Pass the Microsoft Microsoft Certified: Information Security Administrator Associate SC-401 Questions and answers with CertsForce

Goal: maximize signin security for users who will test the AIP client (User1), install/configure the Microsoft Rights Management connector (User2), and act as the AIP scanner service account (User3).

Excluding users from MFA lowers security and is not recommended.

Passwordless with FIDO2 security keys (passkeys) provides strong phishingresistant authentication and is fully supported for Azure AD signins, including admin tasks and service scenarios that require interactive signin during setup.

Therefore, enabling all three for FIDO2 passkey authentication best meets the “maximize security” requirement.

Step 1 – Understanding the scenario

The screenshot shows multiple Sensitive Information Types (SITs) in Microsoft Purview, including:

ABA Routing Number (Microsoft-built)

ASP.NET Machine Key (Microsoft-built)

Adatum document patterns (custom, Fingerprint type)

Adatum numbers (custom, Entity type)

Bundled SITs (like All Credential Types, All Full Names)

The question is asking:

Which SITs can you copy to create a new SIT?

Which SITs can you edit directly without copying?

Step 2 – Microsoft rules for SITs

Built-in SITs (published by Microsoft Corporation):

These cannot be edited directly. To modify them, you must create a copy first.

Custom SITs (created in your tenant, e.g., Contoso):

These can be edited directly without making a copy.

To create a document fingerprint in Microsoft 365 Data Loss Prevention (DLP), you need to use PowerShell for Microsoft Purview. The correct cmdlet to connect to the Microsoft 365 Security & Compliance Center (where DLP policies are managed) is Connect-IPPSSession . This cmdlet establishes a PowerShell session to manage DLP policies, compliance settings, and document fingerprinting.

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

Text patterns in mail flow rules are not as reliable as sensitive information types in DLP.

Mail flow rules lack advanced content detection and machine learning-based classification, making them less effective than DLP.

Create: → A sensitive info type

Element: → Keyword dictionary

You want to classify documents in SharePoint Online based on a list of customer names stored in Customer.csv (1,000 entries).

In Microsoft Purview, there are several options for custom classification:

Sensitive info type (SIT):

Designed to detect predefined or custom patterns such as credit cards, IDs, or custom lists.

You can build a custom SIT using elements like keyword dictionary, regular expressions, and functions.

In this case, since you have a large CSV with 1,000 customer names, you upload that list as a keyword dictionary element.

Trainable classifier:

Used when you want AI to classify documents by training on examples of positive/negative samples (like contracts, resumes).

Not relevant here because you already have a structured list of customer names rather than needing machine learning classification.

Adaptive scope:

Determines where (users, groups, sites) policies apply, not what content is classified.

Not relevant here.

Correct pairing:

Create: A sensitive info type (SIT).

Element: Keyword dictionary (upload the Customer.csv file).

Policy tips in DLP: Policy tips are messages shown to users when their action (such as sending sensitive content via email) conflicts with a DLP policy.

For Exchange email location, policy tips are supported in the following apps:

Outlook for Microsoft 365 (desktop client) ✅

Outlook on the web (OWA) ✅

Outlook Mobile (iOS/Android) ❌ Policy tips are not shown in mobile apps. Instead, DLP actions (block/restrict/send incident report) still apply, but the user does not see a policy tip notification.

Therefore:

Supported: Outlook for Microsoft 365, Outlook on the web.

Not supported: Outlook Mobile apps.

In Defender for Cloud Apps file policies, Access level is the filter used to detect how a file is exposed (e.g., Public on the internet, External, Internal, Private). Choosing Access level = External matches files that are shared with users outside your organization—exactly the “shared externally” condition.

Ref: Microsoft Defender for Cloud Apps – Create/Use file policies (File filters: Access level), Microsoft Learn.

See: Microsoft Defender for Cloud Apps > Policies > File policies documentation describing file filters including Access level and its values (Public, External, Internal, Private).

To target files that carry an MIP/AIP classification such as Internal Only, you use the Sensitivity label file filter. Defender for Cloud Apps ingests Microsoft Purview Information Protection labels and lets you build file policies that trigger when a specific label is applied.

Ref: Integrate Microsoft Information Protection with Microsoft Defender for Cloud Apps and File policies – Sensitivity label filter, Microsoft Learn.

These docs explain that MCAS can filter and govern files by Sensitivity label and apply governance based on labels such as Internal Only, Confidential, etc.

Why not the other options?

Collaborators filters by specific users/domains; it’s useful to find files shared with a particular external user but not for the generic “shared externally” condition.

Matched policy is for files already flagged by another policy/DLP engine and does not detect “Internal Only” labeling by itself.