SC-401 Microsoft Information Security Administrator - Practice Test 1

A Sensitive Information Type (SIT) defines a pattern - typically a regular expression plus confidence-boosting keywords - that Microsoft Purview uses to detect sensitive content automatically. For example, the "Credit Card Number" SIT uses a regex for 16-digit card numbers, checksum validation (Luhn algorithm), and nearby keyword hints. SITs are used by DLP policies, auto-labeling policies, and communication compliance. See more: Data Classification

Document fingerprinting creates a SIT from an existing form template (e.g., a patent application, NDA, or HR form). Microsoft Purview analyzes the unique word pattern of the blank form and creates a "fingerprint" hash. Any future document that matches this structural pattern - regardless of how it is filled in - is detected as containing that SIT. This is ideal for protecting standard company forms. See more: Data Classification

Exact Data Match (EDM) is a classification method that matches content against a customer-provided database (the sensitive data table) containing actual sensitive values - like exact employee SSNs, patient IDs, or customer phone numbers. Because it matches exact values instead of patterns, there are virtually no false positives. The sensitive data is hashed before upload so Microsoft never sees the raw values. EDM SITs are used in DLP policies and auto-labeling the same way as regular SITs. See more: Data Classification

Trainable classifiers use machine learning models rather than pattern rules. There are two types: - Pre-trained classifiers: Built by Microsoft (e.g., Offensive Language, Resumes, Financial Statements, Source Code, HR). Ready to use immediately. - Custom trainable classifiers: You provide 50-500 seed examples of positive content, then 200+ items each for the positive and negative test sets. The model trains and you evaluate/tune it before deploying. Trainable classifiers excel at semantic understanding - they recognize content by meaning, not format. See more: Data Classification

In Microsoft Purview compliance portal: - Data Explorer (now called Overview/Summary): Shows aggregate counts, trends, and charts of how sensitivity labels, retention labels, and SITs are distributed across your environment. - Content Explorer: Allows you to drill down and view the actual documents/emails that match a given sensitivity label, retention label, or SIT. Requires the "Content Explorer Content Viewer" role to see actual content. Both tools are under Data Classification in the compliance portal. See more: Data Classification

OCR support allows Microsoft Purview DLP and other classification services to detect sensitive information in images. Without OCR, a scanned image of a credit card statement (a JPEG or embedded image in a PDF) would not have its text recognized. With OCR enabled, the text is extracted from the image before classification runs, allowing SIT patterns to match. OCR must be configured in the compliance portal settings before it applies. See more: Data Classification

Sensitivity labels are persistent, portable metadata attached to content (Office files, emails, PDFs, Teams, SharePoint sites). A label can enforce: - Encryption (using Azure Rights Management) - Access control (restrict who can read/edit) - Content marking (header, footer, watermark) - Auto-labeling recommendations - Container settings (Teams/SharePoint external sharing restrictions) Labels travel with the document even when exported or shared externally. See more: Sensitivity Labels

Sensitivity label priority (order) matters in several scenarios: - Downgrade protection: If enforced, users must justify why they're applying a lower label (e.g., changing "Confidential" to "General") - Auto-labeling: When multiple SIT conditions match, the higher-priority label wins - Label inheritance: Child items inherit the parent site label only if the child's current label is lower priority - Sublabels inherit their parent's position Labels at the top of the list in the admin center have the lowest priority (order 0). Drag to reorder. See more: Sensitivity Labels

To create and manage sensitivity labels: Sensitivity Label Administrator role (or the higher-level Compliance Administrator or Global Administrator). The Sensitivity Label Administrator can create/edit/delete labels and label policies. To read labels without managing them: Sensitivity Label Reader. Note: Creating labels that apply encryption backed by Azure RMS may additionally require the Organization Management or Information Protection role group in Exchange admin center for some scenarios. See more: Sensitivity Labels

Content marking adds visible visual indicators to labeled documents/emails: - Header: Text inserted at the top (e.g., "CONFIDENTIAL") - Footer: Text inserted at the bottom (e.g., "Internal Use Only") - Watermark: Diagonal text overlaid on Word document pages Content markings are applied in Office apps and are visible to anyone who opens the document. They are different from metadata labels - markings are human-readable visual text. Content markings do not apply to Teams messages or SharePoint container labels. See more: Sensitivity Labels

SIT confidence levels: - High confidence: Primary pattern (regex) + corroborating evidence (supporting keywords nearby, valid checksum). Very few false positives but may miss some matches. - Medium confidence: Primary pattern with limited corroboration. - Low confidence: Pattern match only, no supporting evidence. More detections but more false positives. DLP policies and auto-labeling policies can be configured to trigger at different confidence levels. Setting High confidence reduces unnecessary policy matches. See more: Data Classification

A keyword dictionary supports up to 1 MB (approximately 100,000 keywords) and is used as a "corroborative evidence" element in a custom SIT. For example, a custom SIT for employee IDs might include a dictionary of job title names that commonly appear near the ID format. Keyword dictionaries are stored centrally in Purview and can be shared across multiple SITs. They are distinct from simple keyword lists, which are limited to ~100 keywords. See more: Data Classification

These are two separate label systems in Microsoft Purview: - Sensitivity labels: Information protection - control access, encryption, content marking, sharing restrictions. Focus: who can see/share the data. - Retention labels: Data lifecycle management - control how long content is kept, when it is deleted, or if it is a regulatory record. Focus: when data should be kept or deleted. Both can be applied to the same item simultaneously. They do not conflict - a document can be "Confidential" (sensitivity label) and kept for 7 years (retention label). See more: Sensitivity Labels

