Microsoft Information Security Administrator · Difficulty

Medium SC-401 practice questions

Applied — put a concept to work in a realistic situation. 74 medium questions available — no sign-up, always free.

Question 1 of 25

A security analyst at Contoso needs to determine which users have recently lowered the sensitivity label on documents from 'Confidential' to 'General' and where those files were stored when the change occurred. The analyst has been assigned appropriate Purview permissions. Which Microsoft Purview tool should the analyst use to review this specific label-change activity across the organization?

Reviewed for accuracy · Report an issue
Question 2 of 25

Contoso needs to send encrypted financial reports to external partners via email. Compliance requires that recipients accessing these encrypted messages through the web portal lose access automatically after 14 days, and that the organization can revoke access on demand. Which Purview capability must you configure to meet the automatic expiration requirement?

Reviewed for accuracy · Report an issue
Question 3 of 25

Your organization uses Microsoft Purview Message Encryption. The legal team frequently sends encrypted emails containing settlement details to external recipients at partner law firms. After a recent dispute, the legal team asks you to enable two capabilities: the ability to revoke access to an already-sent encrypted email, and the ability to set an expiration date so external recipients can no longer open the message after 30 days. Which solution meets both requirements?

Reviewed for accuracy · Report an issue
Question 4 of 25

A compliance investigator at Contoso needs to determine which user accessed a specific highly confidential file stored in SharePoint Online, when it was accessed, and from which IP address, going back 9 months. The organization has Microsoft 365 E5 licensing. Which Purview capability should the investigator use to retrieve this historical activity?

Reviewed for accuracy · Report an issue
Question 5 of 25

A security analyst at Contoso is investigating a suspected business email compromise. They need to determine exactly which email messages in a compromised user's mailbox were accessed by the attacker over the past 90 days, including messages that were viewed but not forwarded or downloaded. The organization holds Microsoft 365 E5 licenses. Which Purview Audit capability should the analyst rely on to obtain this information?

Reviewed for accuracy · Report an issue
Question 6 of 25

Contoso wants to automatically apply a sensitivity label to email messages sent through Exchange Online whenever the message body contains credit card numbers, without requiring any user interaction and without depending on whether the user has the Purview Information Protection client installed. Which approach meets all these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 25

Your organization has created a new auto-labeling policy in Microsoft Purview to apply the 'Highly Confidential' sensitivity label to documents in SharePoint and OneDrive that contain credit card numbers. Before enabling the policy for all users, the compliance team wants to validate which files would be affected and review potential false positives without actually applying any labels. What should you do?

Reviewed for accuracy · Report an issue
Question 8 of 25

Contoso needs a sensitive information type that flags any document containing one of roughly 5,000 internal project code names your R&D team maintains in a spreadsheet. The list changes frequently and must be easy for a compliance admin to update without editing regular expressions. Which approach in Microsoft Purview should you use?

Reviewed for accuracy · Report an issue
Question 9 of 25

Your organization uses Microsoft Purview to classify documents with sensitivity labels. A compliance analyst named Dana needs to browse the actual content of files that have been labeled or that contain sensitive information types across SharePoint and Exchange, so she can verify that classification is working correctly. Dana can currently see aggregated label counts but receives an access error when she tries to open individual items in Content explorer. Which role should you assign to Dana to allow her to view the actual content of the classified items?

Reviewed for accuracy · Report an issue
Question 10 of 25

You are a compliance administrator at Contoso. Management asks for a report that shows the current count of documents and emails that carry each sensitivity label across SharePoint, OneDrive, and Exchange, and they also want to open individual labeled files to verify the applied classification is correct. Which Microsoft Purview capability should you use to see both the aggregated per-label counts and drill into the actual underlying items?

Reviewed for accuracy · Report an issue
Question 11 of 25

Contoso created a custom sensitive information type (SIT) to detect internal project codes formatted as three uppercase letters followed by a hyphen and five digits. During testing, a DLP policy using this SIT is generating too many false positives because it matches unrelated text strings that happen to fit the pattern. The security team wants to reduce false positives without abandoning the custom SIT. What should they do?

Reviewed for accuracy · Report an issue
Question 12 of 25

Contoso stores sensitive project files in a sanctioned third-party SaaS cloud storage app that is connected to Microsoft Defender for Cloud Apps via the API connector. The security team wants files in that app that contain credit card numbers to automatically receive the 'Highly Confidential' sensitivity label, which is already published to users. What must you configure to accomplish this?

Reviewed for accuracy · Report an issue
Question 13 of 25

Your organization uses Microsoft Defender for Cloud Apps connected to SharePoint Online and OneDrive. The security team wants an automated response whenever a file containing credit card numbers is shared with external users: the file should be placed in administrative quarantine and the file owner notified. You create a file policy that detects the sensitive content and the external sharing condition. Which governance action in the file policy meets the requirement to remove external access while preserving the file for review?

