Microsoft SC-401 Administering Information Security in Microsoft 365 Exam Practice Test

Since all employee assessments follow a specific template (AssessmentTemplate.docx), the best way to identify these documents for Data Loss Prevention (DLP) is to create a document fingerprint of that template.

Document fingerprinting allows Microsoft 365 DLP policies to recognize documents based on their structure and format, even when content inside varies (such as different employee names and results). By creating a fingerprint of AssessmentTemplate.docx, any copy derived from that template will be automatically detected by the DLP policy and blocked from being emailed externally.

Steps to implement:

● Create a document fingerprint of AssessmentTemplate.docx using PowerShell and the Microsoft Purview compliance portal.

● Apply a DLP policy to prevent external sharing of documents matching this fingerprint.

● Test the policy by attempting to email an assessment externally.

When you create an auto-labeling policy for sensitivity labels and start it in simulation mode using the default settings, Microsoft Purview will automatically turn on the policy after 14 days if you make no changes during simulation. A policy created on February 1 would therefore be turned on on February 15.

References used:

Microsoft Purview Data Access Governance custom assessments item limits.

Exchange Online Managed Folder Assistant and Start-ManagedFolderAssistant.

Auto-labeling simulation mode behavior and automatic enable timeline.

You need one Sensitive Information Type (SIT) per distinct information pattern. The minimum set that covers both SharePoint and Exchange is:

Credit Card Number (builtin) – used for documents and email.

UK National Health Service Number (builtin) – used for documents and email.

EU/UK Physical Address (builtin “EU PII: Physical address”).

User credentials (builtin “Credentials”/“User credentials”).

Custom keywordbased SIT for the sensitive project names (“Project Tailspin”, “Project Contoso”, “Project Falcon”) – can be one SIT using a keyword list.

SITs are reusable across locations, so you don’t count duplicates for email and documents.

To create custom trainable classifiers in Microsoft Purview, the user must have rights in the compliance portal. The Compliance Administrator role provides the necessary permissions to create and manage trainable classifiers. Security roles focus on threat management, and Global Administrator is excessive (not least privilege).

Step 1 – Review of Preservation Lock

Preservation Lock in Microsoft 365 retention policies ensures that once a policy is locked, no one (including administrators) can turn it off, delete it, or make it less restrictive.

Preservation Lock is only available for static retention policies and not supported for adaptive scopes.

???? Reference: Preservation Lock in Microsoft 365 retention policies

From Microsoft docs:

“Preservation Lock can only be applied to retention policies configured with static scopes. Adaptive scopes do not currently support Preservation Lock.”

Step 2 – Analyzing the Case Data

RPolicy1 → Adaptive scope (Scope1: Users). ❌ Not eligible for Preservation Lock.

RPolicy2 → Adaptive scope (Scope2: SharePoint Online sites). ❌ Not eligible for Preservation Lock.

RPolicy3 → Static scope (Microsoft 365 groups). ✅ Eligible for Preservation Lock.

Step 3 – Conclusion

Only RPolicy3 qualifies for Preservation Lock.

Retention policy tags (MRM) for Exchange Online are applied by the Managed Folder Assistant (MFA). To apply a newly created Exchange retention policy to mailbox items immediately, you manually invoke MFA with Start-ManagedFolderAssistant for the mailbox or set of mailboxes. Creating DLP policies or label policies in Purview does not accelerate MRM processing.

Step 1 – Problem statement

User1 has the Compliance Administrator role but cannot view the regular expression in the built-in IP Address sensitive info type.

This is expected because:

Microsoft provides a large set of built-in sensitive info types (SITs).

For these built-in SITs, the underlying regular expressions, keywords, or detection logic are not exposed to administrators for security reasons.

As a result, even with Compliance Administrator privileges, User1 cannot directly see or modify the regex in the built-in IP Address SIT.

Step 2 – Microsoft solution

To view or modify the regex:

You must create a copy of the built-in SIT.

Once copied, the new custom SIT allows you to edit and view the regex and supporting elements.

This is the only supported way to customize or examine the detection logic.

