
Free Microsoft SC-401 Actual Exam Questions

The questions for this exam were last updated on January 9, 2026

Dumps Box (DumpsBox) offers up-to-date practice exam questions for the SC-401 certification exam, which are developed and validated by Microsoft subject domain experts certified in Microsoft SC-401. These practice questions are updated regularly as we keep an eye on any recent changes in the SC-401 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has helpful community discussion that gives it extra perspective and introduces helpful resources for better exam preparation. This also saves students from other outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our Microsoft SC-401 exam questions and pass your exam on the first try.

Question No. 1

HOTSPOT You have a Microsoft 365 E5 subscription that has data loss prevention (DLP) implemented. You plan to export DLP activity by using Activity explorer. The exported file needs to display the sensitive info type detected for each DLP rule match. What should you do in Activity explorer before exporting the data, and in which file format is the file exported? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Top comments
Mark Z.
2026-02-19

Adding the Sensitive info type column ensures it appears; export is CSV by default.

0
Arjun G.
2026-02-19

Adding the Sensitive info type column is essential to show that data in the export. The file format is CSV since Microsoft 365 exports usually default to that for compatibility.

0
Question No. 2
You implement Microsoft 365 Endpoint data loss prevention (Endpoint DLP).
You have computers that run Windows 11 and have Microsoft 365 Apps installed. The computers are joined to a Microsoft Entra tenant.
You need to ensure that Endpoint DLP policies can protect content on the computers.
Solution: You deploy the Microsoft Purview Information Protection client to the computers.
Does this meet the goal?
Top comments
Mason K.
2026-02-14

Option A, because installing the client is what activates protection on the devices.

0
Mason K.
2026-02-10

Isn’t installing the Purview client just part of it? What about policy configuration?

0
Question No. 3

You have a Microsoft 365 E5 subscription. The subscription contains a user named User1 and the sensitivity labels shown in the following table. You publish the labels to User1. The subscription contains the files shown in the following table. Which files can Microsoft 365 Copilot summarize for User1?

Top comments
Marco K.
2026-02-21

It’s C for me. File1’s encrypted, so no. But File2’s label is published to User1, so they should have access, plus File3 is unrestricted even if not explicitly published.

0
Marco K.
2026-02-19

It’s A for me. File1 is definitely out since it’s encrypted and User1 doesn’t have access. File3’s label is “General” which usually means no restrictions, but the table shows it’s not published to User1, so Copilot can’t summarize it. File2 has a label assigned and published to User1, so assuming User1 has at least read access, Copilot should be able to summarize File2. The key is that for Copilot to work, the label must be published to the user and permissions allow access, which fits File2 best here.

0
Question No. 4

HOTSPOT You have a Microsoft 365 E5 subscription. You are implementing insider risk management. You need to create an insider risk management notice template and format the message body of the notice template. How should you configure the template? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Top comments
Usman Y.
2026-02-19

I’d pick creating a new template with plain text formatting since markdown might not be fully supported in the E5 plan. Using plain text avoids compatibility problems and fits with basic subscription limits.

0
Ahmed Q.
2026-01-30

I’d rule out using an existing template since insider risk scenarios often need custom messages. Also, plain text is less likely to cause issues across different email clients compared to markdown here.

0
Question No. 5

DRAG DROP You need to create a trainable classifier that can be used as a condition in an auto-apply retention label policy. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Options
A. Publish the trainable classifier.
B. Retrain the trainable classifier.
C. Create the trainable classifier.
D. Test the trainable classifier.
E. Create a terms of use (ToU) policy.
Top comments
Irfan R.
2026-02-19

First, create the trainable classifier itself. Then, publish it by associating with a sensitive info type or retention label. Lastly, configure the auto-apply label policy to use that classifier as a condition.

0
Irfan R.
2026-02-14

Before setting up the auto-apply label policy, you need to create the trainable classifier and then publish it as part of a sensitive info type or label. That way, the label can reference the classifier during auto-apply. So the order should be: create the trainable classifier, then create and configure the sensitive info type or label using that classifier, and finally set up the auto-apply retention label policy to apply based on that label. Skipping any of these steps breaks the chain for the classifier to trigger retention labels.

0
Question No. 6
You have a Microsoft 365 E5 subscription that uses retention label policies.
You need to identify all the changes made to retention labels during the last 30 days.
What should you use in the Microsoft Purview portal?
Top comments
Brian T.
2026-02-19

B imo, Activity explorer tracks detailed admin actions including label changes.

0
Sarah S.
2026-02-16

Reports (A) summarize changes well, so they’re suited for tracking label edits.

0
Question No. 7

HOTSPOT You have a Microsoft 365 E5 subscription that contains the devices shown in the following table. You plan to implement insider risk management and capture forensic evidence. Which devices support the collection of forensic evidence, and what should you do to prepare each supported device? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Top comments
Adeel E.
2026-02-13

Looks like Windows 10 and Server 2019 devices support forensic evidence via Defender for Endpoint. For those, enabling advanced hunting and onboarding to Defender would be key. Other devices probably can’t collect forensic data directly.

0
Adeel E.
2026-02-11

I’m thinking only Windows 10 and Server devices actually support forensic evidence collection natively here. For others like Android or iOS, there isn’t much Microsoft 365 can do for forensic data without extra tools.

0
Question No. 8
You have a Microsoft 365 E5 subscription.
You plan to use Microsoft Purview insider risk management.
You need to create an insider risk management policy that will detect data theft from Microsoft
SharePoint Online by users that submitted their resignation or are near their employment
termination date.
What should you do first?
Top comments
Kevin Z.
2026-02-19

A/D? You definitely need the HR data connector to mark the right users, but onboarding devices to Defender for Endpoint could help catch suspicious activity on those devices later. Still, first step is A for sure.

0
Shoaib B.
2026-02-19

You gotta start with connecting HR data to identify users who resigned or are leaving, so A makes the most sense here. Without that, you can’t target the right people effectively. A

0
Question No. 9

DRAG DROP You have a Microsoft 365 subscription that contains 20 data loss prevention (DLP) policies. You need to identify the following:
● Rules that are applied without triggering a policy alert
● The top 10 files that have matched DLP policies
● Alerts that are miscategorized
Which report should you use for each requirement? To answer, drag the appropriate reports to the correct requirements. Each report may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Options
A. DLP policy matches
B. False positive and override
C. Incident reports
Top comments
Arjun I.
2026-02-18

Policy Matches shows rules applied silently, so fits no alert requirement.

0
Ravi W.
2026-02-16

For rules without alerts, "Policy Matches" works since it shows matches ignored by alerts. The top 10 files need "File Matches" because it focuses on file-level hits. Miscategorized alerts fit "Alerts" report better.

0
Question No. 10
You have a Microsoft 365 E5 subscription that contains 500 Windows devices.
You plan to deploy Microsoft Purview Data Security Posture Management for AI (DSPM for AI).
You need to ensure that you can monitor user activities on third-party generative AI websites.
Which two prerequisites should you complete for DSPM for AI? Each correct answer presents part of
the solution.
NOTE: Each correct selection is worth one point.
Top comments
Daniel Q.
2026-02-21

B imo since a data leaks policy is crucial to define what to monitor, plus A because without the Purview extension, monitoring third-party AI sites isn’t possible. Intune (F) helps but isn't mandatory if devices are already managed somehow.

0
Zain C.
2026-02-11

A and F, since the extension needs Intune for deployment and management.

0
Question No. 11
HOTSPOT
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1. Site1 contains three files named File1, File2, and File3.
You create the data loss prevention (DLP) policies shown in the following table.
The DLP rule matches for each file are shown in the following table.
How many DLP policy match events will be added to Activity explorer, and how many policy matches will be added to the DLP incidents report? To answer, select the appropriate options in the answer area.
Top comments
Fahad U.
2026-02-20

I’m thinking Activity Explorer should show 4 matches because it logs every individual policy match without merging. For the incidents report, it usually groups matches by user and content within a timeframe, so if File3 triggered two policies but they got merged into one incident, that explains seeing 3 incidents instead of 4. The question doesn’t specify changing the default merging behavior, so it makes sense the incidents report reflects merged entries while Activity Explorer keeps them separate.

0
Rizwan F.
2026-02-19

I’m with the idea that Activity Explorer will list each match separately, so that’s 4 matches total—one for each policy hit on File1, File2, and File3. For the incidents report, since the question doesn’t say anything about merging being turned off, it makes sense that incidents get grouped by file, meaning File3’s two matches count as one incident. That results in 3 incidents overall. So basically, Activity Explorer is more granular, showing every match, while the incidents report summarizes by grouping related matches into single incidents.

0
Question No. 12
You have a Microsoft 365 E5 subscription that contains a user named User1. You deploy Microsoft
Purview Data Security Posture Management for AI (DSPM for AI). You need to ensure that User1
can verify the auditing status of the subscription. The solution must follow the principle of least
privilege. To which role group should you add User1?
Top comments
Ahmed K.
2026-02-20

D imo, the View-Only Organization Management role is mostly tied to Exchange Online and wouldn’t cover auditing status across Microsoft Purview. Insider Risk roles (A and C) focus on risk investigations, which seems overkill and unrelated. B makes sense because Security Reader is designed for read-only access to security features, which would logically include auditing status. So, I’d skip the others since they either grant too many privileges or don’t fit the auditing context.

0
Sarah S.
2026-02-16

Option B makes the most sense since it’s designed for security-related read-only access across the tenant, which should include auditing info. The Exchange role is too narrow and risk roles are unrelated here.

0
Question No. 13
You have a Microsoft 365 E5 subscription.
You are implementing insider risk management.
You need to maximize the amount of historical data that is collected when an event is triggered.
What is the maximum number of days that historical data can be collected?
Top comments
Ryan G.
2026-02-21

Probably B, since triggered events usually keep 60 days max even with E5.

0
Ryan G.
2026-02-14

C imo, since advanced audit might boost data retention up to 90 days.

0
Question No. 14
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might
have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You recently discovered that the developers at your company emailed Azure Storage Account keys in
plain text to third parties.
You need to ensure that when Azure Storage Account keys are emailed, the emails are encrypted.
Solution: You configure a mail flow rule that matches a sensitive info type.
Does this meet the goal?
Top comments
Fahad U.
2026-02-16

B assuming it only detects but doesn’t auto-encrypt without extra setup.

0
Shah C.
2026-01-15

Probably A, mail flow rules can encrypt sensitive info in emails.

0
Question No. 15

HOTSPOT You need to meet the technical requirements for the confidential documents. What should you create first, and what should you use for the detection method? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Top comments
James P.
2026-02-21

Starting with a sensitivity label makes sense to apply protection, but I’d skip exact data match if the info isn’t standardized. Custom sensitive info detection might catch more variations in confidential content here.

0
James P.
2026-02-19

Creating the sensitivity label first is a must, for sure. For detection, I’d rule out generic keywords since confidentiality usually needs precise matching—exact data match seems more reliable here.

0