View SC-401 Exam Questions

Q: 1

You have a Microsoft J65 E5 subscription that contains a user named User1. All users are assigned Microsoft 365 Copilot licenses. You deploy Microsoft Purview Data Security Posture Management for Al (DSPM for Al). You need to ensure that User1 can analyze prompts and responses for Al interaction events. The solution must follow the principle of least privilege. To which two role groups should you add User1? Each correct answer presents part of the solution. NOTE; Each correct selection is worth one point.

Options

Discussion

Karan T. Mar 1, 2026 9:50 am

Probably C and E here since those two roles let User1 view and drill into the actual content in Content Explorer without giving more than necessary. Least privilege is key for Purview, so not seeing a need for A or D. Anyone see an angle I missed?

Hannah E. Feb 15, 2026 4:08 pm

C/E. Both are needed for full access to prompt contents in Content Explorer. Not 100 percent but that's consistent with least privilege.

Chloe R. Mar 6, 2026 10:21 pm

C and E tbh

Nora A. Feb 24, 2026 2:00 pm

Seriously wish they'd make these Purview roles easier to remember. C and E.

Meera Feb 15, 2026 10:39 am

C and E tbh, not B. Security Reader is tempting but it can't see actual prompt contents, while Content Explorer roles do exactly that. Happened to see this mix up in other practice sets too.

Luna Feb 23, 2026 10:42 am

I remember a similar scenario from labs in exam reports and it was C and E.

Jason X. Mar 1, 2026 3:24 am

C and E tbh. Those two roles together let User1 see both the list of events and the actual contents, which is what you need for analyzing prompts and responses. Security Reader (B) is a bit of a trap here because it just gives visibility, not content access. Let me know if someone thinks D makes more sense?

NoraX Mar 5, 2026 5:32 am

Makes sense to pick C and E here. Only those Content Explorer roles allow viewing both the list and actual data for AI interactions, which is what "analyze prompts and responses" needs. Official docs and MS Learn modules on Purview permissions support this, but if someone has a different take from hands-on labs let me know.

PreciseSec3754 Feb 27, 2026 12:56 pm

A is wrong, B. Security Reader should let User1 see security events, which feels close for analysis tasks even though it's not as granular as Content Explorer. Not 100% sure since Purview roles can be confusing sometimes.

Sofia Feb 19, 2026 1:50 am

For User1 to review prompts and responses in Purview without extra permissions, I'm thinking C and E are exactly what's needed. Those roles let you see the list of items and open their contents, following least privilege. Not totally sure if there's a hidden catch with Al-specific stuff, but everything I've seen points to these two. Anyone come across a scenario where A or D would make sense here?

Be respectful. No spam.

Correct Answer:

C, E

Explanation

To analyze AI interaction events, including the content of prompts and responses, within Microsoft Purview, a user needs permissions to access the Content Explorer. Microsoft Purview uses a two-level access control model for Content Explorer to adhere to the principle of least privilege. The Content Explorer List Viewer role grants permission to see the list of items (in this case, AI interactions). The Content Explorer Content Viewer role grants the additional permission to open and view the actual content of those items. Therefore, User1 requires both roles to perform the complete task of analyzing the prompts and responses.

Why Incorrect

A. Information Protection Analysts: This role is for managing data classification, sensitivity labels, and data loss prevention (DLP) policies, not for viewing content in Content Explorer.

B. Security Reader: This is a broad Microsoft Entra ID and Microsoft Defender XDR role providing read-only access to various security features, but it does not grant specific permissions to Content Explorer.

D. Insider Risk Management Investigators: This is a highly privileged role specific to the Insider Risk Management solution and is not the least-privileged role required for viewing AI interactions in DSPM.

References

1. Microsoft Learn. "Get started with content explorer." Microsoft Purview documentation. Under the "Permissions" section, it states: "To get access to content explorer, an admin must add you to the Content Explorer List Viewer role group. To also see the content of the files in content explorer, you must be a member of the Content Explorer Content Viewer role group."

2. Microsoft Learn. "Investigate AI interactions in Microsoft Purview." Microsoft Purview documentation. This document explicitly states the required permissions for the task described in the question: "To view the content of prompts and responses, you need to be a member of the Content Explorer Content Viewer role group. To view the list of interactions, you need to be a member of the Content Explorer List Viewer role group."

3. Microsoft Learn. "Permissions in the Microsoft Purview compliance portal." Microsoft Purview documentation. This document details the various role groups, confirming that the Content Explorer roles are distinct and separate from roles like Information Protection Analysts or Insider Risk Management Investigators, reinforcing the principle of least privilege.

