SC-401 Sample Questions Answers

To track interactions between users and generative AI websites in Microsoft Purview Audit, you need to deploy the Microsoft Purview browser extension to the devices. This extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms.

Microsoft Purview extension provides visibility into browser-based activities, including AI tool usage, ensuring compliance and risk management within Microsoft Purview. This extension works with Microsoft Edge and Google Chrome to track and log user interactions.

To add a new keyword dictionary in Microsoft Purview Data Loss Prevention (DLP), you must create a Sensitive Information Type (SIT).

Sensitive Info Types (SITs) allow you to define custom detection rules, including keyword dictionaries, regular expressions, and functions for identifying sensitive content in emails, documents, and other Microsoft 365 locations. A keyword dictionary is a list of predefined words/phrases that Microsoft Purview can use to identify and classify content for DLP policies.

Steps to add a keyword dictionary:

1. Go to Microsoft Purview compliance portal

2. Navigate to Data classification > Sensitive info types

3. Create a new sensitive info type

4. Add a keyword dictionary

5. Save and use it in a DLP policy

A screenshot of a computer AI-generated content may be incorrect.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

A screenshot of a computer AI-generated content may be incorrect.

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

A screenshot of a computer AI-generated content may be incorrect.

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

A white paper with black text AI-generated content may be incorrect.

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

A screenshot of a computer AI-generated content may be incorrect.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

A screenshot of a computer AI-generated content may be incorrect.

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

A screenshot of a questionnaire AI-generated content may be incorrect.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

The Set-MailboxFolderPermission -Identity "User1" -User User1@contoso.com -AccessRights Owner command is incorrect. This assigns folder permissions but does not enable auditing. It does not track who accessed the mailbox or deleted emails.

DLP policy tips are shown across all supported Outlook clients: Outlook on the web (OWA), Outlook desktop (Win32), and Outlook mobile apps (iOS and Android). This ensures users are informed when sending sensitive information across any supported client.

User1 can delete File1 on March 10, 2023.

No - File1 has Retention1 applied, which retains it for 4 years with a "Retain only" action. This means it cannot be deleted during the retention period, which ends on March 1, 2027.

User2 can delete File1 on March 10, 2027.

No - User2 is a Member and does not have the Owner role, which is required to delete files under retention policies during the retention period. Additionally, the "Retain only" action prevents deletion until the retention period ends on March 1, 2027.

User2 can edit File2 on March 15, 2025.

No - File2 has Retention2 applied, which retains it for 2 years with a "Retain and delete" action. This means the file is protected from edits or deletions during the retention period, which ends on March 1, 2025. Since March 15, 2025, is after the retention period, the file would be eligible for deletion, but the question specifies editing, which is restricted during the retention period.

Box 1: When creating a Microsoft Purview Insider Risk Management case, you must first select a risky user to investigate. The case will be built around this specific user’s activities, linking alerts and risk signals to the investigation.

Box 2: The Insider Risk Management role groups determine who can access and contribute to cases:

● Admin1 (Insider Risk Management Admins) → Full admin access.

● Admin2 (Insider Risk Management Analysts) → Analysts who review cases.

● Admin3 (Risk Management Investigators) → Investigators who work on cases.

● Admin4 (Insider Risk Management Auditors) → Auditors who oversee cases.

All these roles have default access to insider risk cases in Microsoft Purview, so all four admins are added as contributors.

Comprehensive Detailed Explanation with References

Custom Data Access Governance (DAG) data assessment scans in Microsoft Purview can be run on selected SharePoint Online or OneDrive locations to check for oversharing and exposure. Each custom assessment scan supports up to 200,000 items per location. This cap is documented in Microsoft’s guidance for custom data access governance assessments.

Box 1: Publishing a Sensitivity Label

Sensitivity labels can be published to Microsoft 365 groups, security groups, SharePoint Online sites, and Microsoft Teams. Since we have:

● Group1 (Microsoft 365 group) - Supported

● Group2 (Security group) - Supported

● Site1 (SharePoint Online site) - Supported

● Team1 (Microsoft Teams team) - Supported

This means we can publish Label1 to Group1, Group2, Site1, and Team1.

Box 2: Auto-Applying a Sensitivity Label

Auto-apply policies for sensitivity labels work on:

● SharePoint Online sites (documents)

● OneDrive (documents)

● Exchange email (messages)

However, labels cannot be auto-applied to Microsoft 365 groups or Teams directly because labels are applied to files and emails, not to groups or Teams as entities. Since Site1 (a SharePoint Online site) supports auto-apply, it is the correct option.

