SC-401 Practice Test 2 | Microsoft Information Security Administrator | JavaInUse

SC-401 Microsoft Information Security Administrator - Practice Test 2

Question 1 (EASY)
What is the Microsoft Purview Information Protection (MPIP) client and what does it add for Windows users?
The Microsoft Purview Information Protection client (formerly AIP unified labeling client) is a Windows add-in that extends sensitivity labeling beyond Office apps. It adds:
- Right-click labeling in File Explorer for any file type
- Sensitivity labeling in Office 2016/2019 (built-in labeling requires Microsoft 365 Apps)
- The Information Protection scanner (for on-premises content)
- Viewer for protected PDF files and other RMS-protected content
- The "Sensitivity" button in Outlook for additional labeling options
For modern Microsoft 365 Apps, built-in labeling is preferred over the AIP client.
See more: Information Protection
Question 2 (MEDIUM)
What is the Microsoft Purview Information Protection scanner and what repositories does it scan?
The Microsoft Purview Information Protection scanner (formerly AIP scanner) is installed on-premises and:
- Scans Windows Server file shares (UNC paths), SharePoint Server 2013/2016/2019 libraries, NFS/CIFS locations
- Uses sensitivity label auto-labeling rules and SIT matching to classify files
- Can apply labels, apply encryption, and add content markings to files
- Managed from the Microsoft Purview compliance portal (Scanner content scan jobs)
- Requires a Windows Server and network access to the file repositories
This is critical for organizations with on-premises data that haven't fully moved to the cloud.
See more: Information Protection
Question 3 (EASY)
What is Microsoft Purview Message Encryption (formerly Office 365 Message Encryption)?
Microsoft Purview Message Encryption (OME) allows sending encrypted emails to anyone:
- Internal Microsoft 365 users: Open encrypted emails seamlessly in Outlook
- External Gmail/Yahoo/other users: Receive a notification with a link to a web portal (OME portal) where they authenticate with OTP or Google/Microsoft account to view the message
- Any recipient: Can receive encrypted mail without needing specific email client software
Encryption options include Encrypt-Only (content encrypted), Do Not Forward (can't forward/copy/print), and custom templates. Triggered via mail flow rules or sensitivity labels.
See more: Information Protection
Question 4 (MEDIUM)
What is Advanced Message Encryption in Microsoft Purview and what additional features does it provide over standard Message Encryption?
Advanced Message Encryption (available with Microsoft 365 E5 or as an add-on) extends standard OME with:
- Revocation: Sender can revoke access to a sent encrypted email, making it inaccessible to the recipient
- Expiration: Set an auto-expiry date - the recipient's access automatically expires on the specified date
- Multiple branding templates: Create different OME portal branding for different departments or purposes (e.g., HR notices vs. legal notices)
Standard OME (included with E3) provides single branding templates only and no revocation.
See more: Information Protection
Question 5 (MEDIUM)
How do mail flow rules relate to Microsoft Purview Message Encryption?
Exchange Online mail flow rules (transport rules) can apply OME encryption automatically:
- Condition: Email sent to external domain + subject contains "Confidential" -> Apply "Encrypt-Only" OME template
- Condition: Email body matches Credit Card SIT -> Apply "Do Not Forward" encryption
- Condition: From Legal distribution group -> Apply custom Legal Branding template
This automates encryption without requiring users to manually label emails. Mail flow rules complement sensitivity labels - they're especially useful for policy-driven encryption of messages from users who may not use Outlook (e.g., application-generated emails).
See more: Information Protection
Question 6 (MEDIUM)
What is S/MIME and how does it differ from Microsoft Purview Message Encryption?
S/MIME (Secure/Multipurpose Internet Mail Extensions):
- Requires both sender and recipient to have PKI certificates
- End-to-end encryption: Only the recipient's private key can decrypt
- Supports digital signatures for non-repudiation/integrity
- Works natively in email clients that support S/MIME (Outlook, Apple Mail)
Microsoft Purview Message Encryption (OME):
- No certificates needed for recipients
- Based on AIP/Azure RMS infrastructure
- External recipients use a web portal with OTP authentication
- Easier to deploy for broad external communication
Both can coexist; S/MIME is better for high-security B2B scenarios with known partners.
