Pass the Microsoft Microsoft Certified: Information Security Administrator Associate SC-401 Questions and answers with CertsForce

A. Create a DLP policy → Needed to detect sensitive information being shared externally.

B. Turn on Indicators → Required for insider risk policies to detect risky activities like external sharing.

C. Configure adaptive protection → Optional for tailoring enforcement, not mandatory here.

D. Turn on analytics → Helps assess policy impact but not required to generate alerts.

E. Create an insider risk policy → Required to generate insider risk alerts.

Step 1 – Scenario

Endpoint Data Loss Prevention (Endpoint DLP) is implemented in Microsoft 365.

Computers: Windows 11, joined to Microsoft Entra (Azure AD), with Microsoft 365 Apps installed.

Goal: Ensure Endpoint DLP policies can protect local content on these devices.

Step 2 – How Endpoint DLP works

Endpoint DLP builds on the same policy framework as Microsoft Purview DLP, but specifically extends coverage to Windows 10/11 devices.

Requirements:

Devices must be onboarded to Microsoft Purview (via Microsoft Defender for Endpoint or via Purview device onboarding).

Endpoint DLP does not require the Microsoft Purview Information Protection (MIP) client.

The MIP client is only required for sensitivity labeling and AIP functionality, not for Endpoint DLP.

Step 3 – Why the proposed solution is incorrect

Deploying the Microsoft Purview Information Protection client does not enable Endpoint DLP.

Endpoint DLP requires device onboarding into Microsoft Purview compliance.

Therefore, this solution does not meet the goal.

Step 4 – Microsoft Reference

Microsoft Docs states:

“To use Endpoint data loss prevention (Endpoint DLP), devices must be onboarded to the Microsoft Purview compliance portal. Installing the Microsoft Information Protection client is not required.”

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT) → Copilot cannot summarize.

Since File2 is labeled Label2, it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

To meet the requirements, you need one DLP policy with two separate DLP rules to handle the different conditions:

1. First DLP Rule (For Group1 Members): If the user is a member of Group1 and attempts to copy a file with sensitive data to a USB storage device. Allow the file copy but log the event in the audit log.

2. Second DLP Rule (For All Other Users): If any user who is NOT in Group1 attempts to copy a file with sensitive data to a USB storage device. Block the file transfer.

Adding a folder path to the file path exclusions in Microsoft 365 Endpoint DLP does not prevent Tailspin_scanner.exe from accessing protected sensitive information. Instead, it would exclude those files from DLP protection, which is not the intended outcome.

To block Tailspin_scanner.exe from accessing sensitive documents while allowing it to access other files, the correct solution is to use Microsoft Purview Endpoint Data Loss Prevention (Endpoint DLP) and add Tailspin_scanner.exe to the Restricted Apps list.

Endpoint DLP allows you to block specific applications from accessing sensitive files while keeping general access available. Restricted Apps List in Endpoint DLP ensures that Tailspin_scanner.exe cannot open, copy, or process protected documents, but it can still function normally for non-sensitive content.

Microsoft Purview Insider Risk Management flags high-impact users based on various risk factors, including role, access to confidential data, and influence within an organization. Let's analyze each user:

User1 (Regional Manager, assigned Reader role, manages department managers)

Risk Factors:

● Holds a managerial position (regional manager).

● Manages multiple department managers, indicating organizational influence.

● Access to critical business information.

Flagged? -Yes (Managerial role and access to confidential data).

User2 (HR department manager, no Microsoft Entra roles, manages HR department users)

Risk Factors:

● Manages HR department users, meaning they likely handle sensitive employee data.

● HR roles are often considered high-risk due to access to personal and payroll data.

Flagged? -Yes (HR role and access to sensitive employee data).

User3 (Developer, reports to User2, only user in compliance, assigned Compliance Administrator role)

Risk Factors:

● Compliance Administrator role grants access to sensitive security and regulatory data.

● Only person in the compliance department, meaning they hold a critical role.

● Potentially high impact on compliance and security settings.

Flagged? -Yes (Privileged Compliance Administrator role).

User4 (Assistant to User1, no Entra roles, handles confidential data on behalf of User1)

Risk Factors:

● Handles a high volume of confidential data on behalf of a regional manager.

● Assistants with access to sensitive data are considered insider risk candidates.

Flagged? -Yes (High access to sensitive information).

Since all four users fit high-impact criteria (managerial roles, privileged compliance access, handling sensitive data), Microsoft Purview Insider Risk Management will flag all of them.

You want files in Site1 that are labeled with Label1 to automatically move to Site2 two years after creation.

In Microsoft Purview Retention Labels, under “Choose what happens after the retention period”, the available options are:

Deactivate retention settings – Ends retention but does not move files.

Start a disposition review – Sends items to reviewers for approval (manual process, not auto-move).

Change the label – Applies a new retention label (but does not move files to another site).

Run a Power Automate flow – Executes an automated workflow such as moving the file to another SharePoint library or site, notifying users, or applying custom business processes.

Since the requirement is automatic movement of files from Site1 to Site2 after 2 years, the only valid choice is Run a Power Automate flow.

For creating a custom trainable classifier, seed content must be stored in a Microsoft 365 content location that Purview can crawl for training—SharePoint Online (or Exchange mailboxes). OneDrive, Azure Files, or other locations are not supported for training seed sets.