

SC-401 Practice Test 5 | Microsoft Information Security Administrator | JavaInUse

SC-401 Microsoft Information Security Administrator - Practice Test 5

Question 1 (EASY)
What are the two tiers of Microsoft Purview Audit?
Microsoft Purview Audit has two tiers: Audit (Standard) - included with Microsoft 365 E3/Business Premium, retains logs for 90 days; and Audit (Premium) - requires E5 or add-on, retains logs up to 1 year (extendable to 10 years with add-on) and includes high-value events like MailItemsAccessed and intelligent insights.
Question 2 (MEDIUM)
Which Audit (Premium) event logs when a user reads or accesses items in a mailbox, helping investigators determine which emails a compromised account accessed?
MailItemsAccessed is a key Audit (Premium) event. It records every time mail data is accessed by a mail protocol or mail client, enabling incident responders to determine exactly which emails a threat actor read during a breach. It requires an E5 license or Audit (Premium) add-on.
Question 3 (MEDIUM)
How long does Audit (Standard) retain audit log records by default (as of recent Microsoft updates)?
Microsoft extended Audit (Standard) retention from 90 days to 180 days for E3 and higher licenses. Audit (Premium) extends this to 1 year default, and with the 10-Year Audit Log Retention add-on, records can be retained for up to 10 years. This change was part of Microsoft's response to security community feedback after high-profile incidents.
Question 4 (MEDIUM)
An investigator needs to search audit logs for activities performed by a specific user across Exchange, SharePoint, and Azure AD. Which tool should they use?
The Audit search in the Microsoft Purview compliance portal (compliance.microsoft.com) is the primary tool for searching unified audit logs across Microsoft 365 services including Exchange, SharePoint, OneDrive, Teams, and Azure AD. Investigators can filter by date range, user, activity type, and IP address. Results can be exported to CSV for further analysis.
Question 5 (EASY)
What is the primary purpose of Content Search in Microsoft Purview?
Content Search is a Microsoft Purview eDiscovery tool that lets you search for email messages, documents, Teams conversations, and other content across Exchange Online, SharePoint, OneDrive, and Teams. Results can be previewed and exported. It is typically used as a standalone search tool without a full case structure (unlike eDiscovery Standard or Premium).
Question 6 (MEDIUM)
What is the key difference between eDiscovery (Standard) and eDiscovery (Premium) in Microsoft Purview?
eDiscovery (Premium) extends Standard by adding: custodian management (legal holds tied to specific people), review sets (staged collections for analysis), advanced analytics (near-duplicate detection, email threading, themes, predictive coding/relevance tagging), and the ability to process non-M365 data. eDiscovery (Premium) requires E5 licensing.
Question 7 (HARD)
In eDiscovery, what is a "legal hold" and what does placing a custodian on legal hold do?
A legal hold (also called a preservation hold) placed on a custodian in eDiscovery preserves all their content - mailbox items, OneDrive files, and SharePoint sites - regardless of any retention or deletion policies. Items that would normally be deleted are moved to a hidden Recoverable Items folder and preserved. This ensures evidence is not destroyed during litigation or investigation. Unlike a retention policy, a legal hold is indefinite until removed.
Question 8 (MEDIUM)
What is DSPM for AI (Data Security Posture Management for AI) in Microsoft Purview?
DSPM for AI (Data Security Posture Management for AI) is a Microsoft Purview capability that provides visibility into how AI tools - particularly Microsoft 365 Copilot - are interacting with sensitive data. It surfaces insights like: which sensitive data labels appear in Copilot interactions, risky AI usage patterns, and data oversharing risks. It helps organizations understand their AI data security posture and take action through policies in Information Protection, DLP, and Communication Compliance.
Question 9 (HARD)
A security admin wants to prevent Microsoft 365 Copilot from summarizing a SharePoint document library that contains highly confidential financial projections. What is the most appropriate control?
Microsoft 365 Copilot respects sensitivity labels and user permissions - it can only access content that the user running Copilot is authorized to see. Applying a sensitivity label with restrictive permissions (for example, limiting access to specific users or groups) and ensuring the document library is not broadly shared prevents Copilot from grounding responses in that content. DSPM for AI helps identify oversharing risks that could expose data through Copilot interactions.
Question 10 (MEDIUM)
What does the "AI sites" policy feature in Microsoft Purview help administrators control?
