SC-401 Exam Dumps - Administering Information Security in Microsoft 365

The Set-MailboxFolderPermission -Identity " User1 " -User User1@contoso.com -AccessRights Owner command is incorrect. This assigns folder permissions but does not enable auditing. It does not track who accessed the mailbox or deleted emails.

Step 1 – Scenario

Tenant domain = contoso.com

Encryption method = Microsoft Purview Advanced Message Encryption (AME) using branded, link-based emails.

Recipients:

Recipient1 → Contoso internal user (same tenant).

Recipient2 → External Microsoft 365 user (Fabrikam).

Recipient3 → Outlook.com consumer email.

Recipient4 → Gmail.com consumer email.

The question asks: For which recipients can User1 revoke the emails?

Step 2 – Revocation in Advanced Message Encryption

Microsoft Purview AME allows senders to:

Revoke sent encrypted emails.

Revoke applies to all recipients who receive a link-based branded encrypted message.

When revoked, the secure message link no longer works, regardless of whether the recipient is internal, external Microsoft 365, Outlook.com, Gmail, or another email provider.

This differs from traditional RMS-based encryption where revocation is tenant-specific. In AME, the revocation is possible because the recipient must open the message through a secure browser portal (Office 365 Message Encryption portal).

Step 3 – Evaluate each recipient

Recipient1 (contoso.com, internal) → Yes, message can be revoked.

Recipient2 (fabrikam.onmicrosoft.com, external Microsoft 365) → Yes, message can be revoked because AME link enforcement works across tenants.

Recipient3 (outlook.com, consumer) → Yes, message can be revoked, they use the secure OME portal.

Recipient4 (gmail.com, consumer) → Yes, message can be revoked, they also use the secure OME portal.

Step 4 – Microsoft Reference

From Microsoft Docs:

“With Advanced Message Encryption, admins can configure branding and revocation for encrypted email messages. Revocation applies to encrypted emails sent to both internal and external recipients, including those using Outlook.com, Gmail.com, and other email services.”

Endpoint DLP builds on Microsoft Defender for Endpoint integration. Before enabling Endpoint DLP, you must turn on device onboarding in Microsoft Purview to allow devices (like Device1) to be enrolled. After onboarding, you can assign DLP policies to endpoints.

Step 1 – Scenario

A user named User1 was a member of a dynamic security group (Group1).

User1 is no longer a member of that group.

You need to determine why User1 was removed by searching the audit log.

Step 2 – How group membership changes are logged in Microsoft 365 audit logs

Microsoft 365 audit logs record group membership activities in Azure AD. The most relevant activities for a user disappearing from a group are:

Removed member from group – Directly indicates that a user was removed from a group.

Updated group – Logged when group properties or membership rules (for dynamic groups) are modified. If Group1 is a dynamic group, changes to membership rules could have caused User1 to no longer qualify, and this would appear as an Updated group event.

Step 3 – Why not other options

Deleted user / Deleted group: Would mean the entire user or group object was deleted, not just removal.

Changed user password, Reset user password, Set license properties, Changed user license: These are account-related, not group membership-related.

Added member to group: The opposite action.

Step 4 – Microsoft Reference

From Microsoft documentation:

Audit logs include events such as when a member is added or removed from a group, and when group properties or membership rules are updated.

Comprehensive Detailed Explanation with References

The command Set-AuditConfig -Workload Exchange is related to configuring auditing for workloads but does not enable mailbox auditing.

To capture and view who is accessing User1’s mailbox, mailbox auditing must be enabled at the mailbox level in Exchange Online.

Correct solution would be:

Set-Mailbox -Identity User1 -AuditEnabled $true

Mailbox auditing is enabled by default for all mailboxes in Microsoft 365 now, but if it is disabled, enabling auditing at the mailbox level is required. Running Set-AuditConfig -Workload Exchange alone does not accomplish this.

In Defender for Cloud Apps file policies, Access level is the filter used to detect how a file is exposed (e.g., Public on the internet, External, Internal, Private). Choosing Access level = External matches files that are shared with users outside your organization—exactly the “shared externally” condition.

Ref: Microsoft Defender for Cloud Apps – Create/Use file policies (File filters: Access level), Microsoft Learn.

See: Microsoft Defender for Cloud Apps > Policies > File policies documentation describing file filters including Access level and its values (Public, External, Internal, Private).

To target files that carry an MIP/AIP classification such as Internal Only, you use the Sensitivity label file filter. Defender for Cloud Apps ingests Microsoft Purview Information Protection labels and lets you build file policies that trigger when a specific label is applied.

Ref: Integrate Microsoft Information Protection with Microsoft Defender for Cloud Apps and File policies – Sensitivity label filter, Microsoft Learn.

These docs explain that MCAS can filter and govern files by Sensitivity label and apply governance based on labels such as Internal Only, Confidential, etc.

Why not the other options?

Collaborators filters by specific users/domains; it’s useful to find files shared with a particular external user but not for the generic “shared externally” condition.

Matched policy is for files already flagged by another policy/DLP engine and does not detect “Internal Only” labeling by itself.

Comprehensive Detailed Explanation with References

We are given a sensitivity label with the following Access control settings:

Assign permissions now → meaning admins define permissions, not end users.

User access to content expires = Never.

Allow offline access = Always.

Permissions explicitly assigned:

LegalTeam@… → Co-Author

USSales@… → Reviewer

Dynamic watermarking and Double Key Encryption are not enabled.