Microsoft SC-401 - Administering Information Security in Microsoft 365 Certification Exam
HOTSPOT You are reviewing policies for the SharePoint Online environment. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Correct Answer: A
Statement 1 (Yes): When a retention policy is active on a site (such as a 5-year retention window from the creation date), files remain active and accessible in their original location for normal user consumption as long as they are not manually deleted. Since January 15, 2023, falls well within the 5-year period (which ends January 1, 2026), users can access it normally.
Statement 2 (Yes): If a file created on January 1, 2021, is deleted by a user, the retention policy ensures it is preserved in the Preservation Hold library for the remainder of the 5-year retention period (up until January 1, 2026). On April 15, 2023, the file is still within this protected duration, allowing an administrator to successfully recover it.
Statement 3 (No): The 5-year retention clock begins on the file creation date (January 1, 2021) and expires on January 1, 2026. After this date, the retention policy no longer protects or locks the deleted file. By April 15, 2026, the data will have exceeded the retention threshold and been permanently purged, making it unrecoverable for administrators.
January 1, 2021, it would be deleted after January 1, 2023.
● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing").
Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.
Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).
Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.
HOTSPOT You need to meet the technical requirements for the confidential documents. What should you create first, and what should you use for the detection method? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Correct Answer: A
Create first: Before creating higher-level data protection constructs (like Data Loss Prevention policies or sensitivity labels) that rely on custom definitions, you must first create A sensitive info type (SIT). The SIT defines the unique pattern or structure of the data you want to identify and protect.
Use for detection method: To accurately capture strings or values that follow a rigid, predictable format (such as employee numbers, specific ID formats, or customized serial codes), a Regular expression (regex) is the ideal detection mechanism. It offers the precision required to match specific patterns rather than relying on exact word matches (Keywords) or static lists (Dictionary).
To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).
Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.
Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.
Example Regex pattern: 999\d{7}
This pattern detects a 10-digit number starting with "999".
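A way to prototype the pattern before placing it in a custom sensitive info type, added here as an example that is not part of the original page: it runs the page's `999\d{7}` and a bounded variant (an assumption introduced for this example) over constructed sample lines to show where the unbounded pattern also fires inside longer numbers. Python's `re` stands in for the Purview regex engine, which may differ in details.

```python
import re

# Pattern as given in the explanation: "999" followed by seven more digits.
PAGE_PATTERN = re.compile(r"999\d{7}", re.ASCII)

# Bounded variant (assumption, not from the page): the ten digits may not be
# preceded or followed by another digit, so longer numbers are not matched.
BOUNDED_PATTERN = re.compile(r"(?<!\d)999\d{7}(?!\d)", re.ASCII)

# Constructed sample lines; none are real project codes or identifiers.
SAMPLES = [
    "Budget approved for project 9991234567 in Q3.",         # confidential code
    "Project 1239991234 is public.",                          # 10 digits, wrong prefix
    "Invoice ref 4099912345678901 was paid.",                 # 16 digits containing 999...
    "Codes: 9990000001, 9990000002; see 99912345 (short).",   # two codes, one short value
]


def find_codes(pattern, text):
    """Return every substring of text that the compiled pattern matches."""
    return pattern.findall(text)


def compare(samples):
    """Pair each line with the hits from the page pattern and the bounded one."""
    return [
        (line, find_codes(PAGE_PATTERN, line), find_codes(BOUNDED_PATTERN, line))
        for line in samples
    ]


def false_positive_lines(samples):
    """Lines where the page pattern fires but the bounded pattern does not."""
    return [line for line, loose, bounded in compare(samples) if loose and not bounded]


if __name__ == "__main__":
    for line, loose, bounded in compare(SAMPLES):
        print(f"{line!r}\n  page pattern   : {loose}\n  bounded pattern: {bounded}")
    print("Over-matched lines:", false_positive_lines(SAMPLES))
```

The invoice line is the case to watch: the unbounded pattern extracts ten digits from the middle of a 16-digit number, which in a DLP rule would flag unrelated documents as confidential.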
You need to meet the technical requirements for the creation of the sensitivity labels. To which user or users must you assign the Sensitivity Label Administrator role?
Correct Answer: D
To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.
Sensitivity Label Administrator Role Responsibilities
This role allows users to:
● Create and manage sensitivity labels in Microsoft Purview.
● Publish and configure auto-labeling policies.
● Modify label encryption and content marking settings.
Review of Admin Roles from the Table:
| Admin | Role Assigned | Can Create Sensitivity Labels? |
| Admin1 | Global Reader | No, read-only permissions. |
| Admin2 | Compliance Data Administrator | Yes, can manage compliance data, including labels. |
| Admin3 | Compliance Administrator | Yes, has full compliance management, including labels. |
| Admin4 | Security Operator | No, this role is focused on security alerts and response. |
| Admin5 | Security Administrator | No, primarily focused on security policies and threat management. |
Admin1 (Global Reader): This role provides read-only access across the tenant. Users assigned this role can view settings and administrative data but cannot create or modify objects, including sensitivity labels.
Admin2 (Compliance Data Administrator): This role possesses permissions explicitly geared towards data governance and classification tasks, which include creating, managing, and publishing sensitivity labels.
Admin3 (Compliance Administrator): As a high-level administrative role for compliance features, it grants comprehensive permissions to configure and manage all compliance-related settings, directly allowing the creation of sensitivity labels.
Admin4 (Security Operator): This role is designated for operational security tasks, such as monitoring alerts and analyzing potential threats. It does not contain administrative permissions required to configure data classification or compliance policies like sensitivity labels.
Admin5 (Security Administrator): While this role grants broad security management privileges (such as managing threat policies and security alerts), it does not natively inherit full compliance creation privileges. Data classification and sensitivity management are handled within the compliance/purview scope, making it an incorrect role for creating sensitivity labels unless combined with proper compliance role groups.
Users that must be assigned the Sensitivity Label Administrator role:
● Admin2 (Compliance Data Administrator)
● Admin3 (Compliance Administrator)
● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).
DRAG DROP
You need to meet the technical requirements for the Site1 documents. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Correct Answer: A
Step 1: Create a sensitive info type. Before a custom category of data can be classified automatically, you must first define the criteria used to identify it (such as a specific pattern or regex). Creating a sensitive info type forms the building block for detection.
Step 2: Create a sensitivity label. Once the detection criteria exist, you must create the container that defines what happens to that data (e.g., applying encryption or content markings) when it is identified.
Step 3: Create an auto-labeling policy. This policy brings everything together by scanning content locations (such as SharePoint, OneDrive, or Exchange) for the sensitive info type defined in Step 1 and automatically applying the sensitivity label created in Step 2.