Microsoft SC-400 Exam Dumps & Practice Test Questions

Question 1:

You have created three sensitivity labels: Sensitivity1, Sensitivity2, and Sensitivity3. You take the following steps:

  • You publish Sensitivity1.

  • You configure an auto-labeling policy for Sensitivity2.

You are preparing to set up a file policy named Policy1 in Microsoft Cloud App Security (MCAS).

Which sensitivity labels are available to be used in Policy1 for Microsoft SharePoint Online?

A. Sensitivity1 only
B. Sensitivity1, Sensitivity2, and Sensitivity3
C. Sensitivity2 only
D. Sensitivity1 and Sensitivity2 only

Correct Answer: D

Explanation:

When configuring a file policy in Microsoft Cloud App Security (MCAS), the availability of sensitivity labels depends on how each label has been published or configured. Only sensitivity labels that are either published or part of an auto-labeling policy can be recognized and used by MCAS.

Here’s a detailed look at each label:

  • Sensitivity1 has been published, meaning it’s active and can be used manually across Microsoft 365 services, including MCAS. Publishing makes the label globally available for users and services to apply.

  • Sensitivity2 is not published manually, but it is linked to an auto-labeling policy. While this means users cannot manually select it, MCAS recognizes it because auto-labeling integrates with the information protection framework. Labels with auto-apply policies are still usable in MCAS policies when the automatic criteria are met.

  • Sensitivity3 is neither published nor part of an auto-labeling policy. Therefore, MCAS cannot detect or use this label. Labels that are created but not published or linked to a policy are considered inactive and invisible to enforcement tools like MCAS.

Let’s assess the choices:

  • A is incomplete because it omits Sensitivity2, which, despite being auto-applied, is still usable by MCAS.

  • B incorrectly includes Sensitivity3, which hasn’t been made available through publishing or auto-labeling.

  • C overlooks Sensitivity1, which is fully available due to publishing.

  • D correctly includes Sensitivity1 (published) and Sensitivity2 (auto-labeled), both of which can be used in Policy1.

In conclusion, D is correct because only Sensitivity1 and Sensitivity2 are available to apply in SharePoint Online through Policy1.

Question 2:

You have a folder in Microsoft OneDrive for Business that contains several file types, including .docx, .txt, and others. You configure a file policy in Microsoft Cloud App Security (MCAS) to apply automatic classification.

What is the expected behavior of this policy?

A. It will only classify the .docx and .txt files, completing the process within 24 hours.
B. It will apply to all file types but only classify up to 100 files per day.
C. It will target .docx files exclusively and apply classification to 100 files daily.
D. It will classify .docx and .txt files immediately upon detection.

Correct Answer: B

Explanation:

In Microsoft Cloud App Security (MCAS), file policies can scan files in connected apps (such as OneDrive) and apply sensitivity labels or classifications automatically. These policies are powerful for identifying sensitive data and enforcing data protection measures. However, there are some operational limitations and behaviors that must be considered.

One of the key constraints in MCAS is the daily processing cap. By default, file policies in MCAS can only classify up to 100 files per day per policy. This limitation helps balance performance across large enterprise environments and ensures systems are not overwhelmed.

Let’s review the options in light of this:

  • A claims the policy classifies only .docx and .txt files and completes the process within 24 hours. While those file types are common targets, MCAS file policies can target all file types, unless specifically filtered. Also, classification does not always finish within 24 hours; processing time varies by load and file queue.

  • B is accurate. MCAS will evaluate all files in the folder, regardless of file type, as long as the policy does not restrict types. The system then classifies a maximum of 100 files daily. This daily cap is the default behavior in many MCAS environments and applies across most connected apps.

  • C incorrectly limits the policy to only .docx files, which is misleading unless such filtering is explicitly configured.

  • D wrongly assumes immediate classification. In practice, even though MCAS initiates scanning quickly, classification is not instantaneous due to system latency and queuing.

Thus, B is the most accurate and complete answer. The policy applies to all files (not just specific types) and adheres to a daily classification limit of 100 files, which is the core operational characteristic of MCAS file policies.

Question 3:

Your company’s research team needs documents containing source code to be automatically labeled as Confidential. They’ve provided examples of such code from their library. 

You want a solution that requires minimal setup and maintenance. What is the best approach?

A. Create a custom classifier
B. Create a sensitive info type using Exact Data Match (EDM)
C. Use the source code classifier
D. Create a sensitive info type using regular expressions

Correct Answer: C

Explanation:

The requirement is to classify documents that include programming code and to label them as Confidential, all while keeping administrative work to a minimum. The research team has already shared sample code, which helps in choosing a solution that can intelligently detect and classify such content.

Let’s examine the options:

A. Custom classifier: This method gives flexibility in defining what content should be classified. However, it involves significant manual setup, including training the classifier, defining relevant patterns, and testing accuracy. It does not meet the “minimal administrative effort” requirement.

B. Sensitive info type using EDM: Exact Data Match is best suited for identifying fixed, highly structured data like national ID numbers or bank account details. Source code tends to vary significantly in format and structure, making EDM unsuitable for this use case. It also requires a predefined list of data, which is not practical for variable code.

C. Source code classifier: This is the most appropriate option. Microsoft provides a built-in source code classifier that is trained to detect code snippets based on syntax patterns, programming keywords, and structural characteristics. It can recognize code across various languages automatically. Since it’s pre-configured and doesn't need custom training, it significantly reduces administrative burden.

D. Sensitive info type using regular expressions: Regular expressions can be used to match patterns in text, but programming code varies widely in syntax and structure. Creating and maintaining accurate regex patterns for all programming languages would be complex and time-consuming. This method would demand more effort than using the built-in classifier.

Hence, C is the best choice because the source code classifier provides a low-maintenance and effective way to detect programming content and label it appropriately.

Question 4:

You are setting up a new Microsoft 365 environment and need to configure custom trainable classifiers for data classification. 

Which administrative role must you be assigned in order to complete this task?

A. Security administrator
B. Security operator
C. Global administrator
D. Compliance administrator

Correct Answer: D

Explanation:

In Microsoft 365, trainable classifiers are used to automatically categorize documents based on learned content types (e.g., resumes, contracts, source code). Creating and managing these classifiers falls under compliance and data governance rather than security operations.

Let’s consider each role:

A. Security administrator: This role is primarily focused on managing the security-related elements of Microsoft 365, such as configuring threat protection and managing alerts. While important, it does not have the necessary permissions to access and manage compliance tools like trainable classifiers.

B. Security operator: This role offers limited access, mostly for monitoring and viewing alerts. It does not allow configuration changes or the creation of classifiers. This role is inappropriate for performing compliance configurations.

C. Global administrator: This role has full access across Microsoft 365, which includes the ability to manage classifiers. However, assigning someone the Global administrator role just to manage compliance settings is excessive. It grants access far beyond what’s necessary and goes against the principle of least privilege.

D. Compliance administrator: This is the most appropriate role for this task. It provides specific permissions for managing Microsoft Purview compliance features, including information governance, data classification, retention policies, and trainable classifiers. Assigning this role ensures that the user has the required access without giving them excessive permissions.

In summary, D is the correct answer. The Compliance administrator role allows for configuring custom trainable classifiers, aligning perfectly with the requirements of this task while maintaining secure and efficient role-based access.

Question 5:

You want to ensure that documents containing internal network details—such as IP addresses, system names, and configuration settings—are automatically labeled with appropriate sensitivity protections. 

What two components are required to accomplish this task? (Select two.)

A. an Information protection auto-labeling policy
B. a custom trainable classifier
C. a sensitive info type that uses a regular expression
D. a data loss prevention (DLP) policy
E. a sensitive info type that uses keywords
F. a sensitivity label that has auto-labeling

Correct Answers: A, F

Explanation:

To automatically classify and protect documents that include technical network information like IP addresses, device names, and system configurations, the combination of two specific Microsoft Purview Information Protection tools is necessary: auto-labeling policies and sensitivity labels with auto-application features.

Option A, the Information protection auto-labeling policy, plays a key role by detecting sensitive content based on defined rules. This policy can be set up to identify documents that contain patterns typical of internal IT assets—such as IP address formats or naming conventions for devices. Once such content is recognized, the system knows a labeling action is needed.

Option F, the sensitivity label with auto-labeling, complements this by carrying out the labeling action. It doesn’t detect the content itself but applies the correct protection (like encryption or access restrictions) when the auto-labeling policy triggers it. Together, these two components create a workflow: detection followed by labeling and enforcement.

The remaining options are less relevant for this exact use case:

  • Option B, a custom trainable classifier, can detect nuanced data types based on user-trained models, but it's more complex and best suited for unstructured or varied content, not for specific patterns like IPs or configuration info.

  • Option C, using a regular expression within a sensitive info type, is useful for identifying data patterns, but by itself it doesn’t apply labels. It needs to be embedded in an auto-labeling policy to be effective.

  • Option D, a DLP policy, is designed to prevent data from leaking, not to classify or label it automatically.

  • Option E, a keyword-based sensitive info type, is a detection mechanism like C, but again, requires pairing with an auto-labeling policy.

Thus, to label documents based on internal network data, you must use A and F together.

Question 6:

Which Microsoft 365 management interface allows you to define and publish sensitivity labels to classify and protect organizational data?

A. Microsoft Compliance Center
B. Microsoft Azure Security Center
C. Microsoft PowerShell
D. Microsoft Information Protection (MIP) Viewer

Correct Answer: A

Explanation:

The Microsoft Compliance Center is the primary console used in Microsoft 365 to manage compliance-related features, including the creation, configuration, and deployment of sensitivity labels. Sensitivity labels are essential for applying data classification, encryption, content marking, and access control across emails, documents, and other Microsoft 365 assets.

Within the Compliance Center, administrators can create label policies, assign protection settings like rights management and encryption, and define automatic or manual labeling rules. These labels help ensure that sensitive data is properly protected and handled according to internal policies or regulatory requirements. Moreover, these labels integrate seamlessly with Microsoft Purview Information Protection to enforce compliance across cloud services.

Let’s examine the other options:

  • Option B, Azure Security Center, focuses on cloud infrastructure security and threat protection across Azure workloads. It does not manage Microsoft 365 sensitivity labels.

  • Option C, Microsoft PowerShell, while useful for scripting and automating administrative tasks (including label configuration), is not the primary interface for creating labels. It serves as a secondary tool for administrators who prefer command-line operations.

  • Option D, Microsoft Information Protection Viewer, is a tool for inspecting labeled documents and understanding how protection is applied. It cannot be used to create or assign labels.

In summary, while auxiliary tools like PowerShell and MIP Viewer support aspects of label visibility or automation, only the Microsoft Compliance Center provides the full interface for creating, managing, and deploying sensitivity labels across your Microsoft 365 environment.

Question 7:

What is the main function of Data Loss Prevention (DLP) policies within Microsoft 365?

A. Encrypt confidential email messages
B. Block the unintentional or unauthorized distribution of sensitive data
C. Organize data for regulatory compliance
D. Store deleted information for archival purposes

Answer: B

Explanation:

Data Loss Prevention (DLP) in Microsoft 365 is a critical feature designed to safeguard sensitive information by monitoring and controlling its flow within and outside an organization. The primary purpose of DLP is to ensure that confidential data—such as credit card numbers, social security numbers, personal health records, or financial data—is not inadvertently or deliberately shared with unauthorized users.

DLP policies work by scanning content in emails, Teams chats, SharePoint, OneDrive, and other Microsoft 365 services to identify predefined patterns associated with sensitive information. These policies can then automatically take actions, such as displaying warnings to users, blocking the transmission of data, or sending incident reports to administrators. This proactive approach greatly reduces the likelihood of data breaches or regulatory compliance violations.

While DLP works in tandem with other technologies like encryption and data classification, its core role is distinct. Encryption secures data by converting it into an unreadable format for unauthorized users, and classification helps label content based on sensitivity. DLP, on the other hand, governs the behavior surrounding that data—specifically, whether or not it can be shared or transmitted.

For example, if an employee tries to email a spreadsheet containing customer credit card numbers outside the company, DLP can block the action or prompt the user with a policy tip. It can also require justification or approval for sharing the file.

Ultimately, the role of DLP policies is to protect the integrity and privacy of an organization’s sensitive data by ensuring it remains within approved boundaries and is handled responsibly by users. This is a cornerstone of a strong data governance and compliance framework within Microsoft 365.

Question 8:

Which of these is not included as a capability of Microsoft Information Protection (MIP)?

A. Applying sensitivity labels to content
B. Encrypting data for protection
C. Managing how long data is retained
D. Controlling user identities and login access

Answer: D

Explanation:

Microsoft Information Protection (MIP) is a suite of tools built into Microsoft 365 to help organizations identify, classify, protect, and govern sensitive information. MIP is primarily centered around data—ensuring that important documents and emails are properly labeled, encrypted, and retained based on business rules or regulatory requirements.

Key features of MIP include sensitivity labels, which allow organizations to tag content such as “Confidential” or “Public” to enforce appropriate handling policies. These labels can trigger automatic encryption, restrict access permissions, or even prevent sharing outside the organization. Another feature is encryption, which is applied to protect sensitive content both at rest and in transit. Data retention policies also fall under MIP, allowing organizations to define how long different types of data should be kept before being deleted or archived, supporting compliance with laws like GDPR or HIPAA.