???? Reference: Create a custom sensitive information type

“You can't directly modify the definitions of built-in sensitive information types, but you can create a copy of an existing SIT and then edit it.”

Step 3 – Why not the other options?

A. Reviewer role group → Reviewers are for records management/discovery, not SIT regex visibility.

C. Test function → Allows you to test SIT detection but does not reveal the regex.

D. Global Reader role → Read-only access, does not expose regex definitions either.

Microsoft Purview browser extensions for Endpoint DLP are supported on:

● Windows 10/11 (Config1)

● macOS (Config2)

● Not supported on Android (Config3)

Since Microsoft Purview does not support browser extensions on Android, Config3 is excluded from both Google Chrome and Firefox.

To review a Microsoft 365 Copilot usage report, you need to use Data Security Posture Management for AI (DSPM for AI) in the Microsoft Purview portal. DSPM for AI provides insights into AI-related activities, including Copilot usage, risk assessments, and data security posture related to AI interactions within Microsoft 365.

The Set-MailboxFolderPermission -Identity "User1" -User User1@contoso.com -AccessRights Owner command is incorrect. This assigns folder permissions but does not enable auditing. It does not track who accessed the mailbox or deleted emails.

Step 1 – Where to configure Insider Risk Management notices

Insider risk management notices are part of the Microsoft Purview Insider Risk Management solution.

They are created and managed within the Microsoft Purview compliance portal.

The Microsoft 365 admin center, Microsoft Defender portal, or Microsoft Entra admin center are not used for notice templates.

Therefore, the correct choice for the portal is: Microsoft Purview portal.

Step 2 – Supported formats for notice templates

When creating an Insider Risk Management notice template, Microsoft Purview allows customization of the message body in HTML format.

HTML provides rich text formatting (fonts, colors, links, branding).

Markdown, RTF, and XML are not supported options for Purview notice templates.

Therefore, the correct format is: HTML.

Step 3 – Microsoft Reference

Microsoft documentation states:

“Notice templates are created and managed in the Microsoft Purview compliance portal. The body of the notice message is authored in HTML format to allow for full customization.”

Step 1 – Understand the scenario

We have a Microsoft 365 E5 subscription with Copilot available.

File1.docx has a sensitivity label applied.

The sensitivity label controls usage rights (Owner, Editor, Restricted Editor, Viewer).

The question: Which users can summarize File1 with Microsoft 365 Copilot?

Step 2 – Sensitivity labels and usage rights

When a sensitivity label is configured to apply encryption with usage rights, each role has different levels of access:

Owner: Full control (read, edit, reshare, extract, etc.).

Editor: Can read, edit, and copy content.

Restricted Editor: Can read and edit in place, but cannot copy, print, or extract content.

Viewer: Can only read (view) the content.

???? Reference: Rights included in usage rights for sensitivity labels

Step 3 – Copilot’s requirements for summarization

Microsoft 365 Copilot requires that the user has the ability to read and extract text from the document in order to generate a summary.

Owners and Editors: ✅ Can both read and extract → Copilot works.

Restricted Editors: ❌ Cannot copy/extract text → Copilot cannot summarize.

Viewers: ❌ Can only view → Copilot cannot process content for summarization.

???? Reference: Microsoft 365 Copilot and sensitivity labels

“Users must have extract and copy rights in order for Microsoft 365 Copilot to process and summarize labeled documents.”

Step 4 – Apply to the case

User1 (Owner) → Can summarize.

User2 (Editor) → Can summarize.

User3 (Restricted Editor) → Cannot summarize.

User4 (Viewer) → Cannot summarize.

The scenario is about retaining audit logs for User1 for 10 years in Microsoft 365. Admin1 is responsible for managing audit retention policies, but the requirement specifically applies to User1’s audit logs.

Key points:

Microsoft 365 E5 includes Audit (Premium) by default. This provides access to advanced auditing features and retention up to 1 year.

To retain audit logs for longer than 1 year (such as 10 years), Microsoft requires the 10-year Audit Log Retention Add-on license.

This license must be assigned to the user whose activities need to be retained (User1), not the administrator (Admin1).

Admin1 only needs permissions to configure and manage retention policies, but the actual long-term retention is tied to the licensed users’ activity.

