Demo Microsoft SC-401 Exam Questions

• Statement 1 (Yes): When a retention policy is active on a site (such as a 5-year retention window from the creation date), files remain active and accessible in their original location for normal user consumption as long as they are not manually deleted. Since January 15, 2023, falls well within the 5-year period (which ends January 1, 2026), users can access it normally.
  Statement 2 (Yes): If a file created on January 1, 2021, is deleted by a user, the retention policy ensures it is preserved in the Preservation Hold library for the remainder of the 5-year retention period (up until January 1, 2026). On April 15, 2023, the file is still within this protected duration, allowing an administrator to successfully recover it.
  Statement 3 (No): The 5-year retention clock begins on the file creation date (January 1, 2021) and expires on January 1, 2026. After this date, the retention policy no longer protects or locks the deleted file. By April 15, 2026, the data will have exceeded the retention threshold and been permanently purged, making it unrecoverable for administrators.

January 1, 2021, it would be deleted after January 1, 2023. ● Site4RetentionPolicy2 retains files for 4 years from creation. If a file was created on January 1, 2021, it will be kept until January 1, 2025, but not deleted after that (policy states "Do nothing"). Statement 1 - Yes, because Site4RetentionPolicy2 ensures files are retained for 4 years. Statement 2 - Yes, because Site4RetentionPolicy2 retains the file for 4 years (until January 1, 2025). Statement 3 - No, because retention is only for 4 years (until January 1, 2025). After that, the policy does "nothing," meaning the file is no longer recoverable after that period.

Create first: Before creating higher-level data protection constructs (like Data Loss Prevention policies or sensitivity labels) that rely on custom definitions, you must first create A sensitive info type (SIT). The SIT defines the unique pattern or structure of the data you want to identify and protect.

Use for detection method: To accurately capture strings or values that follow a rigid, predictable format (such as employee numbers, specific ID formats, or customized serial codes), a Regular expression (regex) is the ideal detection mechanism. It offers the precision required to match specific patterns rather than relying on exact word matches (Keywords) or static lists (Dictionary).

To detect and protect confidential documents, we need a custom rule to identify project codes that start with 999 (since they are classified as confidential). Box 1: A Sensitive Info Type (SIT) allows Microsoft Purview DLP policies to recognize structured data (e.g., project codes). DLP policies require a sensitive info type to detect content based on patterns,

keywords, or dictionary terms. A sensitivity label alone does not define detection logic—it is used for classification and protection after content is identified. Box 2: Since project codes follow a structured 10-digit pattern, we should use a Regular Expression (Regex) to match project codes that start with 999. Example Regex pattern: 999\d{7} This pattern detects a 10-digit number starting with "999".

To meet the requirement that all administrative users must be able to create Microsoft 365 sensitivity labels, we need to assign the Sensitivity Label Administrator role to the correct users. Sensitivity Label Administrator Role Responsibilities This role allows users to: ● Create and manage sensitivity labels in Microsoft Purview. ● Publish and configure auto-labeling policies. ● Modify label encryption and content marking settings. Review of Admin Roles from the Table:

Answer Area

Admin	Role Assigned	Can Create Sensitivity Labels?
Admin1	Global Reader	No, read-only permissions.
Admin2	Compliance Data Administrator	Yes, can manage compliance data, including labels.
Admin3	Compliance Administrator	Yes, has full compliance management, including labels.
Admin4	Security Operator	No, this role is focused on security alerts and response.
Admin5	Security Administrator	No, primarily focused on security policies and threat management.

Explanation
Admin1 (Global Reader): This role provides read-only access across the tenant. Users assigned this role can view settings and administrative data but cannot create or modify objects, including sensitivity labels.
Admin2 (Compliance Data Administrator): This role possesses permissions explicitly geared towards data governance and classification tasks, which include creating, managing, and publishing sensitivity labels.
Admin3 (Compliance Administrator): As a high-level administrative role for compliance features, it grants comprehensive permissions to configure and manage all compliance-related settings, directly allowing the creation of sensitivity labels.
Admin4 (Security Operator): This role is designated for operational security tasks, such as monitoring alerts and analyzing potential threats. It does not contain administrative permissions required to configure data classification or compliance policies like sensitivity labels.
Admin5 (Security Administrator): While this role grants broad security management privileges (such as managing threat policies and security alerts), it does not natively inherit full compliance creation privileges. Data classification and sensitivity management are handled within the compliance/purview scope, making it an incorrect role for creating sensitivity labels unless combined with proper compliance role groups.

Users that must be assigned the Sensitivity Label Administrator role: ● Admin2 (Compliance Data Administrator) ● Admin3 (Compliance Administrator) ● Admin1 (Global Reader) (should be assigned this role to fulfill the requirement that all admins can create labels).