SC-401 Exam Dumps - Microsoft Certified: Information Security Administrator Associate Questions and Answers

User1: Since the Microsoft Purview browser extension is installed on Device1, AI-related activity performed by User1 (generating an image using a generative AI website) can be reviewed in Activity explorer in DSPM for AI.

User2: Since Device2 does not have the Microsoft Purview browser extension installed, AI-related activity cannot be tracked in DSPM for AI. Instead, Audit log search should be used to review activity such as using Microsoft 365 Copilot.

User3: Since Device3 has the Microsoft Purview browser extension installed, AI-related activity (browsing sample content on a generative AI website) can be reviewed using Activity explorer in DSPM for AI.

To customize encrypted email in Microsoft 365, including adding a company logo, you need to modify the Office Message Encryption (OME) branding settings. The Set-OMEConfiguration PowerShell cmdlet allows you to configure branding elements such as:

● Company logo

● Custom text

● Background color

This cmdlet is used to update existing OME branding settings, ensuring that encrypted emails sent from your organization include the required customizations.

To validate whether an audit log retention policy will apply to the intended entries, you should configure the following fields:

● Date and time range (UTC) ensures that you are searching for audit logs within the time period when the policy should be applied. Audit logs are time-sensitive, and policies affect logs based on their timestamp.

● Record types allows you to filter and search for specific audit log categories (e.g., Exchange, SharePoint, Teams, etc.) that are affected by the retention policy. Selecting the correct record type ensures that the policy is evaluated against the relevant data.

In Microsoft Purview Exact Data Match (EDM) classifiers, a primary element is a unique, identifying field used for data matching. EDM allows up to two primary elements per schema.

From the provided table, the Match mode indicates how data is analyzed:

● PP (EU Passport Number) → Likely a primary element because it's unique.

● Name (All Full Names) → Typically not a primary element as names are common.

● DateOfBirth (Single-token) → Usually a secondary element, not unique.

● AccountNumber (Multi-token) → Can be a primary element, as it's a unique identifier.

● Since EDM supports a maximum of two primary elements, the correct answer is 2.

The Service domains setting in Microsoft 365 Endpoint Data Loss Prevention (Endpoint DLP) allows administrators to block or allow specific domains for file uploads. The goal is to prevent users from uploading DLP-protected documents to web1.contoso.com and web2.contoso.com.

Setting the Service domains to "web1.contoso.com and web2.contoso.com" precisely targets the two specific third-party websites, minimizing administrative effort while ensuring strict control.

Create: → A sensitive info type

Element: → Keyword dictionary

You want to classify documents in SharePoint Online based on a list of customer names stored in Customer.csv (1,000 entries).

In Microsoft Purview, there are several options for custom classification:

Sensitive info type (SIT):

Designed to detect predefined or custom patterns such as credit cards, IDs, or custom lists.

You can build a custom SIT using elements like keyword dictionary, regular expressions, and functions.

In this case, since you have a large CSV with 1,000 customer names, you upload that list as a keyword dictionary element.

Trainable classifier:

Used when you want AI to classify documents by training on examples of positive/negative samples (like contracts, resumes).

Not relevant here because you already have a structured list of customer names rather than needing machine learning classification.

Adaptive scope:

Determines where (users, groups, sites) policies apply, not what content is classified.

Not relevant here.

Correct pairing:

Create: A sensitive info type (SIT).

Element: Keyword dictionary (upload the Customer.csv file).

Step 1 – Scenario

You need to grant User1 permission to search Microsoft 365 audit logs while following the principle of least privilege.

Step 2 – Roles that can search audit logs

Audit log search in Microsoft 365 is tied to Exchange Online role groups, because audit log data is stored in Exchange.

The following roles are relevant:

View-Only Audit Logs → Grants the ability to search and view audit logs, but not configure auditing or take other compliance actions. This is the least privilege role.

Audit Logs → Grants broader permissions, including turning auditing on/off.

Compliance Management → A broader role group that includes audit log search and many other compliance functions, violating least privilege.

Security Reader (Entra ID) → Grants read-only access to security features, but not audit logs.

Reviewer (Purview) → Used in eDiscovery, not audit logs.

Step 3 – Why "View-Only Audit Logs" is correct

According to Microsoft documentation:

“Users must be assigned the Audit Logs or View-Only Audit Logs role in Exchange Online to search the audit log. To minimize permissions, assign View-Only Audit Logs.”

???? Reference: Permissions required to search the audit log

Step 4 – Elimination of other options

A. Security Reader role → Allows reading security-related info in Microsoft 365 Defender, not Purview audit logs.

B. Compliance Management role → Includes more than just audit logs, not least privilege.

C. View-Only Audit Logs role → Correct and least privilege.

D. Reviewer role → For eDiscovery cases, not audit logs.

To track interactions between users and generative AI websites in Microsoft Purview Audit, you need to deploy the Microsoft Purview browser extension to the devices. This extension enables tracking of user activities on web-based applications, including AI-related tools like ChatGPT, Microsoft Copilot, and other generative AI platforms.

Microsoft Purview extension provides visibility into browser-based activities, including AI tool usage, ensuring compliance and risk management within Microsoft Purview. This extension works with Microsoft Edge and Google Chrome to track and log user interactions.

Let’s break it down:

File1.docx → DLP action = None

No DLP restrictions, so it is fully accessible to both User1 (owner) and User2 (member).

File2.docx → DLP action = Matched by DLP

“Matched” means the DLP policy detected sensitive content but has not blocked access. Instead, it may generate an alert or policy tip.

Both User1 and User2 can still open this file.

File3.docx → DLP action = Blocked by DLP

“Blocked” means the DLP policy actively restricts access or sharing of the file.

User2 (member) cannot open this file.

However, User1 (site owner) can open it because site collection admins and owners always retain full control over content, even if a DLP rule applies.

Ref: Microsoft Purview DLP policy tips and enforcement

→ DLP policies do not prevent SharePoint/OneDrive site collection admins (owners) from accessing content.

✅ Final Answer Table:

User1 (Site Owner): File1.docx, File2.docx, File3.docx

User2 (Site Member): File1.docx, File2.docx

To test Microsoft Purview Advanced Message Encryption (which relies on Azure Information Rights Management), you use the Test-IRMConfiguration cmdlet. It verifies configuration, template availability, and encryption/decryption status.

Test-OAuthConnectivity → tests OAuth authentication.

Test-ClientAccessRule → tests client access rules.

Test-Mailflow → tests mail routing.