All SC-401 Test Inside Microsoft Questions

Create: → A sensitive info type

Element: → Keyword dictionary

You want to classify documents in SharePoint Online based on a list of customer names stored in Customer.csv (1,000 entries).

In Microsoft Purview, there are several options for custom classification:

Sensitive info type (SIT):

Designed to detect predefined or custom patterns such as credit cards, IDs, or custom lists.

You can build a custom SIT using elements like keyword dictionary, regular expressions, and functions.

In this case, since you have a large CSV with 1,000 customer names, you upload that list as a keyword dictionary element.

Trainable classifier:

Used when you want AI to classify documents by training on examples of positive/negative samples (like contracts, resumes).

Not relevant here because you already have a structured list of customer names rather than needing machine learning classification.

Adaptive scope:

Determines where (users, groups, sites) policies apply, not what content is classified.

Not relevant here.

Correct pairing:

Create: A sensitive info type (SIT).

Element: Keyword dictionary (upload the Customer.csv file).

Step 1 – Review what’s configured

Labels: Public, General, Confidential, Internal, External.

Also shown in policy: Confidential/Internal and Confidential/External.

Policy setting: Users must provide justification to remove a label or lower its classification.

Confidential/External → encrypts content when applied.

Step 2 – Analyze each statement

Statement 1: The Internal sensitivity label inherits all the settings from the Confidential label.

Sub-labels (e.g., Confidential/Internal, Confidential/External) do not inherit settings from the parent.

They are independent labels grouped under a parent for organization, but each sub-label must have its own protection settings defined.

Answer: No

Statement 2: Users must provide justification if they change the label of content from Confidential/Internal to Confidential/External.

The policy requires justification only when removing a label or downgrading classification (lowering).

Changing between two sub-labels of the same parent (Confidential/Internal → Confidential/External) is considered a lateral move (not a downgrade).

Answer: No

Statement 3: Content that has the Confidential/External label applied will retain the encryption settings if the sensitivity label is removed from the label policy.

If a label is removed from a published policy, content already labeled retains its protection settings (such as encryption).

The label metadata stays applied to the file/email, even if unpublished.

Answer: Yes

This question is about creating a one-click policy within Microsoft Purview's Data Security Posture Management for AI portal. These policies are designed to mitigate risks associated with sensitive data and AI websites. The correct configuration for this specific scenario is to select "Test it out first" and apply the policy to "Devices, Instances, and SharePoint sites." This configuration is based on Microsoft's recommended practices for deploying data loss prevention (DLP) and similar policies.

Policy Mode: "Test it out first"

Microsoft recommends using test mode for new policies to evaluate their impact and effectiveness before enforcing them. This approach prevents unintended disruptions to user workflows. In test mode, the policy monitors and audits the specified activities without blocking them. It generates alerts and reports, allowing administrators to review the policy's behavior and make necessary adjustments. This aligns with the principle of "start small, then scale," ensuring that a policy designed to block sensitive data transfers doesn't inadvertently prevent legitimate business activities.

Policy Scope: "Devices, Instances, and SharePoint sites"

The policy aims to block users from pasting or uploading sensitive data to AI websites. This requires a comprehensive scope to cover all potential data exfiltration points.

Devices: This covers the user's local device, preventing data from being uploaded or pasted from applications running on the machine. This is crucial for controlling data from endpoints.

Instances: This refers to SaaS (Software as a Service) instances, including AI websites. Applying the policy to instances ensures that data transfers to these external services are monitored and controlled.

SharePoint sites: Data residing in SharePoint is a common source of sensitive information. Including SharePoint sites in the policy scope ensures that data cannot be directly copied from these locations and uploaded to AI websites, providing a holistic security posture.

By selecting "Devices, Instances, and SharePoint sites," the policy is configured to monitor and protect data across the most common sources and destinations, providing a robust defense against data exfiltration to AI services. This comprehensive approach is a cornerstone of modern data security strategies in Microsoft 365.

This information is verifiable through Microsoft's official documentation for Microsoft Purview, particularly sections related to Data Loss Prevention (DLP) policies and Data Security Posture Management for AI. The best practice of "test first" and the broad scope for sensitive data protection are consistently recommended.