SC-401 Administering Information Security in Microsoft 365 Questions and Answers

Step 1 – Scenario

The requirement is to ensure Microsoft Purview Insider Risk Management can collect signals when a user copies files to a USB device using their default browser. The devices differ by browser type:

Device1 → Default browser = Microsoft Edge

Device2 → Default browser = Google Chrome

Step 2 – Signal collection methods in Insider Risk Management

Insider Risk Management uses Microsoft Purview Information Protection client and Purview browser extensions to collect activity signals.

For Microsoft Edge (Chromium-based), insider risk signals are collected via the Microsoft Purview Information Protection client.

For Google Chrome, signals are collected through the Microsoft Purview extension (available in the Chrome Web Store).

The Microsoft Defender Browser Protection extension is for web protection against malicious sites, not for insider risk activity signals, so it is irrelevant here.

Step 3 – Microsoft Reference

Microsoft documentation:

“For insider risk signals collection in Microsoft Edge, the Microsoft Purview client must be deployed. For Google Chrome, the Microsoft Purview extension is required.”

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT ) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT ) → Copilot cannot summarize.

Since File2 is labeled Label2 , it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

Step 1 – Scenario

You are creating an Exact Data Match (EDM) classifier in Microsoft Purview.

EDM requires preparing a sensitive information source table (such as employee IDs, customer account numbers).

This table must be hashed and uploaded into Microsoft Purview.

Only authorized users can perform this sensitive upload operation.

Step 2 – Required permissions for EDM upload

Microsoft’s documented process states:

To hash and upload EDM source data, you must assign users to the EDM Data Uploaders security group.

This group is a security group created in Microsoft Entra ID (formerly Azure AD).

Membership in this security group grants permission to perform the upload.

???? Reference: Configure Exact Data Match (EDM) in Microsoft Purview

“To upload the hashed data file to Microsoft Purview, you must add users to a security group named EDM_DataUploaders. This group is required to give permissions for EDM uploads.”

Step 3 – Why not the other options?

A. Microsoft Entra enterprise application → Used for app integration, not EDM uploads.

B. Purview role group → Provides compliance portal permissions but not EDM upload rights.

D. Microsoft Entra app registration → Used for API access, not relevant here.

E. Microsoft 365 group → Collaboration group, not for secure upload rights.

Step 1 – Review of Preservation Lock

Preservation Lock in Microsoft 365 retention policies ensures that once a policy is locked, no one (including administrators) can turn it off, delete it, or make it less restrictive.

Preservation Lock is only available for static retention policies and not supported for adaptive scopes .

???? Reference: Preservation Lock in Microsoft 365 retention policies

From Microsoft docs:

“Preservation Lock can only be applied to retention policies configured with static scopes. Adaptive scopes do not currently support Preservation Lock.”

Step 2 – Analyzing the Case Data

RPolicy1 → Adaptive scope (Scope1: Users). ❌ Not eligible for Preservation Lock.

RPolicy2 → Adaptive scope (Scope2: SharePoint Online sites). ❌ Not eligible for Preservation Lock.

RPolicy3 → Static scope (Microsoft 365 groups). ✅ Eligible for Preservation Lock.

Step 3 – Conclusion

Only RPolicy3 qualifies for Preservation Lock.

Step 1 – Scenario

You need to create a Microsoft Purview Insider Risk Management policy that detects data theft from SharePoint Online by users who have submitted their resignation or are close to termination.

Step 2 – Understanding how insider risk management works

Insider Risk policies rely on signals that identify potential risk events. These signals include:

HR data (resignation dates, termination notices).

Office activity indicators (file downloads, sharing, printing).

Device indicators (file copy to USB, printing).

Physical access (badge-in/badge-out).

Step 3 – Why HR signals are required here

To detect resignation or termination risk events, Microsoft Purview must first know which users are flagged by HR.

This is done by configuring an HR data connector, which imports employee termination/resignation data from HR systems (Workday, SAP SuccessFactors, or CSV import).

Without this HR data connector, Purview has no knowledge of employees’ resignation or termination timelines, and the policy cannot function.

Step 4 – Why not the other options

B. Configure Office indicators: These detect risky activity (downloads, sharing), but cannot determine resignation status. They are used after HR signals identify at-risk users.

C. Configure a Physical badging connector: Useful for detecting anomalous physical access, but irrelevant to resignation-based detection.

D. Onboard devices to Microsoft Defender for Endpoint: Required for device activity signals, not for HR resignation detection.

Step 5 – Microsoft Reference

Microsoft documentation states: “To use HR resignation/termination triggers, you must configure an HR connector to import resignation and termination data into insider risk management.”

Box 1: Insider Risk Management policies in Microsoft Purview can be configured to detect risky behavior, such as accessing phishing websites. These policies monitor user activity, generate alerts, and help organizations investigate potential security threats.

Box 2: Microsoft Defender Browser Protection extension helps in detecting unsafe or phishing websites and integrating this detection with Insider Risk Management policies. This extension works with Microsoft Edge and Google Chrome to identify risky browsing activity and trigger alerts.

Step 1 – Understanding the requirement

The task is about applying Microsoft Purview Information Protection sensitivity labels to sensitive images and documents using the Azure Information Protection (AIP) unified labeling client.

Sensitivity labels in Purview can be applied in Microsoft 365 apps (Word, Excel, Outlook, PowerPoint), but to label non-Office files like images, PDFs, and other documents, users must use the AIP unified labeling client.

With the AIP client installed, labels can be applied directly in File Explorer by right-clicking the file.

