SC-400: Information Protection and Compliance Administrator Practice Exam
Validates implementing information protection, data loss prevention, retention, and compliance in Microsoft 365 (Purview).
Practice 542 exam-style SC-400 questions with full answer explanations, then take timed mock exams that score like the real thing.
What the SC-400 exam covers
- Implement Information Protection: 152 questions
- Implement Data Loss Prevention: 131 questions
- Implement Information Governance: 125 questions
- Monitor and Investigate: 134 questions
Free SC-400 sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 542.

In Microsoft Purview, what are sensitivity labels used for?
- A. Resolving DNS
- B. Assigning IP addresses
- C. Load balancing
- D. Classifying and protecting content (encryption, watermarking, access) based on sensitivity (Correct)
✓ Correct answer: D
Sensitivity labels in Microsoft Purview are the primary mechanism for classifying and protecting content throughout your organization. When a sensitivity label is applied to a document or email, it enforces configured protections including encryption that restricts who can open the file, usage rights that determine edit/copy/print permissions, and visual markings like watermarks or headers. These protections travel with the file even when shared externally, ensuring consistent data security regardless of location.
Why the other options are wrong
- A. Resolving DNS is incorrect because sensitivity labels have no role in DNS name resolution.
- B. Assigning IP addresses is incorrect because labels work with information classification, not network infrastructure.
- C. Load balancing is incorrect because sensitivity labels are not related to distributing network traffic across servers.

What is an adaptive (vs. static) scope for retention?
- A. A scope based on query attributes (e.g., department) that updates membership automatically (Correct)
- B. A firewall rule
- C. A fixed list of users that never changes
- D. A DNS zone
✓ Correct answer: A
Adaptive policy scopes in Purview enable dynamic targeting of retention policies based on user or location attributes. Instead of manually maintaining a static list of mailboxes in the Sales department, an adaptive scope uses a query like "Department = 'Sales'" and automatically updates to include any mailbox added to the Sales department. When employees transfer departments, the scope adjusts automatically without administrator intervention. This is essential for frequently changing organizational structures where manual updates would be error-prone.
Why the other options are wrong
- B. A firewall rule is incorrect because firewall rules manage traffic routing.
- C. A fixed list of users that never changes is incorrect because that's a static scope, not adaptive.
- D. A DNS zone is incorrect because DNS zones are not policy scopes.

Insider Risk Management is producing many low-value alerts, raising review cost. Which adjustment improves signal quality most efficiently?
- A. Alert on every single user action
- B. Tune policy thresholds and indicators to focus on meaningful risk signals and reduce noise (Correct)
- C. Route alerts to a print queue
- D. Disable the solution entirely
✓ Correct answer: B
Insider Risk Management generates low-value alerts when policy indicators are too sensitive, flooding the queue with mundane activities. Improve signal quality by tuning policy thresholds and indicators: adjust the risk score threshold so only higher-risk activities generate alerts, disable irrelevant indicators for the specific policy template, and adjust timeframes (e.g., high-volume download threshold from 50 files to 500 files) to match actual risk. This focuses investigation on genuinely concerning activities while reducing false positives and analyst fatigue.
Why the other options are wrong
- A. Alert on every single user action is incorrect because that maximizes noise.
- C. Route alerts to a print queue is incorrect because printers do not process alerts.
- D. Disable the solution entirely is incorrect because that removes threat detection.

Your design requires that label-based encryption still works when users are offline and that highly sensitive files remain unreadable to Microsoft. Which approach best meets this?
- A. Use Double Key Encryption (DKE) for the most sensitive label, accepting reduced service-side features like content inspection (Correct)
- B. Use anonymous sharing links with passwords
- C. Use a standard cloud-managed label key for all labels
- D. Disable encryption and rely on content marking only
✓ Correct answer: A
Double Key Encryption provides the most stringent protection: encryption requires two keys, one held by the customer, so even Microsoft cannot decrypt the data. This meets requirements where highly sensitive data must remain unreadable to cloud providers. Users can open and edit encrypted documents offline because the DKE client caches licensing information. The tradeoff is that Microsoft Purview cannot perform server-side content inspection (DLP scanning, auto-labeling at rest) on DKE-encrypted content. This design is appropriate only for the most sensitive data where this limitation is acceptable.
Why the other options are wrong
- B. Use anonymous sharing links with passwords is incorrect because anonymous sharing removes encryption.
- C. Use a standard cloud-managed label key for all labels is incorrect because that does not prevent Microsoft access.
- D. Disable encryption and rely on content marking only is incorrect because marking provides no access control.

A DLP rule uses an exact data match (EDM) SIT, but no matches occur even though the data is present. What is the most likely cause?
- A. The sensitive information source table was not hashed and uploaded, or the schema/data refresh has not completed indexing (Correct)
- B. EDM requires the policy to be in the Exchange location only
- C. EDM cannot be used in DLP, only in retention
- D. EDM matches only numbers, never text
✓ Correct answer: A
Exact Data Match depends on the reference table of sensitive values being hashed and uploaded through the EDM data upload tool and fully indexed in the cloud. If the upload is incomplete, the schema is missing, or indexing has not finished, the EDM SIT will not match even when the data is present in a document.
Why the other options are wrong
- B. EDM requires the policy to be in the Exchange location only is incorrect because EDM SITs can be used across DLP locations, not only Exchange.
- C. EDM cannot be used in DLP, only in retention is incorrect because EDM is a classification method used in DLP and auto-labeling rules.
- D. EDM matches only numbers, never text is incorrect because EDM can match text, numbers, and mixed values defined in the schema.

