Microsoft Administering Information Security in Microsoft 365 SC-401 Exam Dumps: Updated Questions & Answers (April 2026)

To customize encrypted email in Microsoft 365, including adding a company logo, you need to modify the Office Message Encryption (OME) branding settings. The Set-OMEConfiguration PowerShell cmdlet allows you to configure branding elements such as:

● Company logo

● Custom text

● Background color

This cmdlet is used to update existing OME branding settings, ensuring that encrypted emails sent from your organization include the required customizations.

DLP policy tips are shown across all supported Outlook clients: Outlook on the web (OWA), Outlook desktop (Win32), and Outlook mobile apps (iOS and Android). This ensures users are informed when sending sensitive information across any supported client.

To ensure Azure Storage Account keys are encrypted when sent via email, you need a Data Loss Prevention (DLP) policy that detects Azure Storage Account keys using a sensitive information type and automatically encrypts emails containing these keys.

A DLP policy with Exchange email as the only location meets this requirement because it identifies sensitive data in email messages and it applies protection actions, such as encryption, blocking, or alerts.

Step 1 – Scenario

Microsoft 365 E5 subscription with 100 users and a Microsoft 365 group (Group1).

A sensitivity label (Label1) is published as the default label for Group1.

Label1 contains two sublabels: Sublabel1 and Sublabel2.

Requirement: Ensure Sublabel1 settings are applied by default to Group1.

Step 2 – Understanding label hierarchy

In Microsoft Purview Information Protection, a parent label (Label1) is a container.

Sublabels (Sublabel1, Sublabel2) inherit the parent name but represent distinct configurations (encryption, watermarking, access, etc.).

A parent label itself cannot have a sublabel’s settings automatically applied unless policy configuration specifies which sublabel is used as the default publishing option.

Step 3 – Why " Modify the policy of Label1 " is correct

To apply Sublabel1 by default, the published policy for Label1 must be modified so that Sublabel1 is the default label within the policy.

Simply reordering sublabels (Option A) does not change the default assignment.

Duplicating Sublabel1’s settings into Label1 (Option B) defeats the purpose of having sublabels and adds redundancy.

Deleting the policy of Label1 and publishing Sublabel1 (Option D) would remove flexibility and is unnecessary.

Step 4 – Microsoft Reference

Microsoft Docs: “If you want a sublabel to be applied by default, configure the label policy to select that sublabel as the default label for documents and emails.”

To track who accesses User1’s mailbox, you need to enable mailbox auditing for User1. By default, Exchange mailbox auditing is not enabled per mailbox (even though it is enabled tenant-wide).

The Set-Mailbox -Identity " User1 " -AuditEnabled $true command enables audit logging for mailbox actions like:

● Read emails

● Delete emails

● Send emails as User1

● Access by delegated users

Once enabled, you can search for future sign-ins and actions in the Microsoft Purview audit logs.

Statement 1 - No. The sensitivity label includes content marking (watermark: INTERNAL), but it only applies to documents where the label is manually or automatically applied, not to all documents by default.

Statement 2 - No. The sensitivity label only specifies a watermark, not a header. If a header marking was configured, it would explicitly appear in the label settings.

Statement 3 - No. There is no indication that auto-labeling is configured to apply the label only to documents with the word " rebranding " . Auto-labeling is an optional setting that needs explicit configuration.

Step 1 – Label publishing and scope

The sensitivity label Label1 is published to User1 and Group1.

User1 → Directly included in label publishing.

User2 → Member of Group1, so also included indirectly.

This means both User1 and User2 are eligible to use Label1.

Step 2 – File vs Folder labeling with the Information Protection client

The Microsoft Purview Information Protection (AIP unified labeling) client can apply labels to files such as .docx, .png, .pdf, etc.

It cannot label folders directly. Labels are applied to items (files and emails), not folders.

For creating a custom trainable classifier, seed content must be stored in a Microsoft 365 content location that Purview can crawl for training—SharePoint Online (or Exchange mailboxes). OneDrive, Azure Files, or other locations are not supported for training seed sets.

Step 1 – Understand the scenario

We have a Microsoft 365 E5 subscription with Copilot available.

File1.docx has a sensitivity label applied.

The sensitivity label controls usage rights (Owner, Editor, Restricted Editor, Viewer).

The question: Which users can summarize File1 with Microsoft 365 Copilot?

Step 2 – Sensitivity labels and usage rights

When a sensitivity label is configured to apply encryption with usage rights , each role has different levels of access:

Owner : Full control (read, edit, reshare, extract, etc.).

Editor : Can read, edit, and copy content.

Restricted Editor : Can read and edit in place, but cannot copy, print, or extract content.

Viewer : Can only read (view) the content.

???? Reference: Rights included in usage rights for sensitivity labels

Step 3 – Copilot’s requirements for summarization

Microsoft 365 Copilot requires that the user has the ability to read and extract text from the document in order to generate a summary.

Owners and Editors : ✅ Can both read and extract → Copilot works.

Restricted Editors : ❌ Cannot copy/extract text → Copilot cannot summarize.

Viewers : ❌ Can only view → Copilot cannot process content for summarization.

???? Reference: Microsoft 365 Copilot and sensitivity labels

“Users must have extract and copy rights in order for Microsoft 365 Copilot to process and summarize labeled documents.”

Step 4 – Apply to the case

User1 (Owner) → Can summarize.

User2 (Editor) → Can summarize.

User3 (Restricted Editor) → Cannot summarize.

User4 (Viewer) → Cannot summarize.

Comprehensive Detailed Explanation with References

Step 1 – Review File2 contents

File2 contains 3 IP addresses.

Step 2 – Review DLP rules and priorities

Rule Condition Policy Tip Stop Processing? Priority

Rule1 1 or more IP addresses Tip1 No 0

Rule2 3 or more IP addresses Tip2 Yes 1

Rule3 2 or more IP addresses Tip3 No 2

Step 3 – Rule evaluation order

Advanced DLP rules are processed by priority order (lowest number first).

Rule1 (Priority 0) will trigger because File2 has at least 1 IP address.

This applies Tip1.

However, Rule1 has Stop Processing = No, so evaluation continues.

Rule2 (Priority 1) will also trigger because File2 has 3 IP addresses (≥3).

This applies Tip2.

Rule2 has Stop Processing = Yes, so evaluation stops after this.

Rule3 (Priority 2) will not be evaluated because Rule2 stopped processing.

Step 4 – Final outcome

File2 matches Rule1 (Tip1), but since Rule2 fires afterward with Stop Processing = Yes, only Tip2 is applied.

Step 5 – Microsoft Reference

From Microsoft docs: “When a rule is configured to stop processing, subsequent rules are not evaluated and only the policy tip from the last triggered rule with stop processing applies.”