As an Information Security Administrator, you plan and implement information security of sensitive data by using Microsoft Purview and related services. You’re responsible for mitigating risks by protecting data inside collaboration environments that are managed by Microsoft 365 from internal and external threats and protecting data used by AI services. You also implement information protection, data loss prevention, retention, insider risk management, and manage information security alerts and activities.
You work with other roles that are responsible for governance, data, and security to evaluate and develop policies to address an organization’s information security and risk reduction goals. You collaborate with workload administrators, business application owners, and governance stakeholders to implement technology solutions that support the necessary policies and controls. This role also participates in responding to information security incidents.
You should be familiar with all Microsoft 365 services, PowerShell, Microsoft Entra, the Microsoft Defender portal, and Microsoft Defender for Cloud Apps.
Skills measured
Implement information protection (30–35%)
Implement data loss prevention and retention (30–35%)
Manage risks, alerts, and activities (30–35%)
Exam SC-401: Administering Information Security in Microsoft 365 (beta)
Languages: English
Retirement date: none
This exam measures your ability to accomplish the following technical tasks: implement information protection; implement data loss prevention and retention; manage risks, alerts, and activities.
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
Useful links
● How to earn the certification: Some certifications only require passing one exam, while others require passing multiple exams.
● Certification renewal: Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn.
● Your Microsoft Learn profile: Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates.
● Exam scoring and score reports: A score of 700 or greater is required to pass.
● Exam sandbox: You can explore the exam environment by visiting our exam sandbox.
● Request accommodations: If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation.
About the exam
Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. If the exam isn’t available in your preferred language, you can request an additional 30 minutes to complete the exam.
Note
The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.
Note
Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.
Skills measured
Implement information protection (30–35%)
Implement and manage data classification
Identify sensitive information requirements for an organization’s data
Translate sensitive information requirements into built-in or custom sensitive info types
Create and manage custom sensitive info types
Implement document fingerprinting
Create and manage exact data match (EDM) classifiers
Create and manage trainable classifiers
Monitor data classification and label usage by using data explorer and content explorer
Configure optical character recognition (OCR) support for sensitive info types
Implement and manage sensitivity labels in Microsoft Purview
Implement roles and permissions for administering sensitivity labels
Define and create sensitivity labels for items and containers
Configure protection settings and content marking for sensitivity labels
Configure and manage publishing policies for sensitivity labels
Configure and manage auto-labeling policies for sensitivity labels
Apply a sensitivity label to containers, such as Microsoft Teams, Microsoft 365 Groups, Microsoft Power BI, and Microsoft SharePoint
Apply sensitivity labels by using Microsoft Defender for Cloud Apps
Implement information protection for Windows, file shares, and Exchange
Plan and implement the Microsoft Purview Information Protection client
Manage files by using the Microsoft Purview Information Protection client
Apply bulk classification to on-premises data by using the Microsoft Purview Information Protection scanner
Design and implement Microsoft Purview Message Encryption
Design and implement Microsoft Purview Advanced Message Encryption
Implement data loss prevention and retention (30–35%)
Create and configure data loss prevention policies
Design data loss prevention policies based on an organization’s requirements
Implement roles and permissions for data loss prevention
Create and manage data loss prevention policies
Configure data loss prevention policies for Adaptive Protection
Interpret policy and rule precedence in data loss prevention
Create file policies in Microsoft Defender for Cloud Apps by using a DLP policy
Implement and monitor Microsoft Purview Endpoint DLP
Specify device requirements for Endpoint DLP, including extensions
Configure advanced DLP rules for devices in DLP policies
Configure Endpoint DLP settings
Configure just-in-time protection
Monitor endpoint activities
Implement and manage retention
Plan for information retention and disposition by using retention labels
Create, configure, and manage adaptive scopes
Create retention labels for data lifecycle management
Configure a retention label policy to publish labels
Configure a retention label policy to auto-apply labels
Interpret the results of policy precedence, including using Policy lookup
Create and configure retention policies
Recover retained content in Microsoft 365
Manage risks, alerts, and activities (30–35%)
Implement and manage Microsoft Purview Insider Risk Management
Implement roles and permissions for Insider Risk Management
Plan and implement Insider Risk Management connectors
Plan and implement integration with Microsoft Defender for Endpoint
Configure and manage Insider Risk Management settings
Configure policy indicators
Select an appropriate policy template
Create and manage Insider Risk Management policies
Manage forensic evidence settings
Enable and configure insider risk levels for Adaptive Protection
Manage insider risk alerts and cases
Manage Insider Risk Management workflow, including notice templates
Manage information security alerts and activities
Assign Microsoft Purview Audit (Premium) user licenses
Investigate activities by using Microsoft Purview Audit
Configure audit retention policies
Analyze Purview activities by using activity explorer
Respond to data loss prevention alerts in the Microsoft Purview portal
Investigate insider risk activities by using the Microsoft Purview portal
Respond to Purview alerts in Microsoft Defender XDR
Respond to Defender for Cloud Apps file policy alerts
Perform searches by using Content search
Protect data used by AI services
Implement controls in Microsoft Purview to protect content in an environment that uses AI services
Implement controls in Microsoft 365 productivity workloads to protect content in an environment that uses AI services
Implement pre-requisites for Data Security Posture Management (DSPM) for AI
Manage roles and permissions for DSPM for AI
Configure DSPM for AI policies
Monitor activities in DSPM for AI
Sample Question and Answers
New Topic: Topic 1, Contoso, Ltd Case Study 1
Instructions
This is a case study. Case studies are not timed separately from other exam sections. You can use as
much exam time as you would like to complete each case study. However, there might be additional
case studies or other exam sections. Manage your time to ensure that you can complete all the exam
sections in the time provided. Pay attention to the Exam Progress at the top of the screen so you
have sufficient time to complete any exam sections that follow this case study.
To answer the case study questions, you will need to reference information that is provided in the
case. Case studies and associated questions might contain exhibits or other resources that provide
more information about the scenario described in the case. Information provided in an individual
question does not apply to the other questions in the case study.
A Review Screen will appear at the end of this case study. From the Review Screen, you can review
and change your answers before you move to the next exam section. After you leave this case study,
you will NOT be able to return to it.
To start the case study
To display the first question in this case study, select the “Next” button. To the left of the question, a
menu provides links to information such as business requirements, the existing environment, and
problem statements. Please read through all this information before answering any questions. When
you are ready to answer a question, select the “Question” button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and three branch offices in
Seattle, Boston, and Johannesburg.
Existing Environment
Microsoft 365 Environment
Contoso has a Microsoft 365 E5 tenant. The tenant contains the administrative user accounts shown
in the following table.
Users store data in the following locations:
● SharePoint sites
● OneDrive accounts
● Exchange email
● Exchange public folders
● Teams chats
● Teams channel messages
When users in the research department create documents, they must add a 10-digit project code to each document. Project codes that start with the digits 999 are confidential.
SharePoint Online Environment
Contoso has four Microsoft SharePoint Online sites named Site1, Site2, Site3, and Site4.
Site2 contains the files shown in the following table.
Two users named User1 and User2 are assigned roles for Site2 as shown in the following table.
Site3 stores documents related to the company’s projects. The documents are organized in a folder
hierarchy based on the project.
Site4 has the following two retention policies applied:
● Name: Site4RetentionPolicy1
● Locations to apply the policy: Site4
● Delete items older than: 2 years
● Delete content based on: When items were created
● Name: Site4RetentionPolicy2
● Locations to apply the policy: Site4
● Retain items for a specific period: 4 years
● Start the retention period based on: When items were created
● At the end of the retention period: Do nothing
Problem Statements
Management at Contoso is concerned about data leaks. On several occasions, confidential research department documents were leaked.
Requirements
Planned Changes
Contoso plans to create the following data loss prevention (DLP) policy:
● Name: DLPpolicy1
● Locations to apply the policy: Site2
● Conditions:
● Content contains any of these sensitive info types: SWIFT Code
● Instance count: 2 to any
● Actions: Restrict access to the content
Technical Requirements
Contoso must meet the following technical requirements:
● All administrative users must be able to review DLP reports.
● Whenever possible, the principle of least privilege must be used.
● For all users, all Microsoft 365 data must be retained for at least one year.
● Confidential documents must be detected and protected by using Microsoft 365.
● Site1 documents that include credit card numbers must be labeled automatically.
● All administrative users must be able to create Microsoft 365 sensitivity labels.
● After a project is complete, the documents in Site3 that relate to the project must be retained for 10 years.
QUESTION 1
DRAG DROP
You need to meet the technical requirements for the Site1 documents.
Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
The goal is to automatically label documents in Site1 that contain credit card numbers.
To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.
Step 1: Create a Sensitive Info Type
● A sensitive info type is needed to detect credit card numbers in documents.
● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.
Step 2: Create a Sensitivity Label
● A sensitivity label is required to classify and protect documents containing sensitive information.
● This label can apply encryption, watermarking, or access controls to credit card data.
Step 3: Create an Auto-Labeling Policy
● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.
● This policy is configured to scan files and automatically apply the correct sensitivity label.
QUESTION 2
You need to meet the technical requirements for the creation of the sensitivity labels.
To which user or users must you assign the Sensitivity Label Administrator role?
A. Admin1 only
B. Admin1 and Admin4 only
C. Admin1 and Admin5 only
D. Admin1, Admin2, and Admin3 only
E. Admin1, Admin2, Admin4, and Admin5 only
Answer: D
Explanation:
To meet the requirement that all administrative users must be able to create Microsoft 365
sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.
Sensitivity Label Administrator Role Responsibilities
This role allows users to:
● Create and manage sensitivity labels in Microsoft Purview.
● Publish and configure auto-labeling policies.
● Modify label encryption and content marking settings.
Review of Admin Roles from the Table:
Users that must be assigned the Sensitivity Label Administrator role:
● Admin2 (Compliance Data Administrator)
● Admin3 (Compliance Administrator)
● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).
QUESTION 3
HOTSPOT
You need to meet the technical requirements for the confidential documents.
What should you create first, and what should you use for the detection method? To answer, select
the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
To detect and protect confidential documents, we need a custom rule to identify project codes that
start with 999 (since they are classified as confidential).
Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data
(e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns,
keywords, or dictionary terms. A sensitivity label alone does not define detection logic; it is used for
classification and protection after content is identified.
Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression
(Regex) to match project codes that start with 999.
Example Regex pattern:
\b999\d{7}\b
This pattern detects a 10-digit number starting with “999”; the \b word boundaries keep it from matching inside a longer run of digits.
QUESTION 4
HOTSPOT
How many files in Site2 can User1 and User2 access after you turn on DLPpolicy1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Understanding DLP Policy Impact on File Access
The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:
● Content contains SWIFT Codes.
● Instance count is 2 or more.
File Analysis (Based on SWIFT Codes Count)
Files that remain accessible (not restricted by DLP):
● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)
User access after DLP policy is applied:
User1 (Site Owner):
● Has higher privileges and can override DLP restrictions (through admin intervention).
● Can access 2 files (File1.docx + override access to another file).
User2 (Site Visitor):
● Has read-only access but DLP blocks access to restricted files.
● Can only access 1 file (File1.docx), since all others are restricted.
QUESTION 5
HOTSPOT
You are reviewing policies for the SharePoint Online environment.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Understanding Site4’s Retention Policies:
● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.
● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states “Do nothing”).
Statement 1 – Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.
Statement 2 – Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).
Statement 3 – No, because retention is only for 4 years (until January 1, 2025). After that, the policy does “nothing,” meaning the file is no longer recoverable after that period.