Microsoft Administering Information Security in Microsoft 365 SC-401 Exam Dumps: Updated Questions & Answers (October 2025)

Step 1 – Scenario

You need to grant User1 permission to search Microsoft 365 audit logs while following the principle of least privilege.

Step 2 – Roles that can search audit logs

Audit log search in Microsoft 365 is tied to Exchange Online role groups, because audit log data is stored in Exchange.

The following roles are relevant:

View-Only Audit Logs → Grants the ability to search and view audit logs, but not configure auditing or take other compliance actions. This is the least privilege role.

Audit Logs → Grants broader permissions, including turning auditing on/off.

Compliance Management → A broader role group that includes audit log search and many other compliance functions, violating least privilege.

Security Reader (Entra ID) → Grants read-only access to security features, but not audit logs.

Reviewer (Purview) → Used in eDiscovery, not audit logs.

Step 3 – Why "View-Only Audit Logs" is correct

According to Microsoft documentation:

“Users must be assigned the Audit Logs or View-Only Audit Logs role in Exchange Online to search the audit log. To minimize permissions, assign View-Only Audit Logs.”

???? Reference: Permissions required to search the audit log

Step 4 – Elimination of other options

A. Security Reader role → Allows reading security-related info in Microsoft 365 Defender, not Purview audit logs.

B. Compliance Management role → Includes more than just audit logs, not least privilege.

C. View-Only Audit Logs role → Correct and least privilege.

D. Reviewer role → For eDiscovery cases, not audit logs.

User1: Since the Microsoft Purview browser extension is installed on Device1, AI-related activity performed by User1 (generating an image using a generative AI website) can be reviewed in Activity explorer in DSPM for AI.

User2: Since Device2 does not have the Microsoft Purview browser extension installed, AI-related activity cannot be tracked in DSPM for AI. Instead, Audit log search should be used to review activity such as using Microsoft 365 Copilot.

User3: Since Device3 has the Microsoft Purview browser extension installed, AI-related activity (browsing sample content on a generative AI website) can be reviewed using Activity explorer in DSPM for AI.

When you run a Content Search in the Microsoft Purview compliance portal and want to download/export the search results, you must:

Select Export results in the Content Search tool.

Purview generates an Export key.

Use the eDiscovery Export Tool (ClickOnce application) to download the results.

The Export key is required to authenticate the export process.

Certificate → Not used in this process.

Password → Not required for export.

PIN → Not relevant here.

Export Key → ✅ Mandatory to export search results.

???? Reference:

Export Content Search results - Microsoft Learn

Step 1 – Understand the feature

The scenario is about Microsoft Purview Data Security Posture Management for AI (DSPM for AI), a capability in Microsoft Purview that helps:

Discover sensitive data across AI environments (including Copilot for Microsoft 365).

Assess data exposure risks.

Apply policies for data classification and protection.

When you deploy DSPM for AI, Microsoft Purview automatically creates default policies to classify and protect sensitive content.

Step 2 – Which solutions are used to edit these policies?

DSPM for AI (D) → This is the core solution where the default DSPM policies are deployed and visible. To edit or manage them, you must use the DSPM for AI blade in Microsoft Purview.

Information Protection (B) → DSPM relies on Microsoft Information Protection (MIP), specifically sensitivity labels and sensitive information types. These labels and SITs are part of Purview Information Protection. Editing classification rules (e.g., sensitivity labels, sensitive info types, trainable classifiers) requires Information Protection.

???? Reference:

Microsoft Purview Data Security Posture Management for AI (DSPM for AI)

Overview of sensitivity labels in Microsoft Purview Information Protection

Step 3 – Why not the others?

A. Insider Risk Management → Detects risky insider activities (data theft, sabotage). Not used to configure DSPM policies.

C. Compliance Manager → Provides compliance score and assessments, but does not configure DSPM policies.

E. Information Barriers → Used to restrict communication between groups of users. Not related to DSPM.

F. Data Lifecycle Management → Manages retention and deletion of data. Not related to DSPM for AI policy editing.

G. Data Loss Prevention (DLP) → Protects sensitive data from being shared in apps/services, but DSPM’s default policies are not edited here.

Let’s analyze each scenario based on the given retention policies and Microsoft 365 documentation.

???? Policies Recap

Policy1

Teams channel messages → All Teams → Retain 7 years → Delete automatically.

Teams chats → User1 → Retain 7 years → Delete automatically.

Policy2

Teams channel messages → Team1 → Retain 5 years → Delete automatically.

Teams chats → User2 → Retain 5 years → Delete automatically.

???? Reference: Retention policies in Microsoft Teams

???? Statement 1: The message edited by User1 will be deleted after five years.

Location = Team1 channel.

Policy1 applies (7 years for all Teams).

Policy2 applies (5 years for Team1).

Conflict rule: For retention, the longest duration wins.

Therefore, the message stays 7 years, not 5.

✅ Answer: NO

???? Statement 2: User1 can see the message sent by User2 for up to seven years.

Location = Private 1:1 chat (User2 → User1).

For User1’s mailbox: Policy1 applies (7 years).

For User2’s mailbox: Policy2 applies (5 years).

Retention in Teams chats is per-user, so each participant may have different durations.

For User1, the retention is 7 years.

✅ Answer: YES

???? Statement 3: The message deleted by User1 will be moved to the SubstrateHolds folder.

Location = Team2 channel.

User1 deletes the message, but retention policy (Policy1) applies (7 years).

Retention overrides user deletion: message is moved to the SubstrateHolds folder in the hidden mailbox for preservation.

???? Reference: How retention works with SubstrateHolds

✅ Answer: YES

Box 1: When creating a Microsoft Purview Insider Risk Management case, you must first select a risky user to investigate. The case will be built around this specific user’s activities, linking alerts and risk signals to the investigation.

Box 2: The Insider Risk Management role groups determine who can access and contribute to cases:

● Admin1 (Insider Risk Management Admins) → Full admin access.

● Admin2 (Insider Risk Management Analysts) → Analysts who review cases.

● Admin3 (Risk Management Investigators) → Investigators who work on cases.

● Admin4 (Insider Risk Management Auditors) → Auditors who oversee cases.

All these roles have default access to insider risk cases in Microsoft Purview, so all four admins are added as contributors.

The Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets *Mailbox* command is incorrect. This enables admin audit logging, which tracks changes to mailbox configurations (e.g., mailbox settings updates), not user activity inside the mailbox.

Step 1 – Understanding the requirement

The task is about applying Microsoft Purview Information Protection sensitivity labels to sensitive images and documents using the Azure Information Protection (AIP) unified labeling client.

Sensitivity labels in Purview can be applied in Microsoft 365 apps (Word, Excel, Outlook, PowerPoint), but to label non-Office files like images, PDFs, and other documents, users must use the AIP unified labeling client.

With the AIP client installed, labels can be applied directly in File Explorer by right-clicking the file.

Step 2 – Device compatibility

The AIP unified labeling client runs on Windows devices only.

In the question’s context (based on the provided dropdowns), all listed devices (Device1, Device2, Device3) are compatible Windows endpoints.

Therefore, the AIP client can be deployed to all three devices.

Step 3 – How users apply labels

For Office documents → labels can be applied from the ribbon inside Word, Excel, PowerPoint.

For other file types (images, PDFs, text files, etc.) → labels must be applied using File Explorer via the AIP client.

???? Reference:

Install and use the Azure Information Protection unified labeling client

Apply sensitivity labels to files and emails in Microsoft Purview