SC-401 Practice Test 3 | Microsoft Information Security Administrator | JavaInUse

SC-401 Microsoft Information Security Administrator - Practice Test 3

Question 1 (EASY)
What are the three main components of a DLP policy rule in Microsoft Purview?
A DLP policy contains one or more rules. Each rule has:
- Conditions: What triggers the rule - SIT matches, sensitivity label applied, specific recipient domains, file extensions, etc.
- Exceptions: Items/users/locations to exclude from the rule
- Actions: What to do - block sharing, restrict access, encrypt, notify user, generate incident report
Plus rule settings:
- User notifications: Show policy tip to end user
- Incident reports: Send alert email to admin
- Alerting: Configure alert severity and aggregation
- Priority: Rule order within the policy (higher priority rules evaluated first)
See more: Data Loss Prevention
Question 2 (EASY)
What locations can Microsoft Purview DLP policies be applied to?
Microsoft Purview DLP supports these workload locations:
- Exchange Online: Emails (inbound/outbound)
- SharePoint Online: Documents and sites
- OneDrive for Business: User files
- Microsoft Teams: Chat messages and channel messages
- Endpoint (Windows 10/11, macOS): Files on devices
- Microsoft Defender for Cloud Apps: Connected SaaS apps (Box, Salesforce, etc.)
- On-premises file shares and SharePoint Server (via the MIP scanner)
- Power BI (for certain content)
A single policy can cover multiple locations simultaneously.
See more: Data Loss Prevention
Question 3 (EASY)
What is a DLP policy tip?
Policy tips are user-facing notifications that appear inline in Office apps, Outlook, or SharePoint when a DLP rule condition is met:
- Example tip: "This email contains sensitive financial information that cannot be shared externally"
- Users can see why the action is being restricted
- Depending on the rule, users may be able to override the policy with a business justification (which is logged for review)
- Or the action may be blocked entirely, with no override option
Policy tips help educate users about data protection policies in real time, reducing accidental violations.
See more: Data Loss Prevention
Question 4 (MEDIUM)
What is DLP policy and rule precedence and how does it work when multiple policies match the same content?
DLP precedence rules:
- Policies: Numbered by priority (Policy 1 = highest priority). Higher priority policies can override or supplement lower ones.
- Rules within a policy: Also have priority order.
- Multiple rules matching: The highest-priority matching rule executes. If it includes "Stop processing more rules", no more rules in the policy run. Otherwise subsequent rules may also run.
- Multiple policies: Actions from all matching policies can accumulate; the most restrictive combined actions apply. But "Stop processing more rules" in a policy only affects that policy (not other policies).
See more: Data Loss Prevention
Question 5 (MEDIUM)
What is Adaptive Protection in Microsoft Purview and how does it integrate with DLP and Insider Risk Management?
Adaptive Protection bridges Insider Risk Management (IRM) and DLP:
1. IRM continuously evaluates user activity and assigns risk levels: Elevated Risk, Moderate Risk, Minor Risk
2. Adaptive Protection creates DLP rules that target users by their current IRM risk level
3. Example: An "Elevated Risk" user might have SharePoint uploads blocked, while "Moderate Risk" users see a policy tip only
Benefits:
- Dynamic: protections automatically tighten when a user's risk score rises
- No per-user manual policy assignment needed
- When a user's risk drops, stricter controls automatically relax
Requires both Insider Risk Management and DLP to be configured.
See more: Data Loss Prevention
Question 6 (EASY)
What device onboarding requirement must be met before Endpoint DLP can monitor devices?
Endpoint DLP device requirements:
- Windows 10/11 (1809 and later) or macOS (three latest major releases)
- Device must be onboarded to Microsoft Purview Endpoint DLP, which uses the SAME onboarding mechanism as Microsoft Defender for Endpoint (MDE)
- Onboarding methods: Microsoft Intune, SCCM/Configuration Manager, Group Policy, local script, VDI onboarding script
Once onboarded, the device reports DLP activity (file access, uploads, prints, removable media) to Microsoft Purview for policy application and auditing.
Note: If devices are already onboarded to Defender for Endpoint, they're already onboarded to Endpoint DLP.
See more: Data Loss Prevention
Question 7 (MEDIUM)
What endpoint activities can Microsoft Purview Endpoint DLP monitor and control?
