Update New-DlpCompliancePolicy.md

chrisda · chrisda · commit e08c785dd24d · 2025-01-06T11:30:44.000-08:00
Locations parameter updates per TR
diff --git a/exchange/exchange-ps/exchange/New-DlpCompliancePolicy.md b/exchange/exchange-ps/exchange/New-DlpCompliancePolicy.md
@@ -139,13 +139,13 @@ This example creates a DLP policy for Microsoft 365 Copilot (Preview) in several
 
 - The first command returns information about all sensitivity labels. Select the GUID value of the sensitivity label that you want to use. For example, `e222b65a-b3a8-46ec-ae12-00c2c91b71c0`.
 
-- The second command stores the GUID value of the sensitivity label in the variable named $guidVar.
+- The second command stores the GUID value of the sensitivity label in the variable named `$guidVar`.
 
-- The third command stores the Microsoft 365 Copilot location (470f2276-e011-4e9d-a6ec-20768be3a4b0) in the variable named $loc. Update the $loc value based on the Inclusions/Exclusions scoping that you want to provide.
+- The third command stores the Microsoft 365 Copilot location (`470f2276-e011-4e9d-a6ec-20768be3a4b0`) in the variable named `$loc`. Update the `$loc` value based on the Inclusions/Exclusions scoping that you want to provide.
 
-- The fourth command creates the DLP policy using the $loc variable for the value of the Locations parameter, and "Copilot Policy" as the name of the policy (use any unique name).
+- The fourth command creates the DLP policy using the `$loc` variable for the value of the Locations parameter, and "Copilot Policy" as the name of the policy (use any unique name).
 
-- The fifth command creates the variable named $advRule. The advanced rule needs to be updated depending on the grouping of labels you want to provide as input.
+- The fifth command creates the variable named `$advRule`. The advanced rule needs to be updated depending on the grouping of labels you want to provide as input.
 
 - The last command creates the DLP rule with the name "Copilot Rule" (use any unique name). Use the name of the DLP policy from step four as the value of the Policy parameter.
 
@@ -481,17 +481,28 @@ Accept wildcard characters: False
 ```
 
 ### -Locations
-The Locations param specifies the workload, location, and security groups, distribution groups, or users that the DLP policy applies to. You can use this parameter with the following properties:
+The Locations parameter specifies to who, what, and where the DLP policy applies. This parameter uses the following properties:
 
-- Workload: Workloads where DLP policy should apply to. Set the value to Applications.
-- Location: Specific locations where DLP policy should apply to. For Microsoft 365 Copilot location (Preview), use the value 470f2276-e011-4e9d-a6ec-20768be3a4b0.
-- Inclusions: Add security groups, distribution list or individuals to the scope of this DLP policy.
+- Workload: What the DLP policy applies to. Use the value `Applications`.
+- Location: Where the DLP policy applies. For Microsoft 365 Copilot, (Preview), use the value `470f2276-e011-4e9d-a6ec-20768be3a4b0`.
+- Inclusions: Who the DLP policy applies to. For users, use the email address in this syntax: `{Type:IndividualResource,Identity:<EmailAddress>}`. For security groups or distribution groups, use the ObjectId value of the group from the Microsoft Entra portal in this syntax: `{Type:Group,Identity:<ObjectId>}`. For the entire tenant, use this value: `{Type:"Tenant",Identity:"All"}`.
+- Exclusions: Exclude security groups, distribution groups, or users from the scope of this DLP policy. For users, use the email address in this syntax: `{Type:IndividualResource,Identity:<EmailAddress>}`. For groups, use the ObjectId value of the group from the Microsoft Entra portal in this syntax: `{Type:Group, Identity:<ObjectId>}`.
 
-For example:
+You create and store the properties in a variable as shown in the following examples:
+
+DLP policy scoped to all users in the tenant:
 
 `$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","Inclusions":[{Type:"Tenant",Identity:"All"}]}]"`
 
-And then use the value $loc for this parameter.
+DLP policy scoped to the specified user and groups:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","Inclusions":[{"Type":"Group","Identity":"fef0dead-5668-4bfb-9fc2-9879a47f9bdb"},{"Type":"Group","Identity":"b4dc1e1d-8193-4525-b59c-6d6e0f1718d2"},{"Type":"IndividualResource","Identity":"yibing@contoso.com"}]}]"`
+
+DLP policy scoped to all users in the tenant except for members of the specified group:
+
+`$loc = "[{"Workload":"Applications","Location":"470f2276-e011-4e9d-a6ec-20768be3a4b0","Inclusions":[{Type:"Tenant",Identity:"All"}]}],"Exclusions":[{"Type":"Group","Identity":"fef0dead-5668-4bfb-9fc2-9879a47f9bdb"}]}]"`
+
+After you create the `$loc` variable, use the value `$loc` for this parameter.
 
 ```yaml
 Type: String
