To create a tenant-level policy, complete the following steps:
Click Policies > Tenant level on the left pane to enter the Tenant level page.
Click Create policy. Choose how to create this new policy.
Start from scratch – If you want to create a brand-new policy, select Start from scratch. The Create policy page appears.
Create from a policy template – Policies for Microsoft 365 provides a pre-defined policy template for fully securing data within your Exchange Online. Clicking a policy template card will open the policy template window where you can find rules available for this template.
If you want to create a policy from a policy template, click the policy template card and click Continue to open the Create policy page.
On the Create policy page, the general information, rules, and settings of the selected policy template are displayed. You can make updates if necessary and then assign this new policy to a scope to monitor the objects.
General information – Complete the general information as below. The icon of the selected object type and the policy name will be visible in this step to help you identify the policy as you proceed to the subsequent steps.
Policy name – Choose a policy creation option:
Copy from an existing policy – If you want to reuse rules and settings of an existing policy, select this option, and select a policy that you want to copy from.
The suffix "- Copy" is added to the policy name, and you can modify it. The general information, rules, and settings of the selected policy template are displayed. You can make updates if necessary and then assign this new policy to a scope to monitor the objects.
Create a new policy – If you want to create a policy from scratch, select this option, and enter a policy name.
Description – Enter an optional description for future reference.
Click Next.
Rules – Click Add rule. The Add rule window appears, displaying all rules available for tenant-level policies. For the supported rules for tenant-level policies, refer to Supported Rules.
From the rules drop-down list, select a rule to add to the policy. The configuration page of this specific rule will appear.
You can search for a specific rule by entering the rule name in the Search text box and then selecting it from the suggestion list.
Configure rule settings. You can also update rule settings after adding the rule by clicking the Settings button next to the corresponding rule name.
While detailed rule settings differ from one another, there are some common optional settings among rules:
Automatically fix violations – Most rules support the Auto Fix Violations feature, enabling automatic correction of out-of-policy settings when violations are identified. You can enable this feature by selecting the rule action checkbox.
If you prefer to analyze a violation before fixing it, you can leave the rule action checkbox unselected to disable the Auto Fix Violations feature. All violations can be found on the violations report, where you can view details and manually fix violations by clicking the Fix button.
Send email notifications – You can choose whether to send email notifications to relevant parties when violations are identified.
After enabling the setting, you need to designate recipients separately for admins and end users, and select the corresponding email templates. Refer to Notifications to prepare the email templates for admins and end users.
Admins typically refer to the following users. Different rules may support different admin options.
Site collection administrators
Site owners
Group/Team owners
Primary or secondary site contacts (a site property deployed by Cloud Governance)
Other designated users or groups within the Microsoft 365 tenant
End users usually refer to the users whose actions violate rule settings.
Independent scan interval – Depending on the size of your Microsoft 365 environment, the Enforce policy job for some rules may take a significant amount of time to complete. For rules that require a lower frequency, you can set independent scan intervals – the independent scan interval takes precedence over the general policy-level schedule. Note that this setting is only available for rules that require a lower frequency. For a full list of these rules, refer to Rules that Require Lower Frequency for Policy Schedule.
Click Add to policy.
Repeat the steps above to add more rules to the policy. All added rules are displayed in the Rules section.
You can further manage these rules as below:
Activate or deactivate rules – You can activate or deactivate a rule by turning on or off the toggle. When a rule is deactivated, user activities and changes that should be controlled by this rule will not be monitored when running jobs to enforce this policy. Note that you must activate at least one rule for each policy.
Configure running order – If multiple rules are added to the policy, you can configure the running order for these rules.
Assign policy – Assign this policy to one or more tenants. All Microsoft 365 tenants you have connected in AvePoint Online Services are displayed. Select one or more tenants. You can use the Search text box to search for tenants by name.
To prevent conflicts, one tenant can be assigned only one policy. If a policy has already been assigned to one of the selected tenants, you need to select a conflict resolution to proceed, either Keep the existing policy or Assign new policy.
Schedule – Configure additional settings as detailed below:
Configure a schedule for the Enforce policy job of the current policy, including the following settings:
Depending on the scale of your Microsoft 365 environment, the Enforce policy job for some rules may take a significant amount of time to complete. For rules that require a lower frequency, you can set independent scan intervals. These independent scan intervals take precedence over the general schedule set at the policy level. For the related rules, refer to Rules that Require Lower Frequency for Policy Schedule.
Scan interval – Enter a positive integer and select a time unit (Hours, Days, Weeks, or Months). Policies for Microsoft 365 will start Enforce policy jobs of the current policy to scan your Microsoft 365 environment according to the configured interval. You can set scan intervals in hours to detect violations in less than a day. The minimum scan interval is 2 Hours.
Scan start time – When the scan interval is set to Days, Weeks, or Months, the Scan start time setting will appear below for you to specify the exact timing of job executions.
For daily scans, you need to set a specific time. The job will start daily at the defined time.
For weekly scans, you need to select a weekday (Monday to Sunday) and set a specific time. The job will start weekly at the defined date and time.
For monthly scans, you need to select a calendar date and time. The job will start monthly at the defined date and time.
Retention period – Enter a positive integer to define how many days you would like to retain the data associated with the current policy. After the retention period, the violation details and job details will be removed from the Policies for Microsoft 365 system.
Click Next.
Review – Review the configured settings. If you want to update information in a step, click the Edit button and then make updates.
Click Save draft to create the policy; you can publish it once it is finalized. Click Publish to publish the policy; it will then wait for execution based on the configured schedule. Click Publish and run now to publish the policy and run a job immediately. To exit without saving changes, click Cancel.