SC-401 Exam Dumps - Administering Information Security in Microsoft 365

Step 1 – Review of Preservation Lock

Preservation Lock in Microsoft 365 retention policies ensures that once a policy is locked, no one (including administrators) can turn it off, delete it, or make it less restrictive.

Preservation Lock is only available for static retention policies and not supported for adaptive scopes.

📖 Reference: Preservation Lock in Microsoft 365 retention policies

From Microsoft docs:

“Preservation Lock can only be applied to retention policies configured with static scopes. Adaptive scopes do not currently support Preservation Lock.”

Step 2 – Analyzing the Case Data

RPolicy1 → Adaptive scope (Scope1: Users). ❌ Not eligible for Preservation Lock.

RPolicy2 → Adaptive scope (Scope2: SharePoint Online sites). ❌ Not eligible for Preservation Lock.

RPolicy3 → Static scope (Microsoft 365 groups). ✅ Eligible for Preservation Lock.

Step 3 – Conclusion

Only RPolicy3 qualifies for Preservation Lock.

To automatically encrypt email messages using Microsoft Purview Message Encryption (OME), administrators must configure mail flow rules (also known as transport rules) in the Exchange admin center. These rules can be configured to check conditions, such as when a recipient is a specific user or when an email contains attachments, and then apply encryption automatically. Sharing policies, Safe Attachments policies, and retention label policies are not used for OME encryption.

In Microsoft Purview, when multiple alert policies trigger alerts, duplicate alerts within a short period (typically 5 minutes) may be suppressed to avoid redundancy.

Step-by-step Analysis:

● Policy1 at 10:00:04 is ignored because Policy1 already triggered at 10:00:00, and it's within 5 minutes.

● Policy2 at 10:00:31 is ignored because Policy2 already triggered at 10:00:03, and it's within 5 minutes.

● Policy1 at 10:01:01 is a new alert because it's over 1 minute after the previous Policy1 alert.

● Policy1 at 10:04:45 is a new alert because it's over 3 minutes after the previous Policy1 alert.

In Microsoft Teams:

Files shared in 1:1 or group chats

These files are stored in the sender’s OneDrive for Business.

So, to protect them with DLP and prevent guest access, the relevant location is OneDrive accounts.

Files shared in Teams channels

These files are stored in the underlying SharePoint Online site associated with that Team.

So, to protect them with DLP and prevent guest access, the relevant location is SharePoint sites.

Incorrect options:

Exchange email: Protects email messages, not Teams-shared files.

Teams chat and channel messages: Protects text messages, not the attached or shared files.

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

To ensure User1 can perform insider risk management tasks only for the users and devices in Office1, the first step is to create an administrative unit in Microsoft Entra ID (formerly Azure AD).

Administrative units allow you to scope permissions to specific users, devices, and locations. By creating an administrative unit for Office1 and assigning User1 to the Insider Risk Management Admins role group within that unit, User1 will only have access to users and devices in Office1.

Activity Explorer logs a DLP rule match event each time any DLP rule condition is met on a file.

File1 matches Rule11 and Rule12 → 2 events

File2 matches Rule21 and Rule22 → 2 events

File3 matches Rule11 and Rule22 → 2 events

Total events in Activity Explorer = 2 + 2 + 2 = 6.

Microsoft notes that Activity explorer shows granular DLP activities such as policy rule matches per item.

The DLP incidents report aggregates by policy match per item, not by each rule in that policy. Multiple rules from the same policy on the same item count as one incident; if different policies match the same item, each policy creates its own incident.

File1: Rules from DLP1 only → 1 incident

File2: Rules from DLP2 only → 1 incident

File3: One rule from DLP1 and one from DLP2 → 2 incidents

Total incidents = 1 + 1 + 2 = 4.

Comprehensive Detailed Explanation with References

Step 1 – Review File2 contents

File2 contains 3 IP addresses.

Step 2 – Review DLP rules and priorities

RuleConditionPolicy TipStop Processing?Priority

Rule11 or more IP addressesTip1No0

Rule23 or more IP addressesTip2Yes1

Rule32 or more IP addressesTip3No2

Step 3 – Rule evaluation order

Advanced DLP rules are processed by priority order (lowest number first).

Rule1 (Priority 0) will trigger because File2 has at least 1 IP address.

This applies Tip1.

However, Rule1 has Stop Processing = No, so evaluation continues.

Rule2 (Priority 1) will also trigger because File2 has 3 IP addresses (≥3).

This applies Tip2.

Rule2 has Stop Processing = Yes, so evaluation stops after this.

Rule3 (Priority 2) will not be evaluated because Rule2 stopped processing.

Step 4 – Final outcome

File2 matches Rule1 (Tip1), but since Rule2 fires afterward with Stop Processing = Yes, only Tip2 is applied.

Step 5 – Microsoft Reference

From Microsoft docs: “When a rule is configured to stop processing, subsequent rules are not evaluated and only the policy tip from the last triggered rule with stop processing applies.”