Difference between MIP “Classification Profile” and a MIP “Decryption Profile”

Article ID: 242222

Products

Data Loss Prevention

Issue/Introduction

What are the differences in functionality between a MIP “Classification Profile” and a MIP “Decryption Profile” in Symantec Data Loss Prevention (DLP)?

Can you create "Decryption Profiles" for multiple independent O365/Email tenants?

Environment

Release: 15.8

Resolution

MIP classification credential profile: 

Used by the Enforce Server and DLP Agents to synchronize classification labels with the MIP service. You can configure only one MIP classification credential profile.

MIP decryption credential profiles:

Used by detection servers to inspect documents and emails that have been encrypted by MIP. You can configure multiple MIP decryption credential profiles.

 

You can configure a MIP classification credential profile and one or more MIP decryption credential profiles on the System > Settings > MIP Credential Profiles screen of the Enforce Server administration console.

The Enforce Server uses the classification credentials to import the classification labels from the MIP portal. After classification synchronization is completed, you can use the available labels and sub-labels to configure response actions to recommend labels to endpoint users or automatically apply labels to supported file types. You can configure only one MIP classification credential profile.

 

You can configure more than one MIP decryption credential profile. Multiple unrelated decryption credentials, belonging to completely independent tenants, are supported. The decryption credentials that you configure must have sufficient privileges to decrypt all documents and emails that flow through a specific control point.

  • Network and Storage detection servers use the decryption credential to inspect files that are encrypted by Microsoft Information Protection.
  • The Cloud detection service uses the decryption credential specified in the Cloud Management Portal.
  • The DLP Agent prompts the end-user for decryption credentials on the Endpoint.