Free Microsoft SC-401 Practice Exam with Questions & Answers

File1

Location: SharePoint Online.

Created: Dec 28, 2015.

As of Jan 1, 2025 → File is 9+ years old.

If retention is (example: 7 years), then the retention period has expired, and the file will be deleted once the policy is turned on.

✅ Answer: Yes

File2

Location: OneDrive.

Created: Jan 2, 2015.

As of Jan 1, 2025 → File is 10 years old.

Retention period (7 years, for example) has expired → File will be deleted once the policy is turned on.

✅ Answer: Yes

File3

Location: Exchange Online public folder.

Created: May 1, 2010.

As of Jan 1, 2025 → File is 15 years old.

But Exchange public folders are not supported locations for Microsoft 365 retention policies.

Therefore, policy does not apply, and file will not be deleted.

Answer: No

Step 1 – Requirement

We need a custom sensitive information type (SIT) that detects:

An employee ID number in a specific format → hire date + three digits.

This is a pattern-based requirement.

Specific keywords within 300 characters of that ID → “Employee”, “ID”, or “Identification”.

This is a keyword proximity requirement.

Step 2 – Sensitive info type elements in Microsoft 365

When creating custom SITs, you define primary and secondary elements:

Primary element → The main pattern or data to detect (the most defining factor).

Secondary element → Supporting evidence that must be found near the primary element to increase confidence.

Available elements:

Regular expression → Used to define patterns such as date + digits (for employee ID).

Keyword list → Used for lists of words/phrases like "Employee", "ID", "Identification".

Functions → Used for built-in validators like credit card checksum, not relevant here.

???? Reference: Create a custom sensitive information type in Microsoft 365

Step 3 – Apply to scenario

Employee ID pattern (hire date + 3 digits) → Needs a regular expression → This must be the Primary element.

Keywords (“Employee”, “ID”, “Identification”) within 300 characters → A keyword list → This must be the Secondary element.

You need one Sensitive Information Type (SIT) per distinct information pattern. The minimum set that covers both SharePoint and Exchange is:

Credit Card Number (builtin) – used for documents and email.

UK National Health Service Number (builtin) – used for documents and email.

EU/UK Physical Address (builtin “EU PII: Physical address”).

User credentials (builtin “Credentials”/“User credentials”).

Custom keywordbased SIT for the sensitive project names (“Project Tailspin”, “Project Contoso”, “Project Falcon”) – can be one SIT using a keyword list.

SITs are reusable across locations, so you don’t count duplicates for email and documents.

Since all employee assessments follow a specific template (AssessmentTemplate.docx), the best way to identify these documents for Data Loss Prevention (DLP) is to create a document fingerprint of that template.

Document fingerprinting allows Microsoft 365 DLP policies to recognize documents based on their structure and format, even when content inside varies (such as different employee names and results). By creating a fingerprint of AssessmentTemplate.docx, any copy derived from that template will be automatically detected by the DLP policy and blocked from being emailed externally.

Steps to implement:

● Create a document fingerprint of AssessmentTemplate.docx using PowerShell and the Microsoft Purview compliance portal.

● Apply a DLP policy to prevent external sharing of documents matching this fingerprint.

● Test the policy by attempting to email an assessment externally.

To track interactions between users and generative AI websites in Microsoft Purview Audit, you need to deploy the Microsoft Purview browser extension to the devices. This extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms.

Microsoft Purview extension provides visibility into browser-based activities, including AI tool usage, ensuring compliance and risk management within Microsoft Purview. This extension works with Microsoft Edge and Google Chrome to track and log user interactions.

AutoApply1 is an auto-labeling policy that applies RLabel1 to Group1. Auto-labeling policies can apply retention labels across group mailboxes, SharePoint Online sites, and Teams channel messages if they are configured for group resources.

Retention1 is a retention policy applied to Group2. Retention policies for Microsoft 365 groups apply to all group resources, including group mailboxes, SharePoint Online teams sites, and Teams channel messages.

Since both AutoApply1 and Retention1 affect entire groups, they apply to all associated resources: group mailbox, SharePoint Online teams site, and Teams channel messages.

Step 1 – Review the configuration

Sensitivity label name: Contoso Confidential

Scope: Files and emails

Access control:

Encrypts documents/emails.

Permissions assigned to AuthenticatedUsers with Co-Author rights.

Offline access allowed only for 7 days.

Auto-labeling = None (not configured).

Content marking: Footer applied.

Step 2 – Analyze each statement

Statement 1: If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential.

Sensitivity labels with encryption enforce Azure AD authentication every time a user tries to access a file.

If the account is disabled in Azure AD, access is blocked immediately.

Answer: Yes

Statement 2: Guest users will be able to open documents protected by Contoso Confidential.

Access control was configured only for AuthenticatedUsers (internal users).

Guest or external users are not included in this group.

Therefore, guest users cannot open the protected documents.

Answer: No

Statement 3: Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online.

Auto-labeling for files and emails = None.

That means labeling must be applied manually by users, not automatically.

Answer: No

Final Verified Answers

If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential → Yes

Guest users will be able to open documents protected by Contoso Confidential → No

Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online → No

Step 1 – Where to configure Insider Risk Management notices

Insider risk management notices are part of the Microsoft Purview Insider Risk Management solution.

They are created and managed within the Microsoft Purview compliance portal.

The Microsoft 365 admin center, Microsoft Defender portal, or Microsoft Entra admin center are not used for notice templates.

Therefore, the correct choice for the portal is: Microsoft Purview portal.

Step 2 – Supported formats for notice templates

When creating an Insider Risk Management notice template, Microsoft Purview allows customization of the message body in HTML format.

HTML provides rich text formatting (fonts, colors, links, branding).

Markdown, RTF, and XML are not supported options for Purview notice templates.

Therefore, the correct format is: HTML.

Step 3 – Microsoft Reference

Microsoft documentation states:

“Notice templates are created and managed in the Microsoft Purview compliance portal. The body of the notice message is authored in HTML format to allow for full customization.”

To ensure that encrypted email messages sent to external recipients can be revoked or expire within seven days, you need to configure a sensitivity label with encryption settings in Microsoft Purview Information Protection. A sensitivity label allows you to encrypt emails and documents, set expiration policies (e.g., emails expire after 7 days), and enable email revocation

How to configure it?

● Go to Microsoft Purview compliance portal → Information Protection

● Create a sensitivity label

● Enable encryption and configure the content expiration policy

● Publish the label to users