Free Microsoft SC-401 Practice Exam with Questions & Answers | Set: 2

You need one Sensitive Information Type (SIT) per distinct information pattern. The minimum set that covers both SharePoint and Exchange is:

Credit Card Number (builtin) – used for documents and email.

UK National Health Service Number (builtin) – used for documents and email.

EU/UK Physical Address (builtin “EU PII: Physical address”).

User credentials (builtin “Credentials”/“User credentials”).

Custom keywordbased SIT for the sensitive project names (“Project Tailspin”, “Project Contoso”, “Project Falcon”) – can be one SIT using a keyword list.

SITs are reusable across locations, so you don’t count duplicates for email and documents.

Step 1 – Summarization in Copilot

For Microsoft 365 Copilot to summarize a file:

The user needs at least View permission.

Summarization does not require editing, copying, or ownership rights.

Looking at the exhibit:

User1 (Co-Owner) → has full access including view.

User2 (Co-Author) → has edit and view.

User3 (Reviewer) → has read-only rights.

User4 (Viewer) → has read rights.

All four users can view the document. Therefore, Copilot can summarize File1 for User1, User2, User3, and User4.

Step 2 – Referencing a file by link in Copilot

For Copilot to reference a file by link (i.e., cite or share within generated content):

The user must have rights that include resharing or exporting.

Only the Co-Owner has full rights to manage access and allow referencing by link.

From the exhibit:

User1 (Co-Owner) → Can reference by link.

User2 (Co-Author), User3 (Reviewer), User4 (Viewer) → Do not have reshare or link rights.

So, only User1 can reference File1 by link.

Box 1: Publishing a Sensitivity Label

Sensitivity labels can be published to Microsoft 365 groups, security groups, SharePoint Online sites, and Microsoft Teams. Since we have:

● Group1 (Microsoft 365 group) - Supported

● Group2 (Security group) - Supported

● Site1 (SharePoint Online site) - Supported

● Team1 (Microsoft Teams team) - Supported

This means we can publish Label1 to Group1, Group2, Site1, and Team1.

Box 2: Auto-Applying a Sensitivity Label

Auto-apply policies for sensitivity labels work on:

● SharePoint Online sites (documents)

● OneDrive (documents)

● Exchange email (messages)

However, labels cannot be auto-applied to Microsoft 365 groups or Teams directly because labels are applied to files and emails, not to groups or Teams as entities. Since Site1 (a SharePoint Online site) supports auto-apply, it is the correct option.

The mail flow rule is configured to apply OMEv2 protection (“Protect with OMEv2”) to messages. With OMEv2:

Recipients on consumer mail systems (such as Gmail) receive a link-protected message and must authenticate to the Office 365 Message Encryption portal to view the content.

Microsoft 365 recipients (even in external tenants) get a native reading experience in Outlook/OWA where protected messages are opened directly with automatic decryption using their Microsoft 365 identity—no separate OME portal workflow is required.

These behaviors are documented by Microsoft for OMEv2 user experiences for different recipient types and clients. See: Microsoft Purview Office 365 Message Encryption overview and user experiences for external Microsoft 365 and consumer email recipients.

We are asked which Microsoft Teams activities can be protected by a DLP policy when applied to different resource scopes: user accounts, Microsoft 365 groups, and security groups or distribution lists.

Step 1 – How DLP applies in Teams

User accounts → Controls 1:1 or group chats (1:1/n chats).

Microsoft 365 groups → Controls Team channel messages (general and private channels).

Security groups or distribution lists → Used as a scoping mechanism for users, but only applies to 1:1/n chats, not to channel messages.

???? Reference: Learn about DLP in Microsoft Teams

Step 2 – Map activities

User accounts → Can protect 1:1/n chats only.

Microsoft 365 groups → Can protect Private channels only and General chats only (both types of Teams channels).

If User1 sends an email externally with five credit card numbers, Policy1 applies. → Yes

If User1 sends an email externally with five credit card numbers, Policy2 also applies. → No (stopped by Policy1).

If User2 sends an email externally with five credit card numbers, Policy2 applies. → Yes

???? Policy1

Order: 0 (highest priority).

Scope: Exchange email for the Finance distribution group.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Encrypt with “Encrypt email” option.

Additional options: Stop processing additional DLP policies and rules.

???? Policy2

Order: 1 (lower priority).

Scope: All Exchange email.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Restrict/block OR encrypt depending on configuration, notify admin.

Additional options: None.

???? User-by-user Analysis

User1 (Finance group):

Policy1 applies first (priority 0).

If User1 sends email externally with ≥ 5 CCNs, Policy1 encrypts the email and stops further processing.

Therefore, Policy2 never applies to User1.

User2 (Sales group):

Not in Finance, so Policy1 does not apply.

Policy2 applies (all Exchange email).

If User2 sends email externally with ≥ 5 CCNs, Policy2 action is enforced (restrict/block or encrypt).

Microsoft 365 Endpoint data loss prevention (Endpoint DLP) is supported only on Windows 10 and Windows 11 devices. It does not support macOS or iOS at this time.

From the provided table:

● Device1 (Windows 11) - Supported

● Device2 (Windows 10) - Supported

● Device3 (iOS) - Not supported

● Device4 (macOS) - Not supported

Thus, only Device1 and Device2 support Endpoint DLP.

Microsoft Purview browser extensions for Endpoint DLP are supported on:

● Windows 10/11 (Config1)

● macOS (Config2)

● Not supported on Android (Config3)

Since Microsoft Purview does not support browser extensions on Android, Config3 is excluded from both Google Chrome and Firefox.

AutoApply1 is an auto-labeling policy that applies RLabel1 to Group1. Auto-labeling policies can apply retention labels across group mailboxes, SharePoint Online sites, and Teams channel messages if they are configured for group resources.

Retention1 is a retention policy applied to Group2. Retention policies for Microsoft 365 groups apply to all group resources, including group mailboxes, SharePoint Online teams sites, and Teams channel messages.

Since both AutoApply1 and Retention1 affect entire groups, they apply to all associated resources: group mailbox, SharePoint Online teams site, and Teams channel messages.