[Microsoft] SC-400 - Info Protection & Compliance Admin Exam Dumps & Study Guide
The Administering Information Protection and Compliance in Microsoft 365 (SC-400) is the premier certification for compliance and security professionals who want to demonstrate their expertise in managing and securing information using Microsoft Purview. As organizations face increasingly frequent and complex data breaches and regulatory requirements, the ability to design and manage robust, scalable, and secure information protection solutions has become a highly sought-after skill. The SC-400 validates your core knowledge of data classification, protection, and governance within the Microsoft ecosystem. It is an essential milestone for any professional looking to lead in the age of modern data compliance.
Overview of the Exam
The SC-400 exam is a rigorous assessment that covers the implementation and management of information protection and compliance solutions in Microsoft 365. It is a 120-minute exam consisting of approximately 40-60 questions. The exam is designed to test your knowledge of Microsoft Purview technologies and your ability to apply them to real-world compliance scenarios. From data classification and loss prevention to retention and governance, the SC-400 ensures that you have the skills necessary to protect modern cloud-managed information. Achieving the SC-400 certification proves that you are a highly skilled professional who can handle the technical demands of enterprise-grade information protection administration.
Target Audience
The SC-400 is intended for security and compliance professionals who have a solid understanding of information protection and Microsoft's security solutions. It is ideal for individuals in roles such as:
1. Information Protection Administrators
2. Compliance Officers
3. Data Governance Professionals
4. Security Engineers
5. IT Managers and Directors
To qualify for the Microsoft Certified: Information Protection and Compliance Administrator Associate certification, candidates must pass the SC-400 exam.
Key Topics Covered
The SC-400 exam is organized into several main domains:
1. Implement Information Protection (35-40%): Designing and implementing effective data classification and protection solutions using Microsoft Purview.
2. Implement Data Loss Prevention (30-35%): Configuring and managing data loss prevention (DLP) policies to prevent unauthorized data sharing.
3. Implement Data Lifecycle and Content Governance (25-30%): Designing and implementing effective data retention and disposal solutions using Microsoft Purview.
Benefits of Getting Certified
Earning the SC-400 certification provides several significant benefits. First, it offers industry recognition of your specialized expertise in Microsoft's information security technologies. Because Microsoft is a leader in the security industry, Microsoft skills are in high demand across the globe. Second, it can lead to increased career opportunities and higher salary potential in a variety of roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying current with the latest information security practices. By holding this certification, you join a global community of Microsoft professionals and gain access to exclusive resources and continuing education opportunities.
Why Choose NotJustExam.com for Your SC-400 Prep?
The SC-400 exam is challenging and requires a deep understanding of Microsoft Purview's complex features. NotJustExam.com is the best resource to help you master this material. Our platform offers an extensive bank of practice questions that are designed to mirror the actual exam’s format and difficulty.
What makes NotJustExam.com stand out is our focus on interactive logic and the accuracy of our explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the technical reasoning behind the correct security solutions. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated by subject matter experts to reflect the latest Microsoft features and security trends. With NotJustExam.com, you can approach your SC-400 exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Information Protection Administrator today with us!
Free [Microsoft] SC-400 - Info Protection & Compliance Admin Practice Questions Preview
Question 1
You create three sensitivity labels named Sensitivity1, Sensitivity2, and Sensitivity3 and perform the following actions:
- Publish Sensitivity1.
- Create an auto-labeling policy for Sensitivity2.
You plan to create a file policy named Policy1 in Microsoft Cloud App Security.
Which sensitivity labels can you apply to Microsoft SharePoint Online in Policy1?
- A. Sensitivity1 only
- B. Sensitivity1, Sensitivity2, and Sensitivity3
- C. Sensitivity2 only
- D. Sensitivity1 and Sensitivity2 only
Correct Answer:
A
Explanation:
Based on the question and discussion, I agree with the suggested answer A.
Reasoning: Microsoft Cloud App Security (MCAS) policies can only utilize sensitivity labels that have been published through a sensitivity label policy in the Microsoft 365 compliance center. Sensitivity labels created for auto-labeling policies, but not explicitly published, are not available for selection within MCAS file policies. In this scenario, Sensitivity1 is the only label that has been published; therefore, it is the only one available in MCAS.
Why other options are incorrect:
- Option B is incorrect because Sensitivity2 and Sensitivity3 are not published. Sensitivity2 is part of an auto-labeling policy, but it has not been published for general use. Sensitivity3 was not published either.
- Option C is incorrect because Sensitivity2 is not published and is therefore unavailable in MCAS.
- Option D is incorrect because Sensitivity2 is not published and, therefore, unavailable in MCAS. Only published labels can be used in MCAS file policies.
- Citation 1: Apply Microsoft Information Protection sensitivity labels, https://learn.microsoft.com/en-us/defender-cloud-apps/governance-actions#apply-microsoft-information-protection-sensitivity-labels
Question 2
You have a Microsoft OneDrive for Business folder that contains the files shown in the following table.

In Microsoft Cloud App Security, you create a file policy to automatically apply a classification.
What is the effect of applying the policy?
- A. The policy will apply to only the .docx and .txt files. The policy will classify the files within 24 hours.
- B. The policy will apply to all the files. The policy will classify only 100 files daily.
- C. The policy will apply to only the .docx files. The policy will classify only 100 files daily.
- D. The policy will apply to only the .docx and .txt files. The policy will classify the files immediately.
