SC-401 Sample Questions Answers

Goal: maximize signin security for users who will test the AIP client (User1), install/configure the Microsoft Rights Management connector (User2), and act as the AIP scanner service account (User3).

Excluding users from MFA lowers security and is not recommended.

Passwordless with FIDO2 security keys (passkeys) provides strong phishingresistant authentication and is fully supported for Azure AD signins, including admin tasks and service scenarios that require interactive signin during setup.

Therefore, enabling all three for FIDO2 passkey authentication best meets the “maximize security” requirement.

Comprehensive Detailed Explanation with References

Exact Data Match (EDM) classifiers are designed to identify highly sensitive structured data (like customer IDs, account numbers) with higher accuracy.

EDM classifiers can only be used within Data Loss Prevention (DLP) policies in Microsoft Purview.

They cannot be used in Insider Risk Management or Retention policies.

Step 1 – Label publishing and scope

The sensitivity label Label1 is published to User1 and Group1.

User1 → Directly included in label publishing.

User2 → Member of Group1, so also included indirectly.

This means both User1 and User2 are eligible to use Label1.

Step 2 – File vs Folder labeling with the Information Protection client

The Microsoft Purview Information Protection (AIP unified labeling) client can apply labels to files such as .docx, .png, .pdf, etc.

It cannot label folders directly. Labels are applied to items (files and emails), not folders.

Step 1 – Review the configuration

Sensitivity label name: Contoso Confidential

Scope: Files and emails

Access control:

Encrypts documents/emails.

Permissions assigned to AuthenticatedUsers with Co-Author rights.

Offline access allowed only for 7 days.

Auto-labeling = None (not configured).

Content marking: Footer applied.

Step 2 – Analyze each statement

Statement 1: If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential.

Sensitivity labels with encryption enforce Azure AD authentication every time a user tries to access a file.

If the account is disabled in Azure AD, access is blocked immediately.

Answer: Yes

Statement 2: Guest users will be able to open documents protected by Contoso Confidential.

Access control was configured only for AuthenticatedUsers (internal users).

Guest or external users are not included in this group.

Therefore, guest users cannot open the protected documents.

Answer: No

Statement 3: Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online.

Auto-labeling for files and emails = None.

That means labeling must be applied manually by users, not automatically.

Answer: No

Final Verified Answers

If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential → Yes

Guest users will be able to open documents protected by Contoso Confidential → No

Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online → No

To validate whether an audit log retention policy will apply to the intended entries, you should configure the following fields:

● Date and time range (UTC) ensures that you are searching for audit logs within the time period when the policy should be applied. Audit logs are time-sensitive, and policies affect logs based on their timestamp.

● Record types allows you to filter and search for specific audit log categories (e.g., Exchange, SharePoint, Teams, etc.) that are affected by the retention policy. Selecting the correct record type ensures that the policy is evaluated against the relevant data.

To allow users to apply retention labels to individual documents in Microsoft SharePoint libraries, you need to create a retention label and publish the label.

In Microsoft Purview, retention labels define how long content should be retained or deleted. You must first create a label that specifies the retention rules. After creating the label, you must publish it so that it becomes available for users in SharePoint document libraries. Once published, users can manually apply the retention label to individual documents.

Box 1: When creating a Microsoft Purview Insider Risk Management case, you must first select a risky user to investigate. The case will be built around this specific user’s activities, linking alerts and risk signals to the investigation.

Box 2: The Insider Risk Management role groups determine who can access and contribute to cases:

● Admin1 (Insider Risk Management Admins) → Full admin access.

● Admin2 (Insider Risk Management Analysts) → Analysts who review cases.

● Admin3 (Risk Management Investigators) → Investigators who work on cases.

● Admin4 (Insider Risk Management Auditors) → Auditors who oversee cases.

All these roles have default access to insider risk cases in Microsoft Purview, so all four admins are added as contributors.

Endpoint DLP builds on Microsoft Defender for Endpoint integration. Before enabling Endpoint DLP, you must turn on device onboarding in Microsoft Purview to allow devices (like Device1) to be enrolled. After onboarding, you can assign DLP policies to endpoints.

Comprehensive Detailed Explanation with References

The command Set-AuditConfig -Workload Exchange is related to configuring auditing for workloads but does not enable mailbox auditing.

To capture and view who is accessing User1’s mailbox, mailbox auditing must be enabled at the mailbox level in Exchange Online.

