SC-401 Administering Information Security in Microsoft 365 Questions and Answers

A Preservation Lock in Microsoft Purview Retention Policies enforces strict compliance and prevents certain modifications to ensure data is retained according to compliance requirements.

When a Preservation Lock is applied:

1. You cannot disable or delete the policy.

2. You cannot remove locations from the policy.

3. You cannot decrease the retention period.

4. You can add locations to the policy.

5. You can increase the retention period.

You can expand the retention policy to cover additional locations (e.g., more Exchange mailboxes, SharePoint sites). You can extend the retention duration (e.g., increase from 5 years to 10 years) since this aligns with stricter compliance.

Step 1 – Scenario

You are creating an Exact Data Match (EDM) classifier in Microsoft Purview.

EDM requires preparing a sensitive information source table (such as employee IDs, customer account numbers).

This table must be hashed and uploaded into Microsoft Purview.

Only authorized users can perform this sensitive upload operation.

Step 2 – Required permissions for EDM upload

Microsoft’s documented process states:

To hash and upload EDM source data, you must assign users to the EDM Data Uploaders security group.

This group is a security group created in Microsoft Entra ID (formerly Azure AD).

Membership in this security group grants permission to perform the upload.

???? Reference: Configure Exact Data Match (EDM) in Microsoft Purview

“To upload the hashed data file to Microsoft Purview, you must add users to a security group named EDM_DataUploaders. This group is required to give permissions for EDM uploads.”

Step 3 – Why not the other options?

A. Microsoft Entra enterprise application → Used for app integration, not EDM uploads.

B. Purview role group → Provides compliance portal permissions but not EDM upload rights.

D. Microsoft Entra app registration → Used for API access, not relevant here.

E. Microsoft 365 group → Collaboration group, not for secure upload rights.

When you create an auto-labeling policy for sensitivity labels and start it in simulation mode using the default settings, Microsoft Purview will automatically turn on the policy after 14 days if you make no changes during simulation. A policy created on February 1 would therefore be turned on on February 15.

References used:

Microsoft Purview Data Access Governance custom assessments item limits.

Exchange Online Managed Folder Assistant and Start-ManagedFolderAssistant.

Auto-labeling simulation mode behavior and automatic enable timeline.

Forensic evidence in Microsoft Purview Insider Risk Management allows capturing screenshots/clips of user activity on endpoints.

Requirements for forensic evidence capture:

The device must be onboarded to Microsoft Purview (via Defender for Endpoint).

The Microsoft Purview client must be installed.

Supported platforms: Windows 10 and Windows 11 (macOS is not supported for forensic evidence).

Now check each device:

Device1 (Windows 11) → Client installed, but not onboarded → ❌ Not eligible.

Device2 (Windows 10) → Onboarded and client installed → ✅ Eligible.

Device3 (macOS) → Onboarded, but client not installed and macOS is not supported → ❌ Not eligible.

Therefore, only Device2 qualifies.

Sensitivity labels can be applied to modern Office file types that support protection:

Supported: .docx, .xlsx, .pptx, etc.

Not supported: Legacy formats like .doc or non-Office formats like .txt.

Therefore, only File2.docx and File3.xlsx can have Label1 applied.

The question is about Insider Risk Management forensic evidence collection in Microsoft 365 E5 (Microsoft Purview).

???? Step 1 – Which devices are supported?

According to Microsoft documentation, forensic evidence collection for insider risk investigations is supported only on:

Windows 10

Windows 11

It is not supported on:

macOS

Android

iOS

???? Reference: Forensic evidence collection in Microsoft Purview Insider Risk Management

➡ So, only Device1 (Windows 11) and Device2 (Windows 10) qualify.

???? Step 2 – What preparation is needed?

For forensic evidence to be collected, supported devices must:

Be onboarded to Microsoft Purview (via Microsoft Defender for Endpoint integration).

Have the Microsoft Purview client installed.

This enables capture of user actions such as file copies, USB transfers, printing, etc., to provide forensic evidence for insider risk alerts.

➡ Correct option: Onboard the devices to Microsoft Purview and install the Microsoft Purview client

Trainable classifiers in Microsoft Purview learn from sample documents. When the initial results are unsatisfactory, retraining is done by reviewing and reclassifying items through Content explorer under the Data classification section of the Purview compliance portal. This allows you to give feedback by marking documents as “relevant” or “not relevant” to improve classifier accuracy.

The other options do not support retraining:

Labels from Information protection → Used to configure and manage sensitivity labels, not train classifiers.

Labels from Information governance → Used for retention labels, not classifiers.

Content search → Used for eDiscovery and searching content, not classifier training.

When implementing Microsoft Purview Insider Risk Management and using the HR data connector, you must prepare HR data in CSV (Comma-Separated Values) format. This format is required because Microsoft Purview supports CSV files for importing user employment details, termination dates, role changes, and other HR-related attributes.

Step 1 – Review what’s configured

Labels: Public, General, Confidential, Internal, External.

Also shown in policy: Confidential/Internal and Confidential/External.

Policy setting: Users must provide justification to remove a label or lower its classification.

Confidential/External → encrypts content when applied.

Step 2 – Analyze each statement

Statement 1: The Internal sensitivity label inherits all the settings from the Confidential label.

Sub-labels (e.g., Confidential/Internal, Confidential/External) do not inherit settings from the parent.

They are independent labels grouped under a parent for organization, but each sub-label must have its own protection settings defined.

Answer: No

Statement 2: Users must provide justification if they change the label of content from Confidential/Internal to Confidential/External.

The policy requires justification only when removing a label or downgrading classification (lowering).

Changing between two sub-labels of the same parent (Confidential/Internal → Confidential/External) is considered a lateral move (not a downgrade).

Answer: No

Statement 3: Content that has the Confidential/External label applied will retain the encryption settings if the sensitivity label is removed from the label policy.

If a label is removed from a published policy, content already labeled retains its protection settings (such as encryption).

The label metadata stays applied to the file/email, even if unpublished.

Answer: Yes

The Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox* command is incorrect. This enables admin audit logging, which tracks changes to mailbox configurations (e.g., mailbox settings updates), not user activity inside the mailbox.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There ' s no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with " 999 " .

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

Comprehensive Detailed Explanation with References

The command Set-AuditConfig -Workload Exchange is related to configuring auditing for workloads but does not enable mailbox auditing.

To capture and view who is accessing User1’s mailbox, mailbox auditing must be enabled at the mailbox level in Exchange Online.

Correct solution would be:

Set-Mailbox -Identity User1 -AuditEnabled $true

Mailbox auditing is enabled by default for all mailboxes in Microsoft 365 now, but if it is disabled, enabling auditing at the mailbox level is required. Running Set-AuditConfig -Workload Exchange alone does not accomplish this.

The issue: Users cannot upload documents with U.S. passport numbers to a legitimate travel management website because Endpoint DLP is blocking it.

Solution: Configure Service domains in Endpoint DLP → this allows defining specific trusted domains where uploads of sensitive information are permitted while still blocking uploads to other, non-approved domains.

Why not others?

Unallowed browsers: Restricts/blocklists browsers, not the issue here.

File path exclusions: Excludes local folders/paths from monitoring, irrelevant to web uploads.

Unallowed apps: Restricts desktop apps, not browser-based sites.

Comprehensive Detailed Explanation with References

Exact Data Match (EDM) classifiers are designed to identify highly sensitive structured data (like customer IDs, account numbers) with higher accuracy.

EDM classifiers can only be used within Data Loss Prevention (DLP) policies in Microsoft Purview.

They cannot be used in Insider Risk Management or Retention policies.

To ensure that encrypted email messages sent to external recipients can be revoked or expire within seven days, you need to configure a sensitivity label with encryption settings in Microsoft Purview Information Protection. A sensitivity label allows you to encrypt emails and documents, set expiration policies (e.g., emails expire after 7 days), and enable email revocation

How to configure it?

● Go to Microsoft Purview compliance portal → Information Protection

● Create a sensitivity label

● Enable encryption and configure the content expiration policy

● Publish the label to users