Pass the Microsoft Microsoft Certified: Information Security Administrator Associate SC-401 Questions and answers with CertsForce

Goal: maximize sign‑in security for users who will test the AIP client (User1), install/configure the Microsoft Rights Management connector (User2), and act as the AIP scanner service account (User3).

Excluding users from MFA lowers security and is not recommended.

Passwordless with FIDO2 security keys (passkeys) provides strong phishing‑resistant authentication and is fully supported for Azure AD sign‑ins, including admin tasks and service scenarios that require interactive sign‑in during setup.

Therefore, enabling all three for FIDO2 passkey authentication best meets the “maximize security” requirement.

Box 1: Since you are looking for a specific pattern (PA followed by eight digits, e.g., PA 12345678), the best classification method is Sensitive Info Type. Sensitive Info Types allow pattern-based matching to identify structured data. Exact Data Match (EDM) is not needed because you're not comparing against a fixed dataset. Trainable classifier is not appropriate because this is a structured pattern, not an unstructured document classification.

Box 2: Since PA 12345678 follows a structured pattern, the most effective method is Regular Expression (Regex). A Regular Expression (Regex) can be written to match "PA" followed by exactly eight digits (e.g., PA\s\d{8}). Keyword dictionary is not ideal because it works for predefined words, not number patterns. Function is unnecessary because there is no need for checksum validation or predefined validation rules.

Comprehensive Detailed Explanation with References

Custom Data Access Governance (DAG) data assessment scans in Microsoft Purview can be run on selected SharePoint Online or OneDrive locations to check for oversharing and exposure. Each custom assessment scan supports up to 200,000 items per location. This cap is documented in Microsoft’s guidance for custom data access governance assessments.

The False positive and override report helps identify rules that were applied but did not generate an actual policy alert, which means they were overridden or deemed false positives.

The DLP policy matches report provides details on files that matched DLP policies, including the top 10 files.

The Incident reports report helps analyze and review alerts, including those that may have been miscategorized.

Step 1 – Scenario

Tenant domain = contoso.com

Encryption method = Microsoft Purview Advanced Message Encryption (AME) using branded, link-based emails.

Recipients:

Recipient1 → Contoso internal user (same tenant).

Recipient2 → External Microsoft 365 user (Fabrikam).

Recipient3 → Outlook.com consumer email.

Recipient4 → Gmail.com consumer email.

The question asks: For which recipients can User1 revoke the emails?

Step 2 – Revocation in Advanced Message Encryption

Microsoft Purview AME allows senders to:

Revoke sent encrypted emails.

Revoke applies to all recipients who receive a link-based branded encrypted message.

When revoked, the secure message link no longer works, regardless of whether the recipient is internal, external Microsoft 365, Outlook.com, Gmail, or another email provider.

This differs from traditional RMS-based encryption where revocation is tenant-specific. In AME, the revocation is possible because the recipient must open the message through a secure browser portal (Office 365 Message Encryption portal).

Step 3 – Evaluate each recipient

Recipient1 (contoso.com, internal) → Yes, message can be revoked.

Recipient2 (fabrikam.onmicrosoft.com, external Microsoft 365) → Yes, message can be revoked because AME link enforcement works across tenants.

Recipient3 (outlook.com, consumer) → Yes, message can be revoked, they use the secure OME portal.

Recipient4 (gmail.com, consumer) → Yes, message can be revoked, they also use the secure OME portal.

Step 4 – Microsoft Reference

From Microsoft Docs:

“With Advanced Message Encryption, admins can configure branding and revocation for encrypted email messages. Revocation applies to encrypted emails sent to both internal and external recipients, including those using Outlook.com, Gmail.com, and other email services.”

Step 1 – Scenario

You need to create a Microsoft Purview Insider Risk Management policy that detects data theft from SharePoint Online by users who have submitted their resignation or are close to termination.

Step 2 – Understanding how insider risk management works

Insider Risk policies rely on signals that identify potential risk events. These signals include:

HR data (resignation dates, termination notices).

Office activity indicators (file downloads, sharing, printing).

Device indicators (file copy to USB, printing).

Physical access (badge-in/badge-out).

Step 3 – Why HR signals are required here

To detect resignation or termination risk events, Microsoft Purview must first know which users are flagged by HR.

This is done by configuring an HR data connector, which imports employee termination/resignation data from HR systems (Workday, SAP SuccessFactors, or CSV import).

Without this HR data connector, Purview has no knowledge of employees’ resignation or termination timelines, and the policy cannot function.

Step 4 – Why not the other options

B. Configure Office indicators: These detect risky activity (downloads, sharing), but cannot determine resignation status. They are used after HR signals identify at-risk users.

C. Configure a Physical badging connector: Useful for detecting anomalous physical access, but irrelevant to resignation-based detection.

D. Onboard devices to Microsoft Defender for Endpoint: Required for device activity signals, not for HR resignation detection.

Step 5 – Microsoft Reference

Microsoft documentation states: “To use HR resignation/termination triggers, you must configure an HR connector to import resignation and termination data into insider risk management.”

Current setup:

DLP1 (priority 0, Rule1) → Stop processing additional rules enabled → means if Rule1 matches, later rules (including Rule2 with Tip2) will never be evaluated.

Requirement: Ensure that if all rules match, the user sees Tip2 (Rule2’s policy tip).

To fix this: Move DLP2 above DLP1 in priority (i.e., set DLP2 = priority 0). Then Rule2 will be evaluated first, and its policy tip (Tip2) will be displayed.

Why not others?

B. Prevent additional processing of the policies if there is a match for Rule2: That would stop processing later, but DLP1 would still block earlier due to its higher priority.

C. Change the priority of DLP2 to 3: That pushes it even lower, making it worse.

D. Enable additional processing for Rule1: Rule1 already has stop processing enabled. Changing that does not ensure Rule2 runs before Rule1, because priority is evaluated first.

To track interactions between users and generative AI websites in Microsoft Purview Audit, you need to deploy the Microsoft Purview browser extension to the devices. This extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms.

Microsoft Purview extension provides visibility into browser-based activities, including AI tool usage, ensuring compliance and risk management within Microsoft Purview. This extension works with Microsoft Edge and Google Chrome to track and log user interactions.

File1

Location: SharePoint Online.

Created: Dec 28, 2015.

As of Jan 1, 2025 → File is 9+ years old.

If retention is (example: 7 years), then the retention period has expired, and the file will be deleted once the policy is turned on.

✅ Answer: Yes

File2

Location: OneDrive.

Created: Jan 2, 2015.

As of Jan 1, 2025 → File is 10 years old.

Retention period (7 years, for example) has expired → File will be deleted once the policy is turned on.

✅ Answer: Yes

File3

Location: Exchange Online public folder.

Created: May 1, 2010.

As of Jan 1, 2025 → File is 15 years old.

But Exchange public folders are not supported locations for Microsoft 365 retention policies.

Therefore, policy does not apply, and file will not be deleted.

Answer: No

A screenshot of a computer AI-generated content may be incorrect.

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

A screenshot of a computer AI-generated content may be incorrect.

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

A screenshot of a computer AI-generated content may be incorrect.

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.