Microsoft SC-401 Administering Information Security in Microsoft 365 Exam Practice Test

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

The question asks about creating a Microsoft Defender for Cloud Apps (MCAS / MDA) policy that will detect Data Loss Prevention (DLP) violations.

Understanding the policy types in Defender for Cloud Apps:

File Policy

Used for monitoring and controlling files stored in cloud apps (e.g., SharePoint, OneDrive, Box, Google Drive).

Can detect sensitive information types (like credit cards, SSNs, SWIFT codes) and flag DLP violations.

Can apply governance actions (e.g., quarantine, remove sharing, notify user).

Correct for DLP violation detection.

Activity Policy

Monitors user activities (e.g., login attempts, mass downloads, suspicious behavior).

Not for file content DLP.

Session Policy

Applied through Conditional Access App Control for real-time monitoring/control during a user session.

Used for controlling actions (download, cut/paste) but not for broad DLP scanning of stored files.

Access Policy

Controls access to apps based on conditions (e.g., unmanaged device access).

Not designed for DLP content inspection.

Why File Policy is correct

Since the requirement is:

"detect DLP violations"

That means scanning file content for sensitive information. This is only possible with a File Policy in Microsoft Defender for Cloud Apps.

The Endpoint DLP “configuration package” approach was required before Microsoft fully integrated Endpoint DLP with Microsoft Defender for Endpoint.

Currently, the supported and required method is to onboard devices to Microsoft Defender for Endpoint. Deploying just a configuration package will not ensure Endpoint DLP policy enforcement.

The requirement is that User1 must be able to analyze prompts and responses for AI interaction events in Microsoft Purview DSPM for AI, while following the principle of least privilege.

Information Protection Analysts role group:

Members can review and analyze sensitive data activity, including AI interaction events collected by Purview DSPM. This role is specifically intended for analysts monitoring sensitive information and is therefore necessary for User1.

Content Explorer List Viewer role group:

Members can see metadata about items with sensitive information, such as file names, locations, sensitivity labels, and policy matches, without accessing the actual file content. This provides the required visibility for AI-related data classification and interaction analysis while adhering to the least privilege principle.

Roles not required:

Content Explorer Content Viewer would give the ability to view the actual content of files, which is more access than needed.

Security Reader is intended for reviewing alerts and incidents but not for analyzing AI prompts and responses.

Insider Risk Management Investigators focus on insider risk investigations, not AI event analysis.

Comprehensive Detailed Explanation with References

When multiple advanced DLP rules match content, Microsoft 365 DLP evaluates based on:

Rule priority

Lower number = higher priority (0 highest).

Among Rule2 (priority 1), Rule3 (priority 2), and Rule4 (priority 3), Rule2 has the highest priority.

Conflict resolution (single vs multiple rules applied)

By default, only the highest-priority rule applies if multiple rules match. → That’s why in the first dropdown, the correct answer is Only Rule2 takes effect.

However, you can configure advanced DLP to allow multiple matching rules to take effect simultaneously. If this setting is enabled, then Rule2, Rule3, and Rule4 all apply. → That’s why in the second dropdown, the correct answer is Rule2, Rule3, and Rule4 take effect.

Yes , Yes, No

To determine whether each statement is true or false, let's analyze the provided information step by step based on the sensitivity label settings and the user permissions associated with the files.

Given Information:

Users and Subscriptions:

User1: Contoso subscription, email: user1@contoso.com

User2: Contoso subscription, email: user2@contoso.com

User3: Fabrikam subscription, email: user3@fabrikam.com

User4: Fabrikam subscription, email: user4@fabrikam.com

Files and Sensitivity Label Application:

File1: Automatically applied Sensitivity1 using an auto-labeling policy

File2: Applied by User2

File3: Applied by User1

Sensitivity Label (Sensitivity1) Assumptions: Since the exhibit for the sensitivity label is not fully detailed, we need to make reasonable assumptions based on typical Microsoft 365 sensitivity label behavior. Sensitivity labels can restrict access based on user permissions, subscription boundaries, or specific configurations (e.g., allowing only users within the same organization to edit or view). Given the context of two separate subscriptions (Contoso and Fabrikam), it’s likely that Sensitivity1 restricts access to users within the same subscription unless explicitly configured otherwise. A common default for such labels is to allow editing and other rights only to users within the applying user's organization, with possible restrictions for cross-subscription access.

Key Assumptions:

Sensitivity1 likely encrypts the files and restricts editing rights to users within the same subscription as the user who applied the label or where the auto-labeling policy is configured.

File1 (auto-applied) would inherit permissions based on the policy, likely restricting access to Contoso users if the policy is set up within the Contoso subscription.

File2 (applied by User2 from Contoso) would restrict access to Contoso users.

File3 (applied by User1 from Contoso) would also restrict access to Contoso users.

Users from Fabrikam (User3, User4) would not have edit rights unless explicitly granted, which is unlikely given the separation of subscriptions.

Statement Analysis:

User1 can edit rights for File1.

File1 was automatically applied with Sensitivity1 using an auto-labeling policy. Since the policy is likely configured within the Contoso subscription (where User1 resides), User1, as a Contoso user, should have edit rights unless the policy explicitly restricts this. Given User1's affiliation with Contoso, this is typically allowed.

Answer: Yes

User2 can edit rights for File3.

File3 was applied by User1, who is from the Contoso subscription. Since User2 is also from the Contoso subscription, they should have edit rights unless the label configuration explicitly denies this for other users within the same subscription. Typically, users within the same organization can edit files labeled by another user from the same organization.

Answer: Yes

User3 can print File2.

File2 was applied by User2, who is from the Contoso subscription. Sensitivity1 likely restricts access to Contoso users only. User3 is from the Fabrikam subscription, which is a separate entity. Unless cross-sub

Answer : No

Step 1 – Requirement

You want to create a custom sensitive info type named Sensitive1.

This SIT will be created from a document fingerprint of Template1.docx.

You then want to use Sensitive1 in DLP policies.

Step 2 – Where do you create custom Sensitive Info Types?

Custom SITs (including document fingerprinting) can only be created in the Microsoft Purview compliance portal.

They cannot be created in the Exchange admin center, SharePoint admin center, or directly in PowerShell.

Answer for creation: The Microsoft Purview portal

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT) → Copilot cannot summarize.

Since File2 is labeled Label2, it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

To create a keyword dictionary for a sensitive information type in Microsoft Purview Data Loss Prevention (DLP), you must use a plain text (.txt) file where each keyword is on a separate line.

Format Example (TXT file):

confidential

sensitive

classified

top secret

This format is simple, efficient, and directly compatible with Microsoft 365 DLP policies for keyword dictionaries.

How to use the keyword dictionary?

● Create a text file with one keyword per line.

● Upload it to Microsoft Purview under Data Classification > Sensitive Info Types.

● Use the dictionary in a DLP policy to identify and protect sensitive information.

To allow users to apply retention labels to individual documents in Microsoft SharePoint libraries, you need to create a retention label and publish the label.

In Microsoft Purview, retention labels define how long content should be retained or deleted. You must first create a label that specifies the retention rules. After creating the label, you must publish it so that it becomes available for users in SharePoint document libraries. Once published, users can manually apply the retention label to individual documents.

The Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox* command is incorrect. This enables admin audit logging, which tracks changes to mailbox configurations (e.g., mailbox settings updates), not user activity inside the mailbox.

To add a new keyword dictionary in Microsoft Purview Data Loss Prevention (DLP), you must create a Sensitive Information Type (SIT).

Sensitive Info Types (SITs) allow you to define custom detection rules, including keyword dictionaries, regular expressions, and functions for identifying sensitive content in emails, documents, and other Microsoft 365 locations. A keyword dictionary is a list of predefined words/phrases that Microsoft Purview can use to identify and classify content for DLP policies.

Steps to add a keyword dictionary:

1. Go to Microsoft Purview compliance portal

2. Navigate to Data classification > Sensitive info types

3. Create a new sensitive info type

4. Add a keyword dictionary

5. Save and use it in a DLP policy

To create a document fingerprint in Microsoft 365 Data Loss Prevention (DLP), you need to use PowerShell for Microsoft Purview. The correct cmdlet to connect to the Microsoft 365 Security & Compliance Center (where DLP policies are managed) is Connect-IPPSSession. This cmdlet establishes a PowerShell session to manage DLP policies, compliance settings, and document fingerprinting.

Requirement 1 – Encrypt all email to fabrikam.com automatically

To force encryption for mail sent to a specific external domain (fabrikam.com):

You configure a mail flow rule (transport rule) in the Exchange admin center (EAC).

This rule can apply Office Message Encryption (OME) automatically when messages match conditions such as recipient domain.

When you configure Microsoft Purview DLP policies for the Teams chat and channel messages location, the following entities are protected:

1:1 and n:n chats (private chats between two or more users).

Team channel messages (including the General channel and all standard channels).

Private channel messages.

This means that if a DLP policy is applied to User1 and User2, it will monitor and enforce rules across:

Chats between User1 and User2 (1:1 or group chats).

Any channel conversations they participate in (General or other channels).

Private channels they belong to.

Incorrect options:

A (1:1/n chats and general channels only) → Excludes private channels, but DLP supports them.

B (1:1/n chats and private channels only) → Excludes general channels, but DLP supports them too.

Step 1 – Scenario

A user named User1 was a member of a dynamic security group (Group1).

User1 is no longer a member of that group.

You need to determine why User1 was removed by searching the audit log.

Step 2 – How group membership changes are logged in Microsoft 365 audit logs

Microsoft 365 audit logs record group membership activities in Azure AD. The most relevant activities for a user disappearing from a group are:

Removed member from group – Directly indicates that a user was removed from a group.

Updated group – Logged when group properties or membership rules (for dynamic groups) are modified. If Group1 is a dynamic group, changes to membership rules could have caused User1 to no longer qualify, and this would appear as an Updated group event.

Step 3 – Why not other options

Deleted user / Deleted group: Would mean the entire user or group object was deleted, not just removal.

Changed user password, Reset user password, Set license properties, Changed user license: These are account-related, not group membership-related.

Added member to group: The opposite action.

Step 4 – Microsoft Reference

From Microsoft documentation:

Audit logs include events such as when a member is added or removed from a group, and when group properties or membership rules are updated.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.