SC-401 Exam Dumps - Administering Information Security in Microsoft 365

Step 1 – Scenario

A user named User1 was a member of a dynamic security group (Group1).

User1 is no longer a member of that group.

You need to determine why User1 was removed by searching the audit log.

Step 2 – How group membership changes are logged in Microsoft 365 audit logs

Microsoft 365 audit logs record group membership activities in Azure AD. The most relevant activities for a user disappearing from a group are:

Removed member from group – Directly indicates that a user was removed from a group.

Updated group – Logged when group properties or membership rules (for dynamic groups) are modified. If Group1 is a dynamic group, changes to membership rules could have caused User1 to no longer qualify, and this would appear as an Updated group event.

Step 3 – Why not other options

Deleted user / Deleted group: Would mean the entire user or group object was deleted, not just removal.

Changed user password, Reset user password, Set license properties, Changed user license: These are account-related, not group membership-related.

Added member to group: The opposite action.

Step 4 – Microsoft Reference

From Microsoft documentation:

Audit logs include events such as when a member is added or removed from a group, and when group properties or membership rules are updated.

When you configure Microsoft Purview DLP policies for the Teams chat and channel messages location, the following entities are protected:

1:1 and n:n chats (private chats between two or more users).

Team channel messages (including the General channel and all standard channels).

Private channel messages.

This means that if a DLP policy is applied to User1 and User2, it will monitor and enforce rules across:

Chats between User1 and User2 (1:1 or group chats).

Any channel conversations they participate in (General or other channels).

Private channels they belong to.

Incorrect options:

A (1:1/n chats and general channels only) → Excludes private channels, but DLP supports them.

B (1:1/n chats and private channels only) → Excludes general channels, but DLP supports them too.

This question is about creating a one-click policy within Microsoft Purview's Data Security Posture Management for AI portal. These policies are designed to mitigate risks associated with sensitive data and AI websites. The correct configuration for this specific scenario is to select "Test it out first" and apply the policy to "Devices, Instances, and SharePoint sites." This configuration is based on Microsoft's recommended practices for deploying data loss prevention (DLP) and similar policies.

Policy Mode: "Test it out first"

Microsoft recommends using test mode for new policies to evaluate their impact and effectiveness before enforcing them. This approach prevents unintended disruptions to user workflows. In test mode, the policy monitors and audits the specified activities without blocking them. It generates alerts and reports, allowing administrators to review the policy's behavior and make necessary adjustments. This aligns with the principle of "start small, then scale," ensuring that a policy designed to block sensitive data transfers doesn't inadvertently prevent legitimate business activities.

Policy Scope: "Devices, Instances, and SharePoint sites"

The policy aims to block users from pasting or uploading sensitive data to AI websites. This requires a comprehensive scope to cover all potential data exfiltration points.

Devices: This covers the user's local device, preventing data from being uploaded or pasted from applications running on the machine. This is crucial for controlling data from endpoints.

Instances: This refers to SaaS (Software as a Service) instances, including AI websites. Applying the policy to instances ensures that data transfers to these external services are monitored and controlled.

SharePoint sites: Data residing in SharePoint is a common source of sensitive information. Including SharePoint sites in the policy scope ensures that data cannot be directly copied from these locations and uploaded to AI websites, providing a holistic security posture.

By selecting "Devices, Instances, and SharePoint sites," the policy is configured to monitor and protect data across the most common sources and destinations, providing a robust defense against data exfiltration to AI services. This comprehensive approach is a cornerstone of modern data security strategies in Microsoft 365.

This information is verifiable through Microsoft's official documentation for Microsoft Purview, particularly sections related to Data Loss Prevention (DLP) policies and Data Security Posture Management for AI. The best practice of "test first" and the broad scope for sensitive data protection are consistently recommended.

A screenshot of a computer AI-generated content may be incorrect.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with "999".

A white paper with black text AI-generated content may be incorrect.

Understanding Site4's Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

A screenshot of a questionnaire AI-generated content may be incorrect.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

A screenshot of a computer AI-generated content may be incorrect.

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

A screenshot of a computer AI-generated content may be incorrect.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

A screenshot of a computer AI-generated content may be incorrect.

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

A screenshot of a computer AI-generated content may be incorrect.

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.