Merge pull request #12455 from MicrosoftDocs/DLP-chrisda

chrisda · web-flow · commit 038283015394 · 2025-01-13T16:30:01.000-08:00
DLP-chrisda to Main
diff --git a/exchange/exchange-ps/exchange/New-DlpCompliancePolicy.md b/exchange/exchange-ps/exchange/New-DlpCompliancePolicy.md
@@ -88,13 +88,67 @@ New-DlpCompliancePolicy -Name "GlobalPolicy" -Comment "Primary policy" -SharePoi
 This example creates a DLP policy named GlobalPolicy for the specified SharePoint Online and OneDrive for Business locations. The new policy has a descriptive comment and will be enabled on creation.
 
 ### Example 3
-
 ```powershell
 New-DlpCompliancePolicy -Name "PowerBIPolicy" -Comment "Primary policy" -PowerBIDlpLocation "All" -PowerBIDlpLocationException "workspaceID1","workspaceID2","workspaceID3" -Mode Enable
 ```
 
 This example creates a DLP policy named PowerBIPolicy for all qualifying Power BI workspaces (that is, those hosted on Premium Gen2 capacities) except for the specified workspaces. The new policy has a descriptive comment and will be enabled on creation.
 
+### Example 4
+```powershell
+Get-Label | Format-List Priority,ContentType,Name,DisplayName,Identity,Guid
+
+$guidVar = "e222b65a-b3a8-46ec-ae12-00c2c91b71c0"
+
+$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","Inclusions":[{Type:"Tenant", Identity:"All"}]}]"
+
+New-DLPCompliancePolicy -Name "Copilot Policy" -Locations $loc
+
+$advRule = @{
+ "Version" = "1.0"
+ "Condition" = @{
+  "Operator" = "And"
+   "SubConditions" = @(
+    @{
+    "ConditionName" = "ContentContainsSensitiveInformation"
+    "Value" = @(
+     @{
+     "groups" = @(
+       @{
+       "Operator" = "Or"
+       "labels" = @(
+         @{
+         "name" = $guidVar
+         "type" = "Sensitivity"
+        }
+       )
+       "name" = "Default"
+       }
+      )
+     }
+    )
+   }
+  )
+ }
+} | ConvertTo-Json -Depth 100
+
+New-DLPComplianceRule -Name "Copilot Rule" -Policy "Copilot Policy" -AdvancedRule $advrule -RestrictAccess @(@{setting="ExcludeContentProcessing";value="Block"})
+```
+
+This example creates a DLP policy for Microsoft 365 Copilot (Preview) in several steps:
+
+- The first command returns information about all sensitivity labels. Select the GUID value of the sensitivity label that you want to use. For example, `e222b65a-b3a8-46ec-ae12-00c2c91b71c0`.
+
+- The second command stores the GUID value of the sensitivity label in the variable named `$guidVar`.
+
+- The third command stores the Microsoft 365 Copilot location (`470f2276-e011-4e9d-a6ec-20768be3a4b0`) in the variable named `$loc`. Update the `$loc` value based on the Inclusions/Exclusions scoping that you want to provide.
+
+- The fourth command creates the DLP policy using the `$loc` variable for the value of the Locations parameter, and "Copilot Policy" as the name of the policy (use any unique name).
+
+- The fifth command creates the variable named `$advRule`. The advanced rule needs to be updated depending on the grouping of labels you want to provide as input.
+
+- The last command creates the DLP rule with the name "Copilot Rule" (use any unique name). Use the name of the DLP policy from step four as the value of the Policy parameter.
+
 ## PARAMETERS
 
