SC-401 Leak Questions

You want files in Site1 that are labeled with Label1 to automatically move to Site2 two years after creation.

In Microsoft Purview Retention Labels, under “Choose what happens after the retention period”, the available options are:

Deactivate retention settings – Ends retention but does not move files.

Start a disposition review – Sends items to reviewers for approval (manual process, not auto-move).

Change the label – Applies a new retention label (but does not move files to another site).

Run a Power Automate flow – Executes an automated workflow such as moving the file to another SharePoint library or site, notifying users, or applying custom business processes.

Since the requirement is automatic movement of files from Site1 to Site2 after 2 years, the only valid choice is Run a Power Automate flow.

Captures clips of key security-related user activities

This requirement refers to recording and surfacing evidence of risky user behavior (e.g., copying sensitive files to USB, uploading to cloud storage, or exfiltrating data).

In Microsoft Purview Insider Risk Management, this is achieved through Forensic evidence, which allows capturing screenshots/clips of user activities on endpoints when a policy is triggered.

Ref: Microsoft Learn – Insider risk forensic evidence

Integrates DLP capabilities with insider risk management

Microsoft introduced Adaptive Protection as part of Purview Insider Risk.

Adaptive Protection uses insider risk signals and DLP together, dynamically adjusting DLP controls (block, restrict, monitor) based on the user’s risk level.

This integration reduces false positives and ensures risky users are monitored more strictly while low-risk users are less impacted.

Ref: Microsoft Learn – Adaptive Protection in Microsoft Purview

Other options ruled out:

Adaptive scopes: Used for defining policy targeting groups dynamically, not capturing activities.

Classifiers/Trainable classifiers: Used for content classification, not exfiltration capture or DLP integration.

eDiscovery (Premium): For legal investigations, not insider risk + DLP integration.

Records management: Lifecycle retention, not related to insider risk.

Step 1 – Where to configure Insider Risk Management notices

Insider risk management notices are part of the Microsoft Purview Insider Risk Management solution.

They are created and managed within the Microsoft Purview compliance portal.

The Microsoft 365 admin center, Microsoft Defender portal, or Microsoft Entra admin center are not used for notice templates.

Therefore, the correct choice for the portal is: Microsoft Purview portal.

Step 2 – Supported formats for notice templates

When creating an Insider Risk Management notice template, Microsoft Purview allows customization of the message body in HTML format.

HTML provides rich text formatting (fonts, colors, links, branding).

Markdown, RTF, and XML are not supported options for Purview notice templates.

Therefore, the correct format is: HTML.

Step 3 – Microsoft Reference

Microsoft documentation states:

“Notice templates are created and managed in the Microsoft Purview compliance portal. The body of the notice message is authored in HTML format to allow for full customization.”

Insider risk management policies in Microsoft Purview target users based on priority user groups.

If you want to monitor a specific project team, you must first define those users in a priority user group so that policies affect only them.

This approach:

Minimizes the impact on users not part of the project.

Reduces administrative effort since you don’t need to manage multiple security groups in Entra ID.