See more: Information Protection
Question 7 (MEDIUM)
When configuring a sensitivity label policy, what does the "default label for documents" setting do?
The "default label" policy setting automatically applies the specified label when a user creates a new document in Word, Excel, or PowerPoint. The label appears in the Sensitivity button. Users can change it, but the document always starts labeled instead of unlabeled. Similarly, a default label for emails applies the label to new emails in Outlook. For emails, you can set different default labels for new emails vs. replies/forwards. This promotes labeling culture without forcing users to always choose - combined with mandatory labeling, it ensures all content gets classified.
See more: Sensitivity Labels
Question 8 (MEDIUM)
What is simulation mode in service-side auto-labeling policies?
Simulation mode is available for service-side auto-labeling policies in Microsoft Purview. When enabled:
1. The policy scans targeted content (SharePoint, OneDrive, Exchange)
2. It identifies all items that would receive the label
3. Reports the count and lists affected items in the policy dashboard
4. No labels are actually applied
Admins review the results to ensure the policy matches intended scope. After validation, the policy is switched from simulation to active enforcement. This prevents accidentally labeling/encrypting thousands of wrong files.
See more: Sensitivity Labels
Question 9 (EASY)
What is the "Do Not Forward" option in Microsoft Purview Message Encryption?
"Do Not Forward" is a built-in RMS protection template available in Outlook and via mail flow rules:
- The email is encrypted
- Recipients can read the message in their original Outlook client
- They CANNOT: Forward, Reply All (to new recipients), Copy content, Print, Save attachments
- External recipients access via OME portal with the same restrictions
Important distinction: "Do Not Forward" is an IRM permission set, not a sensitivity label. It can be user-applied in Outlook. Labels with encryption may include Do Not Forward as one of the predefined permission sets.
See more: Information Protection
Question 10 (MEDIUM)
What is the difference between client-side auto-labeling (in Office apps) and service-side auto-labeling?
Client-side auto-labeling:
- Triggers in Office apps (Word, Excel, PowerPoint, Outlook) when user opens/edits content
- Can show "recommendation" (user sees bar saying "Apply this label?") or "automatic" (label silently applied)
- User must open the file for labeling to occur
Service-side auto-labeling:
- Runs as a background cloud service scanning Exchange, SharePoint, OneDrive content
- Applies labels to files AT REST without user opening them
- Higher throughput - can label thousands of existing files
- Supports simulation mode for impact assessment
- Requires Microsoft 365 E5 or compliance add-on for full capability
See more: Sensitivity Labels
Question 11 (MEDIUM)
What licensing is required for Advanced Message Encryption (email revocation and expiration)?
Microsoft 365 Message Encryption (standard OME) is included in:
- Microsoft 365 E3, Microsoft 365 Business Premium, Office 365 E3, E5
Advanced Message Encryption (revocation + expiration + multiple branding templates) requires:
- Microsoft 365 E5
- Microsoft 365 E5 Compliance add-on
- Microsoft Purview Advanced Message Encryption (standalone add-on)
This is a common exam topic - remember that revocation is an E5/Advanced feature.
See more: Information Protection
Question 12 (MEDIUM)
What sensitivity label setting controls whether external users can be granted access to RMS-protected files?
When configuring encryption on a sensitivity label with "Assign permissions now":
- You can add specific users by name/email (including external addresses)
- You can add email domains (e.g., contoso.com) to allow all users in that domain
- "Authenticated Users" allows anyone with any organizational or personal Microsoft/Google account to access the content after authentication
- Permissions are defined per user/group (Full Control, Co-Author, Co-Owner, Reviewer, Viewer)
The key concept: encryption does not inherently block external users - the admin decides who gets what permissions via the label's encryption settings.
See more: Information Protection
Question 13 (MEDIUM)
What is label inheritance from email attachments and when does it apply?
