SC-401 Administering Information Security in Microsoft 365 Questions and Answers

for each of the following you can have a retention policy

1.EXO, SPO, ODfB, M365 groups

2.Teams channel messages, teams chat

3.Teams private channel messages

Requirement 1 – Encrypt all email to fabrikam.com automatically

To force encryption for mail sent to a specific external domain (fabrikam.com):

You configure a mail flow rule (transport rule) in the Exchange admin center (EAC).

This rule can apply Office Message Encryption (OME) automatically when messages match conditions such as recipient domain.

You are creating a Data Loss Prevention (DLP) policy in Microsoft 365 with advanced rules. Advanced DLP rules provide more granular conditions and actions than standard DLP rules.

Conditions available in advanced DLP

According to Microsoft Docs on Conditions in DLP policies:

✅ Content contains → Used to detect sensitive information types, keywords, or exact data matches. This is one of the most common and fundamental DLP conditions.

✅ Content is shared from Microsoft 365 → Used to detect whether content has been shared externally or with specific domains/users. This is a modern advanced DLP condition.

Why the others are not correct:

A. Document property is → This condition applies to information governance retention policies/labels (not DLP). Not available in DLP rules.

B. Attachment's file extension is → This is supported in Exchange mail flow rules (transport rules) but not in advanced DLP rules.

C. Document size equals or is greater than → Also applies in Exchange transport rules and certain SharePoint restrictions, but not available as a DLP rule condition.

Policy tips in DLP: Policy tips are messages shown to users when their action (such as sending sensitive content via email) conflicts with a DLP policy.

For Exchange email location, policy tips are supported in the following apps:

Outlook for Microsoft 365 (desktop client) ✅

Outlook on the web (OWA) ✅

Outlook Mobile (iOS/Android) ❌ Policy tips are not shown in mobile apps. Instead, DLP actions (block/restrict/send incident report) still apply, but the user does not see a policy tip notification.

Therefore:

Supported: Outlook for Microsoft 365, Outlook on the web.

Not supported: Outlook Mobile apps.

Activity Policy (MCAS): Monitors and alerts on specific user actions such as uploading files, downloads, or logins to cloud apps. Perfect for detecting “upload to third-party storage”.

Sensitivity label: Used for classifying and protecting content, not generating alerts.

File policy (MCAS): Inspects and governs files already stored in sanctioned apps, not upload activity.

Insider risk policy: Focuses on risky behavior like data exfiltration or security violations, not direct activity alerts in cloud apps.

Correct Answer: A. an activity policy

The mail flow rule is configured to apply OMEv2 protection (“Protect with OMEv2”) to messages. With OMEv2:

Recipients on consumer mail systems (such as Gmail) receive a link-protected message and must authenticate to the Office 365 Message Encryption portal to view the content.

Microsoft 365 recipients (even in external tenants) get a native reading experience in Outlook/OWA where protected messages are opened directly with automatic decryption using their Microsoft 365 identity—no separate OME portal workflow is required.

These behaviors are documented by Microsoft for OMEv2 user experiences for different recipient types and clients. See: Microsoft Purview Office 365 Message Encryption overview and user experiences for external Microsoft 365 and consumer email recipients.

Retention policy tags (MRM) for Exchange Online are applied by the Managed Folder Assistant (MFA). To apply a newly created Exchange retention policy to mailbox items immediately, you manually invoke MFA with Start-ManagedFolderAssistant for the mailbox or set of mailboxes. Creating DLP policies or label policies in Purview does not accelerate MRM processing.

Comprehensive Detailed Explanation with References

Step 1 – Review File2 contents

File2 contains 3 IP addresses.

Step 2 – Review DLP rules and priorities

RuleConditionPolicy TipStop Processing?Priority

Rule11 or more IP addressesTip1No0

Rule23 or more IP addressesTip2Yes1

Rule32 or more IP addressesTip3No2

Step 3 – Rule evaluation order

Advanced DLP rules are processed by priority order (lowest number first).

Rule1 (Priority 0) will trigger because File2 has at least 1 IP address.

This applies Tip1.

However, Rule1 has Stop Processing = No, so evaluation continues.

Rule2 (Priority 1) will also trigger because File2 has 3 IP addresses (≥3).

This applies Tip2.

Rule2 has Stop Processing = Yes, so evaluation stops after this.

Rule3 (Priority 2) will not be evaluated because Rule2 stopped processing.

Step 4 – Final outcome

File2 matches Rule1 (Tip1), but since Rule2 fires afterward with Stop Processing = Yes, only Tip2 is applied.

Step 5 – Microsoft Reference

From Microsoft docs: “When a rule is configured to stop processing, subsequent rules are not evaluated and only the policy tip from the last triggered rule with stop processing applies.”

To auto-apply a retention label to documents based on a specific file naming pattern (like abc_XX123.docx), you need to use a detection method that can recognize patterns.

Retention label: This is the outcome (what you apply), not the detection mechanism. It cannot itself identify files.

Trainable classifier: Used for identifying content based on text meaning/semantics (e.g., HR documents, contracts). It is not suitable for structured patterns like file names.

Sensitive info type (SIT): Best option. Custom SITs can be created with regular expressions to match naming formats (such as xxx_XX999). Once the SIT is defined, you can configure an auto-apply retention label policy to apply the “Project Documents” label when the SIT is detected.

The question is asking what item types can be retained when implementing Microsoft Teams retention policies in Microsoft 365 E5.

Retention policies in Teams can apply to:

Teams chat messages (1:1 or group chats)

Teams channel messages

Items within those messages, including text, links, and supported embedded objects.

Step 2 – Supported Teams retention items

According to Microsoft documentation:

Retention policies support Teams messages (chats and channel posts) and their associated attachments or in-line content such as:

Embedded images

Code snippets

Tables, links, and reactions

Retention policies do not support certain Teams items, including:

Voicemails

Calls and meetings recordings

Whiteboards

Message reactions (stored separately in Azure services)

Endpoint DLP builds on Microsoft Defender for Endpoint integration. Before enabling Endpoint DLP, you must turn on device onboarding in Microsoft Purview to allow devices (like Device1) to be enrolled. After onboarding, you can assign DLP policies to endpoints.

To test Microsoft Purview Advanced Message Encryption (which relies on Azure Information Rights Management), you use the Test-IRMConfiguration cmdlet. It verifies configuration, template availability, and encryption/decryption status.

Test-OAuthConnectivity → tests OAuth authentication.

Test-ClientAccessRule → tests client access rules.

Test-Mailflow → tests mail routing.

To add a new keyword dictionary in Microsoft Purview Data Loss Prevention (DLP), you must create a Sensitive Information Type (SIT).

Sensitive Info Types (SITs) allow you to define custom detection rules, including keyword dictionaries, regular expressions, and functions for identifying sensitive content in emails, documents, and other Microsoft 365 locations. A keyword dictionary is a list of predefined words/phrases that Microsoft Purview can use to identify and classify content for DLP policies.

Steps to add a keyword dictionary:

1. Go to Microsoft Purview compliance portal

2. Navigate to Data classification > Sensitive info types

3. Create a new sensitive info type

4. Add a keyword dictionary

5. Save and use it in a DLP policy

Since you need to automatically apply a sensitivity label to resumes based on their content and structure (work experience, education, accomplishments), a trainable classifier is the best choice.

Trainable classifiers use machine learning to identify unstructured data, such as resumes, contracts, or legal documents. Instead of relying on predefined patterns (like keywords or regular expressions), a trainable classifier learns from sample documents and can accurately identify resumes even if they are formatted differently.

Final Approach:

● Train a trainable classifier using sample resumes.

● Deploy the classifier in Microsoft Purview.

● Configure a sensitivity label to be automatically applied when a document matches the classifier.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.