Microsoft - SC-401: Administering Information Security in Microsoft 365
Sample Questions
Question: 71
Measured Skill: Manage risks, alerts, and activities (30–35%)
You have a Microsoft 365 E5 subscription.
You plan to implement insider risk management for users that manage sensitive data associated with a project.
You need to create a protection policy for the users. The solution must meet the following requirements:
- Minimize the impact on users who are NOT part of the project.
- Minimize administrative effort.
What should you do first?
A | From the Microsoft Purview portal, create an insider risk management policy. |
B | From the Microsoft Entra admin center, create a security group. |
C | From the Microsoft Entra admin center, create a User risk policy. |
D | From the Microsoft Purview portal, create a priority user group. |
Correct answer: D
Explanation:
Insider risk management includes support for assigning priority user groups to policies to help identify unique risk activities for users with critical positions, high levels of data and network access, or a past history of risk behavior. Creating a priority user group and assigning users to the group helps scope policies to the unique circumstances presented by these users.
You can create a priority user group and assign users to the group to help you scope policies specific to the unique circumstances presented by these identified users.
A priority user group is required when using the following policy templates:
- Security policy violations by priority users
- Data leaks by priority users
References:
Get started with insider risk management
Prioritize user groups for insider risk management policies
Question: 72
Measured Skill: Manage risks, alerts, and activities (30–35%)
You have a Microsoft 365 E5 subscription. The subscription contains 500 devices that are onboarded to Microsoft Purview.
You select Activate Microsoft Purview Audit.
You need to ensure that you can track interactions between users and generative AI websites.
What should you deploy to the devices?
A | The Microsoft Purview extension |
B | The Microsoft Purview Information Protection client |
C | The Microsoft Defender Browser Protection extension |
D | Endpoint analytics |
Correct answer: A
Explanation:
Microsoft Purview Data Security Posture Management (DSPM) for AI from the Microsoft Purview portal provides a central management location to help you quickly secure data for AI apps and proactively monitor AI use. These apps include Microsoft 365 Copilot, agents, other copilots from Microsoft, and AI apps from third-party large language models (LLMs).
Data Security Posture Management for AI offers a set of capabilities so you can safely adopt AI without having to choose between productivity and protection:
- Insights and analytics into AI activity in your organization
- Ready-to-use policies to protect data and prevent data loss in AI prompts
- Data risk assessments to identify, remediate, and monitor potential oversharing of data
- Compliance controls to apply optimal data handling and storing policies
As a prerequisite to track interactions between users and generative AI websites, the devices must be onboarded to Microsoft Purview and the Microsoft Purview browser extension must be installed on the devices.
The Microsoft Purview browser extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms. The browser extension is available for Chrome and Firefox and can be deployed to Windows and macOS devices. The browser extension is not required for native applications such as the Microsoft Edge browser.
References:
Microsoft Purview data security and compliance protections for generative AI apps
Get started with the Microsoft Purview extension for Chrome
Get started with the Microsoft Purview extension for Firefox
Question: 73
Measured Skill: Manage risks, alerts, and activities (30–35%)
Your company has offices in multiple countries.
The company has a Microsoft 365 E5 subscription that uses Microsoft Purview insider risk management.
You plan to perform the following actions:
- In a new country, open an office named Office1.
- Create a new user named User1.
- Deploy insider risk management to Office1.
- Add User1 to the Insider Risk Management Admins role group.
You need to ensure that User1 can perform insider risk management tasks for only the users and the devices in Office1.
What should you create first?
A | A dynamic device group |
B | A dynamic user group |
C | An administrative unit |
D | A management group |
Correct answer: C
Explanation:
Administrative units in Microsoft Entra ID allow you to restrict administrative permissions to specific parts of your Microsoft Entra organization. You create, delete, and edit administrative units in Microsoft Entra. In Microsoft Entra, you manage the users or groups that are members of the administrative unit. This feature lets you subdivide your organization into smaller units and assign specific administrators to manage only the members within those units. Microsoft Purview role groups allow you to assign admins to specific administrative units. Microsoft Purview solutions that support administrative units will then restrict visibility and management permissions to the members of the unit.
