Microsoft Role-based SC-400 Questions & Answers

• Question 1:

  You have a Microsoft 365 E5 tenant.

  You create a data loss prevention (DLP) policy.

  You need to ensure that the policy protects documents in Microsoft Teams chat sessions.

  Which location should you enable in the policy?

  A. OneDrive accounts

  B. Exchange email

  C. Teams chat and channel messages

  D. SharePoint sites

  Correct Answer: A

  Documents shared in Team Chats are stored in OneDrive and shared in Channel Chats are stored in SharePoint Sites

• Question 2:

  You have a Microsoft 365 E5 subscription that contains a data loss prevention (DLP) policy named DLP1.

  DLP1 has a rule that triggers numerous alerts.

  You need to reduce the number of alert notifications that are generated. The solution must maintain the sensitivity of DLP1.

  What should you do?

  A. Change the mode of DLP1 to Test without notifications.

  B. Modify the rule and increase the instance count.

  C. Modify the rule and configure an alert threshold.

  D. Modify the rule and set the priority to the highest value.

  Correct Answer: C

  Reference: https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide

• Question 3:

  You have a Microsoft 365 subscription that contains a Microsoft SharePoint Online site named Site1.

  You need to create a data loss prevention (DLP) policy to prevent the sharing of files that contain source code. The solution must minimize administrative effort.

  What should you include in the solution?

  A. an exact data match (EDM) data classification

  B. a sensitive info type that uses a keyword dictionary

  C. a sensitive info type that uses regular expressions

  D. a trainable classifier

  Correct Answer: D

  Explanation:

  Support for trainable classifiers as a condition in your DLP policy

  We are excited to share that you can now use trainable classifiers (out-of-the-box as well as custom) as conditions in your DLP policies to detect and prevent sensitive business contexts (e.g., financial statements, contracts, legal and HR

  documents, etc.) as well as behavioral context data (e.g., discrimination, profanity, and more) from unauthorized use, sharing, or transfer.

  See below for a chart of business content and behavior classifiers supported in DLP policies today. We will be adding additional classifiers to this list in the coming months.

  * Source Code

  detects items that contain a set of instructions and statements written in the top 25 used computer programming languages on GitHub.

  Reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-machine-learning-features-in-microsoft-purview-data/ba-p/3583916

• Question 4:

  You have a Microsoft 365 tenant and 500 computers that run Windows 10. The computers are onboarded to the Microsoft 365 compliance center.

  You discover that a third-party application named Tailspin_scanner.exe accessed protected sensitive information on multiple computers. Tailspin_scanner.exe is installed locally on the computers.

  You need to block Tailspin_scanner.exe from accessing sensitive documents without preventing the application from accessing other documents.

  Solution: From the Microsoft Defender for Cloud Apps, you mark the application as Unsanctioned.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  Explanation:

  Sanctioning/unsanctioning an app

  You can unsanction a specific risky app by clicking the three dots at the end of the row. Then select Unsanction. Unsanctioning an app doesn't block use, but enables you to more easily monitor its use with the Cloud Discovery filters. You can

  then notify users of the unsanctioned app and suggest an alternative safe app for their use, or generate a block script using the Defender for Cloud Apps APIs to block all unsanctioned apps.

  Instead Solution: From the Microsoft 365 Endpoint data loss prevention (Endpoint DLP) settings, you add the application to the unallowed apps list.

  Unallowed apps is a list of applications that you create which will not be allowed to access a DLP protected file.

  Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/governance-discovery#BKMK_SanctionApp

  https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-using?view=o365-worldwide

• Question 5:

  You need to be alerted when users share sensitive documents from Microsoft OneDrive to any users outside your company. What should you do?