Q: 2

You have a Microsoft 365 E5 subscription. You plan to use insider risk management to collect and investigate forensic evidence. You need to enable forensic evidence capturing. What should you do first?

Options

Discussion

Ishaan Feb 19, 2026 11:06 pm

Its B, you have to claim capacity before anything else happens in Purview for this feature. Nothing else is possible until that's done. Pretty sure that's required per docs, agree?

Priya S. Feb 17, 2026 4:49 am

Option B

Ravi R. Feb 15, 2026 1:31 pm

A is wrong, B. You can't set up forensic evidence capture unless you claim capacity first. It's a common trap to jump into config (like A or D) before this initial licensing step. Seen it trip up folks in similar questions.

Anita T. Mar 1, 2026 1:12 pm

I don't think it's A. You can't even configure any forensic settings until you've claimed capacity, so B should be first. That "first" word in these risk management setups is a classic trap for folks who just want to jump into config steps like A or D. Anyone else seen this sequence in practice exams?

Ravi C. Feb 27, 2026 4:21 pm

B (A is tempting, but it’s useless before claiming capacity). Seen this on other practice sets too.

Mason Mar 3, 2026 10:15 am

D isn't right, it's B. Without claiming capacity, the feature can't be activated at all.

Daniel N. Mar 4, 2026 8:17 am

I’d say B since you can't even see the option for forensic evidence before claiming capacity in Purview. The other steps only unlock after that, so pretty sure that's the right order unless I'm missing something.

Luke Mar 4, 2026 5:08 am

Sam Z. Mar 3, 2026 2:54 pm

Option B makes sense to me since you have to claim the forensic evidence capacity before any other config is possible in Purview. Without that, none of the settings for capture even become available. I think D comes later when scoping who gets monitored. Pretty sure but if someone actually tried this in a lab and got a different result, let me know!

Ethan A. Mar 4, 2026 4:40 am

D imo, since you usually define who the priority users are before configuring things like forensic capture. B looks tricky here but I'd go with D first. Anyone else see it that way?

Be respectful. No spam.

Correct Answer:

Explanation

Forensic evidence capturing in Microsoft Purview Insider Risk Management is an add-on feature that requires specific licensing capacity. After purchasing the add-on, the first administrative action required to activate the feature is to claim this capacity within the Microsoft Purview compliance portal. This step makes the forensic evidence functionality available for configuration within your tenant. Without claiming the capacity, the settings to enable and configure forensic evidence capturing for user devices will not be accessible, making it the necessary initial step.

Why Incorrect

A. The information protection scanner discovers and classifies sensitive data on-premises; it is not a prerequisite for enabling the device-based forensic evidence feature.

C. Adaptive Protection is a feature that dynamically adjusts Data Loss Prevention (DLP) policies based on user risk levels, not a requirement for forensic evidence.

D. Creating priority user groups is a step for targeting insider risk policies, which is performed after the core features, like forensic evidence, are enabled.

References

1. Microsoft. (n.d.). Learn about forensic evidence for insider risk management. Microsoft Learn.

Reference Point: In the "Prerequisites" section, the documentation explicitly states, "If you've purchased forensic evidence add-on capacity, you must first claim your capacity in the Microsoft Purview compliance portal." The subsequent section, "Claim your capacity," details this as the initial configuration step.

2. Microsoft. (n.d.). Get started with insider risk management. Microsoft Learn.

Reference Point: Under the "Deployment" heading, "Step 2: Enable permissions and forensic evidence (if needed)" outlines the initial setup tasks. It confirms that enabling forensic evidence is a distinct, early step in the configuration process, which involves meeting prerequisites like licensing and claiming capacity.

Q: 3

DRAG DROP You have a Microsoft 365 E5 subscription that has data loss prevention (DLP) implemented. You need to create a custom sensitive info type. The solution must meet the following requirements: ● Match product serial numbers that contain a 10-character alphanumeric string. ● Ensure that the abbreviation of SN appears within six characters of each product serial number. ● Exclude a test serial number of 1111111111 from a match. Which pattern settings should you configure for each requirement? To answer, drag the appropriate settings to the correct requirements. Each setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Additional checks
Character proximity
Confidence level
Primary element
Supporting elements

Discussion

Ava Feb 24, 2026 7:38 pm

Primary element for matching the 10-char alphanumeric, character proximity to handle SN within six characters, and additional checks to exclude 1111111111. Supporting elements might look tempting for exclusion, but additional checks is the only one that does this in DLP custom SITs. Unless MS changes syntax, this is safest. Disagree?

Drew F. Mar 2, 2026 3:38 am

Yeah, I've seen this pattern too: Primary element maps to the alphanumeric match, character proximity is how you set 'SN' near the serial, and additional checks is where you exclude 1111111111. Pretty sure that's right but happy for other views.

