Practice Free SC-401 Administering Information Security in Microsoft 365 Exam Questions Answers With Explanation

The action " SiteRenamed " for SharePoint is covered under the AuditRetention4 policy, which applies to User1 and retains logs for 9 months.

The action " Send " for ExchangeItem is covered under the AuditRetention2 policy, but this policy applies only to User1. Since User2 is not covered under a specific policy, the default retention period for audit logs in Microsoft Purview is 90 days.

Microsoft Purview Insider Risk Management flags high-impact users based on various risk factors, including role, access to confidential data, and influence within an organization. Let ' s analyze each user:

User1 (Regional Manager, assigned Reader role, manages department managers)

Risk Factors:

? Holds a managerial position (regional manager).

? Manages multiple department managers, indicating organizational influence.

? Access to critical business information.

Flagged? -Yes (Managerial role and access to confidential data).

User2 (HR department manager, no Microsoft Entra roles, manages HR department users)

Risk Factors:

? Manages HR department users, meaning they likely handle sensitive employee data.

? HR roles are often considered high-risk due to access to personal and payroll data.

Flagged? -Yes (HR role and access to sensitive employee data).

User3 (Developer, reports to User2, only user in compliance, assigned Compliance Administrator role)

Risk Factors:

? Compliance Administrator role grants access to sensitive security and regulatory data.

? Only person in the compliance department, meaning they hold a critical role.

? Potentially high impact on compliance and security settings.

Flagged? -Yes (Privileged Compliance Administrator role).

User4 (Assistant to User1, no Entra roles, handles confidential data on behalf of User1)

Risk Factors:

? Handles a high volume of confidential data on behalf of a regional manager.

? Assistants with access to sensitive data are considered insider risk candidates.

Flagged? -Yes (High access to sensitive information).

Since all four users fit high-impact criteria (managerial roles, privileged compliance access, handling sensitive data), Microsoft Purview Insider Risk Management will flag all of them.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with " 999 " .

Step 1 – Requirement

The scenario requires using Microsoft Purview Insider Risk Management to import HR data (such as employee hire dates, resignations, and department changes). HR data connectors allow insider risk policies to use workforce signals to detect risky user activities.

Step 2 – What to do first

Before importing HR data, you must configure Insider Risk Management settings in the Microsoft Purview compliance portal. This is a prerequisite step that enables HR data connectors and policies to be created.

Step 1 – Scenario

The alert in the exhibit is named Alert2.

Current status = Resolved.

The task is to identify which statuses you can change the alert to.

Step 2 – Microsoft 365 Alert Lifecycle

In Microsoft 365 compliance and security alerts, an alert can move between multiple statuses depending on investigation and remediation. The available statuses are:

Active – The alert is new and not yet acted upon.

Investigating – The alert is under review.

Resolved – The alert has been addressed.

Dismissed – The alert is ignored or deemed not relevant.

Step 3 – Status changes from " Resolved "

If an alert is in the Resolved state, administrators can reopen or reclassify it. According to Microsoft documentation, from Resolved, you can change it to:

Active

Investigating

Dismissed

This allows flexibility in continuing investigations if needed or dismissing false positives.

Step 4 – Microsoft Reference

From Microsoft Docs: “You can change the status of an alert between Active, Investigating, Resolved, and Dismissed to reflect its current stage in the triage process.”

To automatically encrypt email messages using Microsoft Purview Message Encryption (OME), administrators must configure mail flow rules (also known as transport rules) in the Exchange admin center. These rules can be configured to check conditions, such as when a recipient is a specific user or when an email contains attachments, and then apply encryption automatically. Sharing policies, Safe Attachments policies, and retention label policies are not used for OME encryption.

When you configure Microsoft Purview DLP policies for the Teams chat and channel messages location, the following entities are protected:

1:1 and n:n chats (private chats between two or more users).

Team channel messages (including the General channel and all standard channels).

Private channel messages.