Correct solution would be:

Set-Mailbox -Identity User1 -AuditEnabled $true

Mailbox auditing is enabled by default for all mailboxes in Microsoft 365 now, but if it is disabled, enabling auditing at the mailbox level is required. Running Set-AuditConfig -Workload Exchange alone does not accomplish this.

Step 1 – Understanding the scenario

The screenshot shows multiple Sensitive Information Types (SITs) in Microsoft Purview, including:

ABA Routing Number (Microsoft-built)

ASP.NET Machine Key (Microsoft-built)

Adatum document patterns (custom, Fingerprint type)

Adatum numbers (custom, Entity type)

Bundled SITs (like All Credential Types, All Full Names)

The question is asking:

Which SITs can you copy to create a new SIT?

Which SITs can you edit directly without copying?

Step 2 – Microsoft rules for SITs

Built-in SITs (published by Microsoft Corporation):

These cannot be edited directly. To modify them, you must create a copy first.

Custom SITs (created in your tenant, e.g., Contoso):

These can be edited directly without making a copy.

Microsoft Endpoint DLP relies on Microsoft Defender for Endpoint (MDE) for its enforcement.

Onboarding Windows 10/11 devices to Defender for Endpoint ensures the Endpoint DLP policies can be applied, including monitoring and protecting content across apps and browsers.

Box 1: To include the sensitive info type detected for each DLP rule match, you need to add a custom column in Activity Explorer. This ensures that the exported file contains specific details about the detected sensitive information types.

Box 2: DLP activity exports from Activity Explorer are always in CSV (Comma-Separated Values) format. This format allows for easy data analysis and reporting in Excel or other data-processing tools.

Let’s break it down:

File1.docx → DLP action = None

No DLP restrictions, so it is fully accessible to both User1 (owner) and User2 (member).

File2.docx → DLP action = Matched by DLP

“Matched” means the DLP policy detected sensitive content but has not blocked access. Instead, it may generate an alert or policy tip.

Both User1 and User2 can still open this file.

File3.docx → DLP action = Blocked by DLP

“Blocked” means the DLP policy actively restricts access or sharing of the file.

User2 (member) cannot open this file.

However, User1 (site owner) can open it because site collection admins and owners always retain full control over content, even if a DLP rule applies.

Ref: Microsoft Purview DLP policy tips and enforcement

→ DLP policies do not prevent SharePoint/OneDrive site collection admins (owners) from accessing content.

✅ Final Answer Table:

User1 (Site Owner): File1.docx, File2.docx, File3.docx

User2 (Site Member): File1.docx, File2.docx

Requirement 1 – Encrypt all email to fabrikam.com automatically

To force encryption for mail sent to a specific external domain (fabrikam.com):

You configure a mail flow rule (transport rule) in the Exchange admin center (EAC).

This rule can apply Office Message Encryption (OME) automatically when messages match conditions such as recipient domain.

Step 1 – Scenario

The requirement is to ensure Microsoft Purview Insider Risk Management can collect signals when a user copies files to a USB device using their default browser. The devices differ by browser type:

Device1 → Default browser = Microsoft Edge

Device2 → Default browser = Google Chrome

Step 2 – Signal collection methods in Insider Risk Management

Insider Risk Management uses Microsoft Purview Information Protection client and Purview browser extensions to collect activity signals.

For Microsoft Edge (Chromium-based), insider risk signals are collected via the Microsoft Purview Information Protection client.

For Google Chrome, signals are collected through the Microsoft Purview extension (available in the Chrome Web Store).

The Microsoft Defender Browser Protection extension is for web protection against malicious sites, not for insider risk activity signals, so it is irrelevant here.

Step 3 – Microsoft Reference

Microsoft documentation:

“For insider risk signals collection in Microsoft Edge, the Microsoft Purview client must be deployed. For Google Chrome, the Microsoft Purview extension is required.”

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

Step 1 – Requirement

You need to configure a mail flow rule in Exchange Online to apply a Microsoft Purview Advanced Message Encryption (OME) branding template named OME1.

Step 2 – Mail Flow Rule Conditions

In Exchange Online, to trigger encryption based on sensitivity labels (classifications):

You use the condition "Apply this rule if: The sender … Includes the classification".

This lets the rule detect when the sender applies a particular sensitivity label (classification) to the email.

Step 3 – Mail Flow Rule Action

To apply a custom branding template (such as OME1), you configure the action:

"Modify the message security".

This is the action that allows applying encryption and assigning a specific OME template for branding.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.