Container labels apply to Microsoft 365 Groups, SharePoint sites, and Teams rather than individual files. Container label settings can control: - External sharing: Allow/prevent external users from accessing content - Privacy: Make the Team/Group/Site public or private - Unmanaged device access: Restrict or block access from non-compliant devices - External user access in Teams meetings Note: Container labels do not inherit to the files inside the container. Files need their own sensitivity labels (though label inheritance from container to new files can be configured separately). See more: Sensitivity Labels

Sensitivity labels must be published via a label policy before they appear to users. A label policy: - Specifies which labels are available - Specifies which users/groups the policy targets - Sets policy settings: default label, mandatory labeling (force users to apply a label), justify downgrade, require justification for removing labels Unpublished labels exist in the system but are invisible to users. You can publish different label subsets to different groups (e.g., Legal team sees Privileged Attorney-Client label; general users do not). See more: Sensitivity Labels

Two auto-labeling modes: - Client-side (in Office apps): When a user opens/edits a file in Word/Excel/PowerPoint/Outlook and Purview detects a SIT match, the app shows a recommendation bar ("This file appears to contain Confidential data") or automatically applies the label. Requires AIP client or built-in labeling. - Service-side (label policies): Runs in the cloud across SharePoint, OneDrive, and Exchange content at rest. Scans existing content and applies labels without the user needing to open the file. Can be run in simulation mode first to assess impact. See more: Sensitivity Labels

Microsoft Defender for Cloud Apps extends sensitivity label coverage to connected cloud apps (non-Microsoft SaaS). You can: - Create file policies in Defender for Cloud Apps that scan connected app content for SITs - Apply sensitivity labels to matching files in third-party cloud apps via Defender for Cloud Apps - Create session policies to block download of labeled files from cloud apps (conditional access app control) This extends Purview labels beyond Microsoft 365 to the broader SaaS ecosystem. See more: Sensitivity Labels

Microsoft now supports co-authoring for files with AIP/Purview encryption stored in SharePoint and OneDrive. This requires: - The sensitivity label uses Microsoft-managed or customer-managed encryption (not S/MIME) - Co-authoring for encrypted files is enabled in the compliance portal settings - Files are stored in SharePoint/OneDrive (not local) Previously, encryption prevented simultaneous multi-user editing. This feature resolved a major adoption barrier. See more: Sensitivity Labels

Sublabels let you organize labels hierarchically. Users see a parent label (e.g., "Confidential") with an expand arrow revealing sublabels ("All Employees", "Finance Only", "Executive Only"). Each sublabel has its own protection settings. This structure: - Users only apply sublabels to content (parent labels are not applied directly) - Provides intuitive categorization - Keeps the label menu manageable Sublabels inherit their parent's order/priority position. See more: Sensitivity Labels

Mandatory labeling is a label policy setting that blocks users from saving a document or sending an email without first applying a sensitivity label. Combined with a default label, it ensures all content is classified: - Default label: Pre-applies a label (e.g., "General") so users don't need to choose unless they want a different label - Mandatory labeling: Forces users to actively confirm or change a label before saving/sending Both settings are configured in the label publishing policy in the Purview compliance portal. See more: Sensitivity Labels

When configuring encryption on a sensitivity label: - Assign permissions now: Admin defines exactly who (specific users, groups, domains) can access labeled content and what they can do (View, Edit, Print, Copy, etc.). Protection is pre-set. - Let users assign permissions: Users choose at label application time. Options include "Encrypt-Only" (encryption without access restriction) or "Do Not Forward" (email recipients cannot forward/copy/print). Allows flexibility for user-driven protection. Both use Azure Rights Management (Azure RMS/AIP) as the underlying encryption service. See more: Sensitivity Labels

In the Microsoft Purview compliance portal (compliance.microsoft.com): - Information protection -> Labels: Create and manage sensitivity labels - Information protection -> Label policies: Publish labels to users/groups - Information protection -> Auto-labeling: Configure service-side auto-labeling policies The same labels can also be managed via Microsoft Graph API or Security & Compliance PowerShell (Set-Label cmdlet). The Azure Information Protection (AIP) classic unified labeling admin center is deprecated. See more: Sensitivity Labels

Container labels apply governance settings to the container itself - not its contents. When you apply a container label to a Teams channel or SharePoint site: - External sharing settings are enforced (e.g., no external sharing) - Guest/external access is restricted based on the label configuration - Unmanaged device access can be blocked - For Teams: meeting recording, chat transcript, and lobby settings can be configured Individual files inside the container keep their own sensitivity labels (or none). Label inheritance to new files can be configured separately with default labeling for libraries. See more: Sensitivity Labels

Custom trainable classifier creation process: 1. Provide 50-500 seed examples (positive content samples) stored in a SharePoint location 2. Initial model training runs automatically (takes up to 24 hours) 3. You review predictions and provide a test set: - 200+ positive test items (items that should match) - 200+ negative test items (items that should not match) 4. Evaluate the classifier - check precision/recall metrics 5. Publish the classifier for use in DLP, retention, and communication compliance policies See more: Data Classification

EDM is the correct solution when the sensitive data consists of known specific values (exact customer data from a system of record). EDM: - Uploads a hashed version of the actual data (customer names, IDs, amounts from CRM) - Only triggers when the exact combination appears in content - Virtually eliminates false positives because it matches real data, not patterns Document fingerprinting works for structural form matching. Trainable classifiers work for semantic content categories. Keyword dictionaries boost existing SITs but don't prevent false positives on their own. See more: Data Classification