Aaron K. Feb 15, 2026 7:12 pm

Had something like this in a mock: primary element for the serial, character proximity for SN, additional checks to exclude 1111111111.

MeeraZ Feb 14, 2026 7:49 pm

Primary element for the serial, character proximity for SN, additional checks for excluding 1111111111. Saw a similar mapping on a practice exam and it matched this setup.

Amelia Feb 27, 2026 8:46 am

Had something like this in a mock. Primary element for serial, character proximity for SN, additional checks to exclude that test number.

Riley M. Feb 14, 2026 4:57 am

Not quite, Primary element does the pattern for serials, character proximity is for 'SN' within 6 chars, and additional checks skips that test number. Saw similar in a practice bank, trick is not to pick supporting elements here.

Arjun X. Feb 23, 2026 3:06 am

Primary element → 10-char alphanumeric, character proximity → SN within 6, additional checks → exclude 1111111111. Supporting elements is tempting but it's meant for increasing confidence, not exclusions. Pretty sure this mapping matches actual DLP custom SIT logic. Disagree if you think supporting elements fits better here.

Aaron C. Feb 20, 2026 5:37 pm

Primary element = serial number pattern, character proximity = SN within 6, additional checks = exclude 1111111111. Supporting elements is a trap on this one, seen folks get tripped up by that.

Liam J. Feb 28, 2026 9:16 pm

Primary element → 10-char alphanumeric, character proximity → SN within 6, additional checks → exclude 1111111111

Zoe Feb 20, 2026 3:10 pm

Pretty sure this lines up with some official guide examples: Primary element for serial, character proximity for SN, supporting elements to exclude the test number. Haven't seen much on additional checks in practice sets. Anyone seen this phrasing on labs?

Be respectful. No spam.

Q: 4

You have a Microsoft 365 subscription. You have a user named User1 Several users have full access to the mailbox of User1. Some email messages sent to User 1 appeal to have been read and deleted before the user viewed them When you search the audit log in the Microsoft Purview portal to identify who signed in to the mailbox of User l. the results are blank. You need to ensure that you can view future sign-ins to the mailbox of User1. Solution: You run the Set-AuditConfig -Workload Exchange command. Does that meet the goal?

Options

Discussion

Sofia Feb 26, 2026 11:19 pm

B . Had something like this in a mock, Set-AuditConfig doesn’t handle auditing for just one mailbox, it’s for org-level only. You need Set-Mailbox -AuditEnabled $true for User1. Correct me if I’m missing new updates.

Grace R. Mar 1, 2026 11:47 pm

B is the right call here. Set-AuditConfig just sets audit logging at the org level, not per mailbox-easy to mix up if you don't work with these cmdlets much. You'd need Set-Mailbox -AuditEnabled $true for User1 specifically. Seen a few trip over this in practice.

Ben T. Feb 27, 2026 5:35 am

B that command only deals with org settings. Gotta target the actual mailbox for audit logs to show up. Unless MS changed something lately, pretty sure on this.

Neha C. Feb 19, 2026 5:57 pm

B , you can check this in the official MS docs or labs for the Exchange audit settings.

Sara Mar 1, 2026 10:11 am

Call it B. Set-AuditConfig is a trap here, since it’s not mailbox-level. You really need Set-Mailbox for specific auditing.

Arjun R. Feb 21, 2026 10:46 pm

B, saw this in a similar question on a practice test. Set-AuditConfig isn’t for mailbox-specific auditing.

Casey J. Feb 22, 2026 7:58 am

B tbh, Set-AuditConfig is more for org-wide audit log behaviors, it doesn't turn on mailbox auditing for individuals. You'd want Set-Mailbox -AuditEnabled $true on User1 instead. Super clear wording in this one, easy to follow.

Sofia B. Feb 27, 2026 5:22 pm

Ugh, Microsoft makes this so confusing with all the audit config cmdlets. Its B because Set-AuditConfig only hits org-wide settings, not a specific mailbox like User1. Pretty sure you still need Set-Mailbox for mailbox-level auditing, at least from what I've seen on other practice sets.

Emma Mar 5, 2026 6:37 pm

Rowan B. Feb 24, 2026 3:44 am

Pretty sure it's B. Set-AuditConfig is just org-wide, doesn't turn on auditing for a single mailbox like User1. You'd need Set-Mailbox -AuditEnabled $true for that user instead. Someone let me know if Microsoft changed this recently.

Be respectful. No spam.