Endpoint DLP monitors and can control these activities on Windows/Mac endpoints for files matching DLP policies:
- Copy to USB/removable storage
- Copy to network share
- Print (to local/network printer)
- Copy to clipboard
- Upload to cloud services (browsers): can allow all, block unallowed, or audit
- Access by restricted apps (e.g., unauthorized cloud sync clients)
- Upload via Bluetooth
- RDP (Remote Desktop) file sharing
- Screen capture apps
Actions: Audit only, Block + override, or Block always. Different actions can be set per activity type.
See more: Data Loss Prevention
Question 8 (MEDIUM)
What are restricted app groups in Endpoint DLP?
Restricted app groups in Endpoint DLP settings let you define named sets of applications and assign specific behaviors:
- Define a "Restricted Apps" group containing specific app executables (e.g., 7zip.exe, Notepad++.exe)
- In Endpoint DLP rules, reference the group: "When a file matching the policy is accessed by an app in [group name] -> Block/Audit/Override"
Similarly, you can define:
- Allowed cloud services: Domains that are allowed for upload even if the policy would otherwise block
- Sensitive service domains: Upload to these domains generates an audit event even if not blocked
This gives granular control over WHICH applications are allowed to access protected files.
See more: Data Loss Prevention
Question 9 (MEDIUM)
What is just-in-time protection in Microsoft Purview Endpoint DLP?
Just-in-time (JIT) protection in Endpoint DLP addresses the gap between policy assignment and full propagation:
- Normally, policy propagation can take time (especially across many devices)
- JIT protection activates baseline restrictions (audit + block key exfiltration activities) immediately, even before the full DLP policy propagates to the device
- Ensures sensitive content is protected from the moment the device is targeted
JIT is configured per DLP policy in the Endpoint DLP settings. It provides an immediate security blanket while the full policy propagates normally.
See more: Data Loss Prevention
Question 10 (EASY)
What are the DLP roles required to create and manage DLP policies in Microsoft Purview?
DLP management roles in Microsoft Purview:
- DLP Compliance Management: Can create/edit/delete DLP policies and view DLP reports
- Compliance Administrator: Includes DLP management plus sensitivity labels, retention, etc.
- Global Administrator: All permissions
For read-only access:
- Compliance Data Investigation: Can view DLP alerts and reports but not modify policies
- View-Only DLP Compliance Management: Read-only access to DLP policies
Best practice: Use the least privileged role; assign DLP Compliance Management to DLP policy managers rather than full Compliance Administrator.
See more: Data Loss Prevention
Question 11 (MEDIUM)
What is a Microsoft Defender for Cloud Apps file policy and how does it relate to DLP?
Defender for Cloud Apps file policies extend DLP-like protections to SaaS apps connected via Defender for Cloud Apps connectors:
- Scan files already stored in connected apps (Box, Google Workspace, Salesforce, GitHub, etc.)
- Conditions: SIT matches, sensitivity label, file shared publicly, file owned by specific user
- Actions: Quarantine file, remove public link, apply sensitivity label (if Purview integration is enabled), notify user or admin, revoke collaborator access
This complements Microsoft Purview DLP (which covers Microsoft 365 workloads) by extending protection to the broader cloud app ecosystem.
See more: Data Loss Prevention
Question 12 (EASY)
In DLP, what is an "incident report" and who receives it?
DLP incident reports are email notifications sent to admins when a rule match occurs:
- Configured in the "Incident reports" section of each DLP rule
- Specify email recipients (can include distribution groups)
- Configure severity level: Low, Medium, High
- Choose what to include in the report: service/location, policy/rule name, matched user, content details
- Can aggregate multiple rule matches into a single notification (to reduce email noise)
Incident reports appear on the DLP alerts page in the Purview compliance portal AND can trigger Microsoft Sentinel rules or Power Automate flows via the alerts API.
See more: Data Loss Prevention
Question 13 (MEDIUM)
What is the role of Microsoft Defender for Endpoint (MDE) integration with Endpoint DLP?
Endpoint DLP and Microsoft Defender for Endpoint share the same onboarding pipeline:
- When a device is onboarded to MDE (via Intune, SCCM, GP, or local script), it's simultaneously available for Endpoint DLP
- This means organizations already using MDE for security can immediately start using Endpoint DLP without additional agent deployment
- The MDE agent provides file activity telemetry for DLP policy enforcement
- Devices appear in both the Defender portal and the Purview compliance portal (Endpoint DLP devices list)
This unified agent approach significantly reduces deployment complexity.