Why other options are incorrect:

A. Assign a Microsoft Purview Audit (Premium) add-on license to User1: Not needed because E5 already includes Audit (Premium).

B. Assign a 10-year audit log retention add-on license to Admin1: Incorrect because Admin1 is not the user whose logs must be retained; the license applies to the user being audited, not the admin.

D. Assign a Microsoft Purview Audit (Premium) add-on license to Admin1: Again, unnecessary because E5 already includes Audit (Premium), and Admin1’s license does not affect User1’s log retention.

To validate whether an audit log retention policy will apply to the intended entries, you should configure the following fields:

● Date and time range (UTC) ensures that you are searching for audit logs within the time period when the policy should be applied. Audit logs are time-sensitive, and policies affect logs based on their timestamp.

● Record types allows you to filter and search for specific audit log categories (e.g., Exchange, SharePoint, Teams, etc.) that are affected by the retention policy. Selecting the correct record type ensures that the policy is evaluated against the relevant data.

Step 1 – Review scenario

You created a retention label policy Contoso_Policy.

Status shows Off (Error) with message: "It's taking longer than expected to deploy the policy."

Requirement: Reinitiate the policy.

Step 2 – Correct PowerShell cmdlet

To manage retention label policies in Microsoft Purview (compliance), the cmdlet is:

Set-RetentionCompliancePolicy

Other cmdlets:

Set-RetentionPolicy → Legacy Exchange Online retention policies, not Purview label policies.

Start-EdgeSynchronization → Sync for Edge Transport servers, not retention.

Start-RetentionAutoTagLearning → Used for auto-tagging learning, not relevant here.

Step 3 – Correct parameter

To force redistribution of a retention label policy when deployment fails, the parameter is:

-RetryDistribution

Other options:

-ForceFullSync and -FullCrawl → Apply to search/crawl, not retention.

-Train → Related to auto-tagging learning models, not retention.

Final Verified Answer

Set-RetentionCompliancePolicy –id Contoso_Policy –RetryDistribution

Trainable classifiers in Microsoft Purview learn from sample documents. When the initial results are unsatisfactory, retraining is done by reviewing and reclassifying items through Content explorer under the Data classification section of the Purview compliance portal. This allows you to give feedback by marking documents as “relevant” or “not relevant” to improve classifier accuracy.

The other options do not support retraining:

Labels from Information protection → Used to configure and manage sensitivity labels, not train classifiers.

Labels from Information governance → Used for retention labels, not classifiers.

Content search → Used for eDiscovery and searching content, not classifier training.

Step 1 – Scenario

You need to grant User1 permission to search Microsoft 365 audit logs while following the principle of least privilege.

Step 2 – Roles that can search audit logs

Audit log search in Microsoft 365 is tied to Exchange Online role groups, because audit log data is stored in Exchange.

The following roles are relevant:

View-Only Audit Logs → Grants the ability to search and view audit logs, but not configure auditing or take other compliance actions. This is the least privilege role.

Audit Logs → Grants broader permissions, including turning auditing on/off.

Compliance Management → A broader role group that includes audit log search and many other compliance functions, violating least privilege.

Security Reader (Entra ID) → Grants read-only access to security features, but not audit logs.

Reviewer (Purview) → Used in eDiscovery, not audit logs.

Step 3 – Why "View-Only Audit Logs" is correct

According to Microsoft documentation:

“Users must be assigned the Audit Logs or View-Only Audit Logs role in Exchange Online to search the audit log. To minimize permissions, assign View-Only Audit Logs.”

???? Reference: Permissions required to search the audit log

Step 4 – Elimination of other options

A. Security Reader role → Allows reading security-related info in Microsoft 365 Defender, not Purview audit logs.

B. Compliance Management role → Includes more than just audit logs, not least privilege.

C. View-Only Audit Logs role → Correct and least privilege.

D. Reviewer role → For eDiscovery cases, not audit logs.

Comprehensive Detailed Explanation with References

When multiple advanced DLP rules match content, Microsoft 365 DLP evaluates based on:

Rule priority

Lower number = higher priority (0 highest).

