SC-401 cheat sheet

A one-page reference for the Microsoft Information Security Administrator exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
Microsoft
Level
Associate
Questions
60
Time
100 min
Mock pass mark
70%
Domains
3
Practice Qs
84
Code
SC-401

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

Microsoft Purview
Microsoft Purview is Microsoft's unified data security, governance, and compliance suite. SC-401 centers on using Purview to protect sensitive data across Microsoft 365 and AI services.
Sensitivity label
A sensitivity label is a Purview classification applied to items and containers to enforce protection such as encryption, content marking, and access limits. SC-401 covers creating, publishing, and auto-applying sensitivity labels.
Auto-labeling
Auto-labeling is a Purview capability that automatically applies sensitivity or retention labels to content that matches defined conditions. SC-401 covers configuring auto-labeling policies for sensitivity labels.
Sensitive information type
A sensitive information type (SIT) is a pattern-based classifier — built-in or custom — used to detect data like credit-card or ID numbers. SC-401 covers custom SITs, document fingerprinting, and exact data match.
Exact data match
Exact data match (EDM) is a classification method that identifies sensitive data by matching against a hashed copy of an organization's own data values. SC-401 covers creating and managing EDM-based sensitive info types.
Trainable classifier
A trainable classifier is a Purview machine-learning classifier trained on examples to recognize a category of content. SC-401 covers creating and managing trainable classifiers for data classification.
Data Loss Prevention
Data Loss Prevention (DLP) is a Purview capability that detects and restricts the sharing of sensitive data across Microsoft 365 workloads and endpoints. SC-401 covers designing, creating, and monitoring DLP policies.
Endpoint DLP
Endpoint DLP extends Purview data loss prevention to activities on managed devices, such as copying files to USB or printing. SC-401 covers device requirements, advanced device rules, and monitoring endpoint activities.
Adaptive Protection
Adaptive Protection dynamically adjusts DLP and other controls based on a user's calculated insider risk level. SC-401 covers configuring DLP policies for Adaptive Protection and enabling insider risk levels for it.
Retention label
A retention label classifies content to enforce how long it is kept and what happens at the end of its lifecycle. SC-401 covers creating retention labels and publishing or auto-applying them via label policies.
Retention policy
A retention policy applies retention or deletion settings broadly to locations such as mailboxes and sites without labeling individual items. SC-401 covers creating retention policies and interpreting policy precedence.
Insider Risk Management
Insider Risk Management is a Purview solution that detects and manages risky internal activities using policy templates and indicators. SC-401 covers connectors, policies, alerts, cases, and forensic evidence.
Purview Audit
Microsoft Purview Audit records user and admin activity across Microsoft 365 in the unified audit log, with a Premium tier for extended retention. SC-401 covers investigating activities and configuring audit retention policies.
DSPM for AI
DSPM for AI (Data Security Posture Management for AI) is a Purview capability that discovers, protects, and monitors data used by AI services such as Copilot. SC-401 covers its prerequisites, roles, policies, and activity monitoring.