See more: Data Loss Prevention
Question 14 (MEDIUM)
In a DLP policy for Teams, what does "internal" vs "external" sharing mean?
In DLP policies with the Microsoft Teams location:
- Internal only: DLP rule applies when content matches and the message is between users within your organization only
- Internal and external: DLP rule also applies to Teams messages with external guests or federated partner users
This distinction allows policies to be stricter for external sharing (block with policy tip) while being less restrictive (audit only) for internal sharing of the same sensitive content.
Teams DLP covers both 1:1 chats and channel messages, including file attachments sent via Teams.
See more: Data Loss Prevention
Question 15 (EASY)
What is a DLP test mode (simulation mode) when creating a new policy?
DLP test/simulation mode (also called "read-only" or "audit" mode when first creating a policy):
- Policy evaluates content matches and generates DLP alerts and Activity Explorer entries
- No user-facing policy tips or notifications appear
- No content is blocked or restricted
- Admins can review matches in the compliance portal to assess accuracy/coverage
New DLP policies default to this mode. After reviewing test results, admins switch the policy to "Turn on" (enforce) mode. This prevents unexpected blocking of legitimate business activities during initial deployment.
See more: Data Loss Prevention
Question 16 (HARD)
A DLP policy for SharePoint has two rules: Rule 1 (priority 0) matches "any SIT with high confidence" and blocks sharing; Rule 2 (priority 1) matches "Credit Card Number SIT" and also blocks sharing but with a user override option. A document with a credit card number is detected. Which rule applies?
Rule precedence within a policy:
- Rule 1 (priority 0) is the HIGHEST priority; it evaluates first
- If Rule 1 matches AND includes "Stop processing more rules" -> only Rule 1's action applies (block, no override)
- If Rule 1 does NOT include "Stop processing more rules" -> Rule 2 is also evaluated, but Rule 1's more restrictive action (block) typically overrides Rule 2's less restrictive action (block with override)
In practice, when both rules match and actions conflict, the more restrictive action wins. The user would be blocked without an override option (from Rule 1).
Best practice: Always consider rule ordering carefully when mixing block/override actions.
See more: Data Loss Prevention
Question 17 (MEDIUM)
What is the Activity Explorer in Microsoft Purview and how does it relate to DLP?
Activity Explorer (Microsoft Purview compliance portal -> Data Classification -> Activity Explorer) provides a timeline view of activities on labeled content:
- DLP rule matches and overrides
- Label applied, changed, removed (by user or auto-labeling)
- File copy to USB, cloud upload, print events (from Endpoint DLP)
- Discoverable via filters: date range, activity type, user, location, label
It shows up to 30 days of activity and is useful for:
- Investigating specific incidents
- Assessing DLP policy effectiveness
- Identifying users who override policies frequently
See more: Data Loss Prevention
Question 18 (MEDIUM)
What is a DLP "user override" and what information is captured when a user overrides a policy?
DLP policy override workflow:
1. User attempts an action (sharing a file, sending email) that triggers a DLP rule with "block with override"
2. User sees a policy tip with an override option
3. User selects a business justification reason and/or enters free text
4. The action proceeds (content is shared/sent)
5. Override event is logged with: user identity, timestamp, justification text, content details
This data appears in Activity Explorer and DLP alerts. Frequent overrides may indicate a policy is too restrictive or users need more training.
Admins can also require a false positive report instead of a justification ("This content is not sensitive").
See more: Data Loss Prevention
Question 19 (MEDIUM)
Which Insider Risk Management risk levels can be used as conditions in Adaptive Protection DLP rules?
Adaptive Protection risk levels from Insider Risk Management:
- Elevated Risk: Highest concern; user shows multiple risk indicators (data download + exfiltration patterns, HR termination signal, etc.)
- Moderate Risk: Some risk indicators present
- Minor Risk: Minor risk signals
In Adaptive Protection DLP rules, you can create different rule actions per level:
- Minor Risk users -> Audit only (log the activity)
- Moderate Risk users -> Show policy tip, allow override
- Elevated Risk users -> Block action entirely, no override
DLP rules using these conditions are maintained automatically: when a user's IRM risk level changes, their applicable DLP restrictions change automatically.