Among Rule2 (priority 1), Rule3 (priority 2), and Rule4 (priority 3), Rule2 has the highest priority.

Conflict resolution (single vs multiple rules applied)

By default, only the highest-priority rule applies if multiple rules match. → That’s why in the first dropdown, the correct answer is Only Rule2 takes effect.

However, you can configure advanced DLP to allow multiple matching rules to take effect simultaneously. If this setting is enabled, then Rule2, Rule3, and Rule4 all apply. → That’s why in the second dropdown, the correct answer is Rule2, Rule3, and Rule4 take effect.

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT) → Copilot cannot summarize.

Since File2 is labeled Label2, it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

Goal: maximize signin security for users who will test the AIP client (User1), install/configure the Microsoft Rights Management connector (User2), and act as the AIP scanner service account (User3).

Excluding users from MFA lowers security and is not recommended.

Passwordless with FIDO2 security keys (passkeys) provides strong phishingresistant authentication and is fully supported for Azure AD signins, including admin tasks and service scenarios that require interactive signin during setup.

Therefore, enabling all three for FIDO2 passkey authentication best meets the “maximize security” requirement.

Step 1 – Scenario

Tenant domain = contoso.com

Encryption method = Microsoft Purview Advanced Message Encryption (AME) using branded, link-based emails.

Recipients:

Recipient1 → Contoso internal user (same tenant).

Recipient2 → External Microsoft 365 user (Fabrikam).

Recipient3 → Outlook.com consumer email.

Recipient4 → Gmail.com consumer email.

The question asks: For which recipients can User1 revoke the emails?

Step 2 – Revocation in Advanced Message Encryption

Microsoft Purview AME allows senders to:

Revoke sent encrypted emails.

Revoke applies to all recipients who receive a link-based branded encrypted message.

When revoked, the secure message link no longer works, regardless of whether the recipient is internal, external Microsoft 365, Outlook.com, Gmail, or another email provider.

This differs from traditional RMS-based encryption where revocation is tenant-specific. In AME, the revocation is possible because the recipient must open the message through a secure browser portal (Office 365 Message Encryption portal).

Step 3 – Evaluate each recipient

Recipient1 (contoso.com, internal) → Yes, message can be revoked.

Recipient2 (fabrikam.onmicrosoft.com, external Microsoft 365) → Yes, message can be revoked because AME link enforcement works across tenants.

Recipient3 (outlook.com, consumer) → Yes, message can be revoked, they use the secure OME portal.

Recipient4 (gmail.com, consumer) → Yes, message can be revoked, they also use the secure OME portal.

Step 4 – Microsoft Reference

From Microsoft Docs:

“With Advanced Message Encryption, admins can configure branding and revocation for encrypted email messages. Revocation applies to encrypted emails sent to both internal and external recipients, including those using Outlook.com, Gmail.com, and other email services.”

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

To create a trainable classifier that can be used in an auto-apply retention label policy, you need to follow these key steps:

1. Create the trainable classifier

This is the first step where you define the classifier, specifying the types of content it should identify.

2. Test the trainable classifier

Before using the classifier in production, you need to validate its accuracy by testing it against sample documents to ensure it correctly classifies the intended data.

3. Publish the trainable classifier

Once testing is successful, you must publish the classifier so that it can be used in policies like auto-apply retention labels in Microsoft Purview.

To track who accesses User1’s mailbox, you need to enable mailbox auditing for User1. By default, Exchange mailbox auditing is not enabled per mailbox (even though it is enabled tenant-wide).

The Set-Mailbox -Identity "User1" -AuditEnabled $true command enables audit logging for mailbox actions like:

● Read emails

● Delete emails

● Send emails as User1

● Access by delegated users

Once enabled, you can search for future sign-ins and actions in the Microsoft Purview audit logs.

The requirements are:

Detect credit card information → requires a sensitive info type (built-in: Credit Card Number).

Detect keywords “Project1” or “Project2” → can be handled in the same sensitive info type by using keyword matching.

Watermarks (“Confidential”, “Internal Use Only”) are label actions, not sensitive info types.

Therefore, only 2 sensitive info types are required: one for keywords, one for credit card data.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.