Microsoft SC-401 Dumps

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There's no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

DLP policy tips are shown across all supported Outlook clients: Outlook on the web (OWA), Outlook desktop (Win32), and Outlook mobile apps (iOS and Android). This ensures users are informed when sending sensitive information across any supported client.

Step 1 – Requirement

We need a custom sensitive information type (SIT) that detects:

An employee ID number in a specific format → hire date + three digits.

This is a pattern-based requirement.

Specific keywords within 300 characters of that ID → “Employee”, “ID”, or “Identification”.

This is a keyword proximity requirement.

Step 2 – Sensitive info type elements in Microsoft 365

When creating custom SITs, you define primary and secondary elements:

Primary element → The main pattern or data to detect (the most defining factor).

Secondary element → Supporting evidence that must be found near the primary element to increase confidence.

Available elements:

Regular expression → Used to define patterns such as date + digits (for employee ID).

Keyword list → Used for lists of words/phrases like "Employee", "ID", "Identification".

Functions → Used for built-in validators like credit card checksum, not relevant here.

???? Reference: Create a custom sensitive information type in Microsoft 365

Step 3 – Apply to scenario

Employee ID pattern (hire date + 3 digits) → Needs a regular expression → This must be the Primary element.

Keywords (“Employee”, “ID”, “Identification”) within 300 characters → A keyword list → This must be the Secondary element.

Step 1 – Review what’s configured

Labels: Public, General, Confidential, Internal, External.

Also shown in policy: Confidential/Internal and Confidential/External.

Policy setting: Users must provide justification to remove a label or lower its classification.

Confidential/External → encrypts content when applied.

Step 2 – Analyze each statement

Statement 1: The Internal sensitivity label inherits all the settings from the Confidential label.

Sub-labels (e.g., Confidential/Internal, Confidential/External) do not inherit settings from the parent.

They are independent labels grouped under a parent for organization, but each sub-label must have its own protection settings defined.

Answer: No

Statement 2: Users must provide justification if they change the label of content from Confidential/Internal to Confidential/External.

The policy requires justification only when removing a label or downgrading classification (lowering).

Changing between two sub-labels of the same parent (Confidential/Internal → Confidential/External) is considered a lateral move (not a downgrade).

Answer: No

Statement 3: Content that has the Confidential/External label applied will retain the encryption settings if the sensitivity label is removed from the label policy.

If a label is removed from a published policy, content already labeled retains its protection settings (such as encryption).

The label metadata stays applied to the file/email, even if unpublished.

Answer: Yes

Activity Explorer logs a DLP rule match event each time any DLP rule condition is met on a file.

File1 matches Rule11 and Rule12 → 2 events

File2 matches Rule21 and Rule22 → 2 events

File3 matches Rule11 and Rule22 → 2 events

Total events in Activity Explorer = 2 + 2 + 2 = 6.

Microsoft notes that Activity explorer shows granular DLP activities such as policy rule matches per item.

The DLP incidents report aggregates by policy match per item, not by each rule in that policy. Multiple rules from the same policy on the same item count as one incident; if different policies match the same item, each policy creates its own incident.

File1: Rules from DLP1 only → 1 incident

File2: Rules from DLP2 only → 1 incident

File3: One rule from DLP1 and one from DLP2 → 2 incidents

Total incidents = 1 + 1 + 2 = 4.

Step 1 – Requirement

You want to create a custom sensitive info type named Sensitive1.

This SIT will be created from a document fingerprint of Template1.docx.

You then want to use Sensitive1 in DLP policies.

Step 2 – Where do you create custom Sensitive Info Types?

Custom SITs (including document fingerprinting) can only be created in the Microsoft Purview compliance portal.

They cannot be created in the Exchange admin center, SharePoint admin center, or directly in PowerShell.

Answer for creation: The Microsoft Purview portal

To implement Microsoft Purview Data Lifecycle Management for SharePoint Online (Site1), you need to create a retention label first. Retention labels define how long content should be retained or deleted based on compliance requirements. Once a retention label is created, it can be manually or automatically applied to content in SharePoint Online, Exchange, OneDrive, and Teams. After creating a retention label, you can configure label policies to apply them to Site1 and other locations.

When you configure Microsoft Purview DLP policies for the Teams chat and channel messages location, the following entities are protected:

1:1 and n:n chats (private chats between two or more users).

Team channel messages (including the General channel and all standard channels).

Private channel messages.

This means that if a DLP policy is applied to User1 and User2, it will monitor and enforce rules across:

Chats between User1 and User2 (1:1 or group chats).

Any channel conversations they participate in (General or other channels).

Private channels they belong to.

Incorrect options:

A (1:1/n chats and general channels only) → Excludes private channels, but DLP supports them.

B (1:1/n chats and private channels only) → Excludes general channels, but DLP supports them too.

A. Create a DLP policy → Needed to detect sensitive information being shared externally.

B. Turn on Indicators → Required for insider risk policies to detect risky activities like external sharing.

C. Configure adaptive protection → Optional for tailoring enforcement, not mandatory here.

D. Turn on analytics → Helps assess policy impact but not required to generate alerts.

E. Create an insider risk policy → Required to generate insider risk alerts.

Policy1 monitors printing of files by users that submitted their resignation. In Insider Risk Management, the Data theft by departing users template is designed for users marked as leaving and watches for exfiltration indicators such as printing, USB copy, or uploads to cloud services.

Ref: Microsoft Purview Insider Risk Management – Policy templates: Data theft by departing users (monitors exfiltration activities for departing users).

Policy2 monitors accidental sharing of data outside the organization by users in a priority user group. The template for this is Data leaks by priority users, which targets a defined priority user group and focuses on oversharing/leak indicators (external sharing, email to external, cloud uploads, etc.).

Ref: Insider Risk Management – Data leaks by priority users template.

Policy3 monitors downloading of files from SharePoint Online to personal cloud storage services. This is a classic data leak/exfiltration scenario without a departing/priority qualifier, so the general Data leaks template is appropriate (covers uploads to personal cloud services and other exfiltration vectors).

Ref: Insider Risk Management – Data leaks template (monitors exfiltration such as uploads to personal cloud services).

These mappings align with Microsoft’s template purposes: Departing user exfiltration → Data theft by departing users; Priority users oversharing → Data leaks by priority users; Generic exfiltration → Data leaks.

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT) → Copilot cannot summarize.

Since File2 is labeled Label2, it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

Step 1 – Scenario

The alert in the exhibit is named Alert2.

Current status = Resolved.

The task is to identify which statuses you can change the alert to.

Step 2 – Microsoft 365 Alert Lifecycle

In Microsoft 365 compliance and security alerts, an alert can move between multiple statuses depending on investigation and remediation. The available statuses are:

Active – The alert is new and not yet acted upon.

Investigating – The alert is under review.

Resolved – The alert has been addressed.

Dismissed – The alert is ignored or deemed not relevant.

Step 3 – Status changes from "Resolved"

If an alert is in the Resolved state, administrators can reopen or reclassify it. According to Microsoft documentation, from Resolved, you can change it to:

Active

Investigating

Dismissed

This allows flexibility in continuing investigations if needed or dismissing false positives.

Step 4 – Microsoft Reference

From Microsoft Docs: “You can change the status of an alert between Active, Investigating, Resolved, and Dismissed to reflect its current stage in the triage process.”

Forensic evidence in Microsoft Purview Insider Risk Management allows capturing screenshots/clips of user activity on endpoints.

Requirements for forensic evidence capture:

The device must be onboarded to Microsoft Purview (via Defender for Endpoint).

The Microsoft Purview client must be installed.

Supported platforms: Windows 10 and Windows 11 (macOS is not supported for forensic evidence).

Now check each device:

Device1 (Windows 11) → Client installed, but not onboarded → ❌ Not eligible.

Device2 (Windows 10) → Onboarded and client installed → ✅ Eligible.

Device3 (macOS) → Onboarded, but client not installed and macOS is not supported → ❌ Not eligible.

Therefore, only Device2 qualifies.

User1: Since the Microsoft Purview browser extension is installed on Device1, AI-related activity performed by User1 (generating an image using a generative AI website) can be reviewed in Activity explorer in DSPM for AI.

User2: Since Device2 does not have the Microsoft Purview browser extension installed, AI-related activity cannot be tracked in DSPM for AI. Instead, Audit log search should be used to review activity such as using Microsoft 365 Copilot.

User3: Since Device3 has the Microsoft Purview browser extension installed, AI-related activity (browsing sample content on a generative AI website) can be reviewed using Activity explorer in DSPM for AI.

If User1 sends an email externally with five credit card numbers, Policy1 applies. → Yes

If User1 sends an email externally with five credit card numbers, Policy2 also applies. → No (stopped by Policy1).

If User2 sends an email externally with five credit card numbers, Policy2 applies. → Yes

???? Policy1

Order: 0 (highest priority).

Scope: Exchange email for the Finance distribution group.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Encrypt with “Encrypt email” option.

Additional options: Stop processing additional DLP policies and rules.

???? Policy2

Order: 1 (lower priority).

Scope: All Exchange email.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Restrict/block OR encrypt depending on configuration, notify admin.

Additional options: None.

???? User-by-user Analysis

User1 (Finance group):

Policy1 applies first (priority 0).

If User1 sends email externally with ≥ 5 CCNs, Policy1 encrypts the email and stops further processing.

Therefore, Policy2 never applies to User1.

User2 (Sales group):

Not in Finance, so Policy1 does not apply.

Policy2 applies (all Exchange email).

If User2 sends email externally with ≥ 5 CCNs, Policy2 action is enforced (restrict/block or encrypt).

Activity Policy (MCAS): Monitors and alerts on specific user actions such as uploading files, downloads, or logins to cloud apps. Perfect for detecting “upload to third-party storage”.

Sensitivity label: Used for classifying and protecting content, not generating alerts.

File policy (MCAS): Inspects and governs files already stored in sanctioned apps, not upload activity.

Insider risk policy: Focuses on risky behavior like data exfiltration or security violations, not direct activity alerts in cloud apps.

Correct Answer: A. an activity policy

Trainable classifiers in Microsoft Purview learn from sample documents. When the initial results are unsatisfactory, retraining is done by reviewing and reclassifying items through Content explorer under the Data classification section of the Purview compliance portal. This allows you to give feedback by marking documents as “relevant” or “not relevant” to improve classifier accuracy.

The other options do not support retraining:

Labels from Information protection → Used to configure and manage sensitivity labels, not train classifiers.

Labels from Information governance → Used for retention labels, not classifiers.

Content search → Used for eDiscovery and searching content, not classifier training.

The Set-MailboxFolderPermission -Identity "User1" -User User1@contoso.com -AccessRights Owner command is incorrect. This assigns folder permissions but does not enable auditing. It does not track who accessed the mailbox or deleted emails.

To create a trainable classifier that can be used in an auto-apply retention label policy, you need to follow these key steps:

1. Create the trainable classifier

This is the first step where you define the classifier, specifying the types of content it should identify.

2. Test the trainable classifier

Before using the classifier in production, you need to validate its accuracy by testing it against sample documents to ensure it correctly classifies the intended data.

3. Publish the trainable classifier

Once testing is successful, you must publish the classifier so that it can be used in policies like auto-apply retention labels in Microsoft Purview.

In Microsoft Purview, when multiple alert policies trigger alerts, duplicate alerts within a short period (typically 5 minutes) may be suppressed to avoid redundancy.

Step-by-step Analysis:

● Policy1 at 10:00:04 is ignored because Policy1 already triggered at 10:00:00, and it's within 5 minutes.

● Policy2 at 10:00:31 is ignored because Policy2 already triggered at 10:00:03, and it's within 5 minutes.

● Policy1 at 10:01:01 is a new alert because it's over 1 minute after the previous Policy1 alert.

● Policy1 at 10:04:45 is a new alert because it's over 3 minutes after the previous Policy1 alert.

for each of the following you can have a retention policy

1.EXO, SPO, ODfB, M365 groups

2.Teams channel messages, teams chat

3.Teams private channel messages