Correct Answer:

Explanation

The Set-AuditConfig cmdlet is used to configure organization-wide settings for the unified audit log, such as the audit level or ingestion status. It does not enable or disable auditing for individual mailboxes. The problem states that audit log searches for a specific mailbox (User1) are blank, indicating that auditing for that particular mailbox is likely disabled. The correct procedure to ensure future sign-ins and other actions are logged for a specific mailbox is to enable auditing directly on that mailbox object using the Set-Mailbox -Identity User1 -AuditEnabled $true command. Therefore, the proposed solution is incorrect.

Why Incorrect

A: This is incorrect because the Set-AuditConfig command does not target or enable auditing for a specific user's mailbox. It manages the global configuration of the unified audit log service.

References

1. Microsoft Purview Documentation

"Enable or disable mailbox auditing": This document explicitly states that the Set-Mailbox -AuditEnabled parameter is used to turn on or off mailbox auditing for specific user mailboxes. It confirms this is the correct method to resolve the issue described.

URL: https://learn.microsoft.com/en-us/purview/audit-mailboxes#enable-or-disable-mailbox-auditing

2. Microsoft PowerShell Documentation

"Set-Mailbox": The official documentation for the Set-Mailbox cmdlet details the -AuditEnabled parameter

which "specifies whether to enable or disable mailbox auditing for the mailbox."

URL: https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailbox?view=exchange-ps#parameters (See -AuditEnabled parameter description).

3. Microsoft PowerShell Documentation

"Set-AuditConfig": The documentation for Set-AuditConfig shows its purpose is to "configure the unified audit log." Its parameters

such as -UnifiedAuditLogIngestionEnabled

affect the entire service

not individual mailboxes.

URL: https://learn.microsoft.com/en-us/powershell/module/exchange/set-auditconfig?view=exchange-ps

Q: 5

You implement Microsoft 36S Endpoint data loss pi event ion (Endpoint DIP). You have computer that run Windows 11 and have Microsoft 365 Apps instated The computers are joined to a Microsoft Entra tenant You need to ensure that endpoint DIP policies can protect content on the computers. Solution: You deploy the Microsoft Purview Information Protection client to the computers. Does this meet the goal?

Options

Discussion

Nathan T. Feb 22, 2026 7:04 am

B tbh. Good question, it tests if you know the difference between Endpoint DLP and MIP client. The MIP client is for labeling and doesn't enable Endpoint DLP protection on its own. Endpoint DLP works if devices are onboarded in the Purview compliance portal, not just by installing the MIP client. Pretty sure B is right here, but open to hearing if I missed anything.

Ishaan V. Mar 4, 2026 11:41 pm

I’d actually pick A. Deploying the Purview client feels like it should enable DLP since it manages information protection, right? Pretty sure there’s overlap with labeling and policy enforcement. Not 100 percent though, maybe I’m missing the device onboarding requirement.

Morgan Feb 15, 2026 1:05 pm

A isn’t correct here, it’s B. Deploying just the Purview client doesn’t turn on Endpoint DLP protection for Windows endpoints. Saw similar guidance in docs, but happy to hear if anyone has other info.

Chloe A. Feb 22, 2026 5:35 pm

B , saw this same scenario in some exam reports, it's not just about the Purview client for Endpoint DLP.

Quinn G. Feb 17, 2026 12:39 am

A is wrong, B.

Ben V. Mar 5, 2026 4:29 pm

B for sure. Installing the Purview Information Protection client is more about classification and labeling, not enabling Endpoint DLP. Some folks mix this up because Purview does a lot, but DLP protection needs onboarding in the compliance portal. Open to corrections if anyone thinks otherwise!

AlexE Feb 24, 2026 4:12 am

A is wrong, B. Official guide says onboarding devices through compliance portal is needed, not just installing Purview client.

Arjun H. Mar 4, 2026 5:07 pm

Option A

Jack V. Feb 28, 2026 8:50 pm

B , since deploying the Purview Information Protection client alone doesn't activate Endpoint DLP-onboarding devices in the Purview compliance portal is needed for policy enforcement. Similar question showed up in my practice set. If anyone thinks A is right, let me know.

Priya U. Feb 25, 2026 7:18 pm

Option A but pretty sure that's the trap since deploying Purview MIP client sounds close to enabling DLP.

Be respectful. No spam.

Correct Answer:

Explanation

The proposed solution is incorrect. Endpoint Data Loss Prevention (DLP) functionality is natively integrated into the Windows 10 and Windows 11 operating systems. To enable Endpoint DLP policies to protect content on these computers, the devices must be onboarded into the Microsoft Purview compliance portal. The installation of the Microsoft Purview Information Protection (MIP) client is not the required step to enable the Endpoint DLP engine. The MIP client's primary function is for classification and labeling, and its functionality is increasingly being built directly into Microsoft 365 Apps, making the separate client unnecessary for this specific goal.

(Note: The provided question format with two "Yes" options is non-standard. Assuming a standard "A. Yes / B. No" format, the correct answer is No.)

Why Incorrect

A. Yes: This is incorrect because installing the Microsoft Purview Information Protection client does not enable the Endpoint DLP engine on Windows 11. The required action is device onboarding into Microsoft Purview.

References

1. Microsoft Learn. (2024). Get started with Endpoint data loss prevention. "For devices running Windows 10

Windows 11 and macOS (three latest released versions)

you don't need to install any additional software. Everything is already included." This source explicitly states that no additional client software is needed for Endpoint DLP on Windows 11.

URL: https://learn.microsoft.com/en-us/purview/endpoint-dlp-getting-started

2. Microsoft Learn. (2024). Onboard devices into Microsoft Purview solutions. This document details the required onboarding process for devices to be managed by Purview solutions

including Endpoint DLP

confirming that onboarding

not client installation

is the key step.

URL: https://learn.microsoft.com/en-us/purview/device-onboarding-overview

3. Microsoft Learn. (2024). Microsoft Purview Information Protection client - Version release history & support policy. This page describes the purpose of the MIP client

which is focused on applying sensitivity labels

confirming its role is distinct from enabling the core Endpoint DLP engine.

URL: https://learn.microsoft.com/en-us/purview/information-protection-client-version-release-history

Q: 6

DRAG DROP You have a Microsoft 365 tenant. A new regulatory requirement states that all documents containing a patent ID be labeled, retained for 10 years, and then deleted. The policy used to apply the retention settings must never be disabled or deleted by anyone. You need to implement the regulatory requirement. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Add a management lock.
Create a retention policy.
Create a retention label.
Create a retention label policy.
Add a preservation lock.

Discussion

Luna C. Feb 19, 2026 3:03 pm

Create retention label > create retention label policy > add preservation lock. Management lock is just for Azure, easy trap.

Quinn R. Feb 26, 2026 1:07 am

Nah, it's create retention label, then retention label policy, then add a preservation lock. Management lock is more for Azure resources, preservation lock is what actually blocks admin changes to retention policies. Seen similar on practice, pretty sure this is the sequence. There's a trap on management lock here.

Zoe Mar 3, 2026 11:09 pm

Create a retention label → retention label policy → add preservation lock. Preservation lock is the one that enforces no disabling or deleting, so it's needed for strict compliance. Pretty sure management lock only applies to Azure, not M365 compliance policies. Disagree?

MethodicalNeteng554 Feb 19, 2026 3:34 am

Create retention label → retention label policy → preservation lock. This matches the "never be disabled or deleted by anyone" part, since only preservation lock fully enforces that in M365. Pretty sure this is right.

Nina Q. Feb 22, 2026 8:57 pm

Order looks solid to me: create retention label, then retention label policy, finally add preservation lock. That last step is what really locks it down so no admin can delete or turn off the policy in M365. I'm almost certain management lock isn't relevant here since that's for Azure resources. Agree?

OliviaH Mar 4, 2026 2:00 am

Create retention label > retention label policy > add preservation lock. If this was Azure storage, management lock would apply, but here only preservation lock guarantees nobody can remove or disable the policy. I think this flips the answer if regulatory asks for "never disabled by anyone" versus a softer requirement.

MayaF Feb 27, 2026 2:39 am

Create a retention label, then a retention label policy, then add a management lock.
I thought management lock was the right control here to stop any changes or deletions on the policy. Pretty sure that's closer to Azure admin restrictions but the wording in the requirement about never being disabled made me pick that. If I missed something, let me know.

Aaron M. Feb 22, 2026 5:17 am

Retention label, then retention label policy, then add a management lock. I thought management lock was enough to prevent changes but maybe that's not as strict as preservation lock. Not 100 percent sure but that was my logic here. Agree?

Sara Y. Feb 16, 2026 9:24 pm

Create a retention policy, create a retention label, add a management lock

Anita Feb 24, 2026 2:47 am

Create retention label, retention label policy, add preservation lock. Management lock is Azure only, easy trap here.

Be respectful. No spam.

Q: 7

You have a Microsoft 36S ES subscription that contains a Windows 11 device named Device 1 and three users named User 1. User2. and User3. You plan to deploy Azure Information Protection (AIP) and the Microsoft Purview Information Protection client to Device 1. You need to ensure that the users can perform the following actions on Device1 as part of the planned deployment • User 1 will test the functionality of the client. • User2 will install and configure the Microsoft Rights Management connector. • User3 will be configured as the service account for the information protection scanner. The solution must maximize the security of the sign-in process for the users What should you do?