The question is asking what item types can be retained when implementing Microsoft Teams retention policies in Microsoft 365 E5.

Retention policies in Teams can apply to:

Teams chat messages (1:1 or group chats)

Teams channel messages

Items within those messages, including text, links, and supported embedded objects.

Step 2 – Supported Teams retention items

According to Microsoft documentation:

Retention policies support Teams messages (chats and channel posts) and their associated attachments or in-line content such as:

Embedded images

Code snippets

Tables, links, and reactions

Retention policies do not support certain Teams items, including:

Voicemails

Calls and meetings recordings

Whiteboards

Message reactions (stored separately in Azure services)

Step 1 – Scenario

You need to create a Microsoft Purview Insider Risk Management policy that detects data theft from SharePoint Online by users who have submitted their resignation or are close to termination.

Step 2 – Understanding how insider risk management works

Insider Risk policies rely on signals that identify potential risk events. These signals include:

HR data (resignation dates, termination notices).

Office activity indicators (file downloads, sharing, printing).

Device indicators (file copy to USB, printing).

Physical access (badge-in/badge-out).

Step 3 – Why HR signals are required here

To detect resignation or termination risk events, Microsoft Purview must first know which users are flagged by HR.

This is done by configuring an HR data connector, which imports employee termination/resignation data from HR systems (Workday, SAP SuccessFactors, or CSV import).

Without this HR data connector, Purview has no knowledge of employees’ resignation or termination timelines, and the policy cannot function.

Step 4 – Why not the other options

B. Configure Office indicators: These detect risky activity (downloads, sharing), but cannot determine resignation status. They are used after HR signals identify at-risk users.

C. Configure a Physical badging connector: Useful for detecting anomalous physical access, but irrelevant to resignation-based detection.

D. Onboard devices to Microsoft Defender for Endpoint: Required for device activity signals, not for HR resignation detection.

Step 5 – Microsoft Reference

Microsoft documentation states: “To use HR resignation/termination triggers, you must configure an HR connector to import resignation and termination data into insider risk management.”

Policy tips in DLP: Policy tips are messages shown to users when their action (such as sending sensitive content via email) conflicts with a DLP policy.

For Exchange email location, policy tips are supported in the following apps:

Outlook for Microsoft 365 (desktop client) ✅

Outlook on the web (OWA) ✅

Outlook Mobile (iOS/Android) ❌ Policy tips are not shown in mobile apps. Instead, DLP actions (block/restrict/send incident report) still apply, but the user does not see a policy tip notification.

Therefore:

Supported: Outlook for Microsoft 365, Outlook on the web.

Not supported: Outlook Mobile apps.

Forensic evidence in Microsoft Purview Insider Risk Management allows capturing screenshots/clips of user activity on endpoints.

Requirements for forensic evidence capture:

The device must be onboarded to Microsoft Purview (via Defender for Endpoint).

The Microsoft Purview client must be installed.

Supported platforms: Windows 10 and Windows 11 (macOS is not supported for forensic evidence).

Now check each device:

Device1 (Windows 11) → Client installed, but not onboarded → ❌ Not eligible.

Device2 (Windows 10) → Onboarded and client installed → ✅ Eligible.

Device3 (macOS) → Onboarded, but client not installed and macOS is not supported → ❌ Not eligible.

Therefore, only Device2 qualifies.

In Microsoft Purview Data Lifecycle Management, different Microsoft 365 locations require separate retention policies because they fall under different storage and compliance models.

Teams Chats & Teams Channel Messages (1 Policy) require a separate retention policy because Teams messages are stored differently than Exchange and SharePoint content. One policy can cover both Teams chats and Teams channel messages. Exchange Email (1 Policy) requires its own separate policy since emails are managed differently than Teams or SharePoint content. SharePoint Sites & Microsoft 365 Groups (1 Policy) are both stored in SharePoint Online, so they can be managed under one policy.

Sensitivity labels can be applied to modern Office file types that support protection:

Supported: .docx, .xlsx, .pptx, etc.

Not supported: Legacy formats like .doc or non-Office formats like .txt.

Therefore, only File2.docx and File3.xlsx can have Label1 applied.

for each of the following you can have a retention policy

1.EXO, SPO, ODfB, M365 groups

2.Teams channel messages, teams chat

3.Teams private channel messages