SC-401 Exam Dumps - Microsoft Certified: Information Security Administrator Associate Questions and Answers

Step 1 – Problem statement

User1 has the Compliance Administrator role but cannot view the regular expression in the built-in IP Address sensitive info type.

This is expected because:

Microsoft provides a large set of built-in sensitive info types (SITs).

For these built-in SITs, the underlying regular expressions, keywords, or detection logic are not exposed to administrators for security reasons.

As a result, even with Compliance Administrator privileges, User1 cannot directly see or modify the regex in the built-in IP Address SIT.

Step 2 – Microsoft solution

To view or modify the regex:

You must create a copy of the built-in SIT.

Once copied, the new custom SIT allows you to edit and view the regex and supporting elements.

This is the only supported way to customize or examine the detection logic.

???? Reference: Create a custom sensitive information type

“You can ' t directly modify the definitions of built-in sensitive information types, but you can create a copy of an existing SIT and then edit it.”

Step 3 – Why not the other options?

A. Reviewer role group → Reviewers are for records management/discovery, not SIT regex visibility.

C. Test function → Allows you to test SIT detection but does not reveal the regex.

D. Global Reader role → Read-only access, does not expose regex definitions either.

Box 1: Publishing a Sensitivity Label

Sensitivity labels can be published to Microsoft 365 groups, security groups, SharePoint Online sites, and Microsoft Teams. Since we have:

● Group1 (Microsoft 365 group) - Supported

● Group2 (Security group) - Supported

● Site1 (SharePoint Online site) - Supported

● Team1 (Microsoft Teams team) - Supported

This means we can publish Label1 to Group1, Group2, Site1, and Team1.

Box 2: Auto-Applying a Sensitivity Label

Auto-apply policies for sensitivity labels work on:

● SharePoint Online sites (documents)

● OneDrive (documents)

● Exchange email (messages)

However, labels cannot be auto-applied to Microsoft 365 groups or Teams directly because labels are applied to files and emails, not to groups or Teams as entities. Since Site1 (a SharePoint Online site) supports auto-apply, it is the correct option.

Step 1 – Scenario

Microsoft 365 E5 subscription with 100 users and a Microsoft 365 group (Group1).

A sensitivity label (Label1) is published as the default label for Group1.

Label1 contains two sublabels: Sublabel1 and Sublabel2.

Requirement: Ensure Sublabel1 settings are applied by default to Group1.

Step 2 – Understanding label hierarchy

In Microsoft Purview Information Protection, a parent label (Label1) is a container.

Sublabels (Sublabel1, Sublabel2) inherit the parent name but represent distinct configurations (encryption, watermarking, access, etc.).

A parent label itself cannot have a sublabel’s settings automatically applied unless policy configuration specifies which sublabel is used as the default publishing option.

Step 3 – Why " Modify the policy of Label1 " is correct

To apply Sublabel1 by default, the published policy for Label1 must be modified so that Sublabel1 is the default label within the policy.

Simply reordering sublabels (Option A) does not change the default assignment.

Duplicating Sublabel1’s settings into Label1 (Option B) defeats the purpose of having sublabels and adds redundancy.

Deleting the policy of Label1 and publishing Sublabel1 (Option D) would remove flexibility and is unnecessary.

Step 4 – Microsoft Reference

Microsoft Docs: “If you want a sublabel to be applied by default, configure the label policy to select that sublabel as the default label for documents and emails.”

AutoApply1 is an auto-labeling policy that applies RLabel1 to Group1. Auto-labeling policies can apply retention labels across group mailboxes, SharePoint Online sites, and Teams channel messages if they are configured for group resources.

Retention1 is a retention policy applied to Group2. Retention policies for Microsoft 365 groups apply to all group resources, including group mailboxes, SharePoint Online teams sites, and Teams channel messages.

Since both AutoApply1 and Retention1 affect entire groups, they apply to all associated resources: group mailbox, SharePoint Online teams site, and Teams channel messages.

To create a custom trainable classifier in Microsoft Purview (formerly Microsoft Compliance Center), you must first opt into the trainable classifier feature.

Before using custom trainable classifiers, Microsoft requires manual opt-in through the Microsoft Purview compliance portal. Without this step, you cannot create a new classifier.

The Compliance Administrator role has the necessary permissions to configure data classification, DLP policies, and trainable classifiers. Global Administrator has higher privileges but is not required for this task, violating the principle of least privilege. Security Administrator is focused on security-related settings but does not manage compliance features like classifiers.

Statement 1 - No. The sensitivity label includes content marking (watermark: INTERNAL), but it only applies to documents where the label is manually or automatically applied, not to all documents by default.

Statement 2 - No. The sensitivity label only specifies a watermark, not a header. If a header marking was configured, it would explicitly appear in the label settings.

Statement 3 - No. There is no indication that auto-labeling is configured to apply the label only to documents with the word " rebranding " . Auto-labeling is an optional setting that needs explicit configuration.

Activity Explorer logs a DLP rule match event each time any DLP rule condition is met on a file.

File1 matches Rule11 and Rule12 → 2 events

File2 matches Rule21 and Rule22 → 2 events

File3 matches Rule11 and Rule22 → 2 events

Total events in Activity Explorer = 2 + 2 + 2 = 6.

Microsoft notes that Activity explorer shows granular DLP activities such as policy rule matches per item.

The DLP incidents report aggregates by policy match per item, not by each rule in that policy. Multiple rules from the same policy on the same item count as one incident; if different policies match the same item, each policy creates its own incident.

File1: Rules from DLP1 only → 1 incident

File2: Rules from DLP2 only → 1 incident

File3: One rule from DLP1 and one from DLP2 → 2 incidents

Total incidents = 1 + 1 + 2 = 4.

You need to prevent users from sharing sensitive information with third-party generative AI websites.

A. Information Protection → Classifies and labels data but does not block sharing with external AI sites.

B. Information Barriers → Restricts communication between groups of users (e.g., compliance walls), not web uploads.

C. Insider Risk Management → Detects risky behavior (like data exfiltration), but does not actively block data sharing.

D. Data Loss Prevention (DLP) → Detects and prevents sensitive data being copied to browsers, USBs, or uploaded to restricted domains (like ChatGPT, Bard, etc.).