However, identity and access management (IAM) does not fall under the scope of MIP. Instead, IAM is managed through Azure Active Directory (Azure AD), a separate Microsoft service responsible for authentication, user sign-ins, single sign-on (SSO), multifactor authentication (MFA), and conditional access policies. Azure AD ensures that the right individuals have access to the right resources, and it plays a key role in securing the environment from identity-based threats.

While MIP and Azure AD are both part of Microsoft’s broader security and compliance ecosystem, their functions are distinct. MIP focuses on securing and governing the data itself, whereas Azure AD governs who can access what, and under what conditions.

In summary, although MIP handles sensitive data labeling, encryption, and retention, it does not include identity and access management capabilities. That responsibility lies with Azure Active Directory, making option D the correct answer.

Question 9:

Which Microsoft 365 tool should you use to define and manage retention labels for organizational content?

A) Microsoft 365 Compliance Center
B) Microsoft Power BI
C) Microsoft SharePoint Admin Center
D) Microsoft Teams Admin Center

Correct Answer: A

Explanation:

Retention labels are a core feature of Microsoft 365’s information governance and compliance capabilities. These labels allow organizations to manage the lifecycle of data by specifying how long content should be retained and what actions should be taken once the retention period ends—such as deletion or archival. The correct platform to configure and manage these retention labels is the Microsoft 365 Compliance Center.

The Compliance Center is specifically designed to help administrators implement policies related to data governance, compliance, privacy, and risk management. Through this interface, you can create and publish retention labels and policies, monitor compliance status, and apply automatic classification rules based on content types or conditions.

Each of the other options listed serves a different purpose within the Microsoft 365 ecosystem. Microsoft Power BI is a business analytics tool used for data visualization and reporting. Microsoft SharePoint Admin Center focuses on managing SharePoint sites, storage, and sharing settings, but it does not handle compliance settings like retention policies. Similarly, the Microsoft Teams Admin Center is used for managing Teams-specific configurations such as user settings, policies for communication, and app permissions, not data retention rules.

Using the Compliance Center, retention labels can be either applied manually by users or automatically through pre-defined conditions. These settings help organizations meet regulatory requirements such as GDPR, HIPAA, or industry-specific mandates by ensuring data is kept only as long as necessary and properly disposed of when no longer needed.

Understanding where and how to configure retention policies is crucial for anyone pursuing the Microsoft SC-400 exam or working in a compliance role within an organization using Microsoft 365. Mastery of this area ensures that sensitive information is handled appropriately across the lifecycle of its use, thereby mitigating legal and operational risks.

Question 10:

Which category of data is most commonly safeguarded using Microsoft Information Protection (MIP) policies?

A) Network configurations
B) Sensitive financial data
C) Application source code
D) End-user device configurations

Correct Answer: B

Explanation:

Microsoft Information Protection (MIP) is primarily used to protect sensitive and confidential data within an organization. The most common examples of this type of data include financial records, personal information (PII), intellectual property, and other content that could pose a legal, financial, or reputational risk if exposed. Among the options listed, sensitive financial data best fits this category, making it the correct answer.

MIP is a framework that supports the classification, labeling, and protection of data across Microsoft 365 services and beyond. It includes tools such as sensitivity labels, data classification, encryption, and access controls to ensure that sensitive information remains secure, even when shared or stored externally. Sensitivity labels, for example, can automatically encrypt a document or restrict access based on user roles or group memberships.

Additionally, Data Loss Prevention (DLP) policies within MIP help prevent the unintentional sharing of sensitive information by scanning emails, documents, and messages for patterns that match known sensitive data types, such as credit card numbers or tax identifiers. These DLP rules can block or alert users before data is sent to unauthorized recipients.

While MIP plays a critical role in data governance, it is not typically used to manage infrastructure-related elements like network configurations, application source code, or device settings. These components fall under the responsibilities of different tools and teams. For instance, device configurations may be handled via Microsoft Intune, and network setups are managed through specialized network security platforms or Azure Network Manager.

MIP policies are a cornerstone of Microsoft’s compliance strategy, helping organizations meet stringent regulatory requirements such as GDPR, HIPAA, and CCPA. By properly implementing these policies, companies can ensure the confidentiality and integrity of their most valuable data assets.

For SC-400 exam candidates, a solid understanding of Microsoft Information Protection—including its scope, tools, and real-world use cases—is essential for demonstrating proficiency in protecting organizational data within the Microsoft 365 ecosystem.
