Pass the Microsoft Microsoft Certified: Information Security Administrator Associate SC-401 Questions and answers with CertsForce

To create a keyword dictionary for a sensitive information type in Microsoft Purview Data Loss Prevention (DLP), you must use a plain text (.txt) file where each keyword is on a separate line.

Format Example (TXT file):

confidential

sensitive

classified

top secret

This format is simple, efficient, and directly compatible with Microsoft 365 DLP policies for keyword dictionaries.

How to use the keyword dictionary?

● Create a text file with one keyword per line.

● Upload it to Microsoft Purview under Data Classification > Sensitive Info Types.

● Use the dictionary in a DLP policy to identify and protect sensitive information.

Comprehensive Detailed Explanation with References

We are given a sensitivity label with the following Access control settings:

Assign permissions now → meaning admins define permissions, not end users.

User access to content expires = Never.

Allow offline access = Always.

Permissions explicitly assigned:

LegalTeam@… → Co-Author

USSales@… → Reviewer

Dynamic watermarking and Double Key Encryption are not enabled.

Microsoft 365 Copilot can only process (summarize, answer questions about) a labeled file when the user has the Copy and extract content (EXTRACT) usage right granted by the applied sensitivity label.

From the table of labels:

Label1 → VIEW only (no EXTRACT) → Copilot cannot summarize.

Label2 → VIEW and EXTRACT granted → Copilot can summarize.

Label3 → VIEW and EXPORT (no EXTRACT) → Copilot cannot summarize.

Since File2 is labeled Label2, it’s the only file for which User1 has the required EXTRACT permission, so it’s the only file Copilot can summarize.

Step 1 – Scenario

The alert in the exhibit is named Alert2.

Current status = Resolved.

The task is to identify which statuses you can change the alert to.

Step 2 – Microsoft 365 Alert Lifecycle

In Microsoft 365 compliance and security alerts, an alert can move between multiple statuses depending on investigation and remediation. The available statuses are:

Active – The alert is new and not yet acted upon.

Investigating – The alert is under review.

Resolved – The alert has been addressed.

Dismissed – The alert is ignored or deemed not relevant.

Step 3 – Status changes from "Resolved"

If an alert is in the Resolved state, administrators can reopen or reclassify it. According to Microsoft documentation, from Resolved, you can change it to:

Active

Investigating

Dismissed

This allows flexibility in continuing investigations if needed or dismissing false positives.

Step 4 – Microsoft Reference

From Microsoft Docs: “You can change the status of an alert between Active, Investigating, Resolved, and Dismissed to reflect its current stage in the triage process.”

When implementing Microsoft Purview Insider Risk Management and using the HR data connector, you must prepare HR data in CSV (Comma-Separated Values) format. This format is required because Microsoft Purview supports CSV files for importing user employment details, termination dates, role changes, and other HR-related attributes.

To automatically encrypt email messages using Microsoft Purview Message Encryption (OME), administrators must configure mail flow rules (also known as transport rules) in the Exchange admin center. These rules can be configured to check conditions, such as when a recipient is a specific user or when an email contains attachments, and then apply encryption automatically. Sharing policies, Safe Attachments policies, and retention label policies are not used for OME encryption.

The False positive and override report helps identify rules that were applied but did not generate an actual policy alert, which means they were overridden or deemed false positives.

The DLP policy matches report provides details on files that matched DLP policies, including the top 10 files.

The Incident reports report helps analyze and review alerts, including those that may have been miscategorized.

Create one service domain group (Allow list) containing Site1 and Site2 and configure the policy action “Allow upload only to sensitive service domains”.

Create a second service domain group (Block list) containing Search1 and Search2 and configure the policy action to block paste (clipboard) to these domains.

A single Endpoint DLP policy can enforce multiple activities (upload to cloud service domains + clipboard to specific domains), so only one policy is required.

Refs: Microsoft Learn – Endpoint DLP: Configure service domains and policy actions (upload/clipboard restrictions) (Purview > Data loss prevention > Endpoint DLP settings and policies).