SC-401 Microsoft Administering Information Security in Microsoft 365 Free Practice Exam Questions (2025 Updated)

Microsoft Purview Insider Risk Management flags high-impact users based on various risk factors, including role, access to confidential data, and influence within an organization. Let's analyze each user:

User1 (Regional Manager, assigned Reader role, manages department managers)

Risk Factors:

● Holds a managerial position (regional manager).

● Manages multiple department managers, indicating organizational influence.

● Access to critical business information.

Flagged? -Yes (Managerial role and access to confidential data).

User2 (HR department manager, no Microsoft Entra roles, manages HR department users)

Risk Factors:

● Manages HR department users, meaning they likely handle sensitive employee data.

● HR roles are often considered high-risk due to access to personal and payroll data.

Flagged? -Yes (HR role and access to sensitive employee data).

User3 (Developer, reports to User2, only user in compliance, assigned Compliance Administrator role)

Risk Factors:

● Compliance Administrator role grants access to sensitive security and regulatory data.

● Only person in the compliance department, meaning they hold a critical role.

● Potentially high impact on compliance and security settings.

Flagged? -Yes (Privileged Compliance Administrator role).

User4 (Assistant to User1, no Entra roles, handles confidential data on behalf of User1)

Risk Factors:

● Handles a high volume of confidential data on behalf of a regional manager.

● Assistants with access to sensitive data are considered insider risk candidates.

Flagged? -Yes (High access to sensitive information).

Since all four users fit high-impact criteria (managerial roles, privileged compliance access, handling sensitive data), Microsoft Purview Insider Risk Management will flag all of them.

AutoApply1 is an auto-labeling policy that applies RLabel1 to Group1. Auto-labeling policies can apply retention labels across group mailboxes, SharePoint Online sites, and Teams channel messages if they are configured for group resources.

Retention1 is a retention policy applied to Group2. Retention policies for Microsoft 365 groups apply to all group resources, including group mailboxes, SharePoint Online teams sites, and Teams channel messages.

Since both AutoApply1 and Retention1 affect entire groups, they apply to all associated resources: group mailbox, SharePoint Online teams site, and Teams channel messages.

The issue where users sometimes can upload files to cloud services and sometimes cannot suggests inconsistent enforcement of Endpoint DLP policies. This can be caused by the unallowed browsers in the Microsoft 365 Endpoint DLP settings are NOT configured. Also, there are file path exclusions in the Microsoft 365 Endpoint DLP settings.

Endpoint DLP can block uploads only when using unallowed browsers. If unallowed browsers are not configured, users might be able to bypass restrictions by switching to a different browser. This could explain why uploads sometimes work and sometimes don’t, depending on which browser is used.

File path exclusions allow certain files or folders to be exempt from DLP restrictions. If a specific file location is excluded, files stored there won’t trigger DLP policies, leading to inconsistent behavior. This could result in some uploads being blocked while others are allowed.

To track interactions between users and generative AI websites in Microsoft Purview Audit, you need to deploy the Microsoft Purview browser extension to the devices. This extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms.

Microsoft Purview extension provides visibility into browser-based activities, including AI tool usage, ensuring compliance and risk management within Microsoft Purview. This extension works with Microsoft Edge and Google Chrome to track and log user interactions.

Retention policy tags (MRM) for Exchange Online are applied by the Managed Folder Assistant (MFA). To apply a newly created Exchange retention policy to mailbox items immediately, you manually invoke MFA with Start-ManagedFolderAssistant for the mailbox or set of mailboxes. Creating DLP policies or label policies in Purview does not accelerate MRM processing.

A trainable classifier in Microsoft Purview is used to automatically identify and classify unstructured data based on content patterns. The classifier can be used in:

1. Retention Labels (Label2) → Supported

● Trainable classifiers can be linked to retention labels to automatically classify and apply retention policies to documents.

2. Retention Label Policies (Policy1) → Supported

● Retention label policies define how and where retention labels are applied, including automatically using trainable classifiers.

3. Data Loss Prevention (DLP) Policies (DLP1) → Supported

● Trainable classifiers can be used in DLP policies to detect and protect sensitive content automatically.

Create: → A sensitive info type

Element: → Keyword dictionary

You want to classify documents in SharePoint Online based on a list of customer names stored in Customer.csv (1,000 entries).

In Microsoft Purview, there are several options for custom classification:

Sensitive info type (SIT):

Designed to detect predefined or custom patterns such as credit cards, IDs, or custom lists.

You can build a custom SIT using elements like keyword dictionary, regular expressions, and functions.

In this case, since you have a large CSV with 1,000 customer names, you upload that list as a keyword dictionary element.

Trainable classifier:

Used when you want AI to classify documents by training on examples of positive/negative samples (like contracts, resumes).

Not relevant here because you already have a structured list of customer names rather than needing machine learning classification.

Adaptive scope:

Determines where (users, groups, sites) policies apply, not what content is classified.

Not relevant here.

Correct pairing:

Create: A sensitive info type (SIT).

Element: Keyword dictionary (upload the Customer.csv file).

Microsoft Purview browser extensions for Endpoint DLP are supported on:

● Windows 10/11 (Config1)

● macOS (Config2)

● Not supported on Android (Config3)

Since Microsoft Purview does not support browser extensions on Android, Config3 is excluded from both Google Chrome and Firefox.

The content search uses the KQL editor with the query -Author:USER1. In eDiscovery/Content search, the minus sign denotes NOT and KQL is case-insensitive for property values. Therefore, this query returns items whose Author is not ‘User1’.

File1.docx → Author = User1 → excluded

File2.docx → Author = User2 → included

File3.docx → Author = USER1 (same as User1, case-insensitive) → excluded

Result: File2.docx only.

The sensitivity label Label1 assigns permissions (User1 = Co-Author, User2 = Reviewer, User3 = Viewer) and enables Double Key Encryption (DKE). Microsoft 365 Copilot can summarize content only when the service can access the file using the user’s permissions. Content protected with Double Key Encryption is not accessible to Microsoft cloud services (including Copilot); as a result, Copilot cannot open or process DKE-protected files for any user, even if they can open the file themselves in Office apps.

Therefore, no user can use Microsoft 365 Copilot to summarize File1.

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

To create custom trainable classifiers in Microsoft Purview, the user must have rights in the compliance portal. The Compliance Administrator role provides the necessary permissions to create and manage trainable classifiers. Security roles focus on threat management, and Global Administrator is excessive (not least privilege).

Trainable classifiers in Microsoft Purview require a source of documents that can be labeled as examples of what the classifier should recognize. Supported sources include SharePoint Online and Exchange Online mailboxes. On-premises SharePoint Server sites, Azure File shares, and NFS file shares are not supported for classifier training.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).