Free Microsoft SC-401 Practice Exam with Questions & Answers

The requirement is that User1 must be able to analyze prompts and responses for AI interaction events in Microsoft Purview DSPM for AI, while following the principle of least privilege.

Information Protection Analysts role group:

Members can review and analyze sensitive data activity, including AI interaction events collected by Purview DSPM. This role is specifically intended for analysts monitoring sensitive information and is therefore necessary for User1.

Content Explorer List Viewer role group:

Members can see metadata about items with sensitive information, such as file names, locations, sensitivity labels, and policy matches, without accessing the actual file content. This provides the required visibility for AI-related data classification and interaction analysis while adhering to the least privilege principle.

Roles not required:

Content Explorer Content Viewer would give the ability to view the actual content of files, which is more access than needed.

Security Reader is intended for reviewing alerts and incidents but not for analyzing AI prompts and responses.

Insider Risk Management Investigators focus on insider risk investigations, not AI event analysis.

Box 1: Insider Risk Management policies in Microsoft Purview can be configured to detect risky behavior, such as accessing phishing websites. These policies monitor user activity, generate alerts, and help organizations investigate potential security threats.

Box 2: Microsoft Defender Browser Protection extension helps in detecting unsafe or phishing websites and integrating this detection with Insider Risk Management policies. This extension works with Microsoft Edge and Google Chrome to identify risky browsing activity and trigger alerts.

Let’s break it down:

File1.docx → DLP action = None

No DLP restrictions, so it is fully accessible to both User1 (owner) and User2 (member).

File2.docx → DLP action = Matched by DLP

“Matched” means the DLP policy detected sensitive content but has not blocked access. Instead, it may generate an alert or policy tip.

Both User1 and User2 can still open this file.

File3.docx → DLP action = Blocked by DLP

“Blocked” means the DLP policy actively restricts access or sharing of the file.

User2 (member) cannot open this file.

However, User1 (site owner) can open it because site collection admins and owners always retain full control over content, even if a DLP rule applies.

Ref: Microsoft Purview DLP policy tips and enforcement

→ DLP policies do not prevent SharePoint/OneDrive site collection admins (owners) from accessing content.

✅ Final Answer Table:

User1 (Site Owner): File1.docx, File2.docx, File3.docx

User2 (Site Member): File1.docx, File2.docx

Step 1 – Review the configuration

Sensitivity label name: Contoso Confidential

Scope: Files and emails

Access control:

Encrypts documents/emails.

Permissions assigned to AuthenticatedUsers with Co-Author rights.

Offline access allowed only for 7 days.

Auto-labeling = None (not configured).

Content marking: Footer applied.

Step 2 – Analyze each statement

Statement 1: If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential.

Sensitivity labels with encryption enforce Azure AD authentication every time a user tries to access a file.

If the account is disabled in Azure AD, access is blocked immediately.

Answer: Yes

Statement 2: Guest users will be able to open documents protected by Contoso Confidential.

Access control was configured only for AuthenticatedUsers (internal users).

Guest or external users are not included in this group.

Therefore, guest users cannot open the protected documents.

Answer: No

Statement 3: Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online.

Auto-labeling for files and emails = None.

That means labeling must be applied manually by users, not automatically.

Answer: No

Final Verified Answers

If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential → Yes

Guest users will be able to open documents protected by Contoso Confidential → No

Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online → No

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT) → Copilot cannot summarize.

Since File2 is labeled Label2, it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

If User1 sends an email externally with five credit card numbers, Policy1 applies. → Yes

If User1 sends an email externally with five credit card numbers, Policy2 also applies. → No (stopped by Policy1).

If User2 sends an email externally with five credit card numbers, Policy2 applies. → Yes

???? Policy1

Order: 0 (highest priority).

Scope: Exchange email for the Finance distribution group.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Encrypt with “Encrypt email” option.

Additional options: Stop processing additional DLP policies and rules.

???? Policy2

Order: 1 (lower priority).

Scope: All Exchange email.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Restrict/block OR encrypt depending on configuration, notify admin.

Additional options: None.

???? User-by-user Analysis

User1 (Finance group):

Policy1 applies first (priority 0).

If User1 sends email externally with ≥ 5 CCNs, Policy1 encrypts the email and stops further processing.

Therefore, Policy2 never applies to User1.

User2 (Sales group):

Not in Finance, so Policy1 does not apply.

Policy2 applies (all Exchange email).

If User2 sends email externally with ≥ 5 CCNs, Policy2 action is enforced (restrict/block or encrypt).

The Service domains setting in Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) allows administrators to block or allow specific domains for file uploads. The goal is to prevent users from uploading DLP-protected documents to web1.contoso.com and web2.contoso.com.

Setting the Service domains to "web1.contoso.com and web2.contoso.com" precisely targets the two specific third-party websites, minimizing administrative effort while ensuring strict control.

To prevent the contents of files stored in Channel1 from being included in Microsoft 365 Copilot responses and ensure unauthorized users cannot access them, you should use Microsoft Purview Sensitivity Labels.

Sensitivity labels allow you to classify, protect, and restrict access to sensitive files. You can configure label-based encryption and access control policies to ensure that only authorized users can access or interact with the files in Channel1. Microsoft 365 Copilot respects sensitivity labels, meaning if a file is labeled with restricted permissions, Copilot will not use it in generated responses for unauthorized users.

Comprehensive Detailed Explanation with References

Custom Data Access Governance (DAG) data assessment scans in Microsoft Purview can be run on selected SharePoint Online or OneDrive locations to check for oversharing and exposure. Each custom assessment scan supports up to 200,000 items per location. This cap is documented in Microsoft’s guidance for custom data access governance assessments.