Microsoft - SC-401: Administering Information Security in Microsoft 365
Sample Questions
Question: 128
Measured Skill: Manage risks, alerts, and activities (30–35%)
You have a Microsoft 365 E5 subscription.
From the Microsoft Purview Data Security Posture Management for Al portal, you review the recommendations for Al data security.
You plan to create a one-click policy to block elevated risk users from pasting or uploading sensitive data to Al websites.
How will the policy be configured?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | The policy mode will be configured to use: Run the policy in simulation mode
The policy will aply to: SharePoint sites only |
| B | The policy mode will be configured to use: Run the policy in simulation mode
The policy will aply to: Devices, Instances, and SharePoint sites |
| C | The policy mode will be configured to use: Turn the policy on immediately
The policy will aply to: Devices and SharePoint sites |
| D | The policy mode will be configured to use: Turn the policy on immediately
The policy will aply to: Devices only |
| E | The policy mode will be configured to use: Leave the policy turned off
The policy will aply to: Instances only |
| F | The policy mode will be configured to use: Leave the policy turned off
The policy will aply to: Devices, Instances, and SharePoint sites |
Correct answer: DExplanation:
The Detect sensitive info pasted or uploaded to AI sites DSPM for AI policy discovers sensitive content pasted or uploaded in Microsoft Edge, Chrome, and Firefox to AI sites. This policy covers all users and groups in your org in audit mode only.
By default the policy applies to the Devices location only.
Although the documentation says that the policy is enabled in audit mode, it is actually turned on right away. The exhibit shows the policy mode configuration of the DSPM for AI: Detect sensitive info added to AI sites DLP policy created by the Detect sensitive info pasted or uploaded to AI sites DSPM for AI on-click policy.
Reference: Considerations for DSPM for AI to manage data security and compliance protections for AI interactions
Question: 129
Measured Skill: Manage risks, alerts, and activities (30–35%)
You have a Microsoft 365 E5 subscription that contains two Windows devices named Devicel1 and Device2.
Device1 has the default browser set to Microsoft Edge. Device2 has the default browser set to Google Chrome.
You need to ensure that Microsoft Purview insider risk management can collect signals when a user copies files to a USB device by using their default browser.
What should you deploy to each device?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Device1: The Microsoft Defender Browser Protection extension
Device2: The Microsoft Purview Information Protection client |
| B | Device1: The Microsoft Defender Browser Protection extension
Device2: The Microsoft Purview extension |
| C | Device1: The Microsoft Purview extension
Device2: The Microsoft Purview Information Protection client |
| D | Device1: The Microsoft Purview extension
Device2: The Microsoft Purview extension |
| E | Device1: The Microsoft Purview Information Protection client
Device2: The Microsoft Purview Information Protection client |
| F | Device1: The Microsoft Purview Information Protection client
Device2: The Microsoft Purview extension |
Correct answer: DExplanation:
The Microsoft Defender Browser Protection extension for Google Chrome is currently suported in the United States only. The extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.
If you click a malicious link in an email or navigate to a site designed to trick you into disclosing financial, personal or other sensitive information, or a website that hosts malware, Microsoft Defender Browser Protection will check it against a constantly updated list of malicious URLs known to Microsoft.
If the malicious link matches one on the list, Microsoft Defender Browser Protection will show a red warning screen letting you know that the web page you are about to visit is known to be harmful, giving you a clear path back to safety with one click.
The Microsoft Purview extension is available for Microsoft Edge, Google Chrome, and Firefox. The extension enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10/11.
The Microsoft Purview Information Protection client extends sensitivity labels beyond labels that are built into Microsoft 365 apps and services, and supports a wider range of file types. This client runs on Windows only and replaces the Azure Information Protection (AIP) unified labeling client and the Office add-in for labeling in Word, Excel, PowerPoint, and Outlook.
References:
Microsoft Defender Browser Protection
Learn about the Microsoft Purview extension for Chrome
Extend sensitivity labeling on Windows
Question: 130
Measured Skill: Implement information protection (30–35%)
You have a Microsoft 365 tenant.
You need to create a new sensitive info type for items that contain the following:
- An employee ID number that consists of the hire date of the employee followed by a three digit number.
