Pass the Microsoft Certified: Information Security Administrator Associate SC-401 Questions and answers with ValidTests

Step 1 – Scenario

The requirement is to ensure Microsoft Purview Insider Risk Management can collect signals when a user copies files to a USB device using their default browser. The devices differ by browser type:

Device1 → Default browser = Microsoft Edge

Device2 → Default browser = Google Chrome

Step 2 – Signal collection methods in Insider Risk Management

Insider Risk Management uses Microsoft Purview Information Protection client and Purview browser extensions to collect activity signals.

For Microsoft Edge (Chromium-based), insider risk signals are collected via the Microsoft Purview Information Protection client.

For Google Chrome, signals are collected through the Microsoft Purview extension (available in the Chrome Web Store).

The Microsoft Defender Browser Protection extension is for web protection against malicious sites, not for insider risk activity signals, so it is irrelevant here.

Step 3 – Microsoft Reference

Microsoft documentation:

“For insider risk signals collection in Microsoft Edge, the Microsoft Purview client must be deployed. For Google Chrome, the Microsoft Purview extension is required.”

Captures clips of key security-related user activities

This requirement refers to recording and surfacing evidence of risky user behavior (e.g., copying sensitive files to USB, uploading to cloud storage, or exfiltrating data).

In Microsoft Purview Insider Risk Management, this is achieved through Forensic evidence, which allows capturing screenshots/clips of user activities on endpoints when a policy is triggered.

Ref: Microsoft Learn – Insider risk forensic evidence

Integrates DLP capabilities with insider risk management

Microsoft introduced Adaptive Protection as part of Purview Insider Risk.

Adaptive Protection uses insider risk signals and DLP together, dynamically adjusting DLP controls (block, restrict, monitor) based on the user’s risk level.

This integration reduces false positives and ensures risky users are monitored more strictly while low-risk users are less impacted.

Ref: Microsoft Learn – Adaptive Protection in Microsoft Purview

Other options ruled out:

Adaptive scopes: Used for defining policy targeting groups dynamically, not capturing activities.

Classifiers/Trainable classifiers: Used for content classification, not exfiltration capture or DLP integration.

eDiscovery (Premium): For legal investigations, not insider risk + DLP integration.

Records management: Lifecycle retention, not related to insider risk.

Endpoint DLP builds on Microsoft Defender for Endpoint integration. Before enabling Endpoint DLP, you must turn on device onboarding in Microsoft Purview to allow devices (like Device1) to be enrolled. After onboarding, you can assign DLP policies to endpoints.

For creating a custom trainable classifier, seed content must be stored in a Microsoft 365 content location that Purview can crawl for training—SharePoint Online (or Exchange mailboxes). OneDrive, Azure Files, or other locations are not supported for training seed sets.

Yes , Yes, No

To determine whether each statement is true or false, let's analyze the provided information step by step based on the sensitivity label settings and the user permissions associated with the files.

Given Information:

Users and Subscriptions:

User1: Contoso subscription, email: user1@contoso.com

User2: Contoso subscription, email: user2@contoso.com

User3: Fabrikam subscription, email: user3@fabrikam.com

User4: Fabrikam subscription, email: user4@fabrikam.com

Files and Sensitivity Label Application:

File1: Automatically applied Sensitivity1 using an auto-labeling policy

File2: Applied by User2

File3: Applied by User1

Sensitivity Label (Sensitivity1) Assumptions: Since the exhibit for the sensitivity label is not fully detailed, we need to make reasonable assumptions based on typical Microsoft 365 sensitivity label behavior. Sensitivity labels can restrict access based on user permissions, subscription boundaries, or specific configurations (e.g., allowing only users within the same organization to edit or view). Given the context of two separate subscriptions (Contoso and Fabrikam), it’s likely that Sensitivity1 restricts access to users within the same subscription unless explicitly configured otherwise. A common default for such labels is to allow editing and other rights only to users within the applying user's organization, with possible restrictions for cross-subscription access.

Key Assumptions:

Sensitivity1 likely encrypts the files and restricts editing rights to users within the same subscription as the user who applied the label or where the auto-labeling policy is configured.

File1 (auto-applied) would inherit permissions based on the policy, likely restricting access to Contoso users if the policy is set up within the Contoso subscription.