Reviewed for accuracy · Report an issue
Question 14 of 25

Your organization uses Microsoft Purview Insider Risk Management with Adaptive Protection enabled. Security leadership wants users who reach an 'Elevated' insider risk level to be automatically subjected to stricter DLP enforcement (blocking, rather than just auditing, the copying of sensitive files to USB), while lower-risk users continue with audit-only actions. You must configure a DLP policy that changes enforcement based on the user's current risk level without manually maintaining user lists. What should you do?

Reviewed for accuracy · Report an issue
Question 15 of 25

A DLP administrator at Contoso is reviewing alerts in the Microsoft Purview portal. A single alert shows that a user triggered a policy 47 times over two hours by attempting to email spreadsheets containing credit card numbers to an external domain. The administrator needs to formally begin working the alert and prevent other reviewers from duplicating effort, while keeping a record that the alert is being handled. Which action should the administrator take on the alert?

Reviewed for accuracy · Report an issue
Question 16 of 25

Your organization has onboarded 500 Windows 11 devices to Microsoft Purview Endpoint DLP. A compliance analyst reports that a user may have copied files containing credit card numbers to a personal cloud storage service last week. The analyst needs to review the full sequence of that user's file activities on their device — including copy-to-USB, upload-to-cloud, and print events — to build a timeline of what happened, even for actions that did not trigger any DLP policy alert. Which Microsoft Purview tool should the analyst use?

Reviewed for accuracy · Report an issue
Question 17 of 25

Contoso has deployed an Endpoint DLP policy that detects credit card numbers on onboarded Windows devices. Compliance wants that when a user copies a file containing credit card data to a removable USB drive, the action is allowed to complete but a security incident is generated for the compliance team without notifying or interrupting the user. Which combination of rule actions should you configure in the DLP rule?

Reviewed for accuracy · Report an issue
Question 18 of 25

Contoso wants to prevent credit card numbers from being shared. Compliance requires that the DLP policy apply to Exchange email, SharePoint sites, OneDrive accounts, and Teams chat and channel messages, but the security team explicitly wants the SAME rule conditions and actions enforced identically across all these workloads with a single policy. When designing this DLP policy, what should the administrator do to meet the requirement most efficiently?

Reviewed for accuracy · Report an issue
Question 19 of 25

You are the Information Security Administrator at Contoso. A compliance analyst named Dana needs to create and edit data loss prevention (DLP) policies in the Microsoft Purview portal, but must NOT be granted broader compliance administration rights such as managing eDiscovery cases or retention policies. You want to follow the principle of least privilege. Which role or role group should you assign to Dana?

Reviewed for accuracy · Report an issue
Question 20 of 25

You are creating a new DLP policy in the Microsoft Purview portal to protect credit card numbers across Exchange, SharePoint, and OneDrive. Leadership is concerned that immediately blocking actions could disrupt legitimate business workflows during month-end financial processing. You need to observe which items and activities the policy would affect and view the generated DLP alerts without blocking any user actions or displaying policy tips to end users. Which policy mode should you select when deploying the policy?

Reviewed for accuracy · Report an issue
Question 21 of 25

Your organization uses a standardized patent application intake form that all engineers must fill out. The blank template has fixed field labels and boilerplate text, while the completed forms contain highly confidential invention details. The compliance team wants a custom detection method that recognizes any document based on this specific form template, so DLP policies can protect completed submissions. Which Purview data classification capability should you implement?

Reviewed for accuracy · Report an issue
Question 22 of 25

You are the security administrator at Contoso. Leadership wants to use Microsoft Purview Data Security Posture Management (DSPM) for AI to gain visibility into how users interact with generative AI apps such as Microsoft 365 Copilot and to detect sensitive data being shared with AI prompts. Before you can configure DSPM for AI policies and see activity in the analytics dashboard, which prerequisite action must you complete first?

Reviewed for accuracy · Report an issue
Question 23 of 25

A litigation event requires you to preserve and search email and OneDrive content for three custodians while an investigation is ongoing. Legal counsel is concerned that involved employees might delete relevant messages before the search is completed. Using Microsoft Purview Microsoft Purview eDiscovery, what should you do FIRST to ensure the relevant content is protected from deletion during the investigation?

Reviewed for accuracy · Report an issue
Question 24 of 25

Your organization maintains a table of 2 million patient records (medical record number, patient name, date of birth) in a SQL database. You must create an exact data match (EDM) sensitive information type so DLP policies can detect only these specific records, not any values that merely resemble the pattern. After defining the schema in the Purview portal, what must you do to make the actual record values available for matching while ensuring the raw sensitive data never leaves your environment in clear text?

Reviewed for accuracy · Report an issue
Question 25 of 25

Your organization uses an exact data match (EDM) sensitive information type to detect customer account numbers in outbound email. The source data file changes weekly as new customers are added. After uploading the initial hashed data, you notice that recently added customer records are not being detected in DLP policy matches, even though they exist in the current source file. What must you do to ensure new records are detected?

Reviewed for accuracy · Report an issue