Manage risks, alerts, and activities
Drill 20 practice questions focused entirely on Manage risks, alerts, and activities for the Microsoft SC-401 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A security analyst at Contoso needs to determine which users have recently lowered the sensitivity label on documents from 'Confidential' to 'General' and where those files were stored when the change occurred. The analyst has been assigned appropriate Purview permissions. Which Microsoft Purview tool should the analyst use to review this specific label-change activity across the organization?
A compliance investigator at Contoso needs to determine which user accessed a specific highly confidential file stored in SharePoint Online, when it was accessed, and from which IP address, going back 9 months. The organization has Microsoft 365 E5 licensing. Which Purview capability should the investigator use to retrieve this historical activity?
A security analyst at Contoso is investigating a suspected business email compromise. They need to determine exactly which email messages in a compromised user's mailbox were accessed by the attacker over the past 90 days, including messages that were viewed but not forwarded or downloaded. The organization holds Microsoft 365 E5 licenses. Which Purview Audit capability should the analyst rely on to obtain this information?
Your organization uses Microsoft Defender for Cloud Apps connected to SharePoint Online and OneDrive. The security team wants an automated response whenever a file containing credit card numbers is shared with external users: the file should be placed in administrative quarantine and the file owner notified. You create a file policy that detects the sensitive content and the external sharing condition. Which governance action in the file policy meets the requirement to remove external access while preserving the file for review?
A DLP administrator at Contoso is reviewing alerts in the Microsoft Purview portal. A single alert shows that a user triggered a policy 47 times over two hours by attempting to email spreadsheets containing credit card numbers to an external domain. The administrator needs to formally begin working the alert and prevent other reviewers from duplicating effort, while keeping a record that the alert is being handled. Which action should the administrator take on the alert?
Your organization has deployed Microsoft 365 Copilot and also allows employees to use consumer generative AI apps such as ChatGPT and Google Gemini from company devices. Security leadership wants a single dashboard in Purview that surfaces sensitive data being shared with BOTH Copilot and these third-party AI sites, including which sensitivity labels and sensitive info types are involved. Before this cross-app visibility works in DSPM for AI, which prerequisite must you complete for the third-party AI site activity to appear?
Contoso has deployed Microsoft 365 Copilot and enabled DSPM for AI. The security team reports that employees are pasting content labeled 'Highly Confidential' into third-party generative AI sites such as public ChatGPT, and they also want to reduce the risk of users prompting Copilot with sensitive data. Which combination of Purview DSPM for AI capabilities should you configure to address BOTH concerns with the least administrative effort?
You are the security administrator at Contoso. Leadership wants to use Microsoft Purview Data Security Posture Management (DSPM) for AI to gain visibility into how users interact with generative AI apps such as Microsoft 365 Copilot and to detect sensitive data being shared with AI prompts. Before you can configure DSPM for AI policies and see activity in the analytics dashboard, which prerequisite action must you complete first?
A litigation event requires you to preserve and search email and OneDrive content for three custodians while an investigation is ongoing. Legal counsel is concerned that involved employees might delete relevant messages before the search is completed. Using Microsoft Purview Microsoft Purview eDiscovery, what should you do FIRST to ensure the relevant content is protected from deletion during the investigation?
Your organization uses Microsoft Purview Insider Risk Management and wants to automatically apply stricter DLP policies to users who show elevated risky behavior, without requiring an analyst to manually adjust each user's controls. You plan to enable Adaptive Protection. Which mechanism does Adaptive Protection use to determine which users receive the more restrictive DLP enforcement?
You are a security administrator at Contoso. Leadership is concerned about potential data leakage but is hesitant to deploy Insider Risk Management policies broadly because they worry about generating excessive alerts and impacting user privacy. They want to first understand the scope of potentially risky activities across the organization without configuring any specific policies or identifying individual users. What should you enable in Insider Risk Management to satisfy this requirement?
An insider risk analyst at Contoso is reviewing an active case in Microsoft Purview Insider Risk Management. The case was generated from a data leak policy, but after examining the activity timeline the analyst concludes the user's behavior was a one-time accidental oversharing with no malicious intent, and that a light-touch reminder about corporate data handling policy is the appropriate response. Which case action should the analyst take to formally document this outcome while reminding the user of policy expectations?
Your organization wants Insider Risk Management to automatically detect potential data theft by employees who have resigned or been terminated. The security team needs the resignation and termination dates from your on-premises HR system to be available as an event trigger for insider risk policies. Which action must you complete before these dates can serve as policy triggers?
Your organization has deployed Purview Insider Risk Management with a data theft by departing users policy. HR uses a third-party system to track resignations and terminations. Compliance leadership wants departing-user events to feed Insider Risk Management automatically each night without manual intervention. As the Insider Risk Management admin, what should you configure to reliably deliver these HR events to the policy?
Your organization uses Purview Insider Risk Management to detect data leaks. A concern has been raised that a user may be slowly exfiltrating data by copying small amounts of sensitive files to USB devices over several weeks — each individual action is too small to trigger a threshold alert, but the aggregated volume is significant. Which policy capability should you rely on to surface this pattern?
Contoso's HR system flags employees who have submitted resignations. The security team wants Purview Insider Risk Management to automatically detect when these specific employees download unusual volumes of SharePoint data or copy files to USB devices during their notice period, but they do not want to monitor the entire workforce for these behaviors. Which approach should you configure to meet this requirement most efficiently?
Contoso wants its Insider Risk Management policies to detect when a user copies sensitive files to a USB removable device or uploads them to an unsanctioned cloud service. The security team confirms Microsoft Defender for Endpoint is deployed to all managed workstations. After creating a Data Theft policy, the analyst notices that USB and cloud-upload activities are not appearing as detected indicators. What must the analyst configure to enable these device-based signals in Insider Risk Management?
Contoso's security team wants Insider Risk Management to visually capture what a high-risk user does on their managed Windows device when they perform risky activities, such as exfiltrating files to USB. Before the team can create a forensic evidence capturing rule, which two prerequisite steps must be completed first?
A security administrator at Contoso needs to detect employees who inadvertently or maliciously share sensitive information outside the organization. There is no HR connector configured, and the organization does not want the policy to be scoped only to users who have submitted resignations or triggered HR events. The administrator wants a policy that monitors all in-scope users for data leak activities such as copying files to USB, uploading to personal cloud storage, and printing sensitive documents. Which Insider Risk Management policy template should the administrator choose?
Contoso has an active Insider Risk Management policy that generates alerts when users share sensitive files externally. The compliance team wants a lightweight, first-response action that automatically emails an educational reminder to a user during case resolution—without escalating to HR or opening a legal investigation. As the Insider Risk Management administrator, what should you configure so investigators can send this standardized reminder from within a case?
More SC-401 practice
Keep going with the other Microsoft Information Security Administrator domains, or take a full timed mock exam.
← Back to SC-401 overview