  A. From the Microsoft Purview compliance portal, start a data investigation.

  B. From the Microsoft Defender for Cloud Apps portal, create a file policy.

  C. From the Azure Active Directory admin center, configure an Identity Protection policy.

  D. From the Exchange admin center, create a data loss prevention (DLP) policy.

  Correct Answer: B

  Explanation:

  File filters in Microsoft Defender for Cloud Apps

  After you connect an app to Defender for Cloud Apps, integrate with Microsoft Purview Information Protection. Then, in the Files page, filter for files labeled Confidential and exclude your domain in the Collaborators filter. If you see that there

  are confidential files shared outside your organization, you can create a file policy to detect them.

  Incorrect:

  Not D: In Microsoft Purview, you can create a data loss prevention (DLP) policy in two different admin centers:

  In the Microsoft Purview compliance portal, you can create a single DLP policy to help protect content in SharePoint, OneDrive, Exchange, Teams, and now Endpoint Devices. We recommend that you create a DLP policy here.

  (Not D) In the Exchange admin center, you can create a DLP policy to help protect content only in Exchange. This policy can use Exchange mail flow rules (also known as transport rules), so it has more options specific to handling email.

  You can use a Microsoft Purview data loss prevention (DLP) policy to identify, monitor, and protect sensitive information across Office 365. You want people in your organization who work with this sensitive information to stay compliant with

  your DLP policies, but you don't want to block them unnecessarily from getting their work done. This is where email notifications and policy tips can help.

  Reference:

  https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters

  https://learn.microsoft.com/en-us/microsoft-365/compliance/how-dlp-works-between-admin-centers

• Question 6:

  You are creating a data loss prevention (DLP) policy that will apply to all available locations. You configure an advanced DLP rule in the policy. Which type of condition can you use in the rule?

  A. Keywords

  B. Content search query

  C. Sensitive info type

  D. Sensitive label

  Correct Answer: C

• Question 7:

  You plan to implement Microsoft Office 365 Advanced Message Encryption.

  You need to ensure that encrypted email sent to external recipients expires after seven days.

  What should you create first?

  A. a custom branding template

  B. a remote domain in Microsoft Exchange

  C. a mail flow rule

  D. an X.509 version 3 certificate

  E. a connector in Microsoft Exchange

  Correct Answer: A

  Explanation:

  You can only set expiration dates for emails to external recipients.

  With Microsoft Purview Advanced Message Encryption, anytime you apply custom branding, the Office 365 applies the wrapper to email that fits the mail flow rule to which you apply the template. In addition, you can only use expiration if you

  use custom branding.

  Note: Create a custom branding template to force mail expiration by using PowerShell

  Connect to Exchange Online PowerShell with an account that has global administrator permissions in your organization.

  Run the New-OMEConfiguration cmdlet. PowerShell New-OMEConfiguration -Identity "Expire in 7 days" -ExternalMailExpiryInDays 7

  Where:

  Identity is the name of the custom template.

  ExternalMailExpiryInDays identifies the number of days that recipients can keep mail before it expires. You can use any value between 1

• Question 8:

  You have a Microsoft 365 E5 tenant.

  You need to add a new keyword dictionary.

  What should you create?

  A. a trainable classifier

  B. a sensitivity label E3

  C. a sensitive info type

  D. a retention policy

  Correct Answer: C

• Question 9:

  You have a Microsoft 365 tenant that uses Microsoft Exchange Online.

  You need to recover deleted email messages from a user's mailbox.

  Which two PowerShell cmdlets should you use? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Restore-RecoverableItems

  B. Get-MailboxRestoreRequest

  C. Restore-Mailbox

  D. Get-RecoverableItems

  E. Set-MailboxRestoreRequest

  Correct Answer: AD

  Reference: https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-user-mailboxes/recover-deleted-messages

• Question 10:

  A compliance administrator recently created several data loss prevention (DLP) policies.

  After the policies are created, you receive a higher than expected volume of DLP alerts.

  You need to identify which rules are generating the alerts.

  Which DLP report should you use?

  A. Third-party DLP policy matches

  B. DLP policy matches

  C. DLP incidents

  D. False positive and override

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide