Free Microsoft SC-401 Practice Exam with Questions & Answers

Let’s analyze each scenario based on the given retention policies and Microsoft 365 documentation.

???? Policies Recap

Policy1

Teams channel messages → All Teams → Retain 7 years → Delete automatically.

Teams chats → User1 → Retain 7 years → Delete automatically.

Policy2

Teams channel messages → Team1 → Retain 5 years → Delete automatically.

Teams chats → User2 → Retain 5 years → Delete automatically.

???? Reference: Retention policies in Microsoft Teams

???? Statement 1: The message edited by User1 will be deleted after five years.

Location = Team1 channel.

Policy1 applies (7 years for all Teams).

Policy2 applies (5 years for Team1).

Conflict rule: For retention, the longest duration wins.

Therefore, the message stays 7 years, not 5.

✅ Answer: NO

???? Statement 2: User1 can see the message sent by User2 for up to seven years.

Location = Private 1:1 chat (User2 → User1).

For User1’s mailbox: Policy1 applies (7 years).

For User2’s mailbox: Policy2 applies (5 years).

Retention in Teams chats is per-user, so each participant may have different durations.

For User1, the retention is 7 years.

✅ Answer: YES

???? Statement 3: The message deleted by User1 will be moved to the SubstrateHolds folder.

Location = Team2 channel.

User1 deletes the message, but retention policy (Policy1) applies (7 years).

Retention overrides user deletion: message is moved to the SubstrateHolds folder in the hidden mailbox for preservation.

???? Reference: How retention works with SubstrateHolds

✅ Answer: YES

The scenario is about retaining audit logs for User1 for 10 years in Microsoft 365. Admin1 is responsible for managing audit retention policies, but the requirement specifically applies to User1’s audit logs.

Key points:

Microsoft 365 E5 includes Audit (Premium) by default. This provides access to advanced auditing features and retention up to 1 year.

To retain audit logs for longer than 1 year (such as 10 years), Microsoft requires the 10-year Audit Log Retention Add-on license.

This license must be assigned to the user whose activities need to be retained (User1), not the administrator (Admin1).

Admin1 only needs permissions to configure and manage retention policies, but the actual long-term retention is tied to the licensed users’ activity.

Why other options are incorrect:

A. Assign a Microsoft Purview Audit (Premium) add-on license to User1: Not needed because E5 already includes Audit (Premium).

B. Assign a 10-year audit log retention add-on license to Admin1: Incorrect because Admin1 is not the user whose logs must be retained; the license applies to the user being audited, not the admin.

D. Assign a Microsoft Purview Audit (Premium) add-on license to Admin1: Again, unnecessary because E5 already includes Audit (Premium), and Admin1’s license does not affect User1’s log retention.

Policy tips in DLP: Policy tips are messages shown to users when their action (such as sending sensitive content via email) conflicts with a DLP policy.

For Exchange email location, policy tips are supported in the following apps:

Outlook for Microsoft 365 (desktop client) ✅

Outlook on the web (OWA) ✅

Outlook Mobile (iOS/Android) ❌ Policy tips are not shown in mobile apps. Instead, DLP actions (block/restrict/send incident report) still apply, but the user does not see a policy tip notification.

Therefore:

Supported: Outlook for Microsoft 365, Outlook on the web.

Not supported: Outlook Mobile apps.

Step 1 – Requirement

The scenario requires using Microsoft Purview Insider Risk Management to import HR data (such as employee hire dates, resignations, and department changes). HR data connectors allow insider risk policies to use workforce signals to detect risky user activities.

Step 2 – What to do first

Before importing HR data, you must configure Insider Risk Management settings in the Microsoft Purview compliance portal. This is a prerequisite step that enables HR data connectors and policies to be created.

Since all employee assessments follow a specific template (AssessmentTemplate.docx), the best way to identify these documents for Data Loss Prevention (DLP) is to create a document fingerprint of that template.

Document fingerprinting allows Microsoft 365 DLP policies to recognize documents based on their structure and format, even when content inside varies (such as different employee names and results). By creating a fingerprint of AssessmentTemplate.docx, any copy derived from that template will be automatically detected by the DLP policy and blocked from being emailed externally.

Steps to implement:

● Create a document fingerprint of AssessmentTemplate.docx using PowerShell and the Microsoft Purview compliance portal.

● Apply a DLP policy to prevent external sharing of documents matching this fingerprint.

● Test the policy by attempting to email an assessment externally.

Trainable classifiers in Microsoft Purview learn from sample documents. When the initial results are unsatisfactory, retraining is done by reviewing and reclassifying items through Content explorer under the Data classification section of the Purview compliance portal. This allows you to give feedback by marking documents as “relevant” or “not relevant” to improve classifier accuracy.

The other options do not support retraining:

Labels from Information protection → Used to configure and manage sensitivity labels, not train classifiers.

Labels from Information governance → Used for retention labels, not classifiers.

Content search → Used for eDiscovery and searching content, not classifier training.

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

The False positive and override report helps identify rules that were applied but did not generate an actual policy alert, which means they were overridden or deemed false positives.

The DLP policy matches report provides details on files that matched DLP policies, including the top 10 files.

The Incident reports report helps analyze and review alerts, including those that may have been miscategorized.