For example, you could use administrative units to delegate permissions to administrators for each geographic region in a large multi-national organization, or for grouping administrator access by department within your organization. You can create region or department-specific policies or view user activity as a result of those policies and administrative unit assignment. You can also use administrative units as an initial scope for a policy, where the selection of users eligible for the policy depends on membership in administrative units.
Reference: Administrative units
Question: 74
Measured Skill: Manage risks, alerts, and activities (30–35%)
You have a Microsoft 365 subscription.
Users have devices that run Windows 11.
You plan to create a Microsoft Purview insider risk management policy that will detect when a user performs the following actions:
- Deletes files that contain a sensitive information type (SIT) from their device.
- Copies files that contain a SIT to a USB drive.
- Prints files that contain a SIT.
You need to prepare the environment to support the policy.
What should you do?
A | Configure the physical badging connector. |
B | Configure the HR data connector. |
C | Create a Microsoft Purview communication compliance policy. |
D | Onboard the devices to Microsoft Purview. |
Correct answer: D
Explanation:
Insider risk management policies determine which users are in-scope and which types of risk indicators are configured for alerts. You can quickly create a security policy that applies to all users in your organization or define individual users or groups for management in a policy. Policies support content priorities to focus policy conditions on multiple or specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores, and level and frequency of alerts.
You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft Purview portal.
Onboarding Windows 10 or Windows 11 devices
- Open the Microsoft Purview portal. Choose Settings > Device onboarding > Devices.
- Choose Turn on device onboarding.
- Choose Onboarding to begin the onboarding process.
- Choose the way you want to deploy to these other devices from the Deployment method list, and then download the package.
- Choose the appropriate procedure to follow from the table below:

References:
Onboard Windows devices into Microsoft 365 overview
Create and manage insider risk management policies
Question: 75
Measured Skill: Manage risks, alerts, and activities (30–35%)
You have a Microsoft 365 E5 subscription that uses Microsoft Purview.
You need to ensure that an incident will be generated when a user visits a phishing website.
What should you do?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A | Type of policy to create: Communication Compliance
Prerequisite to complete: Deploy the Microsoft Defender Browser Protection extension. |
B | Type of policy to create: Communication Compliance
Prerequisite to complete: Create a sensitive service domain group. |
C | Type of policy to create: Data Loss Prevention (DLP)
Prerequisite to complete: Deploy the Microsoft Purview extension. |
D | Type of policy to create: Data Loss Prevention (DLP)
Prerequisite to complete: Deploy the Microsoft Defender Browser Protection extension. |
E | Type of policy to create: Insider Risk Management
Prerequisite to complete: From Data Loss Prevention, configure the Service domains settings. |
F | Type of policy to create: Insider Risk Management
Prerequisite to complete: Deploy the Microsoft Purview extension. |
Correct answer: F
Explanation:
Microsoft Purview Insider Risk Management is a compliance solution that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft eDiscovery (Premium) if needed.
The Microsoft Purview browser extension is a lightweight tool that integrates with Microsoft Purview's Data Loss Prevention (DLP) and Insider Risk Management (IRM) systems. It monitors browser activity, specifically focusing on actions that could expose sensitive data, such as frequent use of generative AI tools or the sharing of sensitive information in online forms. The Microsoft Purview browser extension does not log your entire browser history. It only tracks specific activities when a pre-defined policy is violated, such as visiting a high-risk site or uploading sensitive data into an AI tool.
We should deploy the Insider Risk Management Risky browser usage policy template which requires the Microsoft Purview extension as shown below.

References:
Learn about insider risk management
Learn about the Microsoft Purview extension for Chrome