- The words "Employee", "ID", or "Identification" within 300 characters of the employee ID number.
What should you use for the primary and secondary elements?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Primary element: Functions
Secondary element: A keyword list |
| B | Primary element: Functions
Secondary element: A regular expression |
| C | Primary element: A keyword list
Secondary element: Functions |
| D | Primary element: A keyword list
Secondary element: A regular expression |
| E | Primary element: A regular expression
Secondary element: Functions |
| F | Primary element: A regular expression
Secondary element: A keyword list |
Correct answer: FExplanation:
To identify the employee ID we shoul use the following regular expression as the primary element.
\d{1,2}\/\d{1,2}\/\d{2,4}\d{3}
- \d{1,2} matches 1 or 2 digits
- \/ matches a slash (the separator). You can also make a hyphen (-) the separator
- \d{2,4} matches 2 or 4 digits
- \d{3} matches 3 digits
To identify the words "Employee", "ID", or "Identification" within 300 characters of the employee ID number, we should use a keyword list.
References:
Create custom sensitive information types
Regular Expressions 101
Question: 131
Measured Skill: Implement information protection (30–35%)
You have two Microsoft 365 subscriptions named Contoso and Fabrikam. The subscriptions contain the users shown in the following table.
You have a sensitivity label named Sensitivity1 as shown in the following exhibit.
You have the files shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | User1 can remove the encryption from File1: Yes
User2 can remove the encryption from File3: Yes
User3 can print File2: Yes |
| B | User1 can remove the encryption from File1: Yes
User2 can remove the encryption from File3: Yes
User3 can print File2: No |
| C | User1 can remove the encryption from File1: Yes
User2 can remove the encryption from File3: No
User3 can print File2: Yes |
| D | User1 can remove the encryption from File1: No
User2 can remove the encryption from File3: Yes
User3 can print File2: No |
| E | User1 can remove the encryption from File1: No
User2 can remove the encryption from File3: No
User3 can print File2: Yes |
| F | User1 can remove the encryption from File1: No
User2 can remove the encryption from File3: No
User3 can print File2: No |
Correct answer: BExplanation:
Sensitivity labels can be applied and removed by all users to whom the label has been published.
The co-owner permisson allows the following actions:
The reviewer permisson allows the following actions:
Reference: Apply sensitivity labels to your files and email
Question: 132
Measured Skill: Implement information protection (30–35%)
You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.
You publish Microsoft Purview Information Protection sensitivity labels.
You plan to deploy the information protection client to the devices.
The solution must ensure that the labels can be applied to sensitive images and documents.
On which devices can you install the information protection client, and what should users use to apply labels?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.) 
| A | Devices: Device1 only
Use: File Explorer |
| B | Devices: Device1 and Device2 only
Use: The Settings app |
| C | Devices: Device1 and Device3 only
Use: Microsoft Word |
| D | Devices: Device1 and Device3 only
Use: File Explorer |
| E | Devices: Device1, Device2, and Device3
Use: The Microsoft Defender portal |
| F | Devices: Device1, Device2, and Device3
Use: The Microsoft Purview portal |
Correct answer: AExplanation:
The Microsoft Purview Information Protection client extends sensitivity labels beyond labels that are built into Microsoft 365 apps and services, and supports a wider range of file types.
This client runs on Windows only and replaces the Azure Information Protection (AIP) unified labeling client. It has the following components:
- Information protection scanner - Used to discover, label, and encrypt files on data stores such as network shares and SharePoint Server libraries.
- Information protection file labeler - Used to apply sensitivity labels and encryption using File Explorer.
- Information protection viewer - Used to view files that are encrypted.
- Microsoft Purview Information Protection PowerShell module - Used to adjust sensitivity labels on files, and install and configure Microsoft Purview Information Protection scanner.
There's no Office Add-in with the Microsoft Purview Information Protection client because this functionality is replaced with sensitivity labels that are built into Office.
The following operating systems support the Microsoft Purview Information Protection client:
- Windows 11, including Windows 11 Enterprise multi-session
- Windows 10 (x64) (Handwriting isn't supported in the Windows 10 RS4 build and later.)
- Windows Server 2019
- Windows Server 2016
ARM64 isn't supported.
Reference: Extend sensitivity labeling on Windows