The AI sites policy in Microsoft Purview (part of DSPM for AI) helps administrators identify and govern SharePoint sites that are frequently used as data sources in AI interactions. It provides visibility into data exposure risks and allows admins to set policies to restrict which sites AI tools can access, reducing the risk of sensitive data being inadvertently surfaced through AI-generated responses.
Question 11 (MEDIUM)
Which role is required in Microsoft Purview to search the audit log and view audit results?
To search the audit log in Microsoft Purview, a user must have the View-Only Audit Logs or Audit Logs role assigned in the Microsoft Purview compliance portal. The Audit Logs role allows both searching and exporting; View-Only Audit Logs allows searching and viewing only. These roles can be assigned via custom role groups. Global Administrator and Compliance Administrator have these roles by default.
Question 12 (HARD)
A compliance team needs to retain audit logs for 7 years to satisfy financial industry regulations. Which configuration achieves this in Purview Audit?
Audit (Premium) supports custom audit log retention policies that can extend retention beyond the default 1-year period. The 10-Year Audit Log Retention add-on license (per-user) is required to create policies that retain logs for up to 10 years. Without the add-on, the maximum is 1 year. Retention policies in Purview Audit are configured at the workload level (e.g., Exchange, SharePoint) and activity type level, not at a file storage level.
Question 13 (MEDIUM)
What Purview tool provides interactive reports showing data classification activity - such as files labeled, label changes, and DLP policy matches - across Microsoft 365?
Activity Explorer (under Data Classification in Purview) provides a timeline view of classification-related activities including: label applied/changed/removed, file created/modified/deleted, DLP policy matches, and endpoint activities. It retains up to 30 days of activity data. Content Explorer shows what data exists (current state of labeled/classified content), while Activity Explorer shows what happened (event history).
Question 14 (MEDIUM)
Which built-in role in Microsoft Purview specifically allows a user to view and manage DLP policy alerts without having access to all compliance settings?
The DLP Compliance Management role in Microsoft Purview allows users to view and manage DLP policies and alerts. For alert management specifically, the role grants access to the DLP Alerts dashboard without requiring full Compliance Administrator access. Organizations typically assign this to data protection analysts or SOC team members who investigate DLP alerts but should not modify broader compliance settings.
Question 15 (HARD)
An organization receives a regulatory request to produce all emails and Teams messages between two specific employees from the past 2 years, excluding documents. What is the most efficient approach using Microsoft Purview?
eDiscovery (Standard) is the right tool for this scenario. The workflow is: (1) Create a case to organize the investigation, (2) Add custodians (the two users) - optionally placing them on legal hold, (3) Run a content search scoped to Exchange and Teams, date-filtered to the past 2 years, and scoped to those two users, (4) Preview results to verify, (5) Export the results. Audit Search shows activity metadata (who did what) but not the actual email content - it cannot produce email messages for review.
Question 16 (MEDIUM)
In Microsoft Purview Insider Risk Management, what is the purpose of the "forensic evidence" feature?
Forensic evidence in Insider Risk Management captures visual screen recordings (clips) of user activity on Windows devices when triggered by risk indicators. This helps investigators see exactly what a user did - for example, which application they used to copy sensitive data. It requires explicit opt-in through an insider risk policy with forensic evidence settings enabled, is subject to privacy controls, and requires users to acknowledge monitoring in some configurations. It is available only in IRM Premium (E5 or add-on).
Question 17 (MEDIUM)
What happens when Adaptive Protection in Microsoft Purview elevates a user to "Elevated risk" level based on their Insider Risk Management score?
Adaptive Protection integrates IRM risk signals with DLP policies. When a user's IRM risk level is elevated to High/Elevated, DLP policies that are configured with Adaptive Protection conditions automatically apply stricter actions to that user - for example, blocking USB device uploads that might otherwise only be audited. The user remains unaware of their risk classification by default. This dynamic approach reduces false positives by only applying restrictive controls when actually warranted by behavioral signals.
Question 18 (EASY)
What is the default retention period for audit logs in Exchange Online when Audit (Premium) is NOT licensed?
As of September 2023, Microsoft extended the default Audit (Standard) retention for mailbox audit log records from 90 days to 180 days for E3 and higher licenses. This applies to both mailbox audit logs and the unified audit log for users with E3. User mailbox auditing is on by default and generates records for actions like MessageBind, Send, and Move. The 90-day period was the historic default, but 180 days is now correct for the SC-401 exam.
