can be **off**, run in **simulation**, or run in **enforcement**, and the selected mode applies at the policy level, not per rule.
+
+All rules within a policy run under the same mode. You can't simulate one rule while enforcing another.
+
 This makes simulation a design tool, not just a safety check.
 
 Simulation helps you: