SC-401 cheat sheet
A one-page reference for the Microsoft Information Security Administrator exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
Microsoft
Level
Associate
Questions
60
Time
100 min
Mock pass mark
70%
Domains
3
Practice Qs
84
Code
SC-401
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- Microsoft Purview
- Microsoft Purview is Microsoft's unified data security, governance, and compliance suite. SC-401 centers on using Purview to protect sensitive data across Microsoft 365 and AI services.
- Sensitivity label
- A sensitivity label is a Purview classification applied to items and containers to enforce protection such as encryption, content marking, and access limits. SC-401 covers creating, publishing, and auto-applying sensitivity labels.
- Auto-labeling
- Auto-labeling is a Purview capability that automatically applies sensitivity or retention labels to content that matches defined conditions. SC-401 covers configuring auto-labeling policies for sensitivity labels.
- Sensitive information type
- A sensitive information type (SIT) is a pattern-based classifier — built-in or custom — used to detect data like credit-card or ID numbers. SC-401 covers custom SITs, document fingerprinting, and exact data match.
- Exact data match
- Exact data match (EDM) is a classification method that identifies sensitive data by matching against a hashed copy of an organization's own data values. SC-401 covers creating and managing EDM-based sensitive info types.
- Trainable classifier
- A trainable classifier is a Purview machine-learning classifier trained on examples to recognize a category of content. SC-401 covers creating and managing trainable classifiers for data classification.
- Data Loss Prevention
- Data Loss Prevention (DLP) is a Purview capability that detects and restricts the sharing of sensitive data across Microsoft 365 workloads and endpoints. SC-401 covers designing, creating, and monitoring DLP policies.
- Endpoint DLP
- Endpoint DLP extends Purview data loss prevention to activities on managed devices, such as copying files to USB or printing. SC-401 covers device requirements, advanced device rules, and monitoring endpoint activities.
- Adaptive Protection
- Adaptive Protection dynamically adjusts DLP and other controls based on a user's calculated insider risk level. SC-401 covers configuring DLP policies for Adaptive Protection and enabling insider risk levels for it.
- Retention label
- A retention label classifies content to enforce how long it is kept and what happens at the end of its lifecycle. SC-401 covers creating retention labels and publishing or auto-applying them via label policies.
- Retention policy
- A retention policy applies retention or deletion settings broadly to locations such as mailboxes and sites without labeling individual items. SC-401 covers creating retention policies and interpreting policy precedence.
- Insider Risk Management
- Insider Risk Management is a Purview solution that detects and manages risky internal activities using policy templates and indicators. SC-401 covers connectors, policies, alerts, cases, and forensic evidence.
- Purview Audit
- Microsoft Purview Audit records user and admin activity across Microsoft 365 in the unified audit log, with a Premium tier for extended retention. SC-401 covers investigating activities and configuring audit retention policies.
- DSPM for AI
- DSPM for AI (Data Security Posture Management for AI) is a Purview capability that discovers, protects, and monitors data used by AI services such as Copilot. SC-401 covers its prerequisites, roles, policies, and activity monitoring.