SC-401 Microsoft Information Security Administrator - Practice Test 4
Question 1 (EASY)
What is the difference between a retention label and a retention policy in Microsoft Purview?
Key distinction:
- Retention labels: Applied to specific items (files, emails) - either manually by users, published via label policy, or via auto-apply. The label travels with the item. Labels can declare items as records. Can trigger disposition review at end of retention.
- Retention policies: Applied broadly to container locations (entire Exchange mailbox, entire SharePoint site, all OneDrive accounts). No per-item labeling. Cannot declare records.
Both can retain content, delete content, or retain then delete. An item can have BOTH a retention label (for specific retention) and also be covered by a retention policy (organization-wide baseline).
See more: Retention Management
Question 2 (MEDIUM)
What are adaptive scopes in Microsoft Purview retention policies and what advantage do they provide?
Adaptive scopes vs static scopes:
- Static scopes: You manually specify exact mailboxes, sites, or OneDrive accounts. Must be updated manually when org structure changes.
- Adaptive scopes: Defined by a query on Azure AD attributes (Department = "Legal", Title contains "Manager") or SharePoint site properties. Three scope types:
  - User/mailbox scope: Based on Azure AD user properties
  - SharePoint site scope: Based on site template or custom properties
  - Microsoft 365 Group scope: Based on group properties
Adaptive scopes update daily - new users matching criteria are automatically included. Advantage: No manual policy updates needed when organizational changes occur.
See more: Retention Management
Question 3 (MEDIUM)
When both a retention label and a retention policy apply to the same item, which retention period takes precedence?
The "most restrictive retention wins" principle:
- An item that would be retained for 7 years by a label but only 1 year by a policy -> Kept for 7 years
- An item that would be deleted after 1 year by a policy but kept forever by a label -> Kept forever
The content is NEVER deleted while any active retention label or policy requires it to be kept. Deletion happens only when ALL applicable retention requirements are satisfied.
This is called the "Preservation Lock" principle. It applies across all combinations of retention labels and policies.
See more: Retention Management
Question 4 (EASY)
What is disposition review in Microsoft Purview retention?
Disposition review is a feature of retention labels (not retention policies):
1. When the retention label's period expires, instead of auto-deleting, the content enters a "review" queue
2. Designated reviewers (configured in the label) receive email notifications
3. Reviewers go to the Purview compliance portal -> Records management -> Dispositions
4. For each item they can: Delete it, extend retention, re-apply a label, or trigger another review stage
Supports multi-stage reviews (e.g., reviewing manager approves, then legal approves before deletion). Provides an audit trail of all disposition decisions.
See more: Retention Management
Question 5 (MEDIUM)
What is auto-apply retention labeling and what conditions can trigger it?
Auto-apply retention label policies supported conditions:
- Content contains specific sensitive information types (SITs)
- Content contains specific words, phrases, or matching regex
- Content is classified by a trainable classifier
- SharePoint document properties match (for organization-specific metadata)
- Cloud attachments: labels applied to SharePoint/Teams files that are shared as cloud attachments in Teams messages
Auto-apply policies scan content in: Exchange mailboxes, SharePoint sites, OneDrive accounts, Teams messages. The policy runs as a background service and can affect millions of items. Unlike published labels (manual), auto-apply requires no user action.
See more: Retention Management
Question 6 (EASY)
What is the difference between "Retain and then delete," "Retain only," and "Delete only" retention actions?
Retention action options:
- Retain and then delete: Content is preserved for the retention period; after expiry, it is deleted. Protects against premature deletion AND ensures cleanup.
- Retain only: Content is preserved indefinitely. Never deleted by this setting. Useful for regulatory "freeze" without specifying an end date.
- Delete only: After the period, delete content that is NOT retained by another label/policy. Does NOT prevent users from manually deleting content during the period - it only ensures eventual deletion of old content.
Note: A "Delete only" policy CANNOT override a "Retain" label or policy. Most restrictive wins.
See more: Retention Management
Question 7 (MEDIUM)
What roles are needed to manage Insider Risk Management policies in Microsoft Purview?