During an eDiscovery investigation, what is the correct order of the workflow stages?
- A. Resolve DNS, then renew DHCP leases
- B. Export first, then delete all content immediately
- C. Identify custodians and locations, place holds, search/collect, review/analyze, then export (Correct)
- D. Reboot servers, then assign new IP addresses
✓ Correct answer: C
The eDiscovery workflow proceeds in order: identify the custodians and data locations, place holds to preserve content, search and collect responsive items, review and analyze in a review set, and finally export for production. This sequence ensures a defensible process.
Why the other options are wrong
- A. Resolve DNS, then renew DHCP leases is incorrect because those are network operations with no place in an eDiscovery workflow.
- B. Export first, then delete all content immediately is incorrect because exporting before searching and reviewing, and deleting content, would be both out of order and destructive to evidence.
- D. Reboot servers, then assign new IP addresses is incorrect because server reboots and IP assignment are infrastructure tasks unrelated to eDiscovery.

A user complains that a highly confidential label blocks them from saving as PDF and printing. Which TWO label encryption rights would produce this behavior? (Choose TWO)
- A. The user has the Full Control right
- B. The user has the Co-Owner right
- C. The user lacks the Export (Save As) right (Correct)
- D. The user lacks the Print right (Correct)
✓ Correct answer: C, D
Sensitivity label encryption restricts actions through usage rights. Lacking the Export right prevents saving the file as PDF or another unencrypted format, and lacking the Print right prevents printing, which together produce the reported behavior.
Why the other options are wrong
- A. The user has the Full Control right is incorrect because Full Control grants all usage rights, so the user would be able to save and print rather than be blocked.
- B. The user has the Co-Owner right is incorrect because Co-Owner also grants full usage rights, which would allow saving and printing instead of blocking them.

Which Endpoint DLP action restricts uploading sensitive files to personal cloud storage services?
- A. A static route on the firewall
- B. A DNS A record change
- C. Cloud egress / service domain restrictions in Endpoint DLP settings (Correct)
- D. A print queue priority
✓ Correct answer: C
Endpoint DLP cloud egress controls restrict uploading sensitive files to specific cloud services by service domain, preventing data from leaving managed devices to personal cloud storage such as Dropbox or Google Drive.
Why the other options are wrong
- A. A static route on the firewall is incorrect because a static route directs network traffic and cannot enforce content-aware upload restrictions.
- B. A DNS A record change is incorrect because changing an A record alters name resolution and does not control cloud uploads.
- D. A print queue priority is incorrect because print queue priority orders print jobs and has no cloud egress function.

An administrator at Lucerne Publishing is planning to use Azure Information Protection scanner. Which two of the following are requirements or features of this solution? (Choose two.)
- A. default labeling
- B. label policies
- C. label scoping (Correct)
- D. scanner Protection Information Azure
- E. exact data match (Correct)
✓ Correct answer: C, E
For this Microsoft Purview scenario the configuration relies on the two selected components. Label scoping: scopes a label policy to specific users or groups so only the intended population sees and is governed by the label. Exact data match: matches content against a customer-supplied, hashed reference table of exact values to detect specific records with high precision. Together they implement the requirement described.
Why the other options are wrong
- A. Default labeling is incorrect because it sets a starting default label and is not the configuration this scenario requires.
- B. Label policies is incorrect because it publishes labels to users and is not the component this scenario is asking you to configure.
- D. Scanner Protection Information Azure is incorrect because it is a malformed/reordered label that does not name a real Microsoft Purview feature; the correctly named capability (the Azure Information Protection scanner) is not one of the components this scenario requires.

A consultant is reviewing the retention in SharePoint configuration at Adatum Corporation. Which two actions should be performed to optimize the implementation? (Choose two.)
- A. archive mailboxes (Correct)
- B. Disable retention in SharePoint monitoring
- C. file plan descriptors (Correct)
- D. retention in Teams
- E. adaptive scopes
✓ Correct answer: A, C
Archive mailboxes expand available storage so that content held under retention does not exhaust primary quotas, supporting long-term preservation in Microsoft Purview. File plan descriptors add metadata such as reference IDs, authorities, categories, and citations to retention labels, classifying content for records management and improving the organization and discoverability of the retention implementation.
Why the other options are wrong
- B. Disable retention in SharePoint monitoring would remove the visibility and audit signals that confirm retention policies are applying correctly, weakening compliance rather than optimizing it.
- D. Retention in Teams governs Teams chat and channel messages in their own locations and operates independently of SharePoint content, so it does not optimize SharePoint retention.
- E. Adaptive scopes dynamically target policy locations by attributes or queries; they are a policy-targeting mechanism and add unnecessary complexity here rather than optimizing the existing SharePoint retention.
SC-400 practice exam FAQ
How many questions are in the SC-400 practice exam on CertGrid?
CertGrid has 542 practice questions for SC-400: Information Protection and Compliance Administrator, covering 4 exam domains. The real SC-400 exam has about 50 questions.
What is the passing score for SC-400?
The SC-400 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official SC-400 exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of SC-400: Information Protection and Compliance Administrator, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice SC-400 for free?
Yes. You can start practicing SC-400: Information Protection and Compliance Administrator for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.