SC-401 Administering Information Security in Microsoft 365 Questions and Answers

Comprehensive Detailed Explanation with References

Custom Data Access Governance (DAG) data assessment scans in Microsoft Purview can be run on selected SharePoint Online or OneDrive locations to check for oversharing and exposure. Each custom assessment scan supports up to 200,000 items per location. This cap is documented in Microsoft’s guidance for custom data access governance assessments.

In Microsoft Purview Exact Data Match (EDM) classifiers, a primary element is a unique, identifying field used for data matching. EDM allows up to two primary elements per schema.

From the provided table, the Match mode indicates how data is analyzed:

● PP (EU Passport Number) → Likely a primary element because it ' s unique.

● Name (All Full Names) → Typically not a primary element as names are common.

● DateOfBirth (Single-token) → Usually a secondary element, not unique.

● AccountNumber (Multi-token) → Can be a primary element, as it ' s a unique identifier.

● Since EDM supports a maximum of two primary elements, the correct answer is 2.

To create a keyword dictionary for a sensitive information type in Microsoft Purview Data Loss Prevention (DLP), you must use a plain text (.txt) file where each keyword is on a separate line.

Format Example (TXT file):

confidential

sensitive

classified

top secret

This format is simple, efficient, and directly compatible with Microsoft 365 DLP policies for keyword dictionaries.

How to use the keyword dictionary?

● Create a text file with one keyword per line.

● Upload it to Microsoft Purview under Data Classification > Sensitive Info Types.

● Use the dictionary in a DLP policy to identify and protect sensitive information.

To meet the requirements, you need one DLP policy with two separate DLP rules to handle the different conditions:

1. First DLP Rule (For Group1 Members): If the user is a member of Group1 and attempts to copy a file with sensitive data to a USB storage device. Allow the file copy but log the event in the audit log.

2. Second DLP Rule (For All Other Users): If any user who is NOT in Group1 attempts to copy a file with sensitive data to a USB storage device. Block the file transfer.

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT ) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT ) → Copilot cannot summarize.

Since File2 is labeled Label2 , it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

Policy1 monitors printing of files by users that submitted their resignation. In Insider Risk Management, the Data theft by departing users template is designed for users marked as leaving and watches for exfiltration indicators such as printing, USB copy, or uploads to cloud services.

Ref: Microsoft Purview Insider Risk Management – Policy templates: Data theft by departing users (monitors exfiltration activities for departing users).

Policy2 monitors accidental sharing of data outside the organization by users in a priority user group. The template for this is Data leaks by priority users, which targets a defined priority user group and focuses on oversharing/leak indicators (external sharing, email to external, cloud uploads, etc.).

Ref: Insider Risk Management – Data leaks by priority users template.

Policy3 monitors downloading of files from SharePoint Online to personal cloud storage services. This is a classic data leak/exfiltration scenario without a departing/priority qualifier, so the general Data leaks template is appropriate (covers uploads to personal cloud services and other exfiltration vectors).

Ref: Insider Risk Management – Data leaks template (monitors exfiltration such as uploads to personal cloud services).

These mappings align with Microsoft’s template purposes: Departing user exfiltration → Data theft by departing users; Priority users oversharing → Data leaks by priority users; Generic exfiltration → Data leaks.

The question asks about creating a Microsoft Defender for Cloud Apps (MCAS / MDA) policy that will detect Data Loss Prevention (DLP) violations.

Understanding the policy types in Defender for Cloud Apps:

File Policy

Used for monitoring and controlling files stored in cloud apps (e.g., SharePoint, OneDrive, Box, Google Drive).

Can detect sensitive information types (like credit cards, SSNs, SWIFT codes) and flag DLP violations.

Can apply governance actions (e.g., quarantine, remove sharing, notify user).

Correct for DLP violation detection.

Activity Policy

Monitors user activities (e.g., login attempts, mass downloads, suspicious behavior).

Not for file content DLP.

Session Policy

Applied through Conditional Access App Control for real-time monitoring/control during a user session.

Used for controlling actions (download, cut/paste) but not for broad DLP scanning of stored files.

Access Policy

Controls access to apps based on conditions (e.g., unmanaged device access).

Not designed for DLP content inspection.

Why File Policy is correct

Since the requirement is:

" detect DLP violations "

That means scanning file content for sensitive information. This is only possible with a File Policy in Microsoft Defender for Cloud Apps.

To track who accesses User1’s mailbox, you need to enable mailbox auditing for User1. By default, Exchange mailbox auditing is not enabled per mailbox (even though it is enabled tenant-wide).

The Set-Mailbox -Identity " User1 " -AuditEnabled $true command enables audit logging for mailbox actions like:

● Read emails

● Delete emails

● Send emails as User1

● Access by delegated users

Once enabled, you can search for future sign-ins and actions in the Microsoft Purview audit logs.

Yes , Yes, No

To determine whether each statement is true or false, let ' s analyze the provided information step by step based on the sensitivity label settings and the user permissions associated with the files.

Given Information:

Users and Subscriptions:

User1: Contoso subscription, email: user1@contoso.com

User2: Contoso subscription, email: user2@contoso.com

User3: Fabrikam subscription, email: user3@fabrikam.com

User4: Fabrikam subscription, email: user4@fabrikam.com

Files and Sensitivity Label Application:

File1: Automatically applied Sensitivity1 using an auto-labeling policy

File2: Applied by User2

File3: Applied by User1

Sensitivity Label (Sensitivity1) Assumptions: Since the exhibit for the sensitivity label is not fully detailed, we need to make reasonable assumptions based on typical Microsoft 365 sensitivity label behavior. Sensitivity labels can restrict access based on user permissions, subscription boundaries, or specific configurations (e.g., allowing only users within the same organization to edit or view). Given the context of two separate subscriptions (Contoso and Fabrikam), it’s likely that Sensitivity1 restricts access to users within the same subscription unless explicitly configured otherwise. A common default for such labels is to allow editing and other rights only to users within the applying user ' s organization, with possible restrictions for cross-subscription access.

Key Assumptions:

Sensitivity1 likely encrypts the files and restricts editing rights to users within the same subscription as the user who applied the label or where the auto-labeling policy is configured.

File1 (auto-applied) would inherit permissions based on the policy, likely restricting access to Contoso users if the policy is set up within the Contoso subscription.

File2 (applied by User2 from Contoso) would restrict access to Contoso users.

File3 (applied by User1 from Contoso) would also restrict access to Contoso users.

Users from Fabrikam (User3, User4) would not have edit rights unless explicitly granted, which is unlikely given the separation of subscriptions.

Statement Analysis:

User1 can edit rights for File1.

File1 was automatically applied with Sensitivity1 using an auto-labeling policy. Since the policy is likely configured within the Contoso subscription (where User1 resides), User1, as a Contoso user, should have edit rights unless the policy explicitly restricts this. Given User1 ' s affiliation with Contoso, this is typically allowed.

Answer: Yes

User2 can edit rights for File3.

File3 was applied by User1, who is from the Contoso subscription. Since User2 is also from the Contoso subscription, they should have edit rights unless the label configuration explicitly denies this for other users within the same subscription. Typically, users within the same organization can edit files labeled by another user from the same organization.

Answer: Yes

User3 can print File2.

File2 was applied by User2, who is from the Contoso subscription. Sensitivity1 likely restricts access to Contoso users only. User3 is from the Fabrikam subscription, which is a separate entity. Unless cross-sub

Answer : No

Creating an app discovery policy in Microsoft Defender for Cloud Apps is used for detecting and monitoring cloud application usage, but it does not prevent a locally installed application (Tailspin_scanner.exe) from accessing sensitive files on Windows 11 devices.

To block Tailspin_scanner.exe from accessing sensitive documents while allowing it to access other files, the correct solution is to use Microsoft Purview Endpoint Data Loss Prevention (Endpoint DLP) and add Tailspin_scanner.exe to the Restricted Apps list.

Endpoint DLP allows you to block specific applications from accessing sensitive files while keeping general access available. Restricted Apps List in Endpoint DLP ensures that Tailspin_scanner.exe cannot open, copy, or process protected documents, but it can still function normally for non-sensitive content.

Step 1 – Summarization in Copilot

For Microsoft 365 Copilot to summarize a file:

The user needs at least View permission.

Summarization does not require editing, copying, or ownership rights.

Looking at the exhibit:

User1 (Co-Owner) → has full access including view.

User2 (Co-Author) → has edit and view.

User3 (Reviewer) → has read-only rights.

User4 (Viewer) → has read rights.

All four users can view the document. Therefore, Copilot can summarize File1 for User1, User2, User3, and User4.

Step 2 – Referencing a file by link in Copilot

For Copilot to reference a file by link (i.e., cite or share within generated content):

The user must have rights that include resharing or exporting.

Only the Co-Owner has full rights to manage access and allow referencing by link.

From the exhibit:

User1 (Co-Owner) → Can reference by link.

User2 (Co-Author), User3 (Reviewer), User4 (Viewer) → Do not have reshare or link rights.

So, only User1 can reference File1 by link.

To auto-apply a retention label to documents based on a specific file naming pattern (like abc_XX123.docx), you need to use a detection method that can recognize patterns.

Retention label: This is the outcome (what you apply), not the detection mechanism. It cannot itself identify files.

Trainable classifier: Used for identifying content based on text meaning/semantics (e.g., HR documents, contracts). It is not suitable for structured patterns like file names.

Sensitive info type (SIT): Best option. Custom SITs can be created with regular expressions to match naming formats (such as xxx_XX999). Once the SIT is defined, you can configure an auto-apply retention label policy to apply the “Project Documents” label when the SIT is detected.

The requirements are:

Detect credit card information → requires a sensitive info type (built-in: Credit Card Number).

Detect keywords “Project1” or “Project2” → can be handled in the same sensitive info type by using keyword matching.

Watermarks (“Confidential”, “Internal Use Only”) are label actions, not sensitive info types.

Therefore, only 2 sensitive info types are required: one for keywords, one for credit card data.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

In Microsoft Purview, when multiple alert policies trigger alerts, duplicate alerts within a short period (typically 5 minutes) may be suppressed to avoid redundancy.

Step-by-step Analysis:

● Policy1 at 10:00:04 is ignored because Policy1 already triggered at 10:00:00, and it ' s within 5 minutes.

● Policy2 at 10:00:31 is ignored because Policy2 already triggered at 10:00:03, and it ' s within 5 minutes.

● Policy1 at 10:01:01 is a new alert because it ' s over 1 minute after the previous Policy1 alert.

● Policy1 at 10:04:45 is a new alert because it ' s over 3 minutes after the previous Policy1 alert.

Step 1 – Review the configuration

Sensitivity label name: Contoso Confidential

Scope: Files and emails

Access control:

Encrypts documents/emails.

Permissions assigned to AuthenticatedUsers with Co-Author rights.

Offline access allowed only for 7 days.

Auto-labeling = None (not configured).

Content marking: Footer applied.

Step 2 – Analyze each statement

Statement 1: If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential.

Sensitivity labels with encryption enforce Azure AD authentication every time a user tries to access a file.

If the account is disabled in Azure AD, access is blocked immediately.

Answer: Yes

Statement 2: Guest users will be able to open documents protected by Contoso Confidential.

Access control was configured only for AuthenticatedUsers (internal users).

Guest or external users are not included in this group.

Therefore, guest users cannot open the protected documents.

Answer: No

Statement 3: Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online.

Auto-labeling for files and emails = None.

That means labeling must be applied manually by users, not automatically.

Answer: No

Final Verified Answers

If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential → Yes

Guest users will be able to open documents protected by Contoso Confidential → No

Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online → No

When you configure Microsoft Purview DLP policies for the Teams chat and channel messages location, the following entities are protected:

1:1 and n:n chats (private chats between two or more users).

Team channel messages (including the General channel and all standard channels).

Private channel messages.

This means that if a DLP policy is applied to User1 and User2, it will monitor and enforce rules across:

Chats between User1 and User2 (1:1 or group chats).

Any channel conversations they participate in (General or other channels).

Private channels they belong to.

Incorrect options:

A (1:1/n chats and general channels only) → Excludes private channels, but DLP supports them.

B (1:1/n chats and private channels only) → Excludes general channels, but DLP supports them too.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with " 999 " .

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There ' s no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

Understanding Site4 ' s Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states " Do nothing " ).

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does " nothing, " meaning the file is no longer recoverable after that period.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).