Microsoft SC-401 Exam With Confidence Using Practice Dumps

Step 1 – Scenario

Tenant domain = contoso.com

Encryption method = Microsoft Purview Advanced Message Encryption (AME) using branded, link-based emails.

Recipients:

Recipient1 → Contoso internal user (same tenant).

Recipient2 → External Microsoft 365 user (Fabrikam).

Recipient3 → Outlook.com consumer email.

Recipient4 → Gmail.com consumer email.

The question asks: For which recipients can User1 revoke the emails?

Step 2 – Revocation in Advanced Message Encryption

Microsoft Purview AME allows senders to:

Revoke sent encrypted emails.

Revoke applies to all recipients who receive a link-based branded encrypted message.

When revoked, the secure message link no longer works, regardless of whether the recipient is internal, external Microsoft 365, Outlook.com, Gmail, or another email provider.

This differs from traditional RMS-based encryption where revocation is tenant-specific. In AME, the revocation is possible because the recipient must open the message through a secure browser portal (Office 365 Message Encryption portal).

Step 3 – Evaluate each recipient

Recipient1 (contoso.com, internal) → Yes, message can be revoked.

Recipient2 (fabrikam.onmicrosoft.com, external Microsoft 365) → Yes, message can be revoked because AME link enforcement works across tenants.

Recipient3 (outlook.com, consumer) → Yes, message can be revoked, they use the secure OME portal.

Recipient4 (gmail.com, consumer) → Yes, message can be revoked, they also use the secure OME portal.

Step 4 – Microsoft Reference

From Microsoft Docs:

“With Advanced Message Encryption, admins can configure branding and revocation for encrypted email messages. Revocation applies to encrypted emails sent to both internal and external recipients, including those using Outlook.com, Gmail.com, and other email services.”

Step 1 – Review the configuration

Sensitivity label name: Contoso Confidential

Scope: Files and emails

Access control:

Encrypts documents/emails.

Permissions assigned to AuthenticatedUsers with Co-Author rights.

Offline access allowed only for 7 days.

Auto-labeling = None (not configured).

Content marking: Footer applied.

Step 2 – Analyze each statement

Statement 1: If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential.

Sensitivity labels with encryption enforce Azure AD authentication every time a user tries to access a file.

If the account is disabled in Azure AD, access is blocked immediately.

Answer: Yes

Statement 2: Guest users will be able to open documents protected by Contoso Confidential.

Access control was configured only for AuthenticatedUsers (internal users).

Guest or external users are not included in this group.

Therefore, guest users cannot open the protected documents.

Answer: No

Statement 3: Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online.

Auto-labeling for files and emails = None.

That means labeling must be applied manually by users, not automatically.

Answer: No

Final Verified Answers

If a user account is disabled, the user will be immediately prevented from opening a file protected by Contoso Confidential → Yes

Guest users will be able to open documents protected by Contoso Confidential → No

Contoso Confidential will be applied automatically to the files stored in Microsoft SharePoint Online → No

The action " SiteRenamed " for SharePoint is covered under the AuditRetention4 policy, which applies to User1 and retains logs for 9 months.

The action " Send " for ExchangeItem is covered under the AuditRetention2 policy, but this policy applies only to User1. Since User2 is not covered under a specific policy, the default retention period for audit logs in Microsoft Purview is 90 days.