Microsoft SC-401 - Administering Information Security in Microsoft 365

Step 1 – Review scenario

You created a retention label policy Contoso_Policy.

Status shows Off (Error) with message: " It ' s taking longer than expected to deploy the policy. "

Requirement: Reinitiate the policy.

Step 2 – Correct PowerShell cmdlet

To manage retention label policies in Microsoft Purview (compliance), the cmdlet is:

Set-RetentionCompliancePolicy

Other cmdlets:

Set-RetentionPolicy → Legacy Exchange Online retention policies, not Purview label policies.

Start-EdgeSynchronization → Sync for Edge Transport servers, not retention.

Start-RetentionAutoTagLearning → Used for auto-tagging learning, not relevant here.

Step 3 – Correct parameter

To force redistribution of a retention label policy when deployment fails, the parameter is:

-RetryDistribution

Other options:

-ForceFullSync and -FullCrawl → Apply to search/crawl, not retention.

-Train → Related to auto-tagging learning models, not retention.

Final Verified Answer

Set-RetentionCompliancePolicy –id Contoso_Policy –RetryDistribution

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

Mail flow rules (transport rules) can detect sensitive info, but they are limited in encryption capabilities.

DLP policies provide more advanced protection and integration with Microsoft Purview for sensitive info detection.

Step 1 – Review what’s configured

Labels: Public, General, Confidential, Internal, External.

Also shown in policy: Confidential/Internal and Confidential/External.

Policy setting: Users must provide justification to remove a label or lower its classification.

Confidential/External → encrypts content when applied.

Step 2 – Analyze each statement

Statement 1: The Internal sensitivity label inherits all the settings from the Confidential label.

Sub-labels (e.g., Confidential/Internal, Confidential/External) do not inherit settings from the parent.

They are independent labels grouped under a parent for organization, but each sub-label must have its own protection settings defined.

Answer: No

Statement 2: Users must provide justification if they change the label of content from Confidential/Internal to Confidential/External.

The policy requires justification only when removing a label or downgrading classification (lowering).

Changing between two sub-labels of the same parent (Confidential/Internal → Confidential/External) is considered a lateral move (not a downgrade).

Answer: No

Statement 3: Content that has the Confidential/External label applied will retain the encryption settings if the sensitivity label is removed from the label policy.

If a label is removed from a published policy, content already labeled retains its protection settings (such as encryption).

The label metadata stays applied to the file/email, even if unpublished.

Answer: Yes

You need one Sensitive Information Type (SIT) per distinct information pattern. The minimum set that covers both SharePoint and Exchange is:

Credit Card Number (builtin) – used for documents and email.

UK National Health Service Number (builtin) – used for documents and email.

EU/UK Physical Address (builtin “ EU PII: Physical address ” ).

User credentials (builtin “ Credentials ” / “ User credentials ” ).

Custom keywordbased SIT for the sensitive project names ( “ Project Tailspin ” , “ Project Contoso ” , “ Project Falcon ” ) – can be one SIT using a keyword list.

SITs are reusable across locations, so you don’t count duplicates for email and documents.

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users.

Sensitivity Label Administrator Role Responsibilities

This role allows users to:

● Create and manage sensitivity labels in Microsoft Purview.

● Publish and configure auto-labeling policies.

● Modify label encryption and content marking settings.

Review of Admin Roles from the Table:

Users that must be assigned the Sensitivity Label Administrator role:

● Admin2 (Compliance Data Administrator)

● Admin3 (Compliance Administrator)

● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).

Understanding DLP Policy Impact on File Access

The DLP policy (DLPpolicy1) applies to Site2 and restricts access when:

● Content contains SWIFT Codes.

● Instance count is 2 or more.

File Analysis (Based on SWIFT Codes Count)

Files that remain accessible (not restricted by DLP):

● File1.docx (Contains only 1 SWIFT Code → Below restriction threshold)

User access after DLP policy is applied:

User1 (Site Owner):

● Has higher privileges and can override DLP restrictions (through admin intervention).

● Can access 2 files (File1.docx + override access to another file).

User2 (Site Visitor):

● Has read-only access but DLP blocks access to restricted files.

● Can only access 1 file (File1.docx), since all others are restricted.

The goal is to automatically label documents in Site1 that contain credit card numbers. To achieve this, we need a sensitivity label with an auto-labeling policy based on a sensitive info type that detects credit card numbers.

Step 1: Create a Sensitive Info Type

● A sensitive info type is needed to detect credit card numbers in documents.

● Microsoft Purview includes built-in sensitive info types for credit card numbers, but we can also create a custom one if necessary.

Step 2: Create a Sensitivity Label

● A sensitivity label is required to classify and protect documents containing sensitive information.

● This label can apply encryption, watermarking, or access controls to credit card data.

Step 3: Create an Auto-Labeling Policy

● An auto-labeling policy ensures that the sensitivity label is applied automatically when credit card numbers are detected in Site1.

● This policy is configured to scan files and automatically apply the correct sensitivity label.

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential).

Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns, keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified.

Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999.

Example Regex pattern:

999\d{7}

This pattern detects a 10-digit number starting with " 999 " .

The requirement states that all Microsoft 365 data for users must be retained for at least one year. In Microsoft 365, retention policies must be configured for each type of data storage.

Step 1: Identifying Where Data is Stored

From the case study, users store data in the following locations:

● SharePoint Online sites

● OneDrive accounts

● Exchange email

● Exchange public folders

● Teams chats

● Teams channel messages

Since these locations fall under two broad categories:

● Microsoft Exchange data (Emails, Public folders)

● SharePoint, OneDrive, and Teams data

Step 2: Required Retention Policies

1️. A single retention policy can cover:

● SharePoint Online

● OneDrive

● Microsoft Teams

2. A second retention policy is required for:

● Exchange (Emails & Public Folders)

Thus, the minimum number of retention policies required to meet the requirement is 2.

Microsoft 365 retention policies can be applied broadly across multiple services with just two policies:

● One for Exchange & Public Folders

● One for SharePoint, OneDrive, and Teams

There ' s no need for separate policies for each individual workload unless different retention durations are required, which is not stated in the requirement.

Understanding Site4 ' s Retention Policies:

● Site4RetentionPolicy1 deletes items older than 2 years from creation. If a file was created on January 1, 2021, it would be deleted after January 1, 2023.

● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states " Do nothing " ).

Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years.

Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025).

Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does " nothing, " meaning the file is no longer recoverable after that period.