View data policies
Using the view policy feature (select Policies > Data policies on the left pane), environment admins can view tenant-level policies—and policies within environments that the admin has access to—at an individual policy level. Non-admins can also view tenant-level policies by using this feature.
Policy scope
Data loss prevention (DLP) policies can be created at both the tenant and environment level. Tenant admins have the permissions to create tenant-level policies; environment admins have the permissions to create environment-level policies.
Tenant-level policies
Tenant admins can define three types of scopes for tenant-level data policies:
Option 1: Apply to all environments.
Option 2: Apply to multiple environments (but not all).
Option 3: Apply to all environments except certain specifically excluded ones.
It's typical for tenant admins to define data policies for their entire tenant but exclude certain environments, as described in option 3. For the excluded environments, tenant admins can define alternate data policies and apply them to multiple environments, as described in option 2. Option 1 is for data policy rules that must apply across the entire tenant, without exception.
Tenant admins can define more than one tenant-level policy for the environments in their tenant. These policies can be set for mutually exclusive or overlapping environment scopes.
Environment-level policies
Environment admins can define environment-level data policies for one environment at a time. Environment admins can't exclude their environments from tenant-level policies. Therefore, every restriction that tenant admins have scoped to an environment still applies there, in addition to any environment-level policy that the environment admin has defined for it.
As is true of tenant admins with tenant-level policies, environment admins can define more than one environment-level policy for their environment.
Even though environment admins might manage more than one environment, they can't include more than one environment in the environment-level policy. They must define individual environment-level policies for each environment that they manage.
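The scoping rules above can be checked mechanically when reviewing a tenant's policy set. The following is an added example, not code from the product or its documentation: it resolves which policies are in force for each environment and lists environments that an option 3 exclusion has left without any tenant-level policy. The scope labels, the Policy class, and all policy and environment names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Scope labels are hypothetical names for this example, not the product's schema:
# "all" = option 1, "only" = option 2, "except" = option 3,
# "single" = an environment-level policy.
TENANT_SCOPES = {"all", "only", "except"}

@dataclass(frozen=True)
class Policy:
    name: str
    scope: str
    environments: frozenset = frozenset()

    def __post_init__(self):
        if self.scope not in TENANT_SCOPES | {"single"}:
            raise ValueError(f"{self.name}: unknown scope {self.scope!r}")
        # An environment-level policy covers exactly one environment.
        if self.scope == "single" and len(self.environments) != 1:
            raise ValueError(f"{self.name}: needs exactly one environment")

    def applies_to(self, env):
        if self.scope == "all":
            return True
        if self.scope == "except":
            return env not in self.environments
        return env in self.environments  # "only" and "single"

def audit(policies, all_envs):
    """Return (policies in force per environment, environments that no
    tenant-level policy covers). Restrictions stack; none cancels another."""
    in_force = {e: [p.name for p in policies if p.applies_to(e)]
                for e in sorted(all_envs)}
    tenant = [p for p in policies if p.scope in TENANT_SCOPES]
    uncovered = [e for e in sorted(all_envs)
                 if not any(p.applies_to(e) for p in tenant)]
    return in_force, uncovered

# Constructed sample tenant: names and environments are made up.
ENVS = {"default", "finance-prod", "hr-prod", "sandbox"}
POLICIES = [
    Policy("tenant-baseline", "except", frozenset({"finance-prod", "sandbox"})),
    Policy("finance-strict", "only", frozenset({"finance-prod"})),
    Policy("hr-local", "single", frozenset({"hr-prod"})),
]

if __name__ == "__main__":
    in_force, uncovered = audit(POLICIES, ENVS)
    for env, names in in_force.items():
        print(f"{env}: {names or 'NO POLICY'}")
    print("no tenant-level coverage:", uncovered)
```

In the sample, finance-prod was excluded from the baseline but picked up an alternate policy, while sandbox was excluded and never given one, so it is reported as uncovered.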