Question 19 (HARD)
A compliance analyst notices that Microsoft 365 Copilot is generating responses that include content from a SharePoint site labeled "Highly Confidential - Legal". The analyst wants to understand the scope of sensitive data exposed in Copilot interactions over the past 30 days. Which Purview feature provides this insight?
DSPM for AI (Data Security Posture Management for AI) in Microsoft Purview provides an insights dashboard specifically designed to surface AI-related data risks. It shows which sensitivity labels appear in Copilot interactions, which users and apps are involved, and surfaces oversharing risks. This is the targeted tool for understanding AI data exposure. Content Explorer shows what classified content exists (not AI-specific). Audit Search can show Copilot activity events but lacks the AI-specific sensitivity insights of DSPM for AI.
Question 20 (MEDIUM)
Which Microsoft Purview tool lets you see a current snapshot of where all labeled and sensitive data resides across Exchange, SharePoint, OneDrive, and Teams?
Content Explorer (under Data Classification in Microsoft Purview) provides a current snapshot of the labeled and sensitive data estate. You can drill down by label, sensitive information type, and location to see exactly which items are classified and where. It requires the Content Explorer List Viewer or Content Explorer Content Viewer roles. Activity Explorer shows the historical activity (what happened), while Content Explorer shows the current state (what exists and where).
Question 21 (MEDIUM)
When configuring Communication Compliance in Microsoft Purview to detect potential data exfiltration attempts in Teams messages, which type of classifier would detect messages containing credit card numbers being sent externally?
Sensitive Information Types (SITs) are the appropriate tool for detecting structured data patterns like credit card numbers. The built-in Credit Card Number SIT uses a regex pattern combined with a Luhn algorithm check to validate that detected numbers are mathematically valid card numbers - significantly reducing false positives. Communication Compliance policies can reference SITs to detect regulated data in Teams, Exchange, and Viva Engage communications.
Question 22 (HARD)
A user receives an encrypted email using Microsoft Purview Message Encryption. The user is external and does not use Office 365. How do they typically access the message?
When a Microsoft Purview Message Encryption email (formerly Office 365 Message Encryption / OME) is sent to an external recipient outside Office 365, the recipient gets a wrapper email with a "Read the message" link. They are redirected to the OME portal, where they can authenticate using their Microsoft account, Google account, Yahoo account, or a one-time passcode sent to their email. After authentication, they can read the protected message in the browser. No special software is required.
Question 23 (MEDIUM)
What is the function of the Microsoft Purview Compliance Manager?
Compliance Manager is a Microsoft Purview dashboard that: calculates a Compliance Score based on how well your Microsoft 365 configuration meets regulatory requirements; maps assessment controls to frameworks like GDPR, HIPAA, ISO 27001, NIST CSF, and SOC 2; and tracks improvement actions with step-by-step guidance. It does not automatically fix issues - it provides assessments and action items for administrators to implement. It helps organizations understand their regulatory posture across multiple compliance frameworks simultaneously.
Question 24 (HARD)
A DLP policy is configured to block sharing of documents with "Highly Confidential" sensitivity labels via email. A user tries to email such a document and receives a policy tip asking to justify the action. The user provides a business justification and the email is sent. What happened?
DLP policies can be configured with user override permissions: "Override the rule automatically" (no justification needed) or "Allow override if they provide a business justification." When the latter is configured, users who provide a justification can send the email/file, but the action is logged in DLP reports and can trigger alerts for review. This balances security with business productivity. The override justification text is captured in the DLP match report, allowing compliance teams to audit override patterns.
Question 25 (MEDIUM)
Which of the following best describes the relationship between Insider Risk Management (IRM) and Microsoft Defender for Endpoint (MDE) in an SC-401 context?
Microsoft Defender for Endpoint (MDE) integration with Insider Risk Management allows IRM to receive endpoint signals from MDE-managed devices. These signals - such as a user copying files to a USB drive, uploading to an unsanctioned cloud app via browser, or printing sensitive documents - are ingested by IRM as risk indicators. This enriches the IRM risk score with device-level behavior. The integration is configured through the Insider Risk Management settings (Enable Microsoft Defender for Endpoint integration). Note: device onboarding to MDE is a prerequisite for these endpoint signals to flow into IRM.
