Microsoft SC-401 Dumps & Practice Test Questions
Question 1:
You manage a Microsoft 365 environment with a customer database, where each customer is identified by a 13-character alphanumeric code. Your organization wants to implement a DLP strategy with these rules: Emails containing a single customer ID can be sent externally. Emails with two or more customer IDs require approval from the data privacy team before external transmission.
Which two features are necessary to configure this solution?
A. Sensitivity label
B. Sensitive information type
C. DLP policy
D. Retention label
E. Mail flow rule
Answer: B, C
Explanation:
To achieve the described DLP (Data Loss Prevention) strategy in Microsoft 365, where emails are evaluated based on the number of customer IDs present before being allowed or blocked from external transmission, two key components are required: a Sensitive Information Type (SIT) and a DLP Policy.
B. Sensitive Information Type
A Sensitive Information Type is a fundamental building block in Microsoft Purview DLP solutions. It allows organizations to define custom patterns that identify sensitive content. In this case, the customer ID is a 13-character alphanumeric string, and this format can be modeled using a custom sensitive information type. The SIT can be designed with a regular expression (regex) that captures the specific 13-character pattern and includes checks like minimum and maximum instance thresholds, confidence levels, and supporting evidence (e.g., keywords).
Creating a custom SIT ensures that Microsoft 365 can detect when one or more customer IDs are present in an email or document. It forms the detection logic on which further actions, such as policy enforcement or approval workflows, are based.
C. DLP Policy
A DLP Policy is used to enforce business rules on the detected sensitive content. With a properly configured DLP policy, you can specify different actions based on the number of customer IDs found in the content:
If only one customer ID is detected, the policy can allow the message to be sent externally without intervention.
If two or more customer IDs are detected, the policy can trigger an action, such as sending the message for approval to the data privacy team or blocking the message until reviewed.
Microsoft 365 DLP supports threshold-based rules, so this kind of conditional enforcement is possible and aligns directly with the requirements.
The remaining options do not support this use case:
A. Sensitivity label
Sensitivity labels are used to classify and protect content with encryption, visual markings, and access controls. While useful for content protection, they are not designed for threshold-based rule enforcement on content patterns.
D. Retention label
Retention labels control how long content is retained and what happens at the end of the retention period. They have no role in detecting or managing content transmission based on sensitive data patterns.
E. Mail flow rule
Mail flow rules (also known as transport rules) can filter and take action based on certain conditions, but they do not offer the advanced content inspection and threshold-based controls that DLP policies provide. They also do not integrate with sensitive information types in the way that DLP policies do.
In summary, to meet the requirement of content-based enforcement using a pattern with a specific instance count, the combination of a Sensitive Information Type (B) and a DLP Policy (C) is necessary.
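As an added example (not part of the original page or Microsoft's documentation), the following Security & Compliance PowerShell script builds the policy the explanation describes: one DLP policy on Exchange with two rules keyed on the instance count of a custom sensitive information type. It assumes a custom SIT named "Customer ID" (the 13-character alphanumeric pattern) has already been created in the Purview portal; the policy name, the privacy-team address and the policy-tip text are placeholders. Purview DLP rules have no "send for approval" action, so the review step for two or more IDs is approximated here as blocking the message and sending the detections to the privacy team.

```powershell
# Added example, not from the page. Assumes a custom SIT named "Customer ID"
# already exists (e.g. built on the regex \b[A-Za-z0-9]{13}\b in the portal).
# Names and addresses below are placeholders.

# Security & Compliance PowerShell (ExchangeOnlineManagement module)
Connect-IPPSSession

$policyName  = 'Customer ID external mail'
$privacyTeam = 'privacy-team@contoso.example'   # placeholder address

# Start in test mode; switch -Mode to Enable once the incident reports look right.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment 'One customer ID may leave the tenant; two or more need privacy-team review.'

# Rule 1: exactly one Customer ID sent outside the organisation -> allowed.
# No blocking action; only an incident report so the send stays auditable.
New-DlpComplianceRule -Name 'Single customer ID - audit only' `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(@{ Name = 'Customer ID'; minCount = '1'; maxCount = '1' }) `
    -GenerateIncidentReport $privacyTeam `
    -IncidentReportContent Detections, Title, Service `
    -ReportSeverityLevel Low

# Rule 2: two or more Customer IDs sent outside the organisation -> held.
# Assumption: the "approval" step is modelled as block + notify sender +
# incident report with the matched detections to the privacy team.
New-DlpComplianceRule -Name 'Multiple customer IDs - block and report' `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(@{ Name = 'Customer ID'; minCount = '2' }) `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'Messages with two or more customer IDs need data-privacy review before external sending.' `
    -GenerateIncidentReport $privacyTeam `
    -IncidentReportContent Detections, Title, Service, DetectionDetails `
    -ReportSeverityLevel High

# Check that both rules carry the expected count thresholds and actions.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, AccessScope, BlockAccess
```

The two rules do not overlap because the first caps the count at one (maxCount) and the second starts at two (minCount), which is exactly the threshold behaviour the question relies on. Running the policy in TestWithNotifications first shows how many legitimate messages the second rule would have held before any sender is blocked.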
Question 2:
You're managing Microsoft 365 E5 and want to restrict uploads of DLP-protected files to specific third-party domains using Endpoint DLP. You aim to block file uploads to web1.contoso.com and web2.contoso.com while minimizing admin effort.
What value should be used for the Service domains configuration?
A. .contoso.com
B. contoso.com
C. web1.contoso.com and web2.contoso.com
D. web.contoso.com
Answer: C
Explanation:
Endpoint DLP in Microsoft Purview provides controls over how sensitive data is handled on endpoints, including file transfers via browsers to specific domains. The Service domains configuration in Endpoint DLP allows you to define which domains are allowed or blocked for certain actions, such as file uploads or copy/paste operations.
In this scenario, the goal is to block file uploads to web1.contoso.com and web2.contoso.com, while minimizing administrative effort. However, that doesn’t mean using a broad match like contoso.com or .contoso.com, because doing so would affect all subdomains and may be too restrictive or not precise enough.
Let’s evaluate the options:
A. .contoso.com
This format is not valid in the context of Service domains in Endpoint DLP. Leading with a dot might suggest a wildcard pattern, but Microsoft DLP does not interpret this format for domain matching. It may also result in unpredictable behavior or no effect at all.
B. contoso.com
This option would block or apply policies to the root domain (contoso.com) but not necessarily its subdomains. Microsoft’s documentation clarifies that matching is exact, and unless explicitly included, subdomains like web1.contoso.com would not be matched.
C. web1.contoso.com and web2.contoso.com
This is the correct approach. Endpoint DLP requires explicit domain entries when targeting specific sites. If the requirement is to manage traffic to web1.contoso.com and web2.contoso.com, those domains must be entered individually. This ensures precise control and avoids unintentionally blocking access to other contoso.com subdomains.
D. web.contoso.com
This is not one of the target domains. Entering web.contoso.com would not apply to web1 or web2, so it wouldn’t meet the requirement.
By entering web1.contoso.com and web2.contoso.com into the Service domains list, you gain granular control over just those specific endpoints, fulfilling the business requirement and minimizing broader administrative complications.
Therefore, the correct and most efficient solution is C.
Question 3:
You're setting up a Microsoft Purview DLP policy that covers all supported locations except Microsoft Fabric and Power BI. While creating an advanced rule within the policy, which condition type can be used?
A. Sensitive info type
B. Content search query
C. Sensitivity label
D. Keywords
Answer: A
Explanation:
When configuring a Microsoft Purview Data Loss Prevention (DLP) policy, especially one using advanced rules, it's crucial to understand the types of conditions that are supported within those rules. Microsoft Purview offers a robust framework for content inspection across various services such as Exchange, SharePoint, OneDrive, Teams, and more—with some limitations when it comes to newer services like Microsoft Fabric and Power BI.
In the context of advanced rules, Microsoft restricts the types of conditions that can be applied. These rules provide fine-grained control over DLP policies, often used for complex use cases. However, when creating such a rule, only a subset of condition types are allowed, with Sensitive Information Types (SITs) being the primary and most important one.
A. Sensitive info type
This is the correct answer. Advanced DLP rules currently support Sensitive Information Type conditions. A SIT allows you to define patterns or use prebuilt templates (like those for credit card numbers, Social Security numbers, etc.) to identify sensitive data within content. In the case of advanced rules, SITs provide the detection logic that drives the rule's behavior across supported workloads.
B. Content search query
This condition type is not available for DLP policies. Content search queries are used in the Microsoft Purview Content Search or eDiscovery features for locating content but are not valid condition types in a DLP rule.
C. Sensitivity label
While DLP policies can be scoped to match content labeled with sensitivity labels, advanced rules specifically do not support sensitivity labels as conditions. Only base rules (non-advanced) in a DLP policy can use this condition type.
D. Keywords
Although keywords are often useful in base policy rules, advanced rules do not currently support the keyword condition type. Keyword-based detection is less precise and is generally part of the standard rule creation experience, not the advanced rule editor.
So, when working within advanced DLP rules, especially across nearly all supported workloads (excluding Microsoft Fabric and Power BI), the only supported and valid condition type for detecting data is Sensitive Info Type.
Question 4:
You are about to create a document fingerprint from a structured Word file (Form.docx) for DLP purposes using PowerShell.
Before proceeding, which cmdlet should be executed first to connect to the proper compliance service?
A. Connect-IPPSSession
B. Connect-SPOService
C. Connect-ExchangeOnline
D. Connect-MgGraph
Answer: A
Explanation:
Creating document fingerprints in Microsoft Purview for Data Loss Prevention (DLP) purposes requires connecting to the appropriate compliance center service via PowerShell. Document fingerprinting allows you to treat structured documents (like standardized forms or templates) as sensitive information types, enabling Microsoft Purview DLP to detect those forms even with minor content changes.
To perform DLP operations—particularly ones involving document fingerprinting, custom sensitive info types, or other compliance center functions—you need to connect to the Microsoft Purview compliance portal via PowerShell. This is done using the Security & Compliance PowerShell module, and the appropriate cmdlet is:
A. Connect-IPPSSession
This is the correct cmdlet. The Connect-IPPSSession command connects you to the Information Protection and Security Shell (IPPS), which provides access to compliance-related features such as DLP, retention, labeling, and document fingerprinting. Without this connection, you won't be able to execute any fingerprint creation or compliance-related tasks.
The other options are not suitable for this operation:
B. Connect-SPOService
This cmdlet is used to manage SharePoint Online services and configurations. While DLP policies can apply to SharePoint, this connection is not used for Purview DLP or fingerprinting.
C. Connect-ExchangeOnline
This connects to the Exchange Online PowerShell interface, which is used for managing mailboxes, mail flow, and transport rules—but not document fingerprinting or DLP creation at the compliance center level.
D. Connect-MgGraph
This cmdlet is part of the Microsoft Graph SDK for PowerShell. While Microsoft Graph provides programmatic access to many Microsoft 365 services, it is not used for configuring DLP fingerprinting through standard PowerShell operations.
Therefore, to successfully create a document fingerprint from a file like Form.docx, you must first connect to the compliance session using Connect-IPPSSession.
Question 5:
You’ve received a list of keywords to use in a sensitive info type in Microsoft 365. Which file format should be used to prepare the keyword list for a keyword dictionary?
A. XLSX file with one word in each cell of the first row
B. XML file with a keyword tag for each word
C. ACCDB file with a table named Dictionary
D. Text file with one word per line
Answer: D
Explanation:
When preparing a keyword list for a keyword dictionary in Microsoft 365, the Text file with one word per line is the appropriate format. This is because the keyword dictionary requires a plain-text list where each word or phrase to be identified is on its own line. This makes it simple and easy for the system to parse the file and use it to match sensitive data.
The other options are not suitable for this task. An XLSX file with one word per cell in the first row (A) could technically hold the keywords, but this file format is not optimized for keyword dictionaries in Microsoft 365. It might introduce unnecessary complexity since the system doesn't require a spreadsheet structure.
An XML file with a keyword tag for each word (B) might be more suitable for other tasks involving metadata or structured data but is not the required format for a keyword dictionary in this context. Similarly, an ACCDB file with a table named Dictionary (C) is not relevant for this task. ACCDB files are associated with Microsoft Access and are used for database management, which isn’t the optimal choice for a keyword list that needs to be used for content searching or classification in Microsoft 365.
For the correct format, using a Text file (D) is the best choice. This format ensures simplicity, ease of use, and compatibility with Microsoft 365's sensitive information management features. The file should contain one keyword per line, making it straightforward for the system to reference and apply these keywords during scanning and classification processes.
Question 6:
Employee assessments based on a Word template are stored across various Microsoft 365 locations. To prevent these documents from being emailed externally, you plan to use document fingerprinting.
What’s the best action to identify these documents accurately while minimizing setup time?
A. Create a fingerprint using the AssessmentTemplate.docx file
B. Create a sensitive info type with Exact Data Match (EDM)
C. Import 100 sample files into a seed folder
D. Create a fingerprint from 100 sample files stored in the Assessments folder
Answer: D
Explanation:
When setting up document fingerprinting for sensitive documents like employee assessments, it is essential to gather a sufficient sample of documents that represent the full scope of the content you want to classify. Creating a fingerprint from 100 sample files stored in the Assessments folder (D) is the best approach. By using a variety of files from the actual folder where these documents are stored, you ensure that the fingerprint is representative of the types of documents you need to protect. The fingerprint can then be applied to detect and block these documents if they are shared externally.
Option A, which suggests creating a fingerprint using the AssessmentTemplate.docx file, is a limited approach because it only uses one document as a reference. While the template might be useful, it may not account for the variations found in the actual assessments stored across different locations. Relying on just one file could lead to false positives or negatives.
Option B, which involves creating a sensitive info type with Exact Data Match (EDM), is a good method for identifying specific data patterns (like social security numbers or credit card numbers). However, EDM is not the most efficient for document fingerprinting, especially for varied documents like assessments where the content might change. Fingerprinting offers a more accurate and dynamic solution for identifying documents based on their content.
Option C, which recommends importing 100 sample files into a seed folder, may be useful for some classification tasks, but it does not directly address the fingerprinting process itself. Seed folders are typically used to build machine learning models or train classifiers, but for fingerprinting, selecting files directly from the relevant folder with the actual documents is the most effective method.
Thus, D is the best choice because it provides a robust fingerprint of the specific documents being managed and prevents them from being emailed externally without excessive setup time.
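The PowerShell flow behind Questions 4 and 6, as an added example (not the page's own code and not copied from Microsoft's documentation): connect with Connect-IPPSSession first, create one fingerprint per sample document in a folder, and combine them into a single fingerprint-based sensitive information type. The folder path, SIT name and descriptions are placeholders.

```powershell
# Added example, not from the page. Folder path and names are placeholders.

# Step 1 (Question 4): connect to Security & Compliance PowerShell. Fingerprint
# cmdlets are not available over Connect-ExchangeOnline, Connect-SPOService or
# Connect-MgGraph sessions.
Connect-IPPSSession

$sampleFolder = 'C:\Samples\Assessments'   # placeholder: folder with the sample assessments
$sitName      = 'Employee Assessment'

# Step 2 (Question 6): New-DlpFingerprint takes the raw bytes of one document,
# so loop over every .docx sample and collect one fingerprint per file.
$fingerprints = Get-ChildItem -Path $sampleFolder -Filter '*.docx' -File | ForEach-Object {
    $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
    New-DlpFingerprint -FileData $bytes -Description "Assessment sample: $($_.Name)"
}

if (-not $fingerprints) {
    throw "No .docx sample files found in $sampleFolder"
}

# Step 3: one SIT backed by all the fingerprints. -Fingerprints accepts a list,
# so a single detector covers every sampled variant of the form.
New-DlpSensitiveInformationType -Name $sitName `
    -Description 'Document matches an employee assessment form' `
    -Fingerprints $fingerprints

# Verify; the SIT can now be referenced by name in a DLP rule that blocks
# external e-mail containing matched documents.
Get-DlpSensitiveInformationType -Identity $sitName | Format-List Name, Description, Publisher
```

Fingerprinting reads the document text, so sample files that are password protected or consist only of images produce no usable fingerprint; keeping the sample set to real, text-bearing assessments is what makes the resulting SIT representative.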
Question 7:
You want to define a new keyword dictionary for use in Microsoft 365 DLP or security policies. What should you create to incorporate this dictionary?
A. Trainable classifier
B. Retention policy
C. Sensitivity label
D. Sensitive info type
Answer: D
Explanation:
In Microsoft 365, to define a new keyword dictionary for use in Data Loss Prevention (DLP) or security policies, you should create a Sensitive info type (D). Sensitive info types in Microsoft 365 are designed to identify, classify, and protect sensitive content based on specific characteristics, such as keywords, patterns, or regular expressions.
Sensitive info types can incorporate keyword dictionaries as part of the matching criteria. These dictionaries are a set of specific words or phrases that are flagged whenever they appear in the content of documents, emails, or other data within Microsoft 365 services. Once a sensitive info type is created, it can be used in various compliance solutions like DLP policies or Information Governance to automatically identify and protect sensitive information based on the defined keywords.
Let’s break down why the other options are not suitable for this task:
A. Trainable classifier: This refers to machine learning-based classifiers that are used for content that may not follow fixed patterns or keywords. While trainable classifiers are useful for detecting more complex and evolving data, they are not the appropriate solution when you specifically want to use a keyword dictionary. Trainable classifiers work best when there is a need to detect patterns based on previous learning or training rather than a defined set of words.
B. Retention policy: Retention policies are used to manage how long information is retained within Microsoft 365, not for detecting sensitive data based on keywords. These policies ensure that data is kept for a certain period or deleted after a set time but do not assist in creating a keyword-based dictionary for security or DLP purposes.
C. Sensitivity label: Sensitivity labels are used to classify and protect data based on its sensitivity level, but they are not directly related to keyword dictionaries. Sensitivity labels typically use predefined classifications or labels (like "Confidential" or "Public") rather than a set of keywords. While you can apply sensitivity labels as part of DLP or other policies, creating a keyword dictionary specifically requires a Sensitive info type.
Thus, D is the correct answer because it specifically refers to the use of a keyword dictionary in Microsoft 365 to identify and manage sensitive information.
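For Questions 5 and 7 together, here is an added example (not from the page) that prepares the one-term-per-line text file and uploads it as a keyword dictionary in Security & Compliance PowerShell; the dictionary is then available to a custom sensitive information type. File paths, the dictionary name and its description are placeholders.

```powershell
# Added example, not from the page. Paths and names are placeholders.

Connect-IPPSSession

$rawList  = 'C:\Data\project-codenames-raw.txt'   # placeholder: list as received
$dictFile = 'C:\Data\project-codenames.txt'       # placeholder: cleaned file to upload
$dictName = 'Project Codenames'

# Normalise to the required shape: one term per line, no surrounding whitespace,
# no blank lines, no duplicates (Sort-Object -Unique is case-insensitive), UTF-8.
Get-Content -Path $rawList |
    ForEach-Object { $_.Trim() } |
    Where-Object   { $_ -ne '' } |
    Sort-Object    -Unique |
    Set-Content    -Path $dictFile -Encoding UTF8

# Upload the file bytes as a keyword dictionary.
$fileData = [System.IO.File]::ReadAllBytes($dictFile)
New-DlpKeywordDictionary -Name $dictName `
    -Description 'Internal project codenames supplied by the PMO' `
    -FileData $fileData

# Confirm the upload and note the Identity, which a custom sensitive info type
# references when it uses this dictionary as a match element.
Get-DlpKeywordDictionary -Name $dictName | Format-List Name, Description, Identity
```

The cleaning step matters more than it looks: a stray blank line or a trailing space becomes a term that matches nothing, and duplicates inflate the dictionary without adding detection. The dictionary itself detects nothing until a sensitive info type references it, which is the point of Question 7.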
Question 8:
A local application named Tailspin_scanner.exe is accessing sensitive files on devices managed by Microsoft Purview. You want to block this app from accessing sensitive content but still allow it to access non-sensitive files.
You propose excluding a folder path using Endpoint DLP settings. Does this approach meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Using Endpoint DLP settings to exclude a folder path will not achieve the goal of blocking a specific application from accessing sensitive content while still allowing it to access non-sensitive files. Excluding a folder path in Endpoint DLP settings would prevent the DLP system from applying protection or monitoring to files within that folder, but it does not control which applications can access those files. This would likely lead to a situation where the application could still access the sensitive content within that folder, thus not achieving the intended goal.
The reason this approach does not meet the goal is that Endpoint DLP settings primarily help enforce policies around the data itself, such as restricting the sharing of sensitive content or blocking the transfer of sensitive data to non-approved locations. It does not provide granular control over individual applications' access to specific types of content. Endpoint DLP can detect when sensitive content is being accessed or transferred but does not have the functionality to block specific applications from interacting with that data, especially if those applications are accessing data that is stored within folders that are not covered by DLP rules.
The correct approach would involve using application-specific controls within Microsoft Purview or another more granular application control setting. For example, you could configure application control policies or Device Compliance Policies in Microsoft Intune or use app-based restrictions through Microsoft Defender for Endpoint. These tools allow you to define which applications can access certain types of content and prevent unauthorized applications from accessing sensitive information, regardless of the folder path.
Therefore, the correct answer is B, as excluding a folder path in Endpoint DLP will not effectively block the application from accessing sensitive files.
Question 9:
The local application Tailspin_scanner.exe has been accessing protected data on devices in your Microsoft 365 environment. You want to block it from accessing sensitive data but not other files. You propose using Microsoft Defender for Cloud Apps to create an app discovery policy.
Does this approach meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Microsoft Defender for Cloud Apps is a powerful tool for discovering and managing cloud applications within your environment. It provides visibility into the apps being used and helps identify any risky behaviors or compliance violations. However, the App Discovery Policy in Defender for Cloud Apps is primarily designed to monitor cloud-based applications and understand how they are interacting with cloud resources. It is not specifically designed to block local applications, such as Tailspin_scanner.exe, from accessing sensitive data stored on devices.
The goal in this scenario is to prevent a specific local application from accessing sensitive data but still allow it to access non-sensitive files. For this, the solution requires a method that can block or restrict specific local applications from interacting with sensitive content, which is typically managed through device or application-level controls rather than through cloud-based app discovery.
Defender for Cloud Apps would be more suitable if your goal was to manage cloud apps (such as Office 365 applications, third-party cloud apps, etc.) and their access to sensitive data within your cloud environment. However, since Tailspin_scanner.exe is a local application on the device, this tool would not be able to directly control access to sensitive files on that device.
A more appropriate solution would involve using Microsoft Defender for Endpoint or Endpoint DLP settings, which are designed to provide control over local device applications and their interactions with sensitive data. Endpoint DLP allows you to create policies that can block or monitor specific apps from accessing certain types of sensitive content on managed devices. Additionally, Microsoft Intune can help enforce device compliance policies to restrict local applications based on specific criteria, including access to sensitive information.
In conclusion, using Microsoft Defender for Cloud Apps to create an app discovery policy does not meet the goal of blocking a local application from accessing sensitive data. The correct approach would involve using device-specific controls such as Endpoint DLP or Defender for Endpoint.
Therefore, the correct answer is B.
Question 10:
Your organization has configured Microsoft Purview sensitivity labels with label-based encryption. You must ensure that documents labeled Highly Confidential – Finance can only be decrypted on Intune-compliant, domain-joined Windows devices.
Which two items must you configure to enforce this requirement? (Choose 2.)
A. A sensitivity label policy scoped to the Finance department that requires Azure AD authentication and “User must be on an Intune-compliant device”
B. A Conditional Access policy with the cloud app Microsoft Azure Information Protection and the grant control Require device to be marked as compliant
C. A Microsoft Intune app protection policy (MAM) that blocks copy/paste for Office desktop apps
D. Purview Data Loss Prevention (DLP) rule that blocks access from unmanaged devices for the selected label
E. A Microsoft Purview Endpoint DLP device configuration profile requiring domain join for decryption
Answer: A, B
Explanation:
To ensure that documents labeled as Highly Confidential – Finance can only be decrypted on Intune-compliant, domain-joined Windows devices, you need to configure settings that enforce both compliance requirements and device conditions. Let's break down the options and why the correct ones are A and B.
A. A sensitivity label policy scoped to the Finance department that requires Azure AD authentication and “User must be on an Intune-compliant device”
This option is necessary because it specifically targets the sensitivity label policy for the Finance department, ensuring that the policy applies only to relevant users. The policy also specifies that the user must be on an Intune-compliant device, meaning the device must adhere to security standards set in Intune. This directly meets the goal of ensuring that only compliant devices can access sensitive documents, making it a key component in enforcing the decryption conditions.
B. A Conditional Access policy with the cloud app Microsoft Azure Information Protection and the grant control Require device to be marked as compliant
A Conditional Access policy is a crucial mechanism for controlling access to cloud apps, such as those using Microsoft Azure Information Protection (AIP) for label-based encryption. By requiring that the device be marked as compliant, this policy ensures that only devices that meet the Intune compliance requirements can access the labeled documents. Conditional Access policies are typically used to enforce access control based on the device's compliance state, ensuring that only Intune-compliant devices can decrypt the sensitive files. This is a vital piece of the puzzle for the decryption requirement.
Why the other options do not meet the goal:
C. A Microsoft Intune app protection policy (MAM) that blocks copy/paste for Office desktop apps
This option relates to controlling app behaviors rather than enforcing device compliance. It specifically blocks actions like copy/paste in Office apps, which is useful for securing data from unauthorized use but doesn't directly address the requirement to ensure that sensitive documents are only decrypted on compliant devices. This policy is more about managing app behaviors than enforcing access based on device compliance, so it doesn't help enforce the Intune-compliant, domain-joined device requirement.
D. Purview Data Loss Prevention (DLP) rule that blocks access from unmanaged devices for the selected label
While DLP rules are useful for preventing unmanaged devices from accessing sensitive data, they don't address the requirement for device compliance in a comprehensive way. A DLP rule can block access from unmanaged devices, but it doesn’t ensure the device is also domain-joined or compliant with Intune security standards. This option is more focused on preventing access entirely, rather than enforcing the decryption condition tied to compliance and domain-joining.
E. A Microsoft Purview Endpoint DLP device configuration profile requiring domain join for decryption
Endpoint DLP settings are useful for managing access to sensitive data, but this option is not directly related to the specific requirements of Intune-compliant devices for decryption. Although requiring a domain join is important for some scenarios, it doesn’t cover the compliance check that Intune provides. This option focuses more on the network and access controls, not on ensuring that only Intune-compliant devices can decrypt sensitive data.
To enforce the requirement that documents labeled Highly Confidential – Finance can only be decrypted on Intune-compliant, domain-joined Windows devices, you need both a sensitivity label policy (A) and a Conditional Access policy (B) to ensure the device meets both the compliance and access conditions. These two configurations together will effectively block access to sensitive data based on compliance status and domain-joining requirements. Therefore, the correct answers are A and B.
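As an added example (not part of the page), the Conditional Access policy from option B expressed with Microsoft Graph PowerShell: scoped to a Finance group, targeting the Microsoft Azure Information Protection cloud app, with the "Require device to be marked as compliant" grant control. The group and application IDs are placeholders, and the policy is created in report-only mode so its effect can be checked in sign-in logs before enforcement.

```powershell
# Added example, not from the page. IDs below are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$financeGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: Finance group object ID
$aipAppId       = '11111111-1111-1111-1111-111111111111'   # placeholder: app ID of Microsoft Azure Information Protection

$policy = @{
    displayName = 'Require compliant device for label-protected content (Finance)'
    # Report-only first; set to 'enabled' after reviewing the sign-in log results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($financeGroupId) }
        applications   = @{ includeApplications = @($aipAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        # 'compliantDevice' is the "Require device to be marked as compliant" control.
        # 'domainJoinedDevice' is the separate built-in control for the domain-join part.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Format-List Id, DisplayName, State

# Read the policy back and confirm the grant control that gates decryption.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).GrantControls.BuiltInControls
```

Because label-based encryption issues use licenses through the Azure Information Protection service, gating that app on device compliance is what stops a non-compliant device from decrypting the content even after a user authenticates; the sensitivity label policy from option A then scopes which users receive the label in the first place.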