Options

Discussion

Logan A. Feb 23, 2026 4:06 pm

Option B makes more sense here since passwordless authentication is supported for both interactive and service accounts (like User3), but passkey (D) won't work for non-interactive scenarios. D looks tempting but is a trap for service use. Anyone disagree?

SaraO Feb 24, 2026 2:53 pm

B tbh

Skyler O. Mar 3, 2026 11:49 pm

Probably B, since passwordless authentication boosts security for both service and interactive accounts. User2 and User3 are handling service-level stuff like the connector and scanner, so they benefit most from it. Traditional MFA wouldn't really fit those roles. If I'm missing something about how they log in for setup, let me know.

Neha D. Feb 28, 2026 2:01 am

B or D? Both sound like they raise security, but I think B covers the service account best. FIDO2 (D) is great for humans but not for a service like User3 running background jobs. Anyone see a downside to B?

QuietReviewer5863 Mar 5, 2026 1:24 pm

D doesn't actually help the service account since FIDO2 needs someone there to tap or verify. Isn't that a trap here?

Nathan R. Feb 17, 2026 8:42 pm

I was thinking D makes sense here since FIDO2 passkeys are super secure for logins. Since all three would be covered for strong auth, seemed solid. Not sure if the service account setup would be tricky with this though, so maybe I'm missing something.

PreciseMentor1616 Feb 28, 2026 1:33 pm

Option D, People overlook that service accounts sometimes work with FIDO2 if configured right, so D might be valid.

Layla K. Feb 14, 2026 2:57 pm

Pretty sure it's B here. Service accounts like User3 can't handle FIDO2, so passwordless is the safer bet for non-interactive stuff. Open to other thoughts if someone disagrees.

AjayW Feb 22, 2026 4:18 pm

B . D is tempting but FIDO2 needs user interaction, which doesn't work for service accounts.

Alex Feb 19, 2026 7:02 pm

I don’t think it’s B. D makes more sense if you want strong security for all three users, since enabling passkey (FIDO2) means everyone would have phishing-resistant sign-in. Even if User3 is a service account, you could technically assign FIDO2, though setup might be tricky. Pretty sure about this but open to other views.

Be respectful. No spam.

Correct Answer:

Explanation

Passwordless sign-in provides phishing-resistant authentication without interactive MFA prompts.

• The Rights Management connector that User2 installs and the AIP scanner that runs under User3 both support (and Microsoft recommends) certificate-based, app-only authentication—classified by Microsoft Entra ID as a passwordless method.

• Enabling passwordless for these two accounts therefore maximises sign-in security while still allowing the non-interactive services to obtain tokens.

User1 needs only to test the client interactively and can continue to use the normal, MFA-protected sign-in already configured for the tenant.

Why the other options are wrong (≤30 words each):

A. Removing MFA weakens security and is unnecessary; service components can use certificate-based authentication instead.

C. Same weakness as A and excludes the tester, further reducing security.

D. FIDO2/passkey requires interactive user presence; a Windows service (scanner account) cannot complete this flow.

References

1. Microsoft Learn – “Passwordless authentication methods in Microsoft Entra ID”

section “Certificate-based authentication”: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#certificate-based-authentication

2. Microsoft Learn – “Deploy the Azure Information Protection unified labeling scanner”

section “Configure the scanner to use app-only authentication”: https://learn.microsoft.com/en-us/azure/information-protection/deploy-aip-scanner#step-5-configure-aip-authentication

3. Microsoft Learn – “Deploy and configure the Microsoft Rights Management connector”

section “How the connector authenticates”: https://learn.microsoft.com/en-us/azure/information-protection/ConfigureRMSConnector#how-the-connector-authenticates

Q: 8

You have a Microsoft 365 ES subscription. You have a Microsoft SharePoint Online document library that contains Microsoft Word and Excel documents. The documents contain the following types of information: • Credit card numbers • Physical addresses in the UK • National hearth service numbers from the UK • Sensitive projects that contain the following words: Project Tailspin. Project Contoso, and Project falcon You have email messages m Microsoft Exchange Online that contain the following information types: • Credit card numbers • User sign-in credentials • National health service numbers from the UK You plan to use sensitive information types (SITs) for compliance policies. What is the minimum number of SITs required to classify all the information types?

Options

Discussion

Riley Feb 16, 2026 1:51 pm

Option B seen similar on exam reports. You need 5 SITs here.

SaraY Feb 22, 2026 6:35 am

Man, these exam questions are wordy for no reason. B tbh.

