Policy Scoping & Targeting
Understanding the Concept
Policy scoping determines WHERE policies apply: which locations (Exchange, SharePoint, Teams, etc.), which users or groups, and which sites or channels.
Effective scoping either starts broad and narrows down, or starts targeted and expands. Common approaches include geographic scoping (EU data subjects), departmental scoping (HR, Finance), and data-type scoping (PCI data).
Exclusions are as important as inclusions: you need to exclude test environments, shared mailboxes, or specific roles that legitimately handle sensitive data (like fraud investigation teams).
Key Points
- Location Scoping: Select specific services to protect
- User/Group Scoping: Target specific users, groups, or distribution lists
- Site Scoping: Target specific SharePoint sites or OneDrive accounts
- Exclusions: Accounts, groups, or sites to exempt
- Adaptive Scopes: Dynamic scoping using user/site attributes
Scoping Hierarchy
- Locations: Exchange, SharePoint, OneDrive, Teams, Endpoints, Power BI
- Accounts/Groups: Include/exclude specific users, DLs, security groups
- Sites/URLs: Specific SharePoint sites or OneDrive URLs
- Adaptive Scopes: Dynamic queries based on user/site properties
Why This Matters in Real Organizations
Poor scoping leads to gaps (missing coverage) or overreach (blocking legitimate work). Proper scoping ensures protection without disrupting business operations and makes policy management maintainable.
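The gap and overreach outcomes described above can be checked before rollout. This Python model is an added example, not part of the original lesson and not the product's own evaluation logic; `Principal`, `Scope`, `review`, and all users and groups are constructed. It assumes exclusions always override inclusions and that a scope is either static (group-based) or adaptive (attribute-based).

```python
from dataclasses import dataclass, field

@dataclass
class Principal:                      # constructed record, not a Purview object
    upn: str
    groups: set
    attrs: dict

@dataclass
class Scope:
    locations: set
    include_groups: set = field(default_factory=set)   # static membership
    exclude_groups: set = field(default_factory=set)
    adaptive: dict = field(default_factory=dict)       # attribute -> required value

    def covers(self, p, location):
        if location not in self.locations:
            return False
        if p.groups & self.exclude_groups:    # assumption: exclusions always win
            return False
        if self.adaptive:                     # dynamic: decided by current attributes
            return all(p.attrs.get(k) == v for k, v in self.adaptive.items())
        return bool(p.groups & self.include_groups)

def review(scope, principals, location, intended):
    """Compare who the scope covers with who it was meant to cover."""
    covered = {p.upn for p in principals if scope.covers(p, location)}
    return {"gaps": sorted(intended - covered),
            "overreach": sorted(covered - intended)}

# Constructed sample directory
PEOPLE = [
    Principal("alice@example.com", {"Finance"}, {"Department": "Finance"}),
    Principal("bob@example.com", {"Finance", "FraudInvestigation"}, {"Department": "Finance"}),
    Principal("carol@example.com", {"HR"}, {"Department": "HR"}),
    Principal("svc-test@example.com", {"Finance", "TestAccounts"}, {"Department": "Finance"}),
    Principal("dave@example.com", set(), {"Department": "Finance"}),  # new hire, not yet in group
]
INTENDED = {"alice@example.com", "dave@example.com"}
EXEMPT = {"FraudInvestigation", "TestAccounts"}
LOCS = {"Exchange", "SharePoint"}

STATIC = Scope(LOCS, include_groups={"Finance"}, exclude_groups=EXEMPT)
NO_EXCLUSIONS = Scope(LOCS, include_groups={"Finance"})
ADAPTIVE = Scope(LOCS, exclude_groups=EXEMPT, adaptive={"Department": "Finance"})

if __name__ == "__main__":
    for name, scope in [("static", STATIC), ("no exclusions", NO_EXCLUSIONS), ("adaptive", ADAPTIVE)]:
        print(name, review(scope, PEOPLE, "Exchange", INTENDED))
    print("Teams", review(ADAPTIVE, PEOPLE, "Teams", INTENDED))
```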
Common Mistakes to Avoid
Interview Tips
- Discuss a phased rollout approach
- Explain adaptive scopes and their benefits
- Mention how to handle exceptions properly
Exam Tips (SC-401)
- Know the available scoping options per location
- Understand adaptive scope capabilities
- Know licensing requirements for advanced scoping