Microsoft Updated SC-401 Exam Questions and Answers by alys

In Microsoft Purview Data Lifecycle Management, different Microsoft 365 locations require separate retention policies because they fall under different storage and compliance models.

Teams Chats & Teams Channel Messages (1 Policy) require a separate retention policy because Teams messages are stored differently than Exchange and SharePoint content. One policy can cover both Teams chats and Teams channel messages. Exchange Email (1 Policy) requires its own separate policy since emails are managed differently than Teams or SharePoint content. SharePoint Sites & Microsoft 365 Groups (1 Policy) are both stored in SharePoint Online, so they can be managed under one policy.

Step 1 – Understand the scenario

The security manager is receiving an email every time a Data Loss Prevention (DLP) policy match occurs. The requirement is to reduce the number of unnecessary alerts and only notify for meaningful or actionable violations.

Step 2 – Analyze each option

A. From the Microsoft Defender portal, apply a filter to the alerts.

This action would only filter what is displayed in the portal. It does not prevent the security manager from receiving email notifications each time a DLP match occurs. This does not solve the problem.

B. From the Microsoft Purview portal, modify the Policy Tips settings of a DLP policy.

Policy Tips are intended for end users inside Outlook, Word, Excel, or PowerPoint to guide them about sensitive information before they send or share content. They do not change how or when admin alert notifications are triggered.

C. From the Microsoft Purview portal, modify the matched activities threshold of an alert policy.

DLP alert policies allow configuration of thresholds such as the number of matches, severity levels, and repeated activity counts. By adjusting the matched activities threshold, alerts can be generated only when a violation reaches a significant level, which reduces unnecessary alerts and ensures that notifications are sent only for actionable events. This matches the requirement.

D. From the Microsoft Purview portal, modify the User overrides settings of a DLP policy.

User override settings allow end users to bypass a DLP restriction if they provide a justification, but this does not impact the number of alert notifications sent to the security manager.

Step 3 – Microsoft Reference

According to Microsoft documentation: “You can configure alert policies with thresholds to reduce the number of alert notifications and focus only on actionable DLP events.”

Step 1 – Scenario

Microsoft 365 E5 subscription with 100 users and a Microsoft 365 group (Group1).

A sensitivity label (Label1) is published as the default label for Group1.

Label1 contains two sublabels: Sublabel1 and Sublabel2.

Requirement: Ensure Sublabel1 settings are applied by default to Group1.

Step 2 – Understanding label hierarchy

In Microsoft Purview Information Protection, a parent label (Label1) is a container.

Sublabels (Sublabel1, Sublabel2) inherit the parent name but represent distinct configurations (encryption, watermarking, access, etc.).

A parent label itself cannot have a sublabel’s settings automatically applied unless policy configuration specifies which sublabel is used as the default publishing option.

Step 3 – Why "Modify the policy of Label1" is correct

To apply Sublabel1 by default, the published policy for Label1 must be modified so that Sublabel1 is the default label within the policy.

Simply reordering sublabels (Option A) does not change the default assignment.

Duplicating Sublabel1’s settings into Label1 (Option B) defeats the purpose of having sublabels and adds redundancy.

Deleting the policy of Label1 and publishing Sublabel1 (Option D) would remove flexibility and is unnecessary.

Step 4 – Microsoft Reference

Microsoft Docs: “If you want a sublabel to be applied by default, configure the label policy to select that sublabel as the default label for documents and emails.”

The requirements are:

Detect credit card information → requires a sensitive info type (built-in: Credit Card Number).

Detect keywords “Project1” or “Project2” → can be handled in the same sensitive info type by using keyword matching.

Watermarks (“Confidential”, “Internal Use Only”) are label actions, not sensitive info types.

Therefore, only 2 sensitive info types are required: one for keywords, one for credit card data.