Jamie V. Mar 3, 2026 1:29 am

B tbh

AnitaY Mar 5, 2026 7:54 am

B. since official docs and practice tests always mention grouping keywords like project names into one custom SIT. If you're using labs or the Microsoft guide as a resource, they show this exact breakdown.

Kevin Feb 25, 2026 6:12 am

B or C? If the exam expects a unique custom SIT for every single project name (since "Project Tailspin" etc are separate keywords), you might argue for more than five, but Microsoft compliance usually lets you bundle those names in one custom SIT. I think B is right if you can group them, but it's a bit nitpicky. Anyone else see it differently from similar questions?

Aisha K. Feb 27, 2026 11:31 am

Don't think it's C, since you can use just one custom SIT for all project names. The rest are built-in types like credit card and NHS numbers, so that makes B the best fit in my view. Maybe I'm missing something but I really doubt it's more than five.

Rowan Y. Mar 1, 2026 3:26 pm

Yeah, B makes sense. You'd only need one custom SIT for all those project names together so five total, not more. Pretty sure that's the minimum required setup here.

Chloe Feb 19, 2026 6:39 pm

B tbh. You'd need four built-ins for credit card, UK NHS number, physical address and credentials, then a custom SIT for those project code names. Five in total covers all types listed, unless I'm missing something?

Kevin Feb 20, 2026 12:56 pm

I don't think it's C, since grouping all project keywords in one custom SIT is allowed. Built-ins cover credit cards, NHS, addresses, and credentials. So B makes more sense-C is a trap if you miss that detail. Agree?

Mia U. Feb 16, 2026 11:43 am

I remember a similar scenario from labs, in another practice set, always came out as B.

Be respectful. No spam.

Correct Answer:

Explanation

To classify all the specified information, a minimum of five Sensitive Information Types (SITs) are required. Four of these are built-in SITs provided by Microsoft, and one must be a custom SIT.

1. Credit Card Number: A built-in SIT.

2. U.K. National Health Service Number: A built-in SIT.

3. All Physical Addresses: A built-in SIT that can detect UK addresses.

4. User Credentials: A built-in SIT for sign-in information.

5. Custom Project SIT: A single custom SIT can be created using a keyword list to detect all three project names ("Project Tailspin," "Project Contoso," "Project Falcon").

This combination covers all requirements with the minimum number of SITs.

Why Incorrect

A. 2: This is insufficient as it cannot cover the five distinct categories of sensitive information described in the scenario.

C. 7: This is incorrect. It likely results from counting each project keyword as a separate SIT, which is inefficient, or by double-counting repeated information types.

D. 10: This number is arbitrarily high and does not align with the principle of using the minimum number of SITs required.

References

1. Microsoft Learn. (2024). Sensitive information type entity definitions. This official documentation lists the built-in SITs

including "Credit Card Number

" "U.K. National Health Service (NHS) Number

" "All Physical Addresses

" and "User Credentials."

URL: https://learn.microsoft.com/en-us/purview/sensitive-information-type-entity-definitions

2. Microsoft Learn. (2024). Create custom sensitive information types in the Microsoft Purview compliance portal. This document explains that a single custom SIT can be configured with a list of keywords

making it unnecessary to create separate SITs for each project name.

URL: https://learn.microsoft.com/en-us/purview/create-custom-sensitive-information-types

Q: 9

DRAG DROP You need to create a trainable classifier that can be used as a condition in an auto-apply retention label policy. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Publish the trainable classifier.
Retrain the trainable classifier.
Create the trainable classifier.
Test the trainable classifier.
Create a terms of use (ToU) policy.

Discussion

LunaM Mar 4, 2026 6:09 pm

Create the trainable classifier → Test the trainable classifier → Publish the trainable classifier. Retrain's just a decoy here.

Jordan P. Mar 4, 2026 12:25 pm

Create the trainable classifier → Test the trainable classifier → Publish the trainable classifier

This is the right order because you always have to create it first, test and tweak it so it works well, then publish for use in policies. "Retrain" isn’t a required step unless accuracy isn’t good and ToU doesn’t fit here. Pretty sure on this sequence from similar questions.

Liam Feb 25, 2026 3:44 pm

Looks right to me: Create the trainable classifier, Test the trainable classifier, Publish the trainable classifier. That's the actual sequence in Purview for using it in auto-apply policies. Retrain only matters if it fails testing first time, pretty sure. Someone correct me if I missed anything.

MasonE Feb 20, 2026 3:41 pm

Create the trainable classifier → Test the trainable classifier → Publish the trainable classifier. That's how you prep it for auto-apply retention labels in Purview. Retrain comes into play only if your initial testing isn't accurate enough, I think. Open to correction though.