File2 (applied by User2 from Contoso) would restrict access to Contoso users.

File3 (applied by User1 from Contoso) would also restrict access to Contoso users.

Users from Fabrikam (User3, User4) would not have edit rights unless explicitly granted, which is unlikely given the separation of subscriptions.

Statement Analysis:

User1 can edit rights for File1.

File1 was automatically applied with Sensitivity1 using an auto-labeling policy. Since the policy is likely configured within the Contoso subscription (where User1 resides), User1, as a Contoso user, should have edit rights unless the policy explicitly restricts this. Given User1's affiliation with Contoso, this is typically allowed.

Answer: Yes

User2 can edit rights for File3.

File3 was applied by User1, who is from the Contoso subscription. Since User2 is also from the Contoso subscription, they should have edit rights unless the label configuration explicitly denies this for other users within the same subscription. Typically, users within the same organization can edit files labeled by another user from the same organization.

Answer: Yes

User3 can print File2.

File2 was applied by User2, who is from the Contoso subscription. Sensitivity1 likely restricts access to Contoso users only. User3 is from the Fabrikam subscription, which is a separate entity. Unless cross-sub

Answer : No

Step 1 – Scenario

Endpoint Data Loss Prevention (Endpoint DLP) is implemented in Microsoft 365.

Computers: Windows 11, joined to Microsoft Entra (Azure AD), with Microsoft 365 Apps installed.

Goal: Ensure Endpoint DLP policies can protect local content on these devices.

Step 2 – How Endpoint DLP works

Endpoint DLP builds on the same policy framework as Microsoft Purview DLP, but specifically extends coverage to Windows 10/11 devices.

Requirements:

Devices must be onboarded to Microsoft Purview (via Microsoft Defender for Endpoint or via Purview device onboarding).

Endpoint DLP does not require the Microsoft Purview Information Protection (MIP) client.

The MIP client is only required for sensitivity labeling and AIP functionality, not for Endpoint DLP.

Step 3 – Why the proposed solution is incorrect

Deploying the Microsoft Purview Information Protection client does not enable Endpoint DLP.

Endpoint DLP requires device onboarding into Microsoft Purview compliance.

Therefore, this solution does not meet the goal.

Step 4 – Microsoft Reference

Microsoft Docs states:

“To use Endpoint data loss prevention (Endpoint DLP), devices must be onboarded to the Microsoft Purview compliance portal. Installing the Microsoft Information Protection client is not required.”

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

A DLP policy with Exchange email as the only location meets this requirement because it identifies sensitive data in email messages and it applies protection actions, such as encryption, blocking, or alerts.

If User1 sends an email externally with five credit card numbers, Policy1 applies. → Yes

If User1 sends an email externally with five credit card numbers, Policy2 also applies. → No (stopped by Policy1).

If User2 sends an email externally with five credit card numbers, Policy2 applies. → Yes

???? Policy1

Order: 0 (highest priority).

Scope: Exchange email for the Finance distribution group.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Encrypt with “Encrypt email” option.

Additional options: Stop processing additional DLP policies and rules.

???? Policy2

Order: 1 (lower priority).

Scope: All Exchange email.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Restrict/block OR encrypt depending on configuration, notify admin.

Additional options: None.

???? User-by-user Analysis

User1 (Finance group):

Policy1 applies first (priority 0).

If User1 sends email externally with ≥ 5 CCNs, Policy1 encrypts the email and stops further processing.

Therefore, Policy2 never applies to User1.

User2 (Sales group):

Not in Finance, so Policy1 does not apply.

Policy2 applies (all Exchange email).

If User2 sends email externally with ≥ 5 CCNs, Policy2 action is enforced (restrict/block or encrypt).

Comprehensive Detailed Explanation with References

The command Set-AuditConfig -Workload Exchange is related to configuring auditing for workloads but does not enable mailbox auditing.

To capture and view who is accessing User1’s mailbox, mailbox auditing must be enabled at the mailbox level in Exchange Online.

Correct solution would be:

Set-Mailbox -Identity User1 -AuditEnabled $true

Mailbox auditing is enabled by default for all mailboxes in Microsoft 365 now, but if it is disabled, enabling auditing at the mailbox level is required. Running Set-AuditConfig -Workload Exchange alone does not accomplish this.