SC-401 Microsoft Administering Information Security in Microsoft 365 Free Practice Exam Questions (2025 Updated)

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

To create custom trainable classifiers in Microsoft Purview, the user must have rights in the compliance portal. The Compliance Administrator role provides the necessary permissions to create and manage trainable classifiers. Security roles focus on threat management, and Global Administrator is excessive (not least privilege).

The Service domains setting in Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) allows administrators to block or allow specific domains for file uploads. The goal is to prevent users from uploading DLP-protected documents to web1.contoso.com and web2.contoso.com.

Setting the Service domains to "web1.contoso.com and web2.contoso.com" precisely targets the two specific third-party websites, minimizing administrative effort while ensuring strict control.

To meet the requirements, you need one DLP policy with two separate DLP rules to handle the different conditions:

1. First DLP Rule (For Group1 Members): If the user is a member of Group1 and attempts to copy a file with sensitive data to a USB storage device. Allow the file copy but log the event in the audit log.

2. Second DLP Rule (For All Other Users): If any user who is NOT in Group1 attempts to copy a file with sensitive data to a USB storage device. Block the file transfer.

In Microsoft Purview, when multiple alert policies trigger alerts, duplicate alerts within a short period (typically 5 minutes) may be suppressed to avoid redundancy.

Step-by-step Analysis:

● Policy1 at 10:00:04 is ignored because Policy1 already triggered at 10:00:00, and it's within 5 minutes.

● Policy2 at 10:00:31 is ignored because Policy2 already triggered at 10:00:03, and it's within 5 minutes.

● Policy1 at 10:01:01 is a new alert because it's over 1 minute after the previous Policy1 alert.

● Policy1 at 10:04:45 is a new alert because it's over 3 minutes after the previous Policy1 alert.

for each of the following you can have a retention policy

1.EXO, SPO, ODfB, M365 groups

2.Teams channel messages, teams chat

3.Teams private channel messages

Step 1 – Understanding the scenario

The screenshot shows multiple Sensitive Information Types (SITs) in Microsoft Purview, including:

ABA Routing Number (Microsoft-built)

ASP.NET Machine Key (Microsoft-built)

Adatum document patterns (custom, Fingerprint type)

Adatum numbers (custom, Entity type)

Bundled SITs (like All Credential Types, All Full Names)

The question is asking:

Which SITs can you copy to create a new SIT?

Which SITs can you edit directly without copying?

Step 2 – Microsoft rules for SITs

Built-in SITs (published by Microsoft Corporation):

These cannot be edited directly. To modify them, you must create a copy first.

Custom SITs (created in your tenant, e.g., Contoso):

These can be edited directly without making a copy.

The mail flow rule is configured to apply OMEv2 protection (“Protect with OMEv2”) to messages. With OMEv2:

Recipients on consumer mail systems (such as Gmail) receive a link-protected message and must authenticate to the Office 365 Message Encryption portal to view the content.

Microsoft 365 recipients (even in external tenants) get a native reading experience in Outlook/OWA where protected messages are opened directly with automatic decryption using their Microsoft 365 identity—no separate OME portal workflow is required.

These behaviors are documented by Microsoft for OMEv2 user experiences for different recipient types and clients. See: Microsoft Purview Office 365 Message Encryption overview and user experiences for external Microsoft 365 and consumer email recipients.

An activity policy in Microsoft Defender for Cloud Apps (Microsoft Defender portal) allows you to track and alert on specific user actions, such as sharing sensitive documents externally from OneDrive. This policy can detect file-sharing activities and send alerts when files are shared with external users, which meets the requirement.

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

The scenario is about retaining audit logs for User1 for 10 years in Microsoft 365. Admin1 is responsible for managing audit retention policies, but the requirement specifically applies to User1’s audit logs.

Key points:

Microsoft 365 E5 includes Audit (Premium) by default. This provides access to advanced auditing features and retention up to 1 year.

To retain audit logs for longer than 1 year (such as 10 years), Microsoft requires the 10-year Audit Log Retention Add-on license.

This license must be assigned to the user whose activities need to be retained (User1), not the administrator (Admin1).

Admin1 only needs permissions to configure and manage retention policies, but the actual long-term retention is tied to the licensed users’ activity.

Why other options are incorrect:

A. Assign a Microsoft Purview Audit (Premium) add-on license to User1: Not needed because E5 already includes Audit (Premium).

B. Assign a 10-year audit log retention add-on license to Admin1: Incorrect because Admin1 is not the user whose logs must be retained; the license applies to the user being audited, not the admin.

D. Assign a Microsoft Purview Audit (Premium) add-on license to Admin1: Again, unnecessary because E5 already includes Audit (Premium), and Admin1’s license does not affect User1’s log retention.

Step 1 – Understand the scenario

The security manager is receiving an email every time a Data Loss Prevention (DLP) policy match occurs. The requirement is to reduce the number of unnecessary alerts and only notify for meaningful or actionable violations.

Step 2 – Analyze each option

A. From the Microsoft Defender portal, apply a filter to the alerts.

This action would only filter what is displayed in the portal. It does not prevent the security manager from receiving email notifications each time a DLP match occurs. This does not solve the problem.

B. From the Microsoft Purview portal, modify the Policy Tips settings of a DLP policy.

Policy Tips are intended for end users inside Outlook, Word, Excel, or PowerPoint to guide them about sensitive information before they send or share content. They do not change how or when admin alert notifications are triggered.

C. From the Microsoft Purview portal, modify the matched activities threshold of an alert policy.

DLP alert policies allow configuration of thresholds such as the number of matches, severity levels, and repeated activity counts. By adjusting the matched activities threshold, alerts can be generated only when a violation reaches a significant level, which reduces unnecessary alerts and ensures that notifications are sent only for actionable events. This matches the requirement.

D. From the Microsoft Purview portal, modify the User overrides settings of a DLP policy.

User override settings allow end users to bypass a DLP restriction if they provide a justification, but this does not impact the number of alert notifications sent to the security manager.

Step 3 – Microsoft Reference

According to Microsoft documentation: “You can configure alert policies with thresholds to reduce the number of alert notifications and focus only on actionable DLP events.”

To prevent the contents of files stored in Channel1 from being included in Microsoft 365 Copilot responses and ensure unauthorized users cannot access them, you should use Microsoft Purview Sensitivity Labels.

Sensitivity labels allow you to classify, protect, and restrict access to sensitive files. You can configure label-based encryption and access control policies to ensure that only authorized users can access or interact with the files in Channel1. Microsoft 365 Copilot respects sensitivity labels, meaning if a file is labeled with restricted permissions, Copilot will not use it in generated responses for unauthorized users.

To customize encrypted email in Microsoft 365, including adding a company logo, you need to modify the Office Message Encryption (OME) branding settings. The Set-OMEConfiguration PowerShell cmdlet allows you to configure branding elements such as:

● Company logo

● Custom text

● Background color

This cmdlet is used to update existing OME branding settings, ensuring that encrypted emails sent from your organization include the required customizations.