This means that if a DLP policy is applied to User1 and User2, it will monitor and enforce rules across:

Chats between User1 and User2 (1:1 or group chats).

Any channel conversations they participate in (General or other channels).

Private channels they belong to.

Incorrect options:

A (1:1/n chats and general channels only) ? Excludes private channels, but DLP supports them.

B (1:1/n chats and private channels only) ? Excludes general channels, but DLP supports them too.

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 ? VIEW only (no EXTRACT ) ? Copilot cannot summarize.

Label2 ? VIEW and EXTRACT granted ? Copilot can summarize.

Label3 ? VIEW and EXPORT (no EXTRACT ) ? Copilot cannot summarize.

Since File2 is labeled Label2 , it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

? Content contains SWIFT Codes.

? Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

? File1.docx (Contains only 1 SWIFT Code ? Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

? Has higher privileges and can override DLP restrictions (through admin intervention).

? Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

? Has read-only access but DLP blocks access to restricted files.

? Can only access 1 file (File1.docx), since all others are restricted.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

? SharePoint Online sites

? OneDrive accounts

? Exchange email

? Exchange public folders

? Teams chats

? Teams channel messages

Since these locations fall under two broad categories:

? Microsoft Exchange data (Emails, Public folders)

? SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1?. A single retention policy can cover:

? SharePoint Online

? OneDrive

? Microsoft Teams

2. A second retention policy is required for:

? Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

? One for Exchange & Public Folders

? One for SharePoint, OneDrive, and Teams

There ' s no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

? A sensitive info type is needed to detect credit card numbers in documents.

? Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

? A sensitivity label is required to classify and protect documents containing sensitive information.

? This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

? An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

? This policy is configured to scan files and automatically apply the correct sensitivity label.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

? Create and manage sensitivity labels in Microsoft Purview.

? Publish and configure auto-labeling policies.

? Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

? Admin2 (Compliance Data Administrator)

? Admin3 (Compliance Administrator)

? Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding Site4 ' s Retention Policies:

? Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

? Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states " Do nothing " ).

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does " nothing, " meaning the file is no longer recoverable after that period.

Step 1 – Requirement

We need a custom sensitive information type (SIT) that detects:

An employee ID number in a specific format ? hire date + three digits.

This is a pattern-based requirement.

Specific keywords within 300 characters of that ID ? “Employee”, “ID”, or “Identification”.

This is a keyword proximity requirement.

Step 2 – Sensitive info type elements in Microsoft 365

When creating custom SITs, you define primary and secondary elements:

Primary element ? The main pattern or data to detect (the most defining factor).

Secondary element ? Supporting evidence that must be found near the primary element to increase confidence.

Available elements:

Regular expression ? Used to define patterns such as date + digits (for employee ID).

Keyword list ? Used for lists of words/phrases like " Employee " , " ID " , " Identification " .

Functions ? Used for built-in validators like credit card checksum, not relevant here.

???? Reference: Create a custom sensitive information type in Microsoft 365

Step 3 – Apply to scenario

Employee ID pattern (hire date + 3 digits) ? Needs a regular expression ? This must be the Primary element.

Keywords (“Employee”, “ID”, “Identification”) within 300 characters ? A keyword list ? This must be the Secondary element.

Let’s break it down:

File1.docx ? DLP action = None

No DLP restrictions, so it is fully accessible to both User1 (owner) and User2 (member).

File2.docx ? DLP action = Matched by DLP

“Matched” means the DLP policy detected sensitive content but has not blocked access. Instead, it may generate an alert or policy tip.

Both User1 and User2 can still open this file.

File3.docx ? DLP action = Blocked by DLP

“Blocked” means the DLP policy actively restricts access or sharing of the file.

User2 (member) cannot open this file.

However, User1 (site owner) can open it because site collection admins and owners always retain full control over content, even if a DLP rule applies.

Ref: Microsoft Purview DLP policy tips and enforcement

? DLP policies do not prevent SharePoint/OneDrive site collection admins (owners) from accessing content.

