SC-401 Administering Information Security in Microsoft 365 Questions and Answers

To ensure User1 can perform insider risk management tasks only for the users and devices in Office1, the first step is to create an administrative unit in Microsoft Entra ID (formerly Azure AD).

Administrative units allow you to scope permissions to specific users, devices, and locations. By creating an administrative unit for Office1 and assigning User1 to the Insider Risk Management Admins role group within that unit, User1 will only have access to users and devices in Office1.

A trainable classifier in Microsoft Purview is used to automatically identify and classify unstructured data based on content patterns. The classifier can be used in:

1. Retention Labels (Label2) → Supported

● Trainable classifiers can be linked to retention labels to automatically classify and apply retention policies to documents.

2. Retention Label Policies (Policy1) → Supported

● Retention label policies define how and where retention labels are applied, including automatically using trainable classifiers.

3. Data Loss Prevention (DLP) Policies (DLP1) → Supported

● Trainable classifiers can be used in DLP policies to detect and protect sensitive content automatically.

Step 1 – Summarization in Copilot

For Microsoft 365 Copilot to summarize a file:

The user needs at least View permission.

Summarization does not require editing, copying, or ownership rights.

Looking at the exhibit:

User1 (Co-Owner) → has full access including view.

User2 (Co-Author) → has edit and view.

User3 (Reviewer) → has read-only rights.

User4 (Viewer) → has read rights.

All four users can view the document. Therefore, Copilot can summarize File1 for User1, User2, User3, and User4.

Step 2 – Referencing a file by link in Copilot

For Copilot to reference a file by link (i.e., cite or share within generated content):

The user must have rights that include resharing or exporting.

Only the Co-Owner has full rights to manage access and allow referencing by link.

From the exhibit:

User1 (Co-Owner) → Can reference by link.

User2 (Co-Author), User3 (Reviewer), User4 (Viewer) → Do not have reshare or link rights.

So, only User1 can reference File1 by link.

AutoApply1 is an auto-labeling policy that applies RLabel1 to Group1. Auto-labeling policies can apply retention labels across group mailboxes, SharePoint Online sites, and Teams channel messages if they are configured for group resources.

Retention1 is a retention policy applied to Group2. Retention policies for Microsoft 365 groups apply to all group resources, including group mailboxes, SharePoint Online teams sites, and Teams channel messages.

Since both AutoApply1 and Retention1 affect entire groups, they apply to all associated resources: group mailbox, SharePoint Online teams site, and Teams channel messages.

An activity policy in Microsoft Defender for Cloud Apps (Microsoft Defender portal) allows you to track and alert on specific user actions, such as sharing sensitive documents externally from OneDrive. This policy can detect file-sharing activities and send alerts when files are shared with external users, which meets the requirement.

The issue: Users cannot upload documents with U.S. passport numbers to a legitimate travel management website because Endpoint DLP is blocking it.

Solution: Configure Service domains in Endpoint DLP → this allows defining specific trusted domains where uploads of sensitive information are permitted while still blocking uploads to other, non-approved domains.

Why not others?

Unallowed browsers: Restricts/blocklists browsers, not the issue here.

File path exclusions: Excludes local folders/paths from monitoring, irrelevant to web uploads.

Unallowed apps: Restricts desktop apps, not browser-based sites.

In Microsoft Purview, when multiple alert policies trigger alerts, duplicate alerts within a short period (typically 5 minutes) may be suppressed to avoid redundancy.

Step-by-step Analysis:

● Policy1 at 10:00:04 is ignored because Policy1 already triggered at 10:00:00, and it's within 5 minutes.

● Policy2 at 10:00:31 is ignored because Policy2 already triggered at 10:00:03, and it's within 5 minutes.

● Policy1 at 10:01:01 is a new alert because it's over 1 minute after the previous Policy1 alert.

● Policy1 at 10:04:45 is a new alert because it's over 3 minutes after the previous Policy1 alert.

DLP policy tips are shown across all supported Outlook clients: Outlook on the web (OWA), Outlook desktop (Win32), and Outlook mobile apps (iOS and Android). This ensures users are informed when sending sensitive information across any supported client.

Sensitivity labels can be applied to modern Office file types that support protection:

Supported: .docx, .xlsx, .pptx, etc.

Not supported: Legacy formats like .doc or non-Office formats like .txt.

Therefore, only File2.docx and File3.xlsx can have Label1 applied.

When configuring an advanced DLP rule in Microsoft Purview Data Loss Prevention (DLP), you can use a Sensitive Information Type (SIT) condition to detect and classify specific types of sensitive data, such as credit card numbers, Social Security numbers, or custom sensitive data patterns. This allows you to apply protection and trigger actions based on the identified content.

Box 1: Since you are looking for a specific pattern (PA followed by eight digits, e.g., PA 12345678), the best classification method is Sensitive Info Type. Sensitive Info Types allow pattern-based matching to identify structured data. Exact Data Match (EDM) is not needed because you're not comparing against a fixed dataset. Trainable classifier is not appropriate because this is a structured pattern, not an unstructured document classification.

Box 2: Since PA 12345678 follows a structured pattern, the most effective method is Regular Expression (Regex). A Regular Expression (Regex) can be written to match "PA" followed by exactly eight digits (e.g., PA\s\d{8}). Keyword dictionary is not ideal because it works for predefined words, not number patterns. Function is unnecessary because there is no need for checksum validation or predefined validation rules.

Comprehensive Detailed Explanation with References

We are given a sensitivity label with the following Access control settings:

Assign permissions now → meaning admins define permissions, not end users.

User access to content expires = Never.

Allow offline access = Always.

Permissions explicitly assigned:

LegalTeam@… → Co-Author

USSales@… → Reviewer

Dynamic watermarking and Double Key Encryption are not enabled.

You want files in Site1 that are labeled with Label1 to automatically move to Site2 two years after creation.

In Microsoft Purview Retention Labels, under “Choose what happens after the retention period”, the available options are:

Deactivate retention settings – Ends retention but does not move files.

Start a disposition review – Sends items to reviewers for approval (manual process, not auto-move).

Change the label – Applies a new retention label (but does not move files to another site).

Run a Power Automate flow – Executes an automated workflow such as moving the file to another SharePoint library or site, notifying users, or applying custom business processes.

Since the requirement is automatic movement of files from Site1 to Site2 after 2 years, the only valid choice is Run a Power Automate flow.

A screenshot of a computer AI-generated content may be incorrect.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

A screenshot of a computer AI-generated content may be incorrect.

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

A screenshot of a computer AI-generated content may be incorrect.

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

The requirements are:

Detect credit card information → requires a sensitive info type (built-in: Credit Card Number).

Detect keywords “Project1” or “Project2” → can be handled in the same sensitive info type by using keyword matching.

Watermarks (“Confidential”, “Internal Use Only”) are label actions, not sensitive info types.

Therefore, only 2 sensitive info types are required: one for keywords, one for credit card data.

A screenshot of a computer AI-generated content may be incorrect.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

A white paper with black text AI-generated content may be incorrect.

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

A screenshot of a questionnaire AI-generated content may be incorrect.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

A screenshot of a computer AI-generated content may be incorrect.

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Step 1 – Scenario

You are creating an Exact Data Match (EDM) classifier in Microsoft Purview.

EDM requires preparing a sensitive information source table (such as employee IDs, customer account numbers).

This table must be hashed and uploaded into Microsoft Purview.

Only authorized users can perform this sensitive upload operation.

Step 2 – Required permissions for EDM upload

Microsoft’s documented process states:

To hash and upload EDM source data, you must assign users to the EDM Data Uploaders security group.

This group is a security group created in Microsoft Entra ID (formerly Azure AD).

Membership in this security group grants permission to perform the upload.

???? Reference: Configure Exact Data Match (EDM) in Microsoft Purview

“To upload the hashed data file to Microsoft Purview, you must add users to a security group named EDM_DataUploaders. This group is required to give permissions for EDM uploads.”

Step 3 – Why not the other options?

A. Microsoft Entra enterprise application → Used for app integration, not EDM uploads.

B. Purview role group → Provides compliance portal permissions but not EDM upload rights.

D. Microsoft Entra app registration → Used for API access, not relevant here.

E. Microsoft 365 group → Collaboration group, not for secure upload rights.