Insider Risk Management has specialized role groups:
- Insider Risk Management: Full access to all IRM features (create policies, view alerts, manage cases)
- Insider Risk Management Admin: Create/manage policies and settings but not view alerts
- Insider Risk Management Analysts: View alerts and cases without accessing actual content
- Insider Risk Management Investigators: View alerts, cases, AND actual content (for investigation)
- Insider Risk Management Auditors: View all IRM audit logs only
This separation of duties ensures that policy makers, investigators, and auditors each have only the access they need: investigators need access to actual user content, while analysts only need metadata.
See more: Insider Risk Management
Question 8 (EASY)
What are IRM policy templates in Microsoft Purview Insider Risk Management?
IRM policy templates provide a starting point for common insider risk scenarios:
- Data theft by departing users: Triggered by HR resignation signals + unusual download activity
- General data leaks: Exfiltration indicators without specific user trigger
- Data leaks by priority users: Same but scoped to "priority users" (executives, finance staff)
- Security policy violations by departing/disgruntled users: Endpoint policy violations
- Patient data misuse: Healthcare-specific indicators
- Browser-based signal patterns: Risky browsing behaviors
- Offensive language in communications: Communication compliance-based signals
Each template pre-selects relevant risk indicators and sets default thresholds. Admins customize from this starting point.
See more: Insider Risk Management
Question 9 (MEDIUM)
What is an IRM connector and what does the HR connector do?
Microsoft Purview data connectors import signals from external systems:
HR connector: Imports CSV files from HR systems with fields like:
- Resignation date, Last day of work
- Performance improvement plan trigger date
- Job level change, Involuntary termination
When the HR connector fires a "resignation" event for a user, IRM policies that use the "Data theft by departing users" template begin monitoring that user's activities more closely.
Other IRM-relevant connectors:
- Healthcare EHR systems (patient data misuse template)
- Physical badging data (suspicious after-hours access patterns)
- Communication compliance signals
See more: Insider Risk Management
Question 10 (MEDIUM)
What is forensic evidence in Microsoft Purview Insider Risk Management?
Forensic evidence (visual evidence capture) in IRM:
- Records short screen clips of user activity on Windows devices when IRM risk activity occurs
- Captures desktop screenshots at configurable intervals during high-risk activity
- Stored in a dedicated Azure Storage account in your tenant
- Requires explicit admin approval before capture starts for any device
- Privacy controls: Only Insider Risk Management Investigators can view forensic evidence
- Supports global settings (capture everything IRM detects) or specific indicators
- Helps investigators understand WHAT the user was doing during flagged activity
Requires Microsoft 365 E5 or Insider Risk Management premium add-on.
See more: Insider Risk Management
Question 11 (EASY)
What is the purpose of IRM notice templates and when are they used?
IRM notice templates are email templates that investigators can send to users from within a case:
- Created in IRM Settings -> Notice templates
- Customizable: Subject, body text, sender name, footer
- Common uses: Send a "policy reminder" notice to users who appear to have violated policy (a gentle warning), or initiate HR process communications
When an investigator sends a notice from a case, it is logged in the case timeline as an action taken. Notice templates support variable substitution (e.g., user name, case ID).
See more: Insider Risk Management
Question 12 (MEDIUM)
What are IRM policy indicators and how are risk scores calculated?
IRM calculates a user risk score based on policy indicators:
- Each policy has selected risk indicators (chosen during policy creation from the template)
- Indicators are weighted - high-severity activities (bulk SharePoint download) contribute more to the score than low-severity (single email with attachment)
- Scores accumulate over a moving time window
- When a user's risk score reaches the alert threshold, an IRM alert is generated
Admins can configure:
- Which indicators are active
- Indicator weights ("use built-in thresholds" or "use custom activity thresholds")
- Alert threshold (minimum score to generate an alert)
See more: Insider Risk Management
Question 13 (MEDIUM)
What happens when an IRM alert is escalated to a case?
Escalating an IRM alert to a case creates a rich investigation workspace:
- User activity timeline: Chronological view of all flagged activities
- Content explorer: View actual files/emails involved (requires Investigator role)
- Forensic evidence: Screen captures (if enabled)
- Notes tab: Internal investigation notes
- User activity report: Additional behavioral context
- Send notice: Send warning/reminder using notice templates
- Create eDiscovery case: Link to a Purview eDiscovery case for legal hold
- Settings: Resolve case (with action taken: dismissed, resolved, escalated to HR/Legal)
All case actions are audit-logged for accountability.
