Microsoft Information Security Administrator · Difficulty

Hard SC-401 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 10 hard questions available — no sign-up, always free.

Question 1 of 10

Contoso has deployed Endpoint DLP to onboarded Windows devices. Users routinely upload documents to sanctioned corporate cloud services but occasionally paste sensitive files into personal cloud storage sites through the browser. Security wants Endpoint DLP to ALLOW uploads to approved corporate cloud domains while BLOCKING uploads of sensitive content to all other web destinations. Which configuration should you implement?

Reviewed for accuracy · Report an issue
Question 2 of 10

Your organization has deployed Microsoft 365 Copilot and also allows employees to use consumer generative AI apps such as ChatGPT and Google Gemini from company devices. Security leadership wants a single dashboard in Purview that surfaces sensitive data being shared with BOTH Copilot and these third-party AI sites, including which sensitivity labels and sensitive info types are involved. Before this cross-app visibility works in DSPM for AI, which prerequisite must you complete for the third-party AI site activity to appear?

Reviewed for accuracy · Report an issue
Question 3 of 10

Contoso has deployed Microsoft 365 Copilot and enabled DSPM for AI. The security team reports that employees are pasting content labeled 'Highly Confidential' into third-party generative AI sites such as public ChatGPT, and they also want to reduce the risk of users prompting Copilot with sensitive data. Which combination of Purview DSPM for AI capabilities should you configure to address BOTH concerns with the least administrative effort?

Reviewed for accuracy · Report an issue
Question 4 of 10

Your organization has onboarded Windows 11 devices to Purview Endpoint DLP. The compliance team wants to prevent users from copying files that contain credit card numbers to unmanaged network file shares, while still allowing copies to a specific approved corporate share (\\corp-fs01\secure). Copies to the approved share should be permitted without any user prompt. What is the correct way to configure the Endpoint DLP rule to meet these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 10

Your organization has onboarded 200 Windows 11 devices to Microsoft Purview Endpoint DLP. Security notices that users are copying documents containing credit card numbers to removable USB drives. You must configure an Endpoint DLP rule that blocks copying such files to USB devices but still allows copying to corporate-approved USB drives without any prompt. What should you configure?

Reviewed for accuracy · Report an issue
Question 6 of 10

Contoso created an exact data match (EDM) sensitive information type based on a schema that includes CustomerID, LastName, and CreditCardNumber. Compliance analysts report that DLP is generating too many false positives because a match is triggered whenever a CreditCardNumber alone appears in a document, even without any related customer data. You need to reduce false positives by requiring that a detected CreditCardNumber must appear together with at least one other field from the same data row before it counts as an EDM match. Which EDM configuration change should you make?

Reviewed for accuracy · Report an issue
Question 7 of 10

Your organization uses Purview Insider Risk Management to detect data leaks. A concern has been raised that a user may be slowly exfiltrating data by copying small amounts of sensitive files to USB devices over several weeks — each individual action is too small to trigger a threshold alert, but the aggregated volume is significant. Which policy capability should you rely on to surface this pattern?

Reviewed for accuracy · Report an issue
Question 8 of 10

Contoso uses Purview Message Encryption. A compliance officer sends an encrypted email from Outlook on the web to an external recipient at a partner organization. The email contains a Word document attached from the sender's OneDrive as a cloud attachment (sharing link) rather than a copy. The compliance officer wants to ensure the attached document itself remains protected when the external recipient opens it. What determines whether the linked document is protected?

Reviewed for accuracy · Report an issue
Question 9 of 10

Contoso must protect a small set of highly sensitive research documents so that the encryption keys are held entirely by Contoso and are never accessible to Microsoft, while still allowing these documents to be labeled and consumed in Office desktop apps. Which encryption configuration should you implement for the sensitivity label protecting these documents?

Reviewed for accuracy · Report an issue
Question 10 of 10

Your organization uses Purview sensitivity labels with encryption. Legal team members frequently travel and need to open highly confidential documents while disconnected from the corporate network for up to two weeks. Security requires that if an employee leaves, access to protected content can be revoked quickly. When configuring the encryption settings on the sensitivity label, which setting directly controls the trade-off between offline access duration and how quickly revoked access takes effect?

Reviewed for accuracy · Report an issue