Step 2 – Device compatibility

The AIP unified labeling client runs on Windows devices only.

In the question’s context (based on the provided dropdowns), all listed devices (Device1, Device2, Device3) are compatible Windows endpoints.

Therefore, the AIP client can be deployed to all three devices.

Step 3 – How users apply labels

For Office documents → labels can be applied from the ribbon inside Word, Excel, PowerPoint.

For other file types (images, PDFs, text files, etc.) → labels must be applied using File Explorer via the AIP client.

???? Reference:

Install and use the Azure Information Protection unified labeling client

Apply sensitivity labels to files and emails in Microsoft Purview

User1 can delete File1 on March 10, 2023.

No - File1 has Retention1 applied, which retains it for 4 years with a " Retain only " action. This means it cannot be deleted during the retention period, which ends on March 1, 2027.

User2 can delete File1 on March 10, 2027.

No - User2 is a Member and does not have the Owner role, which is required to delete files under retention policies during the retention period. Additionally, the " Retain only " action prevents deletion until the retention period ends on March 1, 2027.

User2 can edit File2 on March 15, 2025.

No - File2 has Retention2 applied, which retains it for 2 years with a " Retain and delete " action. This means the file is protected from edits or deletions during the retention period, which ends on March 1, 2025. Since March 15, 2025, is after the retention period, the file would be eligible for deletion, but the question specifies editing, which is restricted during the retention period.

Step 1 – Review the configuration

Sensitivity label name: Contoso Confidential

Scope: Files and emails

Access control:

Encrypts documents/emails.

Permissions assigned to AuthenticatedUsers with Co-Author rights.

Offline access allowed only for 7 days.

Auto-labeling = None (not configured).

Content marking: Footer applied.

Step 2 – Analyze each statement

Statement 1: If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential.

Sensitivity labels with encryption enforce Azure AD authentication every time a user tries to access a file.

If the account is disabled in Azure AD, access is blocked immediately.

Answer: Yes

Statement 2: Guest users will be able to open documents protected by Contoso Confidential.

Access control was configured only for AuthenticatedUsers (internal users).

Guest or external users are not included in this group.

Therefore, guest users cannot open the protected documents.

Answer: No

Statement 3: Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online.

Auto-labeling for files and emails = None.

That means labeling must be applied manually by users, not automatically.

Answer: No

Final Verified Answers

If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential → Yes

Guest users will be able to open documents protected by Contoso Confidential → No

Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online → No

for each of the following you can have a retention policy

1.EXO, SPO, ODfB, M365 groups

2.Teams channel messages, teams chat

3.Teams private channel messages

To create a trainable classifier that can be used in an auto-apply retention label policy, you need to follow these key steps:

1. Create the trainable classifier

This is the first step where you define the classifier, specifying the types of content it should identify.

2. Test the trainable classifier

Before using the classifier in production, you need to validate its accuracy by testing it against sample documents to ensure it correctly classifies the intended data.

3. Publish the trainable classifier

Once testing is successful, you must publish the classifier so that it can be used in policies like auto-apply retention labels in Microsoft Purview.

You are creating a Data Loss Prevention (DLP) policy in Microsoft 365 with advanced rules . Advanced DLP rules provide more granular conditions and actions than standard DLP rules.

Conditions available in advanced DLP

According to Microsoft Docs on Conditions in DLP policies:

✅ Content contains → Used to detect sensitive information types , keywords, or exact data matches. This is one of the most common and fundamental DLP conditions.

✅ Content is shared from Microsoft 365 → Used to detect whether content has been shared externally or with specific domains/users. This is a modern advanced DLP condition .

Why the others are not correct:

A. Document property is → This condition applies to information governance retention policies/labels (not DLP). Not available in DLP rules.

B. Attachment ' s file extension is → This is supported in Exchange mail flow rules (transport rules) but not in advanced DLP rules.

C. Document size equals or is greater than → Also applies in Exchange transport rules and certain SharePoint restrictions, but not available as a DLP rule condition.

When configuring an advanced DLP rule in Microsoft Purview Data Loss Prevention (DLP), you can use a Sensitive Information Type (SIT) condition to detect and classify specific types of sensitive data, such as credit card numbers, Social Security numbers, or custom sensitive data patterns. This allows you to apply protection and trigger actions based on the identified content.

When implementing Microsoft Purview Insider Risk Management and using the HR data connector, you must prepare HR data in CSV (Comma-Separated Values) format. This format is required because Microsoft Purview supports CSV files for importing user employment details, termination dates, role changes, and other HR-related attributes.

Box 1: To include the sensitive info type detected for each DLP rule match, you need to add a custom column in Activity Explorer. This ensures that the exported file contains specific details about the detected sensitive information types.

Box 2: DLP activity exports from Activity Explorer are always in CSV (Comma-Separated Values) format. This format allows for easy data analysis and reporting in Excel or other data-processing tools.

The Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox* command is incorrect. This enables admin audit logging, which tracks changes to mailbox configurations (e.g., mailbox settings updates), not user activity inside the mailbox.

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

Mail flow rules (transport rules) can detect sensitive info, but they are limited in encryption capabilities.

DLP policies provide more advanced protection and integration with Microsoft Purview for sensitive info detection.

The Set-MailboxFolderPermission -Identity " User1 " -User User1@contoso.com -AccessRights Owner command is incorrect. This assigns folder permissions but does not enable auditing. It does not track who accessed the mailbox or deleted emails.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There ' s no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with " 999 " .

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding Site4 ' s Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states " Do nothing " ).

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does " nothing, " meaning the file is no longer recoverable after that period.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.