Correct Answer:
C
Explanation:
Based on the information provided and the discussion summary, I agree with the suggested answer C. Here's a detailed breakdown:
The suggested answer is C, which states: "The policy will apply to only the .docx files. The policy will classify only 100 files daily."
Reasoning:
The primary reason for choosing option C is based on the supported file types for Microsoft Cloud App Security's automatic classification feature. According to the Microsoft documentation and the discussion summary, the supported file types are typically limited to Microsoft Office formats (Word, Excel, PowerPoint) and PDF files. In the provided table, only the ".docx" files are a supported file type.
Furthermore, there is also a limitation on the number of files that can be automatically classified daily. Although the exact number may vary depending on the specific configuration and subscription, the statement "The policy will classify only 100 files daily" is a plausible limitation.
Reasons for not choosing other answers:
- A: This option suggests that both ".docx" and ".txt" files will be classified. However, ".txt" files generally do not support embedded metadata for storing classification labels, thus making this option incorrect.
- B: This option suggests that all files will be classified, which is inaccurate because, as mentioned above, only specific file types (like ".docx") are compatible with the classification feature.
- D: This option suggests that the classification will happen immediately. While policies are generally applied quickly, classifying files involves processing, and immediate classification is not guaranteed. The option also ignores the limit on the number of files. In addition, ".txt" files do not support classification.
- Cloud App Security Data Classification, https://learn.microsoft.com/en-us/defender-cloud-apps/ediscovery-data-classification
Question 3
Correct Answer:
See interactive view.
Explanation:
Based on the information provided and the discussion summary, the suggested answer is not entirely correct.
I suggest a different answer based on the attachment types and size restrictions of Microsoft Office 365 Message Encryption (OME).
Here's a breakdown of the correct selections and the reasoning behind them:
User1:
- Mail 1: Incorrect. The attachment is a .doc file, which is not supported by OME.
- Mail 2: Incorrect. The attachment is a .jpg file, which is not supported by OME.
- Mail 3: Correct. The attachment is a .docx file, which is supported by OME, and the total size is less than 25MB.
User2:
- Mail 4: Incorrect. Sending internally, OME doesn't protect the attachments.
- Mail 5: Incorrect. The attachment is a .jpg file, which is not supported by OME.
- Mail 6: Correct. The attachment is a .docx file, which is supported by OME and the size is less than 25MB.
Reasoning:
- OME has limitations on attachment types and sizes. According to Microsoft documentation, the maximum message size, including attachments, is 25 MB. Also, certain file types like .doc and .jpg are not supported by OME.
- Internal emails are not protected, as OME is designed to protect email communication with external recipients.
- .docx file types are supported by OME.
Therefore, the attachments will be protected only for User1 Mail 3 and User2 Mail 6.
In summary: User 1: Mail 3 only. User 2: Mail 6 only.
The suggested answer is partially incorrect because it selects Mail 4 from User 2 and doesn't consider the file type and internal recipient limitations.
Citations:
- Microsoft Purview Message Encryption, https://learn.microsoft.com/en-us/microsoft-365/compliance/message-encryption?view=o365-worldwide
Question 4
HOTSPOT -
You use project codes that have a format of three alphabetical characters that represent the project type, followed by three digits, for example Abc123.
You need to create a new sensitive info type for the project codes.
How should you configure the regular expression to detect the content? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:
See interactive view.
Explanation:
I agree with the suggested answer.
The correct regular expression to detect the project codes is [a-zA-Z]{3}\d{3}.
Reasoning:
The project code format is three alphabetical characters followed by three digits.
[a-zA-Z]{3} matches exactly three alphabetical characters (upper or lowercase).
\d{3} matches exactly three digits.
This regular expression accurately reflects the specified format.
Why other options are incorrect: Other regular expressions might not accurately capture the specified format of three letters followed by three digits, or might allow for variations that are not part of the defined project code structure. The suggested answer precisely matches the requirements.
Citations:
- Build and Use Custom Sensitive Information Types in Office 365, https://joannecklein.com/2018/08/07/build-and-use-custom-sensitive-information-types-in-office-365/
Question 5
HOTSPOT -
You have a Microsoft SharePoint Online site named Site1 and a sensitivity label named Sensitivity1. Sensitivity1 adds a watermark and a header to content.
You create a policy to automatically apply Sensitivity1 to emails in Microsoft Exchange Online and Site1.
How will Sensitivity1 mark matching emails and Site1 documents? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:
See interactive view.
Explanation:
I agree with the suggested answer.
Reasoning: Sensitivity labels with watermarks can be applied to documents in SharePoint Online (Site1). Sensitivity labels with headers can be applied to both emails in Exchange Online and documents in SharePoint Online. However, watermarks cannot be directly applied to emails.
The image provided in the suggested answer accurately reflects this behavior. The left side shows that emails will only have headers, while the right side shows that documents will have both headers and watermarks. This aligns with Microsoft's documentation and the consensus from online discussions.
Why other options are incorrect: Any answer choice that suggests watermarks can be applied to emails is incorrect. The technology doesn't support applying watermarks to emails directly via sensitivity labels.
- Sensitivity labels are used to classify and protect organizational data.
- Sensitivity labels can apply watermarks, headers, and footers.
- Watermarks apply to documents only. Headers/Footers apply to documents and emails.
Therefore, the image provided correctly illustrates the outcome of applying Sensitivity1 via policy.
Citations:
- Sensitivity labels to protect your data in Microsoft 365, https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide
Question 6
HOTSPOT -
You need to implement an information compliance policy to meet the following requirements:
- Documents that contain passport numbers from the United States, Germany, Australia, and Japan must be identified