Microsoft Updated SC-401 Exam Questions and Answers by amaia

The requirement is:

You need to provide a user with the ability to view DLP alerts in the Microsoft Purview portal. The solution must use the principle of least privilege.

Step 1 – Understanding the roles

Compliance Administrator → Full access to compliance features, including creating/editing policies. This is more than needed (not least privilege).

Compliance Data Administrator → Can manage compliance features and data governance, but still more permissions than required.

Security Operator → Can view and respond to active security incidents and alerts, which is more than just viewing DLP alerts.

Security Reader → Read-only access to security-related features, including viewing DLP alerts, Microsoft Purview alerts, incidents, reports, and recommendations. This matches the requirement precisely.

Step 2 – Microsoft Documentation

Microsoft Learn states:

Security Reader role:

“Can view and investigate security events, reports, and alerts without the ability to make changes.”

???? Reference: Microsoft Entra built-in roles - Security Reader

Step 3 – Apply the principle of least privilege

Since the user only needs to view DLP alerts (not create or manage policies), the Security Reader role is the minimal role with sufficient permissions.

Step 1 – Review of Preservation Lock

Preservation Lock in Microsoft 365 retention policies ensures that once a policy is locked, no one (including administrators) can turn it off, delete it, or make it less restrictive.

Preservation Lock is only available for static retention policies and not supported for adaptive scopes .

???? Reference: Preservation Lock in Microsoft 365 retention policies

From Microsoft docs:

“Preservation Lock can only be applied to retention policies configured with static scopes. Adaptive scopes do not currently support Preservation Lock.”

Step 2 – Analyzing the Case Data

RPolicy1 → Adaptive scope (Scope1: Users). ❌ Not eligible for Preservation Lock.

RPolicy2 → Adaptive scope (Scope2: SharePoint Online sites). ❌ Not eligible for Preservation Lock.

RPolicy3 → Static scope (Microsoft 365 groups). ✅ Eligible for Preservation Lock.

Step 3 – Conclusion

Only RPolicy3 qualifies for Preservation Lock.

Step 1 – Where to configure Insider Risk Management notices

Insider risk management notices are part of the Microsoft Purview Insider Risk Management solution.

They are created and managed within the Microsoft Purview compliance portal.

The Microsoft 365 admin center, Microsoft Defender portal, or Microsoft Entra admin center are not used for notice templates.

Therefore, the correct choice for the portal is: Microsoft Purview portal.

Step 2 – Supported formats for notice templates

When creating an Insider Risk Management notice template, Microsoft Purview allows customization of the message body in HTML format.

HTML provides rich text formatting (fonts, colors, links, branding).

Markdown, RTF, and XML are not supported options for Purview notice templates.

Therefore, the correct format is: HTML.

Step 3 – Microsoft Reference

Microsoft documentation states:

“Notice templates are created and managed in the Microsoft Purview compliance portal. The body of the notice message is authored in HTML format to allow for full customization.”

To track who accesses User1’s mailbox, you need to enable mailbox auditing for User1. By default, Exchange mailbox auditing is not enabled per mailbox (even though it is enabled tenant-wide).

The Set-Mailbox -Identity " User1 " -AuditEnabled $true command enables audit logging for mailbox actions like:

● Read emails

● Delete emails

● Send emails as User1

● Access by delegated users

Once enabled, you can search for future sign-ins and actions in the Microsoft Purview audit logs.