? Final Answer Table:

User1 (Site Owner): File1.docx, File2.docx, File3.docx

User2 (Site Member): File1.docx, File2.docx

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

A DLP policy with Exchange email as the only location meets this requirement because it identifies sensitive data in email messages and it applies protection actions, such as encryption, blocking, or alerts.

Trainable classifiers in Microsoft Purview require a source of documents that can be labeled as examples of what the classifier should recognize. Supported sources include SharePoint Online and Exchange Online mailboxes. On-premises SharePoint Server sites, Azure File shares, and NFS file shares are not supported for classifier training.

To create a custom trainable classifier in Microsoft Purview (formerly Microsoft Compliance Center), you must first opt into the trainable classifier feature.

Before using custom trainable classifiers, Microsoft requires manual opt-in through the Microsoft Purview compliance portal. Without this step, you cannot create a new classifier.

The Compliance Administrator role has the necessary permissions to configure data classification, DLP policies, and trainable classifiers. Global Administrator has higher privileges but is not required for this task, violating the principle of least privilege. Security Administrator is focused on security-related settings but does not manage compliance features like classifiers.

Box 1: Publishing a Sensitivity Label

Sensitivity labels can be published to Microsoft 365 groups, security groups, SharePoint Online sites, and Microsoft Teams. Since we have:

? Group1 (Microsoft 365 group) - Supported

? Group2 (Security group) - Supported

? Site1 (SharePoint Online site) - Supported

? Team1 (Microsoft Teams team) - Supported

This means we can publish Label1 to Group1, Group2, Site1, and Team1.

Box 2: Auto-Applying a Sensitivity Label

Auto-apply policies for sensitivity labels work on:

? SharePoint Online sites (documents)

? OneDrive (documents)

? Exchange email (messages)

However, labels cannot be auto-applied to Microsoft 365 groups or Teams directly because labels are applied to files and emails, not to groups or Teams as entities. Since Site1 (a SharePoint Online site) supports auto-apply, it is the correct option.

The question is about Insider Risk Management forensic evidence collection in Microsoft 365 E5 (Microsoft Purview).

???? Step 1 – Which devices are supported?

According to Microsoft documentation, forensic evidence collection for insider risk investigations is supported only on:

Windows 10

Windows 11

It is not supported on:

macOS

Android

iOS

???? Reference: Forensic evidence collection in Microsoft Purview Insider Risk Management

? So, only Device1 (Windows 11) and Device2 (Windows 10) qualify.

???? Step 2 – What preparation is needed?

For forensic evidence to be collected, supported devices must:

Be onboarded to Microsoft Purview (via Microsoft Defender for Endpoint integration).

Have the Microsoft Purview client installed.

This enables capture of user actions such as file copies, USB transfers, printing, etc., to provide forensic evidence for insider risk alerts.

? Correct option: Onboard the devices to Microsoft Purview and install the Microsoft Purview client

Step 1 – Review scenario

You created a retention label policy Contoso_Policy.

Status shows Off (Error) with message: " It ' s taking longer than expected to deploy the policy. "

Requirement: Reinitiate the policy.

Step 2 – Correct PowerShell cmdlet

To manage retention label policies in Microsoft Purview (compliance), the cmdlet is:

Set-RetentionCompliancePolicy

Other cmdlets:

Set-RetentionPolicy ? Legacy Exchange Online retention policies, not Purview label policies.

Start-EdgeSynchronization ? Sync for Edge Transport servers, not retention.

Start-RetentionAutoTagLearning ? Used for auto-tagging learning, not relevant here.

Step 3 – Correct parameter

To force redistribution of a retention label policy when deployment fails, the parameter is:

-RetryDistribution

Other options:

-ForceFullSync and -FullCrawl ? Apply to search/crawl, not retention.

-Train ? Related to auto-tagging learning models, not retention.

Final Verified Answer

Set-RetentionCompliancePolicy –id Contoso_Policy –RetryDistribution