Free Microsoft SC-401 Practice Exam with Questions & Answers

To ensure that encrypted email messages sent to external recipients can be revoked or expire within seven days, you need to configure a sensitivity label with encryption settings in Microsoft Purview Information Protection. A sensitivity label allows you to encrypt emails and documents, set expiration policies (e.g., emails expire after 7 days), and enable email revocation

How to configure it?

● Go to Microsoft Purview compliance portal → Information Protection

● Create a sensitivity label

● Enable encryption and configure the content expiration policy

● Publish the label to users

Box 1: To include the sensitive info type detected for each DLP rule match, you need to add a custom column in Activity Explorer. This ensures that the exported file contains specific details about the detected sensitive information types.

Box 2: DLP activity exports from Activity Explorer are always in CSV (Comma-Separated Values) format. This format allows for easy data analysis and reporting in Excel or other data-processing tools.

Step 1 – Scenario

A user named User1 was a member of a dynamic security group (Group1).

User1 is no longer a member of that group.

You need to determine why User1 was removed by searching the audit log.

Step 2 – How group membership changes are logged in Microsoft 365 audit logs

Microsoft 365 audit logs record group membership activities in Azure AD. The most relevant activities for a user disappearing from a group are:

Removed member from group – Directly indicates that a user was removed from a group.

Updated group – Logged when group properties or membership rules (for dynamic groups) are modified. If Group1 is a dynamic group, changes to membership rules could have caused User1 to no longer qualify, and this would appear as an Updated group event.

Step 3 – Why not other options

Deleted user / Deleted group: Would mean the entire user or group object was deleted, not just removal.

Changed user password, Reset user password, Set license properties, Changed user license: These are account-related, not group membership-related.

Added member to group: The opposite action.

Step 4 – Microsoft Reference

From Microsoft documentation:

Audit logs include events such as when a member is added or removed from a group, and when group properties or membership rules are updated.

You need one Sensitive Information Type (SIT) per distinct information pattern. The minimum set that covers both SharePoint and Exchange is:

Credit Card Number (builtin) – used for documents and email.

UK National Health Service Number (builtin) – used for documents and email.

EU/UK Physical Address (builtin “ EU PII: Physical address ” ).

User credentials (builtin “ Credentials ” / “ User credentials ” ).

Custom keywordbased SIT for the sensitive project names ( “ Project Tailspin ” , “ Project Contoso ” , “ Project Falcon ” ) – can be one SIT using a keyword list.

SITs are reusable across locations, so you don’t count duplicates for email and documents.

Step 1 – Requirement

We need a custom sensitive information type (SIT) that detects:

An employee ID number in a specific format → hire date + three digits.

This is a pattern-based requirement.

Specific keywords within 300 characters of that ID → “Employee”, “ID”, or “Identification”.

This is a keyword proximity requirement.

Step 2 – Sensitive info type elements in Microsoft 365

When creating custom SITs, you define primary and secondary elements:

Primary element → The main pattern or data to detect (the most defining factor).

Secondary element → Supporting evidence that must be found near the primary element to increase confidence.

Available elements:

Regular expression → Used to define patterns such as date + digits (for employee ID).

Keyword list → Used for lists of words/phrases like " Employee " , " ID " , " Identification " .

Functions → Used for built-in validators like credit card checksum, not relevant here.

???? Reference: Create a custom sensitive information type in Microsoft 365

Step 3 – Apply to scenario

Employee ID pattern (hire date + 3 digits) → Needs a regular expression → This must be the Primary element.

Keywords (“Employee”, “ID”, “Identification”) within 300 characters → A keyword list → This must be the Secondary element.

Trainable classifiers in Microsoft Purview learn from sample documents. When the initial results are unsatisfactory, retraining is done by reviewing and reclassifying items through Content explorer under the Data classification section of the Purview compliance portal. This allows you to give feedback by marking documents as “relevant” or “not relevant” to improve classifier accuracy.

The other options do not support retraining:

Labels from Information protection → Used to configure and manage sensitivity labels, not train classifiers.

Labels from Information governance → Used for retention labels, not classifiers.

Content search → Used for eDiscovery and searching content, not classifier training.

Retention policy tags (MRM) for Exchange Online are applied by the Managed Folder Assistant (MFA). To apply a newly created Exchange retention policy to mailbox items immediately, you manually invoke MFA with Start-ManagedFolderAssistant for the mailbox or set of mailboxes. Creating DLP policies or label policies in Purview does not accelerate MRM processing.

The False positive and override report helps identify rules that were applied but did not generate an actual policy alert, which means they were overridden or deemed false positives.

The DLP policy matches report provides details on files that matched DLP policies, including the top 10 files.

The Incident reports report helps analyze and review alerts, including those that may have been miscategorized.