SC-401 Practice Exam Questions and Answers

To create a custom trainable classifier in Microsoft Purview (formerly Microsoft Compliance Center), you must first opt into the trainable classifier feature.

Before using custom trainable classifiers, Microsoft requires manual opt-in through the Microsoft Purview compliance portal. Without this step, you cannot create a new classifier.

The Compliance Administrator role has the necessary permissions to configure data classification, DLP policies, and trainable classifiers. Global Administrator has higher privileges but is not required for this task, violating the principle of least privilege. Security Administrator is focused on security-related settings but does not manage compliance features like classifiers.

Step 1 – Scenario

The requirement is to ensure Microsoft Purview Insider Risk Management can collect signals when a user copies files to a USB device using their default browser. The devices differ by browser type:

Device1 → Default browser = Microsoft Edge

Device2 → Default browser = Google Chrome

Step 2 – Signal collection methods in Insider Risk Management

Insider Risk Management uses Microsoft Purview Information Protection client and Purview browser extensions to collect activity signals.

For Microsoft Edge (Chromium-based), insider risk signals are collected via the Microsoft Purview Information Protection client.

For Google Chrome, signals are collected through the Microsoft Purview extension (available in the Chrome Web Store).

The Microsoft Defender Browser Protection extension is for web protection against malicious sites, not for insider risk activity signals, so it is irrelevant here.

Step 3 – Microsoft Reference

Microsoft documentation:

“For insider risk signals collection in Microsoft Edge, the Microsoft Purview client must be deployed. For Google Chrome, the Microsoft Purview extension is required.”

Yes , Yes, No

To determine whether each statement is true or false, let's analyze the provided information step by step based on the sensitivity label settings and the user permissions associated with the files.

Given Information:

Users and Subscriptions:

User1: Contoso subscription, email: user1@contoso.com

User2: Contoso subscription, email: user2@contoso.com

User3: Fabrikam subscription, email: user3@fabrikam.com

User4: Fabrikam subscription, email: user4@fabrikam.com

Files and Sensitivity Label Application:

File1: Automatically applied Sensitivity1 using an auto-labeling policy

File2: Applied by User2

File3: Applied by User1

Sensitivity Label (Sensitivity1) Assumptions: Since the exhibit for the sensitivity label is not fully detailed, we need to make reasonable assumptions based on typical Microsoft 365 sensitivity label behavior. Sensitivity labels can restrict access based on user permissions, subscription boundaries, or specific configurations (e.g., allowing only users within the same organization to edit or view). Given the context of two separate subscriptions (Contoso and Fabrikam), it’s likely that Sensitivity1 restricts access to users within the same subscription unless explicitly configured otherwise. A common default for such labels is to allow editing and other rights only to users within the applying user's organization, with possible restrictions for cross-subscription access.

Key Assumptions:

Sensitivity1 likely encrypts the files and restricts editing rights to users within the same subscription as the user who applied the label or where the auto-labeling policy is configured.

File1 (auto-applied) would inherit permissions based on the policy, likely restricting access to Contoso users if the policy is set up within the Contoso subscription.

File2 (applied by User2 from Contoso) would restrict access to Contoso users.

File3 (applied by User1 from Contoso) would also restrict access to Contoso users.

Users from Fabrikam (User3, User4) would not have edit rights unless explicitly granted, which is unlikely given the separation of subscriptions.

Statement Analysis:

User1 can edit rights for File1.

File1 was automatically applied with Sensitivity1 using an auto-labeling policy. Since the policy is likely configured within the Contoso subscription (where User1 resides), User1, as a Contoso user, should have edit rights unless the policy explicitly restricts this. Given User1's affiliation with Contoso, this is typically allowed.

Answer: Yes

User2 can edit rights for File3.

File3 was applied by User1, who is from the Contoso subscription. Since User2 is also from the Contoso subscription, they should have edit rights unless the label configuration explicitly denies this for other users within the same subscription. Typically, users within the same organization can edit files labeled by another user from the same organization.

Answer: Yes

User3 can print File2.

File2 was applied by User2, who is from the Contoso subscription. Sensitivity1 likely restricts access to Contoso users only. User3 is from the Fabrikam subscription, which is a separate entity. Unless cross-sub

Answer : No

Comprehensive Detailed Explanation with References

We are given a sensitivity label with the following Access control settings:

Assign permissions now → meaning admins define permissions, not end users.

User access to content expires = Never.

Allow offline access = Always.

Permissions explicitly assigned:

LegalTeam@… → Co-Author

USSales@… → Reviewer

Dynamic watermarking and Double Key Encryption are not enabled.

Let’s analyze each scenario based on the given retention policies and Microsoft 365 documentation.

???? Policies Recap

Policy1

Teams channel messages → All Teams → Retain 7 years → Delete automatically.

Teams chats → User1 → Retain 7 years → Delete automatically.

Policy2

Teams channel messages → Team1 → Retain 5 years → Delete automatically.

Teams chats → User2 → Retain 5 years → Delete automatically.

???? Reference: Retention policies in Microsoft Teams

???? Statement 1: The message edited by User1 will be deleted after five years.

Location = Team1 channel.

Policy1 applies (7 years for all Teams).

Policy2 applies (5 years for Team1).

Conflict rule: For retention, the longest duration wins.

Therefore, the message stays 7 years, not 5.

✅ Answer: NO

???? Statement 2: User1 can see the message sent by User2 for up to seven years.

Location = Private 1:1 chat (User2 → User1).

For User1’s mailbox: Policy1 applies (7 years).

For User2’s mailbox: Policy2 applies (5 years).

Retention in Teams chats is per-user, so each participant may have different durations.

For User1, the retention is 7 years.

✅ Answer: YES

???? Statement 3: The message deleted by User1 will be moved to the SubstrateHolds folder.

Location = Team2 channel.

User1 deletes the message, but retention policy (Policy1) applies (7 years).

Retention overrides user deletion: message is moved to the SubstrateHolds folder in the hidden mailbox for preservation.

???? Reference: How retention works with SubstrateHolds

✅ Answer: YES