Implement data loss prevention and retention
Drill 18 practice questions focused entirely on Implement data loss prevention and retention for the Microsoft SC-401 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your organization uses Microsoft Purview Insider Risk Management with Adaptive Protection enabled. Security leadership wants users who reach an 'Elevated' insider risk level to be automatically subjected to stricter DLP enforcement (blocking, rather than just auditing, the copying of sensitive files to USB), while lower-risk users continue with audit-only actions. You must configure a DLP policy that changes enforcement based on the user's current risk level without manually maintaining user lists. What should you do?
Your organization has onboarded 500 Windows 11 devices to Microsoft Purview Endpoint DLP. A compliance analyst reports that a user may have copied files containing credit card numbers to a personal cloud storage service last week. The analyst needs to review the full sequence of that user's file activities on their device — including copy-to-USB, upload-to-cloud, and print events — to build a timeline of what happened, even for actions that did not trigger any DLP policy alert. Which Microsoft Purview tool should the analyst use?
Contoso has deployed Endpoint DLP to onboarded Windows devices. Users routinely upload documents to sanctioned corporate cloud services but occasionally paste sensitive files into personal cloud storage sites through the browser. Security wants Endpoint DLP to ALLOW uploads to approved corporate cloud domains while BLOCKING uploads of sensitive content to all other web destinations. Which configuration should you implement?
Contoso has deployed an Endpoint DLP policy that detects credit card numbers on onboarded Windows devices. Compliance wants that when a user copies a file containing credit card data to a removable USB drive, the action is allowed to complete but a security incident is generated for the compliance team without notifying or interrupting the user. Which combination of rule actions should you configure in the DLP rule?
Contoso wants to prevent credit card numbers from being shared. Compliance requires that the DLP policy apply to Exchange email, SharePoint sites, OneDrive accounts, and Teams chat and channel messages, but the security team explicitly wants the SAME rule conditions and actions enforced identically across all these workloads with a single policy. When designing this DLP policy, what should the administrator do to meet the requirement most efficiently?
You are the Information Security Administrator at Contoso. A compliance analyst named Dana needs to create and edit data loss prevention (DLP) policies in the Microsoft Purview portal, but must NOT be granted broader compliance administration rights such as managing eDiscovery cases or retention policies. You want to follow the principle of least privilege. Which role or role group should you assign to Dana?
You are creating a new DLP policy in the Microsoft Purview portal to protect credit card numbers across Exchange, SharePoint, and OneDrive. Leadership is concerned that immediately blocking actions could disrupt legitimate business workflows during month-end financial processing. You need to observe which items and activities the policy would affect and view the generated DLP alerts without blocking any user actions or displaying policy tips to end users. Which policy mode should you select when deploying the policy?
Your organization has onboarded Windows 11 devices to Microsoft Purview Endpoint DLP. Users primarily use Google Chrome and Mozilla Firefox to access cloud services. You configure an Endpoint DLP policy that should audit and restrict uploads of documents containing credit card numbers to unsanctioned websites. During testing, you notice that upload activities from Chrome and Firefox are NOT being detected, while activities from Microsoft Edge are captured correctly. What must you do to ensure browser upload activities are monitored on Chrome and Firefox?
Your organization has onboarded Windows 11 devices to Purview Endpoint DLP. The compliance team wants to prevent users from copying files that contain credit card numbers to unmanaged network file shares, while still allowing copies to a specific approved corporate share (\\corp-fs01\secure). Copies to the approved share should be permitted without any user prompt. What is the correct way to configure the Endpoint DLP rule to meet these requirements?
Contoso has onboarded Windows 11 devices to Purview Endpoint DLP. Security wants to prevent egress (copy to USB, upload to cloud) of sensitive files that have NOT yet been evaluated by any DLP policy — for example, brand-new documents created offline before classification runs. They want the action blocked until a policy evaluation completes, then allowed or blocked based on the result. Which Endpoint DLP capability should you enable?
Your organization has onboarded 200 Windows 11 devices to Microsoft Purview Endpoint DLP. Security notices that users are copying documents containing credit card numbers to removable USB drives. You must configure an Endpoint DLP rule that blocks copying such files to USB devices but still allows copying to corporate-approved USB drives without any prompt. What should you configure?
You are deploying Microsoft Purview Endpoint DLP to protect sensitive documents on 200 corporate Windows 11 workstations. Before your Endpoint DLP policies will report any activity from these devices, you must ensure the devices meet all prerequisites. The devices are already Microsoft Entra hybrid joined. Which action is REQUIRED to make these devices appear as managed in the Purview portal and start generating Endpoint DLP signals?
A user permanently deleted an email from their Exchange Online mailbox by emptying the Recoverable Items folder (using the Purge action). The mailbox is covered by a Purview retention policy that retains items for 7 years. A compliance investigator now needs to recover this specific message. What is the correct way to retrieve the content?
Your organization must retain email for 7 years only for users in the Legal and Finance departments. Employees frequently transfer between departments, and HR keeps the Department attribute in Microsoft Entra ID current. You want the retention policy to automatically include or exclude mailboxes as the Department attribute changes, without manually editing the policy. Which approach should you configure?
Contoso must ensure that all documents in SharePoint sites containing credit card numbers are automatically retained for seven years, even if end users never manually classify the files. Compliance staff should not have to select a label for each document. Which approach should you implement?
Contoso's legal team must review financial contracts before they are permanently deleted at the end of a 7-year retention period. Different departments require different reviewers, and some documents need approval from two separate reviewer groups in sequence before deletion. You are configuring a retention label to meet these requirements in the Microsoft Purview portal. What should you configure on the retention label?
At Contoso, an email is subject to two retention actions at the same time. A published retention label applied to the message specifies retain for 5 years then delete. A separate org-wide retention policy scoped to all Exchange mailboxes specifies retain for 7 years then delete. The compliance officer wants to know how long the message will actually be kept before it is eligible for deletion. What is the outcome based on Purview retention principles?
A compliance administrator at Contoso must explain why a specific SharePoint document was retained even after a user attempted to delete it. Multiple retention policies and retention labels apply across the tenant, and the administrator is unsure which one is actually governing this particular item. Which Microsoft Purview capability should the administrator use to determine exactly which retention policy or label is currently in effect for that specific item?
More SC-401 practice
Keep going with the other Microsoft Information Security Administrator domains, or take a full timed mock exam.
← Back to SC-401 overview