Pass the Microsoft Microsoft Certified: Information Security Administrator Associate SC-401 Questions and answers with CertsForce

File1

Location: SharePoint Online.

Created: Dec 28, 2015.

As of Jan 1, 2025 → File is 9+ years old.

If retention is (example: 7 years), then the retention period has expired, and the file will be deleted once the policy is turned on.

✅ Answer: Yes

File2

Location: OneDrive.

Created: Jan 2, 2015.

As of Jan 1, 2025 → File is 10 years old.

Retention period (7 years, for example) has expired → File will be deleted once the policy is turned on.

✅ Answer: Yes

File3

Location: Exchange Online public folder.

Created: May 1, 2010.

As of Jan 1, 2025 → File is 15 years old.

But Exchange public folders are not supported locations for Microsoft 365 retention policies.

Therefore, policy does not apply, and file will not be deleted.

Answer: No

Step 1 – Requirement analysis

You need to prevent users from:

Pasting credit card numbers into ChatGPT/Google Gemini.

Uploading classified documents into ChatGPT/Google Gemini.

Both scenarios involve AI websites. Microsoft Purview provides Data Security Posture Management for AI and Endpoint DLP integrations that work through Data Loss Prevention (DLP) and Insider Risk Management policies.

Step 2 – Credit card numbers

Credit card numbers are structured sensitive information types (SITs).

DLP policies are the correct Microsoft Purview solution for detecting and blocking sensitive info (e.g., credit card, SSN, health ID) from being copied, pasted, or uploaded into restricted destinations like AI apps.

Therefore, Data Loss Prevention is the right choice.

???? Reference: Learn about Endpoint DLP and AI sites

Step 3 – Documents

Documents containing classified or labeled data (via sensitivity labels) fall under insider risk activity detection when exfiltrated.

Insider Risk Management policies can monitor and block uploads of classified/labeled files to AI services such as ChatGPT or Gemini.

Therefore, Insider Risk Management is the right choice for preventing document uploads.

???? Reference: Insider Risk Management – risky AI activity detection

Activity Explorer logs a DLP rule match event each time any DLP rule condition is met on a file.

File1 matches Rule11 and Rule12 → 2 events

File2 matches Rule21 and Rule22 → 2 events

File3 matches Rule11 and Rule22 → 2 events

Total events in Activity Explorer = 2 + 2 + 2 = 6.

Microsoft notes that Activity explorer shows granular DLP activities such as policy rule matches per item.

The DLP incidents report aggregates by policy match per item, not by each rule in that policy. Multiple rules from the same policy on the same item count as one incident; if different policies match the same item, each policy creates its own incident.

File1: Rules from DLP1 only → 1 incident

File2: Rules from DLP2 only → 1 incident

File3: One rule from DLP1 and one from DLP2 → 2 incidents

Total incidents = 1 + 1 + 2 = 4.

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

A DLP policy with Exchange email as the only location meets this requirement because it identifies sensitive data in email messages and it applies protection actions, such as encryption, blocking, or alerts.

To track interactions between users and generative AI websites in Microsoft Purview Audit, you need to deploy the Microsoft Purview browser extension to the devices. This extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms.

Microsoft Purview extension provides visibility into browser-based activities, including AI tool usage, ensuring compliance and risk management within Microsoft Purview. This extension works with Microsoft Edge and Google Chrome to track and log user interactions.

To create custom trainable classifiers in Microsoft Purview, the user must have rights in the compliance portal. The Compliance Administrator role provides the necessary permissions to create and manage trainable classifiers. Security roles focus on threat management, and Global Administrator is excessive (not least privilege).

Step 1 – Scenario

Tenant domain = contoso.com

Encryption method = Microsoft Purview Advanced Message Encryption (AME) using branded, link-based emails.

Recipients:

Recipient1 → Contoso internal user (same tenant).

Recipient2 → External Microsoft 365 user (Fabrikam).

Recipient3 → Outlook.com consumer email.

Recipient4 → Gmail.com consumer email.

The question asks: For which recipients can User1 revoke the emails?

Step 2 – Revocation in Advanced Message Encryption

Microsoft Purview AME allows senders to:

Revoke sent encrypted emails.

Revoke applies to all recipients who receive a link-based branded encrypted message.

When revoked, the secure message link no longer works, regardless of whether the recipient is internal, external Microsoft 365, Outlook.com, Gmail, or another email provider.

This differs from traditional RMS-based encryption where revocation is tenant-specific. In AME, the revocation is possible because the recipient must open the message through a secure browser portal (Office 365 Message Encryption portal).

Step 3 – Evaluate each recipient

Recipient1 (contoso.com, internal) → Yes, message can be revoked.

Recipient2 (fabrikam.onmicrosoft.com, external Microsoft 365) → Yes, message can be revoked because AME link enforcement works across tenants.

Recipient3 (outlook.com, consumer) → Yes, message can be revoked, they use the secure OME portal.

Recipient4 (gmail.com, consumer) → Yes, message can be revoked, they also use the secure OME portal.

Step 4 – Microsoft Reference

From Microsoft Docs:

“With Advanced Message Encryption, admins can configure branding and revocation for encrypted email messages. Revocation applies to encrypted emails sent to both internal and external recipients, including those using Outlook.com, Gmail.com, and other email services.”

Box 1: When creating a Microsoft Purview Insider Risk Management case, you must first select a risky user to investigate. The case will be built around this specific user’s activities, linking alerts and risk signals to the investigation.

Box 2: The Insider Risk Management role groups determine who can access and contribute to cases:

● Admin1 (Insider Risk Management Admins) → Full admin access.

● Admin2 (Insider Risk Management Analysts) → Analysts who review cases.

● Admin3 (Risk Management Investigators) → Investigators who work on cases.

● Admin4 (Insider Risk Management Auditors) → Auditors who oversee cases.

All these roles have default access to insider risk cases in Microsoft Purview, so all four admins are added as contributors.

Box 1: To include the sensitive info type detected for each DLP rule match, you need to add a custom column in Activity Explorer. This ensures that the exported file contains specific details about the detected sensitive information types.

Box 2: DLP activity exports from Activity Explorer are always in CSV (Comma-Separated Values) format. This format allows for easy data analysis and reporting in Excel or other data-processing tools.

Box 1: The Insider Risk Management Investigators role allows users to view recommendations related to insider risk cases and Microsoft Purview DSPM for AI insights. This role is appropriate because it grants access to review AI-related risk recommendations without unnecessary administrative privileges.

Box 2: The Insider Risk Management Analysts role allows users to analyze user risk levels and events using Activity Explorer. This follows the principle of least privilege, ensuring that User1 can only view risk levels and investigate but does not gain full administrative control over insider risk policies.