Microsoft SC-401 - Administering Information Security in Microsoft 365

Creating an app discovery policy in Microsoft Defender for Cloud Apps is used for detecting and monitoring cloud application usage, but it does not prevent a locally installed application (Tailspin_scanner.exe) from accessing sensitive files on Windows 11 devices.

To block Tailspin_scanner.exe from accessing sensitive documents while allowing it to access other files, the correct solution is to use Microsoft Purview Endpoint Data Loss Prevention (Endpoint DLP) and add Tailspin_scanner.exe to the Restricted Apps list.

Endpoint DLP allows you to block specific applications from accessing sensitive files while keeping general access available. Restricted Apps List in Endpoint DLP ensures that Tailspin_scanner.exe cannot open, copy, or process protected documents, but it can still function normally for non-sensitive content.

The requirement is:

You need to provide a user with the ability to view DLP alerts in the Microsoft Purview portal. The solution must use the principle of least privilege.

Step 1 – Understanding the roles

Compliance Administrator → Full access to compliance features, including creating/editing policies. This is more than needed (not least privilege).

Compliance Data Administrator → Can manage compliance features and data governance, but still more permissions than required.

Security Operator → Can view and respond to active security incidents and alerts, which is more than just viewing DLP alerts.

Security Reader → Read-only access to security-related features, including viewing DLP alerts, Microsoft Purview alerts, incidents, reports, and recommendations. This matches the requirement precisely.

Step 2 – Microsoft Documentation

Microsoft Learn states:

Security Reader role:

“Can view and investigate security events, reports, and alerts without the ability to make changes.”

📖 Reference: Microsoft Entra built-in roles - Security Reader

Step 3 – Apply the principle of least privilege

Since the user only needs to view DLP alerts (not create or manage policies), the Security Reader role is the minimal role with sufficient permissions.

To test Microsoft Purview Advanced Message Encryption (which relies on Azure Information Rights Management), you use the Test-IRMConfiguration cmdlet. It verifies configuration, template availability, and encryption/decryption status.

Test-OAuthConnectivity → tests OAuth authentication.

Test-ClientAccessRule → tests client access rules.

Test-Mailflow → tests mail routing.

In Defender for Cloud Apps file policies, Access level is the filter used to detect how a file is exposed (e.g., Public on the internet, External, Internal, Private). Choosing Access level = External matches files that are shared with users outside your organization—exactly the “shared externally” condition.

Ref: Microsoft Defender for Cloud Apps – Create/Use file policies (File filters: Access level), Microsoft Learn.

See: Microsoft Defender for Cloud Apps > Policies > File policies documentation describing file filters including Access level and its values (Public, External, Internal, Private).

To target files that carry an MIP/AIP classification such as Internal Only, you use the Sensitivity label file filter. Defender for Cloud Apps ingests Microsoft Purview Information Protection labels and lets you build file policies that trigger when a specific label is applied.

Ref: Integrate Microsoft Information Protection with Microsoft Defender for Cloud Apps and File policies – Sensitivity label filter, Microsoft Learn.

These docs explain that MCAS can filter and govern files by Sensitivity label and apply governance based on labels such as Internal Only, Confidential, etc.

Why not the other options?

Collaborators filters by specific users/domains; it’s useful to find files shared with a particular external user but not for the generic “shared externally” condition.

Matched policy is for files already flagged by another policy/DLP engine and does not detect “Internal Only” labeling by itself.

To customize encrypted email in Microsoft 365, including adding a company logo, you need to modify the Office Message Encryption (OME) branding settings. The Set-OMEConfiguration PowerShell cmdlet allows you to configure branding elements such as:

● Company logo

● Custom text

● Background color

This cmdlet is used to update existing OME branding settings, ensuring that encrypted emails sent from your organization include the required customizations.

To allow users to apply retention labels to individual documents in Microsoft SharePoint libraries, you need to create a retention label and publish the label.

In Microsoft Purview, retention labels define how long content should be retained or deleted. You must first create a label that specifies the retention rules. After creating the label, you must publish it so that it becomes available for users in SharePoint document libraries. Once published, users can manually apply the retention label to individual documents.

File1

Location: SharePoint Online.

Created: Dec 28, 2015.

As of Jan 1, 2025 → File is 9+ years old.

If retention is (example: 7 years), then the retention period has expired, and the file will be deleted once the policy is turned on.

✅ Answer: Yes

File2

Location: OneDrive.

Created: Jan 2, 2015.

As of Jan 1, 2025 → File is 10 years old.

Retention period (7 years, for example) has expired → File will be deleted once the policy is turned on.

✅ Answer: Yes

File3

Location: Exchange Online public folder.

Created: May 1, 2010.

As of Jan 1, 2025 → File is 15 years old.

But Exchange public folders are not supported locations for Microsoft 365 retention policies.

Therefore, policy does not apply, and file will not be deleted.

Answer: No

If User1 sends an email externally with five credit card numbers, Policy1 applies. → Yes

If User1 sends an email externally with five credit card numbers, Policy2 also applies. → No (stopped by Policy1).

If User2 sends an email externally with five credit card numbers, Policy2 applies. → Yes

🔹 Policy1

Order: 0 (highest priority).

Scope: Exchange email for the Finance distribution group.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Encrypt with “Encrypt email” option.

Additional options: Stop processing additional DLP policies and rules.

🔹 Policy2

Order: 1 (lower priority).

Scope: All Exchange email.

Conditions: Content shared externally AND contains ≥ 5 credit card numbers.

Actions: Restrict/block OR encrypt depending on configuration, notify admin.

Additional options: None.

🔹 User-by-user Analysis

User1 (Finance group):

Policy1 applies first (priority 0).

If User1 sends email externally with ≥ 5 CCNs, Policy1 encrypts the email and stops further processing.

Therefore, Policy2 never applies to User1.

User2 (Sales group):

Not in Finance, so Policy1 does not apply.

Policy2 applies (all Exchange email).

If User2 sends email externally with ≥ 5 CCNs, Policy2 action is enforced (restrict/block or encrypt).