Priya W. Feb 21, 2026 11:24 pm

Create the trainable classifier → Test the trainable classifier → Publish the trainable classifier is the right flow. Retrain is tempting as a distractor but only applies if accuracy needs fixing after initial testing.

Mia I. Feb 26, 2026 1:30 pm

Create the trainable classifier → Test the trainable classifier → Publish the trainable classifier. That's the typical flow for Microsoft Purview classifiers if you want to use them in retention policies. Retrain only comes up if testing fails, which isn't part of the base requirement here. Confident this is right, but open to corrections if I missed an edge case.

Mia B. Mar 3, 2026 5:16 am

Create the trainable classifier → Test the trainable classifier → Publish the trainable classifier. That's the sequence Microsoft wants for an auto-apply retention label using a trainable classifier in Purview. Retrain only comes up if your test results aren't good enough, not as part of the initial flow. Pretty sure this is right but open to pushback if anyone's seen different.

AdamS Feb 27, 2026 8:03 pm

Create classifier → test classifier → publish classifier. Had something like this in a mock, matches their flow exactly.

OliviaC Feb 24, 2026 10:02 am

Create the trainable classifier → Test the trainable classifier → Publish the trainable classifier. Saw almost this exact sequence in a mock, so confident.

Aisha E. Mar 2, 2026 8:52 pm

Nah, not retrain here-it's Create, Test, Publish. Retrain is just a trap for if accuracy fails.

Be respectful. No spam.

Q: 10

DRAG DROP You have a Microsoft 365 E5 subscription that uses Microsoft Purview insider risk management and contains three users named User1, User2, and User3. All insider risk management policies have adaptive protection enabled and the default conditions for insider risk levels configured. The users perform the following activities, which trigger insider risk policy alerts: User1 performs at least one data exfiltration activity that results in a high severity risk score. User2 performs at least three risky user activities within seven days, that each results in a high severity risk score. User3 performs at least bwo data exfiltration activities within seven days, that each results in a high severity risk score. Which insider risk level is assigned to each user? To answer, drag the appropriate levels to the correct users. Each level may be used once, more than once, or not at all. You may need to drag the split bar between panes or seroll to view content. NOTE: Each correct selection is worth one point.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Elevated risk level
Minor risk level
Moderate risk level

Discussion

Mason P. Feb 24, 2026 4:18 am

User1 minor, User2 elevated, User3 moderate risk level. Seen similar mapping in exam reviews.

Karan U. Mar 6, 2026 10:31 am

Minor risk level (User1), Elevated risk level (User2), Moderate risk level (User3). In the default adaptive protection config, User2's frequency of high-severity activity bumps them to elevated, while just one exfiltration keeps User1 at minor. Policy changes could flip the order but nothing custom in this scenario.

SkepticalNeteng5057 Feb 14, 2026 1:28 pm

Looks good, it's Minor risk for User1, Elevated for User2, Moderate for User3. That's the mapping I remember from adaptive protection defaults in Insider Risk policies. Not totally certain, but lines up with what MS docs say about single vs repeated high-severity actions.

Aaron W. Feb 20, 2026 11:49 pm

User1 minor, User2 elevated, User3 moderate. I don’t think User2 is moderate since three high-severity risky activities push it to elevated by default settings. The exfil counts in User3 are the main trap here.

LaylaV Feb 19, 2026 6:39 pm

User1 minor, User2 elevated, User3 moderate. That fits the adaptive protection thresholds for activity count and severity in Purview. Pretty sure this matches the docs but open to other logic.

AdamG Mar 5, 2026 3:11 am

Minor risk level (User1), Elevated (User2), Moderate (User3). Not 100 percent but that's what I remember from the docs.

Priya D. Mar 5, 2026 3:35 am

Minor risk level (User1), Elevated risk level (User2), Moderate risk level (User3). This fits with how adaptive protection uses both incident type and frequency, I think. Open to a different take if someone has labbed this out more recently.

Ben Z. Feb 16, 2026 2:30 pm

User1: Moderate risk level, User2: Elevated risk level, User3: Minor risk level. I think single high-severity exfiltration bumps User1 up, and since User3 only did two events, theirs feels lower. Might be off on the default config though.

Ivy E. Feb 25, 2026 8:40 am

User1: Moderate, User2: Minor, User3: Elevated risk level

FocusedSec5588 Feb 18, 2026 10:53 am

User1: Minor, User2: Elevated, User3: Moderate risk level. That's what I've seen in Purview docs for default adaptive protection-single high-severity exfiltration usually just triggers Minor, while frequency bumps up the others. Not 100% sure, but makes sense with how their scoring works.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE