SC-401 Administering Information Security in Microsoft 365 Questions and Answers

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

Adding a folder path to the file path exclusions in Microsoft 365 Endpoint DLP does not prevent Tailspin_scanner.exe from accessing protected sensitive information. Instead, it would exclude those files from DLP protection, which is not the intended outcome.

To block Tailspin_scanner.exe from accessing sensitive documents while allowing it to access other files, the correct solution is to use Microsoft Purview Endpoint Data Loss Prevention (Endpoint DLP) and add Tailspin_scanner.exe to the Restricted Apps list.

Endpoint DLP allows you to block specific applications from accessing sensitive files while keeping general access available. Restricted Apps List in Endpoint DLP ensures that Tailspin_scanner.exe cannot open, copy, or process protected documents, but it can still function normally for non-sensitive content.

You need to prevent users from sharing sensitive information with third-party generative AI websites.

A. Information Protection → Classifies and labels data but does not block sharing with external AI sites.

B. Information Barriers → Restricts communication between groups of users (e.g., compliance walls), not web uploads.

C. Insider Risk Management → Detects risky behavior (like data exfiltration), but does not actively block data sharing.

D. Data Loss Prevention (DLP) → Detects and prevents sensitive data being copied to browsers, USBs, or uploaded to restricted domains (like ChatGPT, Bard, etc.).

Microsoft 365 Endpoint data loss prevention (Endpoint DLP) is supported only on Windows 10 and Windows 11 devices. It does not support macOS or iOS at this time.

From the provided table:

● Device1 (Windows 11) - Supported

● Device2 (Windows 10) - Supported

● Device3 (iOS) - Not supported

● Device4 (macOS) - Not supported

Thus, only Device1 and Device2 support Endpoint DLP.

Comprehensive Detailed Explanation with References

We are given a sensitivity label with the following Access control settings:

Assign permissions now → meaning admins define permissions, not end users.

User access to content expires = Never.

Allow offline access = Always.

Permissions explicitly assigned:

LegalTeam@… → Co-Author

USSales@… → Reviewer

Dynamic watermarking and Double Key Encryption are not enabled.

for each of the following you can have a retention policy

1.EXO, SPO, ODfB, M365 groups

2.Teams channel messages, teams chat

3.Teams private channel messages

Create one service domain group (Allow list) containing Site1 and Site2 and configure the policy action “Allow upload only to sensitive service domains”.

Create a second service domain group (Block list) containing Search1 and Search2 and configure the policy action to block paste (clipboard) to these domains.

A single Endpoint DLP policy can enforce multiple activities (upload to cloud service domains + clipboard to specific domains), so only one policy is required.

Refs: Microsoft Learn – Endpoint DLP: Configure service domains and policy actions (upload/clipboard restrictions) (Purview > Data loss prevention > Endpoint DLP settings and policies).

Goal: maximize signin security for users who will test the AIP client (User1), install/configure the Microsoft Rights Management connector (User2), and act as the AIP scanner service account (User3).

Excluding users from MFA lowers security and is not recommended.

Passwordless with FIDO2 security keys (passkeys) provides strong phishingresistant authentication and is fully supported for Azure AD signins, including admin tasks and service scenarios that require interactive signin during setup.

Therefore, enabling all three for FIDO2 passkey authentication best meets the “maximize security” requirement.

Insider risk management policies in Microsoft Purview target users based on priority user groups.

If you want to monitor a specific project team, you must first define those users in a priority user group so that policies affect only them.

This approach:

Minimizes the impact on users not part of the project.

Reduces administrative effort since you don’t need to manage multiple security groups in Entra ID.

Step 1 – Scenario

Endpoint Data Loss Prevention (Endpoint DLP) is implemented in Microsoft 365.

Computers: Windows 11, joined to Microsoft Entra (Azure AD), with Microsoft 365 Apps installed.

Goal: Ensure Endpoint DLP policies can protect local content on these devices.

Step 2 – How Endpoint DLP works

Endpoint DLP builds on the same policy framework as Microsoft Purview DLP, but specifically extends coverage to Windows 10/11 devices.

Requirements:

Devices must be onboarded to Microsoft Purview (via Microsoft Defender for Endpoint or via Purview device onboarding).

Endpoint DLP does not require the Microsoft Purview Information Protection (MIP) client.

The MIP client is only required for sensitivity labeling and AIP functionality, not for Endpoint DLP.

Step 3 – Why the proposed solution is incorrect

Deploying the Microsoft Purview Information Protection client does not enable Endpoint DLP.

Endpoint DLP requires device onboarding into Microsoft Purview compliance.

Therefore, this solution does not meet the goal.

Step 4 – Microsoft Reference

Microsoft Docs states:

“To use Endpoint data loss prevention (Endpoint DLP), devices must be onboarded to the Microsoft Purview compliance portal. Installing the Microsoft Information Protection client is not required.”

When you create a communication compliance policy in Microsoft Purview and select "Detect Microsoft Copilot interactions," certain trainable classifiers are automatically added to help detect sensitive or inappropriate AI usage.

The "Unauthorized disclosure" classifier helps detect cases where users might share confidential or sensitive information via Copilot interactions, preventing unintended data leaks. The "Protected Materials" classifier is used to identify sensitive or restricted content that should not be shared through Copilot, ensuring compliance with organizational policies.

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

The scenario is about retaining audit logs for User1 for 10 years in Microsoft 365. Admin1 is responsible for managing audit retention policies, but the requirement specifically applies to User1’s audit logs.

Key points:

Microsoft 365 E5 includes Audit (Premium) by default. This provides access to advanced auditing features and retention up to 1 year.

To retain audit logs for longer than 1 year (such as 10 years), Microsoft requires the 10-year Audit Log Retention Add-on license.

This license must be assigned to the user whose activities need to be retained (User1), not the administrator (Admin1).

Admin1 only needs permissions to configure and manage retention policies, but the actual long-term retention is tied to the licensed users’ activity.

Why other options are incorrect:

A. Assign a Microsoft Purview Audit (Premium) add-on license to User1: Not needed because E5 already includes Audit (Premium).

B. Assign a 10-year audit log retention add-on license to Admin1: Incorrect because Admin1 is not the user whose logs must be retained; the license applies to the user being audited, not the admin.

D. Assign a Microsoft Purview Audit (Premium) add-on license to Admin1: Again, unnecessary because E5 already includes Audit (Premium), and Admin1’s license does not affect User1’s log retention.

You need to define a custom sensitive information type that recognizes the unique 13-digit identifier format for customer records. Microsoft Purview DLP policies use these types to identify and protect sensitive data.

A Data Loss Prevention (DLP) policy is required to enforce the rules. It will allow emails with a single identifier but trigger an approval workflow when two or more identifiers are detected.

Step 1 – Scenario

Microsoft 365 E5 subscription with 100 users and a Microsoft 365 group (Group1).

A sensitivity label (Label1) is published as the default label for Group1.

Label1 contains two sublabels: Sublabel1 and Sublabel2.

Requirement: Ensure Sublabel1 settings are applied by default to Group1.

Step 2 – Understanding label hierarchy

In Microsoft Purview Information Protection, a parent label (Label1) is a container.

Sublabels (Sublabel1, Sublabel2) inherit the parent name but represent distinct configurations (encryption, watermarking, access, etc.).

A parent label itself cannot have a sublabel’s settings automatically applied unless policy configuration specifies which sublabel is used as the default publishing option.

Step 3 – Why "Modify the policy of Label1" is correct

To apply Sublabel1 by default, the published policy for Label1 must be modified so that Sublabel1 is the default label within the policy.

Simply reordering sublabels (Option A) does not change the default assignment.

Duplicating Sublabel1’s settings into Label1 (Option B) defeats the purpose of having sublabels and adds redundancy.

Deleting the policy of Label1 and publishing Sublabel1 (Option D) would remove flexibility and is unnecessary.

Step 4 – Microsoft Reference

Microsoft Docs: “If you want a sublabel to be applied by default, configure the label policy to select that sublabel as the default label for documents and emails.”

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

Mail flow rules (transport rules) can detect sensitive info, but they are limited in encryption capabilities.

DLP policies provide more advanced protection and integration with Microsoft Purview for sensitive info detection.

To allow users to apply retention labels to individual documents in Microsoft SharePoint libraries, you need to create a retention label and publish the label.

In Microsoft Purview, retention labels define how long content should be retained or deleted. You must first create a label that specifies the retention rules. After creating the label, you must publish it so that it becomes available for users in SharePoint document libraries. Once published, users can manually apply the retention label to individual documents.

Captures clips of key security-related user activities

This requirement refers to recording and surfacing evidence of risky user behavior (e.g., copying sensitive files to USB, uploading to cloud storage, or exfiltrating data).

In Microsoft Purview Insider Risk Management, this is achieved through Forensic evidence, which allows capturing screenshots/clips of user activities on endpoints when a policy is triggered.

Ref: Microsoft Learn – Insider risk forensic evidence

Integrates DLP capabilities with insider risk management

Microsoft introduced Adaptive Protection as part of Purview Insider Risk.

Adaptive Protection uses insider risk signals and DLP together, dynamically adjusting DLP controls (block, restrict, monitor) based on the user’s risk level.

This integration reduces false positives and ensures risky users are monitored more strictly while low-risk users are less impacted.

Ref: Microsoft Learn – Adaptive Protection in Microsoft Purview

Other options ruled out:

Adaptive scopes: Used for defining policy targeting groups dynamically, not capturing activities.

Classifiers/Trainable classifiers: Used for content classification, not exfiltration capture or DLP integration.

eDiscovery (Premium): For legal investigations, not insider risk + DLP integration.

Records management: Lifecycle retention, not related to insider risk.

To ensure that Microsoft Purview Insider Risk Management can detect file deletions, USB copies, and print actions on sensitive information, you must onboard the Windows 11 devices to Microsoft Purview.

Device onboarding enables endpoint activity monitoring, allowing Purview to track and log user activities such as file deletions, USB transfers, and printing of sensitive files. Once onboarded, the Insider Risk Management policy can analyze these activities and generate risk alerts when sensitive information types (SITs) are involved.

To create a trainable classifier that can be used in an auto-apply retention label policy, you need to follow these key steps:

1. Create the trainable classifier

This is the first step where you define the classifier, specifying the types of content it should identify.

2. Test the trainable classifier

Before using the classifier in production, you need to validate its accuracy by testing it against sample documents to ensure it correctly classifies the intended data.

3. Publish the trainable classifier

Once testing is successful, you must publish the classifier so that it can be used in policies like auto-apply retention labels in Microsoft Purview.

To validate whether an audit log retention policy will apply to the intended entries, you should configure the following fields:

● Date and time range (UTC) ensures that you are searching for audit logs within the time period when the policy should be applied. Audit logs are time-sensitive, and policies affect logs based on their timestamp.

● Record types allows you to filter and search for specific audit log categories (e.g., Exchange, SharePoint, Teams, etc.) that are affected by the retention policy. Selecting the correct record type ensures that the policy is evaluated against the relevant data.

Step 1 – Review of Preservation Lock

Preservation Lock in Microsoft 365 retention policies ensures that once a policy is locked, no one (including administrators) can turn it off, delete it, or make it less restrictive.

Preservation Lock is only available for static retention policies and not supported for adaptive scopes.

???? Reference: Preservation Lock in Microsoft 365 retention policies

From Microsoft docs:

“Preservation Lock can only be applied to retention policies configured with static scopes. Adaptive scopes do not currently support Preservation Lock.”

Step 2 – Analyzing the Case Data

RPolicy1 → Adaptive scope (Scope1: Users). ❌ Not eligible for Preservation Lock.

RPolicy2 → Adaptive scope (Scope2: SharePoint Online sites). ❌ Not eligible for Preservation Lock.

RPolicy3 → Static scope (Microsoft 365 groups). ✅ Eligible for Preservation Lock.

Step 3 – Conclusion

Only RPolicy3 qualifies for Preservation Lock.

Activity Policy (MCAS): Monitors and alerts on specific user actions such as uploading files, downloads, or logins to cloud apps. Perfect for detecting “upload to third-party storage”.

Sensitivity label: Used for classifying and protecting content, not generating alerts.

File policy (MCAS): Inspects and governs files already stored in sanctioned apps, not upload activity.

Insider risk policy: Focuses on risky behavior like data exfiltration or security violations, not direct activity alerts in cloud apps.

Correct Answer: A. an activity policy

The question asks about creating a Microsoft Defender for Cloud Apps (MCAS / MDA) policy that will detect Data Loss Prevention (DLP) violations.

Understanding the policy types in Defender for Cloud Apps:

File Policy

Used for monitoring and controlling files stored in cloud apps (e.g., SharePoint, OneDrive, Box, Google Drive).

Can detect sensitive information types (like credit cards, SSNs, SWIFT codes) and flag DLP violations.

Can apply governance actions (e.g., quarantine, remove sharing, notify user).

Correct for DLP violation detection.

Activity Policy

Monitors user activities (e.g., login attempts, mass downloads, suspicious behavior).

Not for file content DLP.

Session Policy

Applied through Conditional Access App Control for real-time monitoring/control during a user session.

Used for controlling actions (download, cut/paste) but not for broad DLP scanning of stored files.

Access Policy

Controls access to apps based on conditions (e.g., unmanaged device access).

Not designed for DLP content inspection.

Why File Policy is correct

Since the requirement is:

"detect DLP violations"

That means scanning file content for sensitive information. This is only possible with a File Policy in Microsoft Defender for Cloud Apps.

Step 1 – Label publishing and scope

The sensitivity label Label1 is published to User1 and Group1.

User1 → Directly included in label publishing.

User2 → Member of Group1, so also included indirectly.

This means both User1 and User2 are eligible to use Label1.

Step 2 – File vs Folder labeling with the Information Protection client

The Microsoft Purview Information Protection (AIP unified labeling) client can apply labels to files such as .docx, .png, .pdf, etc.

It cannot label folders directly. Labels are applied to items (files and emails), not folders.