See more: Data Loss Prevention
Question 20 (MEDIUM)
What is the purpose of configuring "allowed cloud services" in Endpoint DLP settings?
Endpoint DLP cloud service domain settings in Purview:
- Allowed cloud services: Domains listed here are PERMITTED for file upload even if Endpoint DLP policies would otherwise block/restrict cloud uploads. Use for approved corporate cloud storage (e.g., company SharePoint, Box corporate account).
- Unallowed cloud services: Domains that are explicitly blocked or audited.
- Sensitive service domains: Domains where upload generates an audit event even if not blocked.
Example: Block upload to personal storage (dropbox.com, personal.onedrive.com) but allow upload to corporate storage (company.sharepoint.com).
See more: Data Loss Prevention
Question 21 (MEDIUM)
Can DLP policies in Microsoft Purview detect content in Teams meeting recordings?
Teams DLP scanning scope:
- Teams chat and channel messages: Scanned in real time by DLP (text content + file attachments)
- Meeting recordings: Stored as video files in SharePoint/OneDrive; the underlying video files can be subject to DLP policies for SharePoint/OneDrive, but the video content itself is not transcribed and scanned for SIT patterns in real time
- Meeting chat: Scanned like regular Teams chat
DLP protects the files stored from meetings, but real-time audio/video content cannot currently be scanned for sensitive information during live meetings.
See more: Data Loss Prevention
Question 22 (EASY)
What happens when a DLP policy matches an email sent from Exchange Online to an external recipient?
Exchange DLP actions available in rules:
- Block the email: Sender receives an NDR (Non-Delivery Report)
- Block with notification: Blocked + user sees a policy tip before sending (Outlook only)
- Send email notification to admin: Creates an incident report
- Encrypt email: Applies OME encryption to the message
- Restrict access: Modify permissions (e.g., change to internal only)
- Override with justification: User can bypass by entering a reason
DLP for Exchange evaluates content BEFORE delivery; it intercepts the message in transport.
See more: Data Loss Prevention
Question 23 (MEDIUM)
What is the purpose of the "instance count" condition in a DLP policy rule?
Instance count is a key tuning mechanism for DLP rules:
- Min count = 1 (any occurrence triggers the rule): catches even single instances of a SIT
- Min count = 5 (only trigger if 5 or more instances are found): avoids alerting on documents with one accidental credit card number; targets bulk data exfiltration
Example use:
- Rule 1 (priority 0): 5+ credit card numbers -> Block + alert (bulk theft scenario)
- Rule 2 (priority 1): 1-4 credit card numbers -> Policy tip only (lower risk)
This layered approach provides proportional responses based on volume.
See more: Data Loss Prevention
Question 24 (MEDIUM)
What is the difference between DLP alerts in the Microsoft Purview compliance portal and DLP alerts in the Microsoft 365 Defender portal?
DLP alerts are surfaced in both portals:
- Microsoft Purview compliance portal (Data loss prevention -> Alerts): Compliance team view; shows policy name, matched content, user, action taken. Used by compliance officers for policy tuning.
- Microsoft Defender XDR portal (Incidents & alerts): Security team view; DLP alerts correlate with other signals (MDE threat events, identity alerts, cloud app alerts) to build complete incident timelines. Used by SOC analysts.
This dual-portal approach serves both compliance and security teams with their relevant context.
See more: Data Loss Prevention
Question 25 (HARD)
An organization wants to apply stricter DLP controls to employees who are currently under investigation for potential data theft, without manually updating DLP policies each time a new employee is flagged. What is the best approach?
Adaptive Protection is the ideal solution for this scenario:
1. An IRM policy triggers when a user exhibits data exfiltration risk signals (downloads + external sharing patterns, HR termination event, etc.)
2. IRM assigns "Elevated Risk" to the user automatically
3. A pre-configured Adaptive Protection DLP rule targeting "Elevated Risk" users automatically activates stricter controls (block USB copy, block cloud upload) for that user
4. When the investigation concludes and risk signals are resolved, the IRM risk level drops and stricter controls relax automatically
No manual DLP policy updates are needed. Controls scale automatically with user risk.
See more: Data Loss Prevention