See more: Insider Risk Management
Question 14 (EASY)
What is the retention start date for a retention label set to start from "Event" type?
Event-based retention is a powerful feature:
- Retention label configured: "Retain for 7 years from [Event: Employee Departure]"
- Employee files are labeled with this retention label now (they're being retained)
- When the employee departs, an admin or automated process triggers the event (manually in Purview or via the Microsoft Graph retention events API)
- The 7-year clock starts from the event trigger date
- Until the event occurs, the content is retained indefinitely
Use cases: Employee records, product documentation (retention starts when product retired), contract files (retention starts when contract ends).
See more: Retention Management
Question 15 (MEDIUM)
What is Preservation Lock on a retention policy and when is it used?
Preservation Lock satisfies financial regulations (SEC Rule 17a-4, CFTC, FINRA) that require immutable electronic storage:
- Once enabled, even Global Admins cannot delete the policy or reduce retention periods
- Retention period can only be increased, not decreased
- Policy cannot be disabled
- WARNING: This is irreversible - once locked, it cannot be unlocked
Used specifically for: Financial services, healthcare, and regulated industries that must demonstrate to regulators that records cannot be tampered with or deleted before the mandated retention period.
See more: Retention Management
Question 16 (MEDIUM)
What does "declaring an item as a record" via a retention label do?
Records declaration via retention labels creates immutable records:
- Regular record: Users cannot delete the item, but can still edit it (in-place record). Deletion is blocked during retention period.
- Regulatory record: Users cannot delete OR edit the item during the retention period. Even more restrictive.
Items declared as records:
- Show the "Record" label in SharePoint/Teams
- Cannot be deleted (even by admins, unless through special procedures)
- At end of retention, must go through disposition review before deletion
- Audit trail of all attempts to modify/delete
Use records declaration for: legally required documents, contracts, regulatory filings.
See more: Retention Management
Question 17 (MEDIUM)
What does the IRM "Policy Lookup" feature let admins do?
Policy Lookup in IRM (a similarly named feature also exists in retention):
- IRM context: Lets admins enter a specific user's email address to see which IRM policies cover that user, their current risk score, and recent flagged activities. Useful for proactive checks.
- Retention context: In Purview Records Management -> Policy Lookup, lets admins enter a specific file/email URL to see which retention labels and policies currently apply to that item, and what the calculated retention outcome is.
The retention Policy Lookup is particularly valuable for troubleshooting: "Why is this file not being deleted?" or "What retention period applies to this specific document?"
See more: Insider Risk Management
Question 18 (MEDIUM)
What are the three types of adaptive scope targets available in Microsoft Purview retention?
Adaptive scope types and their query attributes:
- Users/Mailboxes: Query Azure AD user attributes - Department, Country, Title, Custom extension attributes, etc. Example: Department = "Legal" -> includes all Legal mailboxes, refreshed daily.
- SharePoint sites: Query SharePoint site properties - site template type (Team site, Communication site), custom SharePoint site columns. Example: Custom column "BusinessUnit" = "Finance" -> all Finance SharePoint sites.
- Microsoft 365 Groups: Query Azure AD group attributes - group type, custom extension attributes.
Each scope type applies to: Users -> Exchange mailboxes + OneDrive; Sites -> SharePoint; Groups -> M365 Group mailbox + SharePoint site.
See more: Retention Management
Question 19 (EASY)
What is the role of Defender for Endpoint integration in Microsoft Purview Insider Risk Management?
Microsoft Defender for Endpoint integration with IRM:
- MDE collects endpoint file activity on onboarded devices
- This data flows to IRM as risk indicators: File copied to USB, file renamed and emailed, browser-based upload to cloud storage, process execution patterns
- IRM uses these signals in risk score calculation
- Without MDE integration, IRM cannot see endpoint file activities - only cloud service (SharePoint, Exchange) activities
This is why endpoint onboarding is important for comprehensive insider risk coverage: cloud activities alone miss what happens on local devices.
