SC-400: Information Protection and Compliance Administrator Study Guide
Microsoft SC-400 validates your ability to plan and implement information protection, data loss prevention, retention, and compliance investigations across Microsoft 365 using Microsoft Purview. It targets information protection administrators who classify and protect data, build DLP policies, govern the data lifecycle, and support eDiscovery and insider-risk work, typically alongside security, compliance, and Microsoft 365 administrators. The exam lasts 120 minutes, the passing score is 700, and it expects hands-on familiarity with the Purview compliance portal and PowerShell.
Domain 1: Implement Information Protection
- Sensitivity labels are the core Purview classification mechanism; a label can apply content markings (header, footer, watermark) and encryption with usage rights, and the protection travels with the file even after it leaves the tenant.
- Label encryption uses Azure Rights Management (Azure RMS); usage rights such as View, Edit, Copy, Print, and Reply are bound to specified users or groups, so an unauthorized user who obtains the file still cannot open it.
- A label policy publishes labels to users/groups and sets behaviors like a default label, mandatory labeling, justification for lowering a label, and the order labels appear; auto-labeling policies apply labels without user action.
- Auto-labeling exists in two forms: client-side (in Office apps, can recommend or apply as users work) and service-side auto-labeling (applies to data at rest in Exchange, SharePoint, and OneDrive without opening the file).
- Sensitive information types (SITs) are pattern-matching detectors (e.g., credit card number with Luhn check, U.S. SSN in XXX-XX-XXXX format) using primary patterns, supporting elements, proximity, and confidence levels.
- Trainable classifiers use machine learning to categorize content by example rather than pattern (e.g., resumes, source code, contracts); they require seed and test data and are useful where SITs cannot define a fixed pattern.
- Exact Data Match (EDM) classification matches against a hashed, uploaded reference table of your own sensitive records, giving high precision and low false positives versus generic SITs.
- Double Key Encryption (DKE) requires two keys to decrypt: Microsoft's key plus a customer-held key stored in a customer-controlled service, used for highly regulated data where Microsoft must never be able to access content.
- Bring Your Own Key (BYOK) lets the organization supply and manage its own RMS tenant key in Azure Key Vault for greater key control, while Microsoft still performs cryptographic operations.
- Built-in labeling is native in Microsoft 365 Apps (Word, Excel, PowerPoint, Outlook) and is the recommended path; the older Azure Information Protection (AIP) unified labeling add-in is deprecated.
- Label encryption can include external users and guests by adding their addresses (or a domain/anyone-authenticated option) to the permitted users so partners can open protected content.
- Scoping reduces risk and noise: use adaptive scopes (attribute-query based, e.g., Department = 'Legal') so policy targeting updates automatically, and limit high-impact auto-labeling to specific high-risk sites rather than the whole tenant.
- Apply encryption only to labels that genuinely need it; reserve marking-only labels for lower-sensitivity content so you do not break collaboration or co-authoring unnecessarily.
- Microsoft Defender for Cloud Apps integrates with Purview to discover and label sensitive content in third-party SaaS apps and enforce session controls on labeled data.
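The label, encryption and policy concepts above, put together in Security & Compliance PowerShell. This is an added example, not code from the study guide or from Microsoft; the tenant, group, partner-domain and label names are constructed placeholders, and the AdvancedSettings key names should be checked against Get-Help New-LabelPolicy in your own tenant.

```powershell
# Added example; not code from the study guide or from Microsoft. Creates one
# encrypting sensitivity label, one marking-only label, and a label policy that
# publishes both to a single group. All names and addresses are placeholders.

# Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder admin

# Usage rights are bound to identities, so the protection follows the file:
# the Legal group can view, edit and reply; a partner domain is view-only;
# anyone else cannot open the document even after obtaining a copy.
$rights = 'legal-team@contoso.example:VIEW,EDIT,REPLY;' +
          'partner.example:VIEW'

$confidential = @{
    Name                                        = 'Confidential-Legal'
    DisplayName                                 = 'Confidential - Legal'
    Tooltip                                     = 'Privileged legal material. Encrypted for Legal and named partners only.'
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = 'Template'
    EncryptionRightsDefinitions                 = $rights
    EncryptionOfflineAccessDays                 = 7        # re-authentication weekly, so revoked users lose access
    EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
    ApplyContentMarkingHeaderEnabled            = $true
    ApplyContentMarkingHeaderText               = 'CONFIDENTIAL - LEGAL'
    ApplyWaterMarkingEnabled                    = $true
    ApplyWaterMarkingText                       = 'Confidential'
}
New-Label @confidential

# Lower-sensitivity content gets markings only, so co-authoring and sharing
# are not broken by encryption it does not need.
$general = @{
    Name                             = 'General'
    DisplayName                      = 'General'
    Tooltip                          = 'Business data not intended for public release.'
    ApplyContentMarkingFooterEnabled = $true
    ApplyContentMarkingFooterText    = 'General'
}
New-Label @general

# Publish both labels to the Legal group only, default new content to General,
# and require a justification when a user lowers a label. Key names in
# AdvancedSettings are assumed; confirm them with Get-Help New-LabelPolicy.
$policy = @{
    Name             = 'Legal-Label-Policy'
    Labels           = 'General', 'Confidential-Legal'
    ExchangeLocation = 'legal-team@contoso.example'    # placeholder mail-enabled group
    AdvancedSettings = @{
        DefaultLabelId                = [string](Get-Label -Identity 'General').Guid
        RequireDowngradeJustification = 'True'
    }
}
New-LabelPolicy @policy
```

Scoping the policy to one group rather than the whole tenant keeps the blast radius small while the labels are validated; the encrypting label is the only one that can interrupt collaboration, so it is the one to pilot carefully.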
Domain 2: Implement Data Loss Prevention
- DLP policies detect sensitive content and prevent its unauthorized disclosure; actions include blocking/restricting sharing, notifying with a policy tip, generating admin alerts, allowing user override with justification, and encrypting.
- DLP locations span Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages, and managed devices via Endpoint DLP, plus on-premises repositories through the Purview data scanner.
- Endpoint DLP runs on Windows and macOS devices enrolled in Intune or onboarded with the agent; it can restrict copy to USB, copy to network share, print, paste to browser, and upload to unsanctioned cloud or restricted apps.
- Always deploy a new DLP policy in simulation (test) mode first; it logs matches without blocking or notifying, so you can review Activity Explorer, assess business impact, and tune rules to reduce false positives before enforcing.
- DLP rules combine conditions (e.g., content contains a SIT at or above an instance-count threshold, shared externally), exceptions, and actions; instance count and confidence level are the primary tuning levers.
- Use a policy tip with user override and justification where business needs vary, and audit the overrides, rather than fully blocking or disabling the policy and breaking legitimate work.
- Raising the instance-count threshold and requiring high-confidence SIT matches makes rules fire only on meaningful volumes, cutting false positives from incidental single matches.
- Confidence level reflects how strongly content matches a SIT: higher confidence requires more supporting evidence (primary element plus supporting keywords in proximity), reducing accidental triggers.
- EDM-based DLP rules match against a hashed reference table of exact records, ideal for protecting specific customer or employee data with far fewer false positives than pattern-only SITs.
- Monitor DLP outcomes in the Purview compliance portal using DLP alerts and Activity Explorer; configure alert aggregation and severity so high-severity, high-volume events surface first.
- Order and consolidate rules so the most common matches are evaluated efficiently; rules within a policy are processed in priority order, and when content matches more than one rule the most restrictive action generally applies.
- Target DLP policies to the locations and groups that actually handle sensitive data and exclude low-risk paths/extensions from inspection, rather than applying to the entire organization by default.
- DLP can act on sensitivity-label conditions, so content carrying a specific label can be blocked from external sharing even when no raw SIT is detected.
- Adaptive Protection integrates Insider Risk Management signals with DLP so users with elevated risk get more restrictive DLP enforcement automatically.
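The simulation-first rollout, instance-count and confidence tuning, and override-with-justification pattern from this domain, expressed as one DLP policy. This is an added example, not code from the study guide or from Microsoft; the policy name, site URL, processor domain and policy-tip text are constructed placeholders.

```powershell
# Added example; not code from the study guide or from Microsoft. A DLP policy
# deployed in simulation mode, one rule tuned on instance count and confidence,
# then switched to enforcement after review. All names are placeholders.

Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder admin

# 1. Policy scoped to the workloads that actually handle card data. Test mode
#    with notifications logs matches and shows policy tips but blocks nothing.
$policy = @{
    Name               = 'PCI-CardData'
    Comment            = 'Payment card numbers shared outside the organization'
    ExchangeLocation   = 'All'
    SharePointLocation = 'https://contoso.example.sharepoint.com/sites/Finance'   # placeholder site
    OneDriveLocation   = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# 2. Rule: ten or more card numbers at high confidence (85+), shared with
#    external recipients. Block, but allow an audited override with a
#    justification, and raise a high-severity alert for admins. Mail to the
#    organization's payment processor is excluded so legitimate work continues.
$rule = @{
    Name   = 'PCI-CardData-External-Block'
    Policy = 'PCI-CardData'
    ContentContainsSensitiveInformation = @(
        @{ Name = 'Credit Card Number'; minCount = '10'; minConfidence = '85' }
    )
    AccessScope               = 'NotInOrganization'
    ExceptIfRecipientDomainIs = 'processor.example'          # placeholder processor domain
    BlockAccess               = $true
    BlockAccessScope          = 'All'
    NotifyUser                = 'Owner', 'LastModifier'
    NotifyPolicyTipCustomText = 'This item contains 10 or more payment card numbers and is shared externally. Sharing is blocked unless you provide a business justification.'
    NotifyAllowOverride       = 'WithJustification'
    GenerateAlert             = 'SiteAdmin'
    ReportSeverityLevel       = 'High'
}
New-DlpComplianceRule @rule

# 3. After reviewing matches in Activity Explorer and the DLP alerts, and
#    adjusting minCount/minConfidence if the rule fires on incidental matches,
#    move the policy to enforcement without recreating it.
Set-DlpCompliancePolicy -Identity 'PCI-CardData' -Mode Enable
```

The two values in the ContentContainsSensitiveInformation hashtable are the tuning levers the guide describes: a single card number in an expense report does not reach minCount, and a 16-digit string with no supporting keywords nearby does not reach minConfidence, so neither produces a block or an alert.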
Domain 3: Implement Information Governance
- Retention controls how long content is kept and what happens at the end: retain only, retain then delete, or delete only; the retention period can be based on content creation, last modification, or when labeled.
- Retention policies apply broadly to locations (mailboxes, sites, Teams, Yammer) without user action; retention labels apply to individual items/folders/libraries and can trigger record declaration and disposition.
- Records management lets you declare content a record (editable metadata but locked content, can be relabeled) or a regulatory record (fully immutable, cannot be relabeled or unlocked) to meet legal recordkeeping obligations.
- The principles of retention resolve conflicts between policies and labels: retention wins over deletion, the longest retention period wins, explicit labels beat policies, and the shortest deletion period is applied only after all retention is satisfied.
- Disposition review inserts a manual approval step at end of retention so designated reviewers approve deletion, relabeling, or extension, producing an audit trail; reserve it for high-value records and use automatic deletion for routine content.
- Adaptive scopes target retention dynamically using an attribute query (e.g., Department, country, or a site URL), so membership updates automatically as people and sites change, unlike static scopes that you maintain by hand.
- Auto-apply retention labels can be triggered by SIT/keyword/query matches, trainable classifiers, or cloud attachments, applying governance without relying on users to label manually.
- A recommended rollout starts with one broad org-wide retention policy, then adds targeted retention labels only for content categories that need different periods or record handling.
- Teams chats and channel messages are governed by Teams-specific retention; a Teams retention policy can keep messages for a defined period then delete them automatically, including private channel messages as separate locations.
- Apply retention with defined deletion so inactive mailboxes and sites do not accumulate content indefinitely beyond required periods; an inactive mailbox under hold or retention is preserved even after the user is deleted.
- Content under retention that a user deletes is moved to a hidden, preserved location (e.g., Recoverable Items for mailboxes, the Preservation Hold library for SharePoint/OneDrive) and is still retained through the period.
- Retention labels can be published to users in label policies or auto-applied; published labels appear in Office, Outlook, and SharePoint/OneDrive for manual classification.
- Default retention behaviors differ by workload, so verify which locations a policy supports (for example, Yammer/Viva Engage and Teams have dedicated location options rather than being covered by Exchange/SharePoint policies).
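The recommended rollout from this domain (one broad retention policy, then targeted record labels) built with the retention cmdlets. This is an added example, not code from the study guide or from Microsoft; durations, the reviewer address, group and site URL are constructed placeholders.

```powershell
# Added example; not code from the study guide or from Microsoft. An org-wide
# baseline retention policy, a record label with disposition review, and a
# label policy that publishes it to one group and one site. Values are placeholders.

Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder admin

# 1. Baseline: keep all content three years from last modification, then delete,
#    so inactive mailboxes and sites do not accumulate data indefinitely.
New-RetentionCompliancePolicy -Name 'Org-Baseline-3y' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Enabled $true
New-RetentionComplianceRule -Name 'Org-Baseline-3y-Rule' `
    -Policy 'Org-Baseline-3y' `
    -RetentionDuration 1095 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# 2. Record label for signed contracts: seven years from the date the label is
#    applied, content locked as a record, and deletion gated by a disposition
#    reviewer who can approve, relabel or extend (producing an audit trail).
New-ComplianceTag -Name 'Contract-Record-7y' `
    -Comment 'Signed contracts; declared a record at labeling time' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType TaggedAgeInDays `
    -IsRecordLabel $true `
    -ReviewerEmail 'records-manager@contoso.example'

# 3. Publish the label only where contracts live, rather than tenant-wide.
New-RetentionCompliancePolicy -Name 'Publish-Contract-Record' `
    -ExchangeLocation 'legal-team@contoso.example' `
    -SharePointLocation 'https://contoso.example.sharepoint.com/sites/Contracts' `
    -Enabled $true
New-RetentionComplianceRule -Name 'Publish-Contract-Record-Rule' `
    -Policy 'Publish-Contract-Record' `
    -PublishComplianceTag 'Contract-Record-7y'
```

A contract in the Contracts site is covered by both the three-year baseline and the seven-year label. Under the precedence rules, the longest retention wins, so the item is kept for the full seven years, and only after the reviewer approves disposition does any deletion take effect.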
Domain 4: Monitor and Investigate
- eDiscovery searches for and preserves content across Exchange, SharePoint, OneDrive, and Teams for legal matters; eDiscovery (Standard) provides case management, search, hold, and export, while eDiscovery (Premium) adds custodian management, legal hold notifications, review sets, analytics, and predictive coding.
- An eDiscovery hold preserves potentially relevant content from deletion or alteration while a matter is active; holds are scoped to specific locations and can be narrowed with a content match query.
- Key eDiscovery cmdlets: New-ComplianceCase creates a case; New-CaseHoldPolicy plus New-CaseHoldRule place and define a hold; New-ComplianceSearch, Start-ComplianceSearch, and New-ComplianceSearchAction run and export searches.
- New-ComplianceSearchAction with -Export exports results; with -Purge -PurgeType HardDelete it permanently removes matching items (used for remediating phishing/malware); Get-ComplianceSearchAction -Details checks status.
- Litigation hold is set per mailbox with Set-Mailbox -LitigationHoldEnabled $true and preserves all mailbox content; it differs from case/eDiscovery holds, which are query-scoped across multiple workloads.
- The unified audit log records actions across M365 (mailbox operations, file access, sharing, policy and admin changes, eDiscovery activity); query it with Search-UnifiedAuditLog filtered by -StartDate, -EndDate, -Operations, -UserIds.
- Auditing must be enabled before events are captured; enable ingestion with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true; it is on by default for most modern tenants.
- Default unified audit log retention is 180 days for most licenses; Audit (Premium) extends default retention to one year (up to ten years with an add-on) and provides higher-value events and bandwidth.
- Communication Compliance analyzes Exchange, Teams, and Viva Engage messages to detect harassment/offensive language, confidential-data sharing, and regulatory breaches; scope policies to the regulated population and define reviewers and escalation.
- Insider Risk Management correlates HR connector signals with risky activity; the departing-employee data-theft template flags bulk downloads, external forwarding, and copying to USB by users with a resignation date.
- Compliance Manager scores your compliance posture as a percentage against frameworks (GDPR, HIPAA, ISO 27001, SOC 2, NIST) and recommends improvement actions, tracking implementation and test status of controls.
- Refine searches and investigations before collecting: narrow by date range, custodians/users, keywords, and specific workloads/operations to reduce noise and the volume exported.
- Tune Insider Risk Management indicators and alert thresholds so meaningful risk signals surface and low-value noise is suppressed; apply audit retention policies to keep critical activity longer while letting lower-value logs expire.
- Activity Explorer and Content Explorer in Purview let you see labeled and sensitive content and the activities performed on it, supporting both investigation and DLP/label tuning.
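A unified audit log query built on the Search-UnifiedAuditLog parameters listed above, narrowed by date range, user and operations as the guide recommends, paged through the 5,000-record limit, and summarized. This is an added example, not code from the study guide or from Microsoft; the user, operation selection and CSV path are assumptions, and the operation names are standard SharePoint sharing and DLP audit operations.

```powershell
# Added example; not code from the study guide or from Microsoft. Pulls seven
# days of external-sharing and DLP-match audit events for one user, pages
# through the results, expands the AuditData JSON and summarizes by operation.
# The user, operations and output path are placeholders.

# Search-UnifiedAuditLog is an Exchange Online cmdlet.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = 'SharingInvitationCreated', 'AnonymousLinkCreated', 'SecureLinkCreated', 'DlpRuleMatch'
$user  = 'alex@contoso.example'                                     # placeholder user

# A session id plus ReturnLargeSet lets repeated calls page through the result
# set 5,000 records at a time; the loop ends when a call returns nothing.
$sessionId = "sharing-review-$([guid]::NewGuid())"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -UserIds $user `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page)

# Each record carries the event detail as a JSON string in AuditData.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Workload  = $d.Workload
        User      = $d.UserId
        Target    = if ($d.ObjectId) { $d.ObjectId } else { $d.TargetUserOrGroupName }
    }
}

# Counts per operation surface the pattern (many anonymous links, repeated DLP
# matches) before anyone reads individual events.
$events | Group-Object Operation | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Preserve the filtered evidence set outside the log's default retention window.
$events | Sort-Object Time | Export-Csv -Path '.\sharing-review.csv' -NoTypeInformation
```

Exporting the filtered result set matters because the default 180-day retention applies to the log itself; an investigation that outlives that window needs its own copy of the relevant records.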
SC-400 exam tips
- Always run new DLP and auto-labeling policies in simulation/test mode first, review Activity Explorer, and tune instance count and confidence before enforcing; expect several questions framed around reducing false positives without disabling protection.
- Memorize the retention precedence rules cold: retention wins over deletion, longest retention wins, explicit labels beat policies, and deletion applies only after all retention is satisfied.
- Know the PowerShell cmdlets verbatim, especially New-ComplianceCase, New-CaseHoldPolicy/New-CaseHoldRule, New-ComplianceSearchAction (-Export vs -Purge -PurgeType HardDelete), Set-Mailbox -LitigationHoldEnabled, and Search-UnifiedAuditLog parameters.
- Distinguish overlapping features by their unique purpose: SIT vs trainable classifier vs EDM; sensitivity label vs retention label; record vs regulatory record; eDiscovery Standard vs Premium; DKE vs BYOK; adaptive vs static scopes.
- When a scenario stresses scale or noise, prefer adaptive scopes, targeted locations/groups, high-confidence SITs, and disposition review only for high-value records rather than broad, tenant-wide enforcement.
Study guide FAQ
What is the difference between a sensitivity label and a retention label?
A sensitivity label classifies and protects content by applying encryption, usage rights, and visual markings that travel with the file. A retention label governs the data lifecycle, defining how long an item is kept and whether it is deleted, reviewed, or declared a record at the end of the period. An item can carry both simultaneously.
When should I use Exact Data Match (EDM) instead of a built-in sensitive information type?
Use EDM when you need to protect specific, known records (such as your customer or employee database) with high precision. EDM matches against a hashed, uploaded reference table of your own data, dramatically reducing false positives compared with generic SITs that match any value fitting a pattern.
What is the default retention period of the unified audit log, and how do I extend it?
By default the unified audit log retains records for 180 days on most licenses. Audit (Premium) extends default retention to one year and, with an add-on, up to ten years, and also surfaces additional high-value events. Make sure audit ingestion is enabled before relying on the log.
How do I export search results versus permanently delete malicious content with eDiscovery?
Use New-ComplianceSearchAction -SearchName "Search1" -Export to export results for review, and check progress with Get-ComplianceSearchAction -Details. To permanently remove matching items, such as a phishing message, use New-ComplianceSearchAction -SearchName "Phish1" -Purge -PurgeType HardDelete.
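The eDiscovery cmdlet sequence from Domain 4 and the export-versus-purge question above, as one end-to-end script: a case, a query-scoped hold, a search that is polled to completion, an export, and a phishing purge that is previewed and explicitly confirmed before the irreversible step. This is an added example, not code from the study guide or from Microsoft; the case name, custodians, site URL, content queries and sender address are constructed placeholders, and the helper function is my own.

```powershell
# Added example; not code from the study guide or from Microsoft. eDiscovery
# (Standard) case workflow with the cmdlets the guide names, plus a guarded
# purge for phishing remediation. Case, custodian, site and query values are
# placeholders; Invoke-ComplianceSearchAndWait is a helper written for this example.

Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder admin

$case = 'Matter-2024-017'
New-ComplianceCase -Name $case -Description 'Contract dispute with a supplier' | Out-Null

# Hold two custodians and the project site, narrowed by a content query so only
# potentially relevant items are preserved. Compare Litigation Hold, which is
# set per mailbox with Set-Mailbox -LitigationHoldEnabled $true and keeps everything.
New-CaseHoldPolicy -Name "$case-Hold" -Case $case `
    -ExchangeLocation 'alex@contoso.example', 'sam@contoso.example' `
    -SharePointLocation 'https://contoso.example.sharepoint.com/sites/Supplier-Project' `
    -Enabled $true | Out-Null
New-CaseHoldRule -Name "$case-Hold-Rule" -Policy "$case-Hold" `
    -ContentMatchQuery '(supplier AND contract) AND sent>=2024-01-01' | Out-Null

# Helper: create a search (inside a case when -Case is given), start it, and
# poll until the service reports completion.
function Invoke-ComplianceSearchAndWait {
    param([string]$Name, [string]$Query, [string]$Case)
    $p = @{ Name = $Name; ExchangeLocation = 'All'; ContentMatchQuery = $Query }
    if ($Case) { $p.Case = $Case; $p.SharePointLocation = 'All' }
    New-ComplianceSearch @p | Out-Null
    Start-ComplianceSearch -Identity $Name
    do {
        Start-Sleep -Seconds 30
        $s = Get-ComplianceSearch -Identity $Name
    } while ($s.Status -ne 'Completed')
    return $s
}

# Export for review: results stay intact, the action only packages them.
$search = Invoke-ComplianceSearchAndWait -Name "$case-Search1" -Query '(supplier AND contract)' -Case $case
"Items: $($search.Items)  Size (bytes): $($search.Size)"
New-ComplianceSearchAction -SearchName "$case-Search1" -Export | Out-Null
Get-ComplianceSearchAction -Identity "$case-Search1_Export" -Details

# Purge for remediation: a tenant-wide search for one phishing message, a sanity
# check on the hit count, then a hard delete behind an interactive confirmation.
# A purge action removes at most 10 items per mailbox; rerun it if items remain.
$phish = Invoke-ComplianceSearchAndWait -Name 'Phish-2024-05-02' `
    -Query 'from:"billing@invoices-lookalike.example" AND subject:"Invoice overdue"'
if ($phish.Items -gt 0 -and $phish.Items -lt 500) {
    New-ComplianceSearchAction -SearchName 'Phish-2024-05-02' -Purge -PurgeType HardDelete -Confirm
    Get-ComplianceSearchAction -Identity 'Phish-2024-05-02_Purge' -Details
} else {
    "Unexpected hit count ($($phish.Items)); refine the query before purging."
}
```

The upper bound on the hit count is a deliberate circuit breaker: a query that matches thousands of items is almost certainly too broad for a single phishing campaign, and HardDelete cannot be undone.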