Pass the Microsoft Certified: Information Security Administrator Associate SC-401 Questions and answers with Dumpstech

AutoApply1 is an auto-labeling policy that applies RLabel1 to Group1. Auto-labeling policies can apply retention labels across group mailboxes, SharePoint Online sites, and Teams channel messages if they are configured for group resources.

Retention1 is a retention policy applied to Group2. Retention policies for Microsoft 365 groups apply to all group resources, including group mailboxes, SharePoint Online teams sites, and Teams channel messages.

Since both AutoApply1 and Retention1 affect entire groups, they apply to all associated resources: group mailbox, SharePoint Online teams site, and Teams channel messages.

Microsoft Purview browser extensions for Endpoint DLP are supported on:

● Windows 10/11 (Config1)

● macOS (Config2)

● Not supported on Android (Config3)

Since Microsoft Purview does not support browser extensions on Android, Config3 is excluded from both Google Chrome and Firefox.

Step 1 – Scenario

Endpoint Data Loss Prevention (Endpoint DLP) is implemented in Microsoft 365.

Computers: Windows 11, joined to Microsoft Entra (Azure AD), with Microsoft 365 Apps installed.

Goal: Ensure Endpoint DLP policies can protect local content on these devices.

Step 2 – How Endpoint DLP works

Endpoint DLP builds on the same policy framework as Microsoft Purview DLP, but specifically extends coverage to Windows 10/11 devices.

Requirements:

Devices must be onboarded to Microsoft Purview (via Microsoft Defender for Endpoint or via Purview device onboarding).

Endpoint DLP does not require the Microsoft Purview Information Protection (MIP) client.

The MIP client is only required for sensitivity labeling and AIP functionality, not for Endpoint DLP.

Step 3 – Why the proposed solution is incorrect

Deploying the Microsoft Purview Information Protection client does not enable Endpoint DLP.

Endpoint DLP requires device onboarding into Microsoft Purview compliance.

Therefore, this solution does not meet the goal.

Step 4 – Microsoft Reference

Microsoft Docs states:

“To use Endpoint data loss prevention (Endpoint DLP), devices must be onboarded to the Microsoft Purview compliance portal. Installing the Microsoft Information Protection client is not required.”

You are creating a Data Loss Prevention (DLP) policy in Microsoft 365 with advanced rules . Advanced DLP rules provide more granular conditions and actions than standard DLP rules.

Conditions available in advanced DLP

According to Microsoft Docs on Conditions in DLP policies:

✅ Content contains → Used to detect sensitive information types , keywords, or exact data matches. This is one of the most common and fundamental DLP conditions.

✅ Content is shared from Microsoft 365 → Used to detect whether content has been shared externally or with specific domains/users. This is a modern advanced DLP condition .

Why the others are not correct:

A. Document property is → This condition applies to information governance retention policies/labels (not DLP). Not available in DLP rules.

B. Attachment ' s file extension is → This is supported in Exchange mail flow rules (transport rules) but not in advanced DLP rules.

C. Document size equals or is greater than → Also applies in Exchange transport rules and certain SharePoint restrictions, but not available as a DLP rule condition.

Adding a folder path to the file path exclusions in Microsoft 365 Endpoint DLP does not prevent Tailspin_scanner.exe from accessing protected sensitive information. Instead, it would exclude those files from DLP protection, which is not the intended outcome.

To block Tailspin_scanner.exe from accessing sensitive documents while allowing it to access other files, the correct solution is to use Microsoft Purview Endpoint Data Loss Prevention (Endpoint DLP) and add Tailspin_scanner.exe to the Restricted Apps list.

Endpoint DLP allows you to block specific applications from accessing sensitive files while keeping general access available. Restricted Apps List in Endpoint DLP ensures that Tailspin_scanner.exe cannot open, copy, or process protected documents, but it can still function normally for non-sensitive content.

Endpoint DLP builds on Microsoft Defender for Endpoint integration. Before enabling Endpoint DLP, you must turn on device onboarding in Microsoft Purview to allow devices (like Device1) to be enrolled. After onboarding, you can assign DLP policies to endpoints.

Forensic evidence in Microsoft Purview Insider Risk Management allows capturing screenshots/clips of user activity on endpoints.

Requirements for forensic evidence capture:

The device must be onboarded to Microsoft Purview (via Defender for Endpoint).

The Microsoft Purview client must be installed.

Supported platforms: Windows 10 and Windows 11 (macOS is not supported for forensic evidence).

Now check each device:

Device1 (Windows 11) → Client installed, but not onboarded → ❌ Not eligible.

Device2 (Windows 10) → Onboarded and client installed → ✅ Eligible.

Device3 (macOS) → Onboarded, but client not installed and macOS is not supported → ❌ Not eligible.

Therefore, only Device2 qualifies.

for each of the following you can have a retention policy

1.EXO, SPO, ODfB, M365 groups

2.Teams channel messages, teams chat

3.Teams private channel messages

A. Create a DLP policy → Needed to detect sensitive information being shared externally.

B. Turn on Indicators → Required for insider risk policies to detect risky activities like external sharing.

C. Configure adaptive protection → Optional for tailoring enforcement, not mandatory here.

D. Turn on analytics → Helps assess policy impact but not required to generate alerts.

E. Create an insider risk policy → Required to generate insider risk alerts.