See more: Insider Risk Management
Question 20 (EASY)
What happens to content in Exchange mailboxes when a retention policy is applied?
Exchange retention mechanism:
- Users can still delete emails normally - they see normal delete behavior
- When a retention policy covers the mailbox, deleted items are preserved in the Recoverable Items folder (hidden from users)
- Specifically: in the "Holds" or "DiscoveryHolds" subfolder in Recoverable Items
- Items remain there until the retention period expires
- Even if a user "permanently deletes" items (Shift+Delete or empties Recoverable Items), the compliance hold prevents actual deletion
This is transparent to users - they don't see the preserved copies. But eDiscovery and legal holds can access them.
See more: Retention Management
Question 21 (MEDIUM)
In Microsoft Purview Insider Risk Management, what does user anonymization do?
User anonymization is an optional IRM privacy control:
- When enabled: IRM alerts, user activity data, and cases show pseudonyms (generated consistently per user - "User1234")
- This prevents unconscious bias during initial alert triage - analysts assess risk based on behavior, not identity
- When an analyst/investigator decides the case warrants formal investigation, they can access actual identity details
- De-anonymization is logged in audit logs (who accessed real identity, when)
This feature helps balance IT security investigations with employee privacy rights - particularly important in Europe (GDPR) and other jurisdictions with employee privacy protections.
See more: Insider Risk Management
Question 22 (MEDIUM)
What is the difference between IRM "priority users" and standard users in Insider Risk Management policies?
Priority user groups in IRM:
- Created by IRM administrators specifically for users posing higher risk (based on their access privileges, not their behavior)
- Policy templates like "Data leaks by priority users" apply to these groups
- Multiplier effect: The same activity (e.g., SharePoint bulk download) generates a higher risk score when performed by a priority user than a standard user
- Rationale: An executive exfiltrating data is potentially more harmful than a junior employee
Configure in: IRM Settings -> Priority user groups. Add users/groups like C-suite, Finance leads, IT system admins, Legal partners.
See more: Insider Risk Management
Question 23 (MEDIUM)
What are cumulative exfiltration activities in Microsoft Purview Insider Risk Management?
Cumulative exfiltration risk scoring in IRM uses behavioral baselines:
- IRM learns each user's normal data handling patterns (typical file download volume, email behavior)
- If a user suddenly downloads 10x their typical number of files in a short window, this is flagged as a "cumulative exfiltration" anomaly
- Helps detect users who try to exfiltrate slowly over time to avoid single-action thresholds
This differs from absolute thresholds (e.g., "more than 50 files") - behavioral comparison catches gradual changes that absolute rules miss. Uses machine learning models to establish per-user baselines.
See more: Insider Risk Management
Question 24 (EASY)
What is the default retention period for content in Exchange Online when no retention policy is applied?
By default, Exchange Online has no automatic retention or deletion. Content stays until:
- The user manually deletes it
- The mailbox reaches storage quota (soft limits before archiving)
- An admin deletes the mailbox
Exception: Exchange Online has "Deleted Item Retention" (items in the Deleted Items folder are kept for 14 days by default before being cleaned up), but this is not a compliance retention policy.
For compliance purposes, organizations must explicitly create Microsoft Purview retention policies to ensure appropriate retention and deletion of email content.
See more: Retention Management
Question 25 (HARD)
A company's legal department needs contract files to be retained for exactly 7 years from contract signature date. The signature date is stored as a SharePoint column "ContractDate." How should this be configured?
This is the ideal event-based retention scenario:
1. Create a retention label: "Contract Records" - Retain 7 years - Start from [Event: Contract Signed] - Action: Retain and then delete
2. Create an auto-apply retention label policy: Condition = SharePoint column "DocumentType" = "Contract" (or the presence of the ContractDate column) -> Apply "Contract Records" label
3. Configure event-based trigger: Use the Microsoft 365 REST API (RetentionEvent) to create events that fire on each contract's ContractDate, with the ContractDate value as the event date
4. The retention clock for each document starts from its own specific ContractDate, not a single fixed date
This ensures each contract is retained exactly 7 years from ITS OWN signature date, not the date the label was applied.
See more: Retention Management