SC-401 Exam Dumps - Microsoft Certified: Information Security Administrator Associate Questions and Answers

To track interactions between users and generative AI websites in Microsoft Purview Audit, you need to deploy the Microsoft Purview browser extension to the devices. This extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms.

Microsoft Purview extension provides visibility into browser-based activities, including AI tool usage, ensuring compliance and risk management within Microsoft Purview. This extension works with Microsoft Edge and Google Chrome to track and log user interactions.

Policy1 monitors printing of files by users that submitted their resignation. In Insider Risk Management, the Data theft by departing users template is designed for users marked as leaving and watches for exfiltration indicators such as printing, USB copy, or uploads to cloud services.

Ref: Microsoft Purview Insider Risk Management – Policy templates: Data theft by departing users (monitors exfiltration activities for departing users).

Policy2 monitors accidental sharing of data outside the organization by users in a priority user group. The template for this is Data leaks by priority users, which targets a defined priority user group and focuses on oversharing/leak indicators (external sharing, email to external, cloud uploads, etc.).

Ref: Insider Risk Management – Data leaks by priority users template.

Policy3 monitors downloading of files from SharePoint Online to personal cloud storage services. This is a classic data leak/exfiltration scenario without a departing/priority qualifier, so the general Data leaks template is appropriate (covers uploads to personal cloud services and other exfiltration vectors).

Ref: Insider Risk Management – Data leaks template (monitors exfiltration such as uploads to personal cloud services).

These mappings align with Microsoft’s template purposes: Departing user exfiltration → Data theft by departing users; Priority users oversharing → Data leaks by priority users; Generic exfiltration → Data leaks.

Comprehensive Detailed Explanation with References

Exact Data Match (EDM) classifiers are designed to identify highly sensitive structured data (like customer IDs, account numbers) with higher accuracy.

EDM classifiers can only be used within Data Loss Prevention (DLP) policies in Microsoft Purview.

They cannot be used in Insider Risk Management or Retention policies.

Yes , Yes, No

To determine whether each statement is true or false, let's analyze the provided information step by step based on the sensitivity label settings and the user permissions associated with the files.

Given Information:

Users and Subscriptions:

User1: Contoso subscription, email: user1@contoso.com

User2: Contoso subscription, email: user2@contoso.com

User3: Fabrikam subscription, email: user3@fabrikam.com

User4: Fabrikam subscription, email: user4@fabrikam.com

Files and Sensitivity Label Application:

File1: Automatically applied Sensitivity1 using an auto-labeling policy

File2: Applied by User2

File3: Applied by User1

Sensitivity Label (Sensitivity1) Assumptions: Since the exhibit for the sensitivity label is not fully detailed, we need to make reasonable assumptions based on typical Microsoft 365 sensitivity label behavior. Sensitivity labels can restrict access based on user permissions, subscription boundaries, or specific configurations (e.g., allowing only users within the same organization to edit or view). Given the context of two separate subscriptions (Contoso and Fabrikam), it’s likely that Sensitivity1 restricts access to users within the same subscription unless explicitly configured otherwise. A common default for such labels is to allow editing and other rights only to users within the applying user's organization, with possible restrictions for cross-subscription access.

Key Assumptions:

Sensitivity1 likely encrypts the files and restricts editing rights to users within the same subscription as the user who applied the label or where the auto-labeling policy is configured.

File1 (auto-applied) would inherit permissions based on the policy, likely restricting access to Contoso users if the policy is set up within the Contoso subscription.

File2 (applied by User2 from Contoso) would restrict access to Contoso users.

File3 (applied by User1 from Contoso) would also restrict access to Contoso users.

Users from Fabrikam (User3, User4) would not have edit rights unless explicitly granted, which is unlikely given the separation of subscriptions.

Statement Analysis:

User1 can edit rights for File1.

File1 was automatically applied with Sensitivity1 using an auto-labeling policy. Since the policy is likely configured within the Contoso subscription (where User1 resides), User1, as a Contoso user, should have edit rights unless the policy explicitly restricts this. Given User1's affiliation with Contoso, this is typically allowed.