 ### -Name
@@ -427,7 +481,28 @@ Accept wildcard characters: False
 ```
 
 ### -Locations
-{{ Fill Locations Description }}
+The Locations parameter specifies to whom, what, and where the DLP policy applies. This parameter uses the following properties:
+
+- Workload: What the DLP policy applies to. Use the value `Applications`.
+- Location: Where the DLP policy applies. For Microsoft 365 Copilot, (Preview), use the value `470f2276-e011-4e9d-a6ec-20768be3a4b0`.
+- Inclusions: Who the DLP policy applies to. For users, use the email address in this syntax: `{Type:IndividualResource,Identity:<EmailAddress>}`. For security groups or distribution groups, use the ObjectId value of the group from the Microsoft Entra portal in this syntax: `{Type:Group,Identity:<ObjectId>}`. For the entire tenant, use this value: `{Type:"Tenant",Identity:"All"}`.
+- Exclusions: Exclude security groups, distribution groups, or users from the scope of this DLP policy. For users, use the email address in this syntax: `{Type:IndividualResource,Identity:<EmailAddress>}`. For groups, use the ObjectId value of the group from the Microsoft Entra portal in this syntax: `{Type:Group, Identity:<ObjectId>}`.
+
+You create and store the properties in a variable as shown in the following examples:
+
+DLP policy scoped to all users in the tenant:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","Inclusions":[{Type:"Tenant",Identity:"All"}]}]"`
+
+DLP policy scoped to the specified user and groups:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","Inclusions":[{"Type":"Group","Identity":"fef0dead-5668-4bfb-9fc2-9879a47f9bdb"},{"Type":"Group","Identity":"b4dc1e1d-8193-4525-b59c-6d6e0f1718d2"},{"Type":"IndividualResource","Identity":"yibing@contoso.com"}]}]"`
+
+DLP policy scoped to all users in the tenant except for members of the specified group:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","Inclusions":[{Type:"Tenant",Identity:"All"}]}],"Exclusions":[{"Type":"Group","Identity":"fef0dead-5668-4bfb-9fc2-9879a47f9bdb"}]}]"`
+
+After you create the `$loc` variable as shown in the previous examples, use the value `$loc` for this parameter.
 
 ```yaml
 Type: String
diff --git a/exchange/exchange-ps/exchange/Set-DlpCompliancePolicy.md b/exchange/exchange-ps/exchange/Set-DlpCompliancePolicy.md
@@ -743,7 +743,26 @@ Accept wildcard characters: False
 ```
 
 ### -Locations
-{{ Fill Locations Description }}
+The Locations parameter specifies to whom, what, and where the DLP policy applies. This parameter uses the following properties:
+
+- AddInclusions or RemoveInclusions: Add or remove security groups, distribution groups, or users to or from the scope of this DLP policy. For users, use the email address in this syntax: `{Type:IndividualResource,Identity:<EmailAddress>}`. For security groups or distribution groups, use the ObjectId value of the group from the Microsoft Entra portal in this syntax: `{Type:Group,Identity:<ObjectId>}`.
+- AddExclusions or RemoveExclusions: Add or remove security groups, distribution groups, or users to or from exclusions to the scope of this DLP policy. For users, use the email address in this syntax: `{Type:IndividualResource,Identity:<EmailAddress>}`. For security groups or distribution groups, use the ObjectId value of the group from the Microsoft Entra portal in this syntax: `{Type:Group,Identity:<ObjectId>}`.
+
+You create and store the properties in a variable as shown in the following examples:
+
+DLP policy scoped to all users in the tenant:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","AddInclusions":[{Type:"Tenant",Identity:"All"}]}]"`
+
+DLP policy scoped to the specified user and groups:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","AddInclusions":[{"Type":"Group","Identity":"fef0dead-5668-4bfb-9fc2-9879a47f9bdb"},{"Type":"Group","Identity":"b4dc1e1d-8193-4525-b59c-6d6e0f1718d2"},{"Type":"IndividualResource","Identity":"yibing@contoso.com"}]}]"`
+
+DLP policy scoped to all users in the tenant except for members of the specified group:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","AddInclusions":[{Type:"Tenant",Identity:"All"}],"AddExclusions": [{"Type":"Group","Identity":"fef0dead-5668-4bfb-9fc2-9879a47f9bdb"},{"Type":"Group","Identity":"b4dc1e1d-8193-4525-b59c-6d6e0f1718d2"}]}]`
+
+After you create the `$loc` variable as shown in the previous examples, use the value `$loc` for this parameter.
 
 ```yaml
 Type: String
