SC-401 Exam Dumps - Administering Information Security in Microsoft 365

Step 1 – Review what’s configured

Labels: Public, General, Confidential, Internal, External.

Also shown in policy: Confidential/Internal and Confidential/External.

Policy setting: Users must provide justification to remove a label or lower its classification.

Confidential/External → encrypts content when applied.

Step 2 – Analyze each statement

Statement 1: The Internal sensitivity label inherits all the settings from the Confidential label.

Sub-labels (e.g., Confidential/Internal, Confidential/External) do not inherit settings from the parent.

They are independent labels grouped under a parent for organization, but each sub-label must have its own protection settings defined.

Answer: No

Statement 2: Users must provide justification if they change the label of content from Confidential/Internal to Confidential/External.

The policy requires justification only when removing a label or downgrading classification (lowering).

Changing between two sub-labels of the same parent (Confidential/Internal → Confidential/External) is considered a lateral move (not a downgrade).

Answer: No

Statement 3: Content that has the Confidential/External label applied will retain the encryption settings if the sensitivity label is removed from the label policy.

If a label is removed from a published policy, content already labeled retains its protection settings (such as encryption).

The label metadata stays applied to the file/email, even if unpublished.

Answer: Yes

When you create an auto-labeling policy for sensitivity labels and start it in simulation mode using the default settings, Microsoft Purview will automatically turn on the policy after 14 days if you make no changes during simulation. A policy created on February 1 would therefore be turned on on February 15.

References used:

Microsoft Purview Data Access Governance custom assessments item limits.

Exchange Online Managed Folder Assistant and Start-ManagedFolderAssistant.

Auto-labeling simulation mode behavior and automatic enable timeline.

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

To auto-apply a retention label to documents based on a specific file naming pattern (like abc_XX123.docx), you need to use a detection method that can recognize patterns.

Retention label: This is the outcome (what you apply), not the detection mechanism. It cannot itself identify files.

Trainable classifier: Used for identifying content based on text meaning/semantics (e.g., HR documents, contracts). It is not suitable for structured patterns like file names.

Sensitive info type (SIT): Best option. Custom SITs can be created with regular expressions to match naming formats (such as xxx_XX999). Once the SIT is defined, you can configure an auto-apply retention label policy to apply the “Project Documents” label when the SIT is detected.

To create a custom trainable classifier in Microsoft Purview (formerly Microsoft Compliance Center), you must first opt into the trainable classifier feature.

Before using custom trainable classifiers, Microsoft requires manual opt-in through the Microsoft Purview compliance portal. Without this step, you cannot create a new classifier.

The Compliance Administrator role has the necessary permissions to configure data classification, DLP policies, and trainable classifiers. Global Administrator has higher privileges but is not required for this task, violating the principle of least privilege. Security Administrator is focused on security-related settings but does not manage compliance features like classifiers.

In Microsoft Teams:

Files shared in 1:1 or group chats

These files are stored in the sender’s OneDrive for Business.

So, to protect them with DLP and prevent guest access, the relevant location is OneDrive accounts.

Files shared in Teams channels

These files are stored in the underlying SharePoint Online site associated with that Team.

So, to protect them with DLP and prevent guest access, the relevant location is SharePoint sites.

Incorrect options:

Exchange email: Protects email messages, not Teams-shared files.

Teams chat and channel messages: Protects text messages, not the attached or shared files.

Step 1 – Scenario

The alert in the exhibit is named Alert2.

Current status = Resolved.

The task is to identify which statuses you can change the alert to.

Step 2 – Microsoft 365 Alert Lifecycle

In Microsoft 365 compliance and security alerts, an alert can move between multiple statuses depending on investigation and remediation. The available statuses are:

Active – The alert is new and not yet acted upon.

Investigating – The alert is under review.

Resolved – The alert has been addressed.

Dismissed – The alert is ignored or deemed not relevant.

Step 3 – Status changes from "Resolved"

If an alert is in the Resolved state, administrators can reopen or reclassify it. According to Microsoft documentation, from Resolved, you can change it to:

Active

Investigating

Dismissed

This allows flexibility in continuing investigations if needed or dismissing false positives.

Step 4 – Microsoft Reference

From Microsoft Docs: “You can change the status of an alert between Active, Investigating, Resolved, and Dismissed to reflect its current stage in the triage process.”