Answer: Yes

User2 can edit rights for File3.

File3 was applied by User1, who is from the Contoso subscription. Since User2 is also from the Contoso subscription, they should have edit rights unless the label configuration explicitly denies this for other users within the same subscription. Typically, users within the same organization can edit files labeled by another user from the same organization.

Answer: Yes

User3 can print File2.

File2 was applied by User2, who is from the Contoso subscription. Sensitivity1 likely restricts access to Contoso users only. User3 is from the Fabrikam subscription, which is a separate entity. Unless cross-sub

Answer : No

In Microsoft Purview Exact Data Match (EDM) classifiers, a primary element is a unique, identifying field used for data matching. EDM allows up to two primary elements per schema.

From the provided table, the Match mode indicates how data is analyzed:

● PP (EU Passport Number) → Likely a primary element because it's unique.

● Name (All Full Names) → Typically not a primary element as names are common.

● DateOfBirth (Single-token) → Usually a secondary element, not unique.

● AccountNumber (Multi-token) → Can be a primary element, as it's a unique identifier.

● Since EDM supports a maximum of two primary elements, the correct answer is 2.

Adding a folder path to the file path exclusions in Microsoft 365 Endpoint DLP does not prevent Tailspin_scanner.exe from accessing protected sensitive information. Instead, it would exclude those files from DLP protection, which is not the intended outcome.

To block Tailspin_scanner.exe from accessing sensitive documents while allowing it to access other files, the correct solution is to use Microsoft Purview Endpoint Data Loss Prevention (Endpoint DLP) and add Tailspin_scanner.exe to the Restricted Apps list.

Endpoint DLP allows you to block specific applications from accessing sensitive files while keeping general access available. Restricted Apps List in Endpoint DLP ensures that Tailspin_scanner.exe cannot open, copy, or process protected documents, but it can still function normally for non-sensitive content.

Endpoint DLP builds on Microsoft Defender for Endpoint integration. Before enabling Endpoint DLP, you must turn on device onboarding in Microsoft Purview to allow devices (like Device1) to be enrolled. After onboarding, you can assign DLP policies to endpoints.

The Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox* command is incorrect. This enables admin audit logging, which tracks changes to mailbox configurations (e.g., mailbox settings updates), not user activity inside the mailbox.

The question asks about creating a Microsoft Defender for Cloud Apps (MCAS / MDA) policy that will detect Data Loss Prevention (DLP) violations.

Understanding the policy types in Defender for Cloud Apps:

File Policy

Used for monitoring and controlling files stored in cloud apps (e.g., SharePoint, OneDrive, Box, Google Drive).

Can detect sensitive information types (like credit cards, SSNs, SWIFT codes) and flag DLP violations.

Can apply governance actions (e.g., quarantine, remove sharing, notify user).

Correct for DLP violation detection.

Activity Policy

Monitors user activities (e.g., login attempts, mass downloads, suspicious behavior).

Not for file content DLP.

Session Policy

Applied through Conditional Access App Control for real-time monitoring/control during a user session.

Used for controlling actions (download, cut/paste) but not for broad DLP scanning of stored files.

Access Policy

Controls access to apps based on conditions (e.g., unmanaged device access).

Not designed for DLP content inspection.

Why File Policy is correct

Since the requirement is:

"detect DLP violations"

That means scanning file content for sensitive information. This is only possible with a File Policy in Microsoft Defender for Cloud Apps.

Step 1 – Understanding the scenario

The screenshot shows multiple Sensitive Information Types (SITs) in Microsoft Purview, including:

ABA Routing Number (Microsoft-built)

ASP.NET Machine Key (Microsoft-built)

Adatum document patterns (custom, Fingerprint type)

Adatum numbers (custom, Entity type)

Bundled SITs (like All Credential Types, All Full Names)

The question is asking:

Which SITs can you copy to create a new SIT?

Which SITs can you edit directly without copying?

Step 2 – Microsoft rules for SITs

Built-in SITs (published by Microsoft Corporation):

These cannot be edited directly. To modify them, you must create a copy first.

Custom SITs (created in your tenant, e.g., Contoso):

These can be edited directly without making a copy.