Label inheritance from attachments applies in Outlook: if you attach a file with a "Confidential" label to an email currently labeled "General," Outlook will prompt you to upgrade the email label to "Confidential" to match the attachment. This must be configured in the label policy settings. This prevents inconsistencies where a "General" email carries a "Confidential" attachment - the email's protection should match or exceed the most sensitive attachment.
See more: Sensitivity Labels
Question 14 (MEDIUM)
What are the MIP scanner's two operational modes?
The Microsoft Purview Information Protection scanner operates in two modes:
- Discovery mode: Scans repositories and reports what sensitive information types are found, without applying labels or encryption. Generates a report. Used for initial assessment of your on-premises data footprint.
- Enforcement mode: Applies sensitivity labels (and optionally encryption and content markings) to files that match the configured auto-labeling rules.
A content scan job is configured in the Purview compliance portal, specifying repositories, label actions, and override settings.
See more: Information Protection
Question 15 (EASY)
Which Microsoft Purview feature enables branding customization of the encrypted email portal that external recipients use?
OME branding templates customize how the encrypted email portal appears to external recipients:
- Organization logo
- Portal background color
- Custom introductory text
- Custom disclaimer/footer text
- Custom "Read the message" button text
Standard OME supports one custom branding template. Advanced Message Encryption supports multiple templates (e.g., different branding for HR vs. Legal communications). Templates are applied via mail flow rules or sensitivity labels in Exchange Online.
See more: Information Protection
Question 16 (HARD)
An organization applies a sensitivity label "Highly Confidential" with encryption (Reviewer permission - read/reply only) to a file. A user who is NOT in the permitted list tries to open it. What happens and what determines this behavior?
Azure RMS encryption works by embedding a license in the file containing:
- Who has rights (users/groups)
- What rights they have (permissions)
- Expiration dates (if configured)
When opening the file, the app contacts Azure RMS to verify the user's identity. If the user is not in the permitted list, no usage license is issued and the file remains encrypted. The user sees "Access denied" or similar error. This protection persists even if the file is:
- Copied to a USB drive
- Emailed externally
- Uploaded to a non-Microsoft cloud service
The file remains encrypted wherever it goes.
See more: Information Protection
Question 17 (MEDIUM)
What is the "Encrypt-Only" option in Microsoft Purview Message Encryption?
"Encrypt-Only" vs "Do Not Forward":
- Encrypt-Only: Email is encrypted in transit and at rest, but once the legitimate recipient decrypts the message, they can reply, forward, copy, or print. The encryption ensures confidentiality of delivery only.
- Do Not Forward: Encrypted AND usage rights are restricted - recipients cannot forward, copy, or print.
Choose Encrypt-Only when you want to protect data in transit but still allow normal business communication by the recipient. Use Do Not Forward when you want to prevent redistribution.
See more: Information Protection
Question 18 (MEDIUM)
What infrastructure requirement is needed before deploying the Microsoft Purview Information Protection scanner on-premises?
MIP scanner deployment requirements:
- Windows Server (2012 R2 or later) to host the scanner service
- SQL Server (local Express or remote) for the scanner configuration/status database
- Service account in Active Directory with rights to: read/write files in scanned repositories, authenticate to Azure AD, connect to Exchange/SharePoint if included
- Azure AD app registration (client ID + secret) for scanner authentication to Purview
- Outbound internet access to Microsoft endpoints (RMS, Purview compliance portal)
- The scanner is installed via Install-AIPScanner PowerShell command and configured via Purview compliance portal (content scan jobs)
See more: Information Protection
Question 19 (EASY)
What happens to sensitivity label encryption when a file is saved as a PDF from an encrypted Office document?
Microsoft 365 Apps now support PDF sensitivity labeling. When you export an Office file (Word, Excel, PowerPoint) to PDF:
- If the source document has an AIP-encrypted sensitivity label, the PDF inherits the same label and encryption
- The PDF can be opened in Microsoft Edge (natively supports RMS-protected PDFs) or Adobe Reader with the AIP extension
- The sensitivity label metadata is preserved in the PDF
This prevents users from circumventing protection by "printing to PDF" - the output PDF retains the protection.
See more: Information Protection
Question 20 (MEDIUM)
What is the Compliance Data Administrator role in Microsoft Purview?
Compliance Data Administrator is an Azure AD admin role that:
- Manages compliance policies in the Microsoft Purview compliance portal
- Has read access to the Microsoft 365 security center
- Can access Azure Purview data map governance features
- Manages sensitivity labels, DLP policies, retention, eDiscovery
Compared to Compliance Administrator:
- Both manage compliance portal policies
- Compliance Data Administrator has broader read access including Azure Purview (data governance for multi-cloud, not just M365)
- Compliance Administrator is more focused on M365 compliance portal
See more: Sensitivity Labels
Question 21 (MEDIUM)
What is Azure Rights Management (Azure RMS) and what role does it play in sensitivity labels?
Azure Rights Management Service (Azure RMS) is the encryption backbone of Microsoft Purview Information Protection:
- Manages the cryptographic keys used to encrypt protected content
- Issues usage licenses when users open protected files (validates they have rights)
- Integrated into Office apps, SharePoint, Exchange, and the AIP client
- The Azure RMS service is tenant-managed by default (Microsoft-managed keys) or can use Bring Your Own Key (BYOK) or Hold Your Own Key (HYOK) for organizations with stricter key management requirements
Sensitivity labels "sit on top" of Azure RMS - they provide the policy framework; Azure RMS provides the actual encryption.
See more: Information Protection
Question 22 (HARD)
What is Double Key Encryption (DKE) and when would an organization use it?
Double Key Encryption (DKE) is for the highest-sensitivity scenarios:
- Organization deploys a DKE service key server on their own infrastructure (or trusted cloud)
- Files encrypted with DKE require BOTH the customer-controlled DKE key AND the Microsoft Azure RMS key
- Even if Microsoft receives a legal order, they cannot decrypt the content without the customer's key
- Use cases: Government agencies, regulated industries (defense, banking) with specific data sovereignty requirements
DKE-protected files can only be accessed using Microsoft 365 Apps with internet access to the DKE key service.
See more: Information Protection
Question 23 (MEDIUM)
What specific conditions can a service-side auto-labeling policy use to identify content?
Service-side auto-labeling policies support multiple content detection methods:
- Sensitive information types (both built-in and custom SITs, including EDM and document fingerprints)
- Trainable classifiers (pre-trained and custom)
- Keywords and keyword lists
- Document property values (specific SharePoint metadata)
- Specific file extensions
The policy scans content in SharePoint Online, OneDrive for Business, and Exchange Online. It can be scoped to specific sites, OneDrive accounts, or all users. Multiple conditions can be combined with AND/OR logic.
See more: Sensitivity Labels
Question 24 (EASY)
What does the "Protect" option on a sensitivity label do when configured for Microsoft 365 Groups?
When a sensitivity label with container settings is applied to a Microsoft 365 Group:
- Privacy: Public (anyone in the org can join) or Private (only approved members)
- External user access: Allow or prevent external users from being added
- Unmanaged device access: Allow full access, allow limited (web-only), or block
- SharePoint site features: Prevents download on unmanaged devices; enforced by Conditional Access
These settings enforce governance over collaboration containers, ensuring sensitive projects have appropriate access controls at the container level.
See more: Sensitivity Labels
Question 25 (HARD)
A healthcare organization wants to automatically encrypt all emails sent externally that contain patient health information. They want external recipients (without Microsoft accounts) to be able to read the emails securely. What is the recommended approach?
This scenario requires:
1. Automatic encryption (no user action) - mail flow rules satisfy this
2. External recipient access without Microsoft accounts - OME portal with OTP authentication satisfies this
3. PHI detection - US Health Insurance Act SIT or HIPAA-related SITs detect the content
The mail flow rule:
- Condition: Recipient is external AND email contains US Health Insurance Act SIT
- Action: Apply OME encryption (Encrypt-Only template)
External recipients get an email saying "You have a secure message" with a link to the OME portal where they use a one-time passcode sent to their email to authenticate and read the message.
See more: Information Protection
