Microsoft Information Security Administrator · Domain 2 · 33% of exam

Implement data loss prevention and retention

Drill 18 practice questions focused entirely on Implement data loss prevention and retention for the Microsoft SC-401 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer18 questions
Question 1 of 18

Your organization uses Microsoft Purview Insider Risk Management with Adaptive Protection enabled. Security leadership wants users who reach an 'Elevated' insider risk level to be automatically subjected to stricter DLP enforcement (blocking, rather than just auditing, the copying of sensitive files to USB), while lower-risk users continue with audit-only actions. You must configure a DLP policy that changes enforcement based on the user's current risk level without manually maintaining user lists. What should you do?

Reviewed for accuracy · Report an issue
Question 2 of 18

Your organization has onboarded 500 Windows 11 devices to Microsoft Purview Endpoint DLP. A compliance analyst reports that a user may have copied files containing credit card numbers to a personal cloud storage service last week. The analyst needs to review the full sequence of that user's file activities on their device — including copy-to-USB, upload-to-cloud, and print events — to build a timeline of what happened, even for actions that did not trigger any DLP policy alert. Which Microsoft Purview tool should the analyst use?

Reviewed for accuracy · Report an issue
Question 3 of 18

Contoso has deployed Endpoint DLP to onboarded Windows devices. Users routinely upload documents to sanctioned corporate cloud services but occasionally paste sensitive files into personal cloud storage sites through the browser. Security wants Endpoint DLP to ALLOW uploads to approved corporate cloud domains while BLOCKING uploads of sensitive content to all other web destinations. Which configuration should you implement?

Reviewed for accuracy · Report an issue
Question 4 of 18

Contoso has deployed an Endpoint DLP policy that detects credit card numbers on onboarded Windows devices. Compliance wants that when a user copies a file containing credit card data to a removable USB drive, the action is allowed to complete but a security incident is generated for the compliance team without notifying or interrupting the user. Which combination of rule actions should you configure in the DLP rule?

Reviewed for accuracy · Report an issue
Question 5 of 18

Contoso wants to prevent credit card numbers from being shared. Compliance requires that the DLP policy apply to Exchange email, SharePoint sites, OneDrive accounts, and Teams chat and channel messages, but the security team explicitly wants the SAME rule conditions and actions enforced identically across all these workloads with a single policy. When designing this DLP policy, what should the administrator do to meet the requirement most efficiently?

Reviewed for accuracy · Report an issue
Question 6 of 18

You are the Information Security Administrator at Contoso. A compliance analyst named Dana needs to create and edit data loss prevention (DLP) policies in the Microsoft Purview portal, but must NOT be granted broader compliance administration rights such as managing eDiscovery cases or retention policies. You want to follow the principle of least privilege. Which role or role group should you assign to Dana?

Reviewed for accuracy · Report an issue
Question 7 of 18

You are creating a new DLP policy in the Microsoft Purview portal to protect credit card numbers across Exchange, SharePoint, and OneDrive. Leadership is concerned that immediately blocking actions could disrupt legitimate business workflows during month-end financial processing. You need to observe which items and activities the policy would affect and view the generated DLP alerts without blocking any user actions or displaying policy tips to end users. Which policy mode should you select when deploying the policy?

Reviewed for accuracy · Report an issue
Question 8 of 18

Your organization has onboarded Windows 11 devices to Microsoft Purview Endpoint DLP. Users primarily use Google Chrome and Mozilla Firefox to access cloud services. You configure an Endpoint DLP policy that should audit and restrict uploads of documents containing credit card numbers to unsanctioned websites. During testing, you notice that upload activities from Chrome and Firefox are NOT being detected, while activities from Microsoft Edge are captured correctly. What must you do to ensure browser upload activities are monitored on Chrome and Firefox?

Reviewed for accuracy · Report an issue
Question 9 of 18

Your organization has onboarded Windows 11 devices to Purview Endpoint DLP. The compliance team wants to prevent users from copying files that contain credit card numbers to unmanaged network file shares, while still allowing copies to a specific approved corporate share (\\corp-fs01\secure). Copies to the approved share should be permitted without any user prompt. What is the correct way to configure the Endpoint DLP rule to meet these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 18

Contoso has onboarded Windows 11 devices to Purview Endpoint DLP. Security wants to prevent egress (copy to USB, upload to cloud) of sensitive files that have NOT yet been evaluated by any DLP policy — for example, brand-new documents created offline before classification runs. They want the action blocked until a policy evaluation completes, then allowed or blocked based on the result. Which Endpoint DLP capability should you enable?

Reviewed for accuracy · Report an issue
Question 11 of 18

Your organization has onboarded 200 Windows 11 devices to Microsoft Purview Endpoint DLP. Security notices that users are copying documents containing credit card numbers to removable USB drives. You must configure an Endpoint DLP rule that blocks copying such files to USB devices but still allows copying to corporate-approved USB drives without any prompt. What should you configure?

Reviewed for accuracy · Report an issue
Question 12 of 18

You are deploying Microsoft Purview Endpoint DLP to protect sensitive documents on 200 corporate Windows 11 workstations. Before your Endpoint DLP policies will report any activity from these devices, you must ensure the devices meet all prerequisites. The devices are already Microsoft Entra hybrid joined. Which action is REQUIRED to make these devices appear as managed in the Purview portal and start generating Endpoint DLP signals?

Reviewed for accuracy · Report an issue
Question 13 of 18

A user permanently deleted an email from their Exchange Online mailbox by emptying the Recoverable Items folder (using the Purge action). The mailbox is covered by a Purview retention policy that retains items for 7 years. A compliance investigator now needs to recover this specific message. What is the correct way to retrieve the content?

Reviewed for accuracy · Report an issue
Question 14 of 18

Your organization must retain email for 7 years only for users in the Legal and Finance departments. Employees frequently transfer between departments, and HR keeps the Department attribute in Microsoft Entra ID current. You want the retention policy to automatically include or exclude mailboxes as the Department attribute changes, without manually editing the policy. Which approach should you configure?

Reviewed for accuracy · Report an issue
Question 15 of 18

Contoso must ensure that all documents in SharePoint sites containing credit card numbers are automatically retained for seven years, even if end users never manually classify the files. Compliance staff should not have to select a label for each document. Which approach should you implement?

Reviewed for accuracy · Report an issue
Question 16 of 18

Contoso's legal team must review financial contracts before they are permanently deleted at the end of a 7-year retention period. Different departments require different reviewers, and some documents need approval from two separate reviewer groups in sequence before deletion. You are configuring a retention label to meet these requirements in the Microsoft Purview portal. What should you configure on the retention label?

Reviewed for accuracy · Report an issue
Question 17 of 18

At Contoso, an email is subject to two retention actions at the same time. A published retention label applied to the message specifies retain for 5 years then delete. A separate org-wide retention policy scoped to all Exchange mailboxes specifies retain for 7 years then delete. The compliance officer wants to know how long the message will actually be kept before it is eligible for deletion. What is the outcome based on Purview retention principles?

Reviewed for accuracy · Report an issue
Question 18 of 18

A compliance administrator at Contoso must explain why a specific SharePoint document was retained even after a user attempted to delete it. Multiple retention policies and retention labels apply across the tenant, and the administrator is unsure which one is actually governing this particular item. Which Microsoft Purview capability should the administrator use to determine exactly which retention policy or label is currently in effect for that specific item?

Reviewed for accuracy · Report an issue

More SC-401 practice

Keep going with the other Microsoft Information Security Administrator domains, or take a full timed mock exam.

← Back to SC-401 overview