SC-401 Questions and Answers

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

Step 1 – Understanding the requirement

You want to retain specific audit log record types and activities for 3 years:

CopilotInteraction → All activities (1/1)

Compliance DLP endpoint → All activities (2/2)

Azure Active Directory → Only 2 out of 25 activities selected (Reset user password, Changed user password)

The goal is to minimize the number of audit retention policies while meeting the requirement to store only the selected record types and activities.

Step 2 – Audit retention policies in Microsoft Purview

Audit retention policies let you define which activities and record types are retained and for how long.

A single retention policy can include multiple record types and multiple activities.

Limitation: Each policy can only define one set of retention settings per included record types/activities.

If you want to retain different subsets of activities (e.g., only 2 out of 25 in Azure AD), you must create a separate policy for that.

???? Reference: Set up audit (Premium) retention policies in Microsoft Purview

Step 3 – Applying to the scenario

CopilotInteraction: Since you need all activities, you can include them in one policy.

Compliance DLP endpoint: Since you also need all activities, they can be added to the same policy as CopilotInteraction.

✅ These two can be covered by 1 policy.

Azure Active Directory: You only need 2 out of 25 activities. Since this requires activity-level filtering, it must be placed in a separate policy.

Thus:

Policy 1 → CopilotInteraction (all) + Compliance DLP endpoint (all)

Policy 2 → Azure AD “Reset user password”

Policy 3 → Azure AD “Changed user password”

That equals 3 total policies.

Step 1 – Review the configuration

Sensitivity label name: Contoso Confidential

Scope: Files and emails

Access control:

Encrypts documents/emails.

Permissions assigned to AuthenticatedUsers with Co-Author rights.

Offline access allowed only for 7 days.

Auto-labeling = None (not configured).

Content marking: Footer applied.

Step 2 – Analyze each statement

Statement 1: If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential.

Sensitivity labels with encryption enforce Azure AD authentication every time a user tries to access a file.

If the account is disabled in Azure AD, access is blocked immediately.

Answer: Yes

Statement 2: Guest users will be able to open documents protected by Contoso Confidential.

Access control was configured only for AuthenticatedUsers (internal users).

Guest or external users are not included in this group.

Therefore, guest users cannot open the protected documents.

Answer: No

Statement 3: Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online.

Auto-labeling for files and emails = None.

That means labeling must be applied manually by users, not automatically.

Answer: No

Final Verified Answers

If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential → Yes

Guest users will be able to open documents protected by Contoso Confidential → No

Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online → No

Step 1 – Requirement

We need a custom sensitive information type (SIT) that detects:

An employee ID number in a specific format → hire date + three digits.

This is a pattern-based requirement.

Specific keywords within 300 characters of that ID → “Employee”, “ID”, or “Identification”.

This is a keyword proximity requirement.

Step 2 – Sensitive info type elements in Microsoft 365

When creating custom SITs, you define primary and secondary elements:

Primary element → The main pattern or data to detect (the most defining factor).

Secondary element → Supporting evidence that must be found near the primary element to increase confidence.

Available elements:

Regular expression → Used to define patterns such as date + digits (for employee ID).

Keyword list → Used for lists of words/phrases like "Employee", "ID", "Identification".

Functions → Used for built-in validators like credit card checksum, not relevant here.

???? Reference: Create a custom sensitive information type in Microsoft 365

Step 3 – Apply to scenario

Employee ID pattern (hire date + 3 digits) → Needs a regular expression → This must be the Primary element.

Keywords (“Employee”, “ID”, “Identification”) within 300 characters → A keyword list → This must be the Secondary element.

In Microsoft Purview Data Lifecycle Management, different Microsoft 365 locations require separate retention policies because they fall under different storage and compliance models.

Teams Chats & Teams Channel Messages (1 Policy) require a separate retention policy because Teams messages are stored differently than Exchange and SharePoint content. One policy can cover both Teams chats and Teams channel messages. Exchange Email (1 Policy) requires its own separate policy since emails are managed differently than Teams or SharePoint content. SharePoint Sites & Microsoft 365 Groups (1 Policy) are both stored in SharePoint Online, so they can be managed under one policy.

You need to prevent users from sharing sensitive information with third-party generative AI websites.

A. Information Protection → Classifies and labels data but does not block sharing with external AI sites.

B. Information Barriers → Restricts communication between groups of users (e.g., compliance walls), not web uploads.

C. Insider Risk Management → Detects risky behavior (like data exfiltration), but does not actively block data sharing.

D. Data Loss Prevention (DLP) → Detects and prevents sensitive data being copied to browsers, USBs, or uploaded to restricted domains (like ChatGPT, Bard, etc.).

Step 1 – Review scenario

You created a retention label policy Contoso_Policy.

Status shows Off (Error) with message: "It's taking longer than expected to deploy the policy."

Requirement: Reinitiate the policy.

Step 2 – Correct PowerShell cmdlet

To manage retention label policies in Microsoft Purview (compliance), the cmdlet is:

Set-RetentionCompliancePolicy

Other cmdlets:

Set-RetentionPolicy → Legacy Exchange Online retention policies, not Purview label policies.

Start-EdgeSynchronization → Sync for Edge Transport servers, not retention.

Start-RetentionAutoTagLearning → Used for auto-tagging learning, not relevant here.

Step 3 – Correct parameter

To force redistribution of a retention label policy when deployment fails, the parameter is:

-RetryDistribution

Other options:

-ForceFullSync and -FullCrawl → Apply to search/crawl, not retention.

-Train → Related to auto-tagging learning models, not retention.

Final Verified Answer

Set-RetentionCompliancePolicy –id Contoso_Policy –RetryDistribution

To automatically encrypt email messages using Microsoft Purview Message Encryption (OME), administrators must configure mail flow rules (also known as transport rules) in the Exchange admin center. These rules can be configured to check conditions, such as when a recipient is a specific user or when an email contains attachments, and then apply encryption automatically. Sharing policies, Safe Attachments policies, and retention label policies are not used for OME encryption.

Captures clips of key security-related user activities

This requirement refers to recording and surfacing evidence of risky user behavior (e.g., copying sensitive files to USB, uploading to cloud storage, or exfiltrating data).

In Microsoft Purview Insider Risk Management, this is achieved through Forensic evidence, which allows capturing screenshots/clips of user activities on endpoints when a policy is triggered.

Ref: Microsoft Learn – Insider risk forensic evidence

Integrates DLP capabilities with insider risk management

Microsoft introduced Adaptive Protection as part of Purview Insider Risk.

Adaptive Protection uses insider risk signals and DLP together, dynamically adjusting DLP controls (block, restrict, monitor) based on the user’s risk level.

This integration reduces false positives and ensures risky users are monitored more strictly while low-risk users are less impacted.

Ref: Microsoft Learn – Adaptive Protection in Microsoft Purview

Other options ruled out:

Adaptive scopes: Used for defining policy targeting groups dynamically, not capturing activities.

Classifiers/Trainable classifiers: Used for content classification, not exfiltration capture or DLP integration.

eDiscovery (Premium): For legal investigations, not insider risk + DLP integration.

Records management: Lifecycle retention, not related to insider risk.

To track who accesses User1’s mailbox, you need to enable mailbox auditing for User1. By default, Exchange mailbox auditing is not enabled per mailbox (even though it is enabled tenant-wide).

The Set-Mailbox -Identity "User1" -AuditEnabled $true command enables audit logging for mailbox actions like:

● Read emails

● Delete emails

● Send emails as User1

● Access by delegated users

Once enabled, you can search for future sign-ins and actions in the Microsoft Purview audit logs.

Retention policy tags (MRM) for Exchange Online are applied by the Managed Folder Assistant (MFA). To apply a newly created Exchange retention policy to mailbox items immediately, you manually invoke MFA with Start-ManagedFolderAssistant for the mailbox or set of mailboxes. Creating DLP policies or label policies in Purview does not accelerate MRM processing.

When you configure Microsoft Purview DLP policies for the Teams chat and channel messages location, the following entities are protected:

1:1 and n:n chats (private chats between two or more users).

Team channel messages (including the General channel and all standard channels).

Private channel messages.

This means that if a DLP policy is applied to User1 and User2, it will monitor and enforce rules across:

Chats between User1 and User2 (1:1 or group chats).

Any channel conversations they participate in (General or other channels).

Private channels they belong to.

Incorrect options:

A (1:1/n chats and general channels only) → Excludes private channels, but DLP supports them.

B (1:1/n chats and private channels only) → Excludes general channels, but DLP supports them too.

To create custom trainable classifiers in Microsoft Purview, the user must have rights in the compliance portal. The Compliance Administrator role provides the necessary permissions to create and manage trainable classifiers. Security roles focus on threat management, and Global Administrator is excessive (not least privilege).

To implement Microsoft Purview Data Lifecycle Management for SharePoint Online (Site1), you need to create a retention label first. Retention labels define how long content should be retained or deleted based on compliance requirements. Once a retention label is created, it can be manually or automatically applied to content in SharePoint Online, Exchange, OneDrive, and Teams. After creating a retention label, you can configure label policies to apply them to Site1 and other locations.

Box 1: Insider Risk Management policies in Microsoft Purview can be configured to detect risky behavior, such as accessing phishing websites. These policies monitor user activity, generate alerts, and help organizations investigate potential security threats.

Box 2: Microsoft Defender Browser Protection extension helps in detecting unsafe or phishing websites and integrating this detection with Insider Risk Management policies. This extension works with Microsoft Edge and Google Chrome to identify risky browsing activity and trigger alerts.

This question is about creating a one-click policy within Microsoft Purview's Data Security Posture Management for AI portal. These policies are designed to mitigate risks associated with sensitive data and AI websites. The correct configuration for this specific scenario is to select "Test it out first" and apply the policy to "Devices, Instances, and SharePoint sites." This configuration is based on Microsoft's recommended practices for deploying data loss prevention (DLP) and similar policies.

Policy Mode: "Test it out first"

Microsoft recommends using test mode for new policies to evaluate their impact and effectiveness before enforcing them. This approach prevents unintended disruptions to user workflows. In test mode, the policy monitors and audits the specified activities without blocking them. It generates alerts and reports, allowing administrators to review the policy's behavior and make necessary adjustments. This aligns with the principle of "start small, then scale," ensuring that a policy designed to block sensitive data transfers doesn't inadvertently prevent legitimate business activities.

Policy Scope: "Devices, Instances, and SharePoint sites"

The policy aims to block users from pasting or uploading sensitive data to AI websites. This requires a comprehensive scope to cover all potential data exfiltration points.

Devices: This covers the user's local device, preventing data from being uploaded or pasted from applications running on the machine. This is crucial for controlling data from endpoints.

Instances: This refers to SaaS (Software as a Service) instances, including AI websites. Applying the policy to instances ensures that data transfers to these external services are monitored and controlled.

SharePoint sites: Data residing in SharePoint is a common source of sensitive information. Including SharePoint sites in the policy scope ensures that data cannot be directly copied from these locations and uploaded to AI websites, providing a holistic security posture.

By selecting "Devices, Instances, and SharePoint sites," the policy is configured to monitor and protect data across the most common sources and destinations, providing a robust defense against data exfiltration to AI services. This comprehensive approach is a cornerstone of modern data security strategies in Microsoft 365.

This information is verifiable through Microsoft's official documentation for Microsoft Purview, particularly sections related to Data Loss Prevention (DLP) policies and Data Security Posture Management for AI. The best practice of "test first" and the broad scope for sensitive data protection are consistently recommended.

Create one service domain group (Allow list) containing Site1 and Site2 and configure the policy action “Allow upload only to sensitive service domains”.

Create a second service domain group (Block list) containing Search1 and Search2 and configure the policy action to block paste (clipboard) to these domains.

A single Endpoint DLP policy can enforce multiple activities (upload to cloud service domains + clipboard to specific domains), so only one policy is required.

Refs: Microsoft Learn – Endpoint DLP: Configure service domains and policy actions (upload/clipboard restrictions) (Purview > Data loss prevention > Endpoint DLP settings and policies).

EDM does not store raw data; instead, it requires hashed versions of sensitive data for privacy and security. To upload the hashed data, Microsoft provides the EDM upload agent. This ensures that the data is securely processed and recognized by the EDM service in Microsoft 365.

To create a keyword dictionary for a sensitive information type in Microsoft Purview Data Loss Prevention (DLP), you must use a plain text (.txt) file where each keyword is on a separate line.

Format Example (TXT file):

confidential

sensitive

classified

top secret

This format is simple, efficient, and directly compatible with Microsoft 365 DLP policies for keyword dictionaries.

How to use the keyword dictionary?

● Create a text file with one keyword per line.

● Upload it to Microsoft Purview under Data Classification > Sensitive Info Types.

● Use the dictionary in a DLP policy to identify and protect sensitive information.

Step 1 – Scenario

Microsoft 365 E5 subscription with 100 users and a Microsoft 365 group (Group1).

A sensitivity label (Label1) is published as the default label for Group1.

Label1 contains two sublabels: Sublabel1 and Sublabel2.

Requirement: Ensure Sublabel1 settings are applied by default to Group1.

Step 2 – Understanding label hierarchy

In Microsoft Purview Information Protection, a parent label (Label1) is a container.

Sublabels (Sublabel1, Sublabel2) inherit the parent name but represent distinct configurations (encryption, watermarking, access, etc.).

A parent label itself cannot have a sublabel’s settings automatically applied unless policy configuration specifies which sublabel is used as the default publishing option.

Step 3 – Why "Modify the policy of Label1" is correct

To apply Sublabel1 by default, the published policy for Label1 must be modified so that Sublabel1 is the default label within the policy.

Simply reordering sublabels (Option A) does not change the default assignment.

Duplicating Sublabel1’s settings into Label1 (Option B) defeats the purpose of having sublabels and adds redundancy.

Deleting the policy of Label1 and publishing Sublabel1 (Option D) would remove flexibility and is unnecessary.

Step 4 – Microsoft Reference

Microsoft Docs: “If you want a sublabel to be applied by default, configure the label policy to select that sublabel as the default label for documents and emails.”

The issue where users sometimes can upload files to cloud services and sometimes cannot suggests inconsistent enforcement of Endpoint DLP policies. This can be caused by the unallowed browsers in the Microsoft 365 Endpoint DLP settings are NOT configured. Also, there are file path exclusions in the Microsoft 365 Endpoint DLP settings.

Endpoint DLP can block uploads only when using unallowed browsers. If unallowed browsers are not configured, users might be able to bypass restrictions by switching to a different browser. This could explain why uploads sometimes work and sometimes don’t, depending on which browser is used.

File path exclusions allow certain files or folders to be exempt from DLP restrictions. If a specific file location is excluded, files stored there won’t trigger DLP policies, leading to inconsistent behavior. This could result in some uploads being blocked while others are allowed.

In Microsoft Purview, when multiple alert policies trigger alerts, duplicate alerts within a short period (typically 5 minutes) may be suppressed to avoid redundancy.

Step-by-step Analysis:

● Policy1 at 10:00:04 is ignored because Policy1 already triggered at 10:00:00, and it's within 5 minutes.

● Policy2 at 10:00:31 is ignored because Policy2 already triggered at 10:00:03, and it's within 5 minutes.

● Policy1 at 10:01:01 is a new alert because it's over 1 minute after the previous Policy1 alert.

● Policy1 at 10:04:45 is a new alert because it's over 3 minutes after the previous Policy1 alert.

Policy1 monitors printing of files by users that submitted their resignation. In Insider Risk Management, the Data theft by departing users template is designed for users marked as leaving and watches for exfiltration indicators such as printing, USB copy, or uploads to cloud services.

Ref: Microsoft Purview Insider Risk Management – Policy templates: Data theft by departing users (monitors exfiltration activities for departing users).

Policy2 monitors accidental sharing of data outside the organization by users in a priority user group. The template for this is Data leaks by priority users, which targets a defined priority user group and focuses on oversharing/leak indicators (external sharing, email to external, cloud uploads, etc.).

Ref: Insider Risk Management – Data leaks by priority users template.

Policy3 monitors downloading of files from SharePoint Online to personal cloud storage services. This is a classic data leak/exfiltration scenario without a departing/priority qualifier, so the general Data leaks template is appropriate (covers uploads to personal cloud services and other exfiltration vectors).

Ref: Insider Risk Management – Data leaks template (monitors exfiltration such as uploads to personal cloud services).

These mappings align with Microsoft’s template purposes: Departing user exfiltration → Data theft by departing users; Priority users oversharing → Data leaks by priority users; Generic exfiltration → Data leaks.

Step 1 – Review of Preservation Lock

Preservation Lock in Microsoft 365 retention policies ensures that once a policy is locked, no one (including administrators) can turn it off, delete it, or make it less restrictive.

Preservation Lock is only available for static retention policies and not supported for adaptive scopes.

???? Reference: Preservation Lock in Microsoft 365 retention policies

From Microsoft docs:

“Preservation Lock can only be applied to retention policies configured with static scopes. Adaptive scopes do not currently support Preservation Lock.”

Step 2 – Analyzing the Case Data

RPolicy1 → Adaptive scope (Scope1: Users). ❌ Not eligible for Preservation Lock.

RPolicy2 → Adaptive scope (Scope2: SharePoint Online sites). ❌ Not eligible for Preservation Lock.

RPolicy3 → Static scope (Microsoft 365 groups). ✅ Eligible for Preservation Lock.

Step 3 – Conclusion

Only RPolicy3 qualifies for Preservation Lock.

Step 1 – Scenario

Endpoint Data Loss Prevention (Endpoint DLP) is implemented in Microsoft 365.

Computers: Windows 11, joined to Microsoft Entra (Azure AD), with Microsoft 365 Apps installed.

Goal: Ensure Endpoint DLP policies can protect local content on these devices.

Step 2 – How Endpoint DLP works

Endpoint DLP builds on the same policy framework as Microsoft Purview DLP, but specifically extends coverage to Windows 10/11 devices.

Requirements:

Devices must be onboarded to Microsoft Purview (via Microsoft Defender for Endpoint or via Purview device onboarding).

Endpoint DLP does not require the Microsoft Purview Information Protection (MIP) client.

The MIP client is only required for sensitivity labeling and AIP functionality, not for Endpoint DLP.

Step 3 – Why the proposed solution is incorrect

Deploying the Microsoft Purview Information Protection client does not enable Endpoint DLP.

Endpoint DLP requires device onboarding into Microsoft Purview compliance.

Therefore, this solution does not meet the goal.

Step 4 – Microsoft Reference

Microsoft Docs states:

“To use Endpoint data loss prevention (Endpoint DLP), devices must be onboarded to the Microsoft Purview compliance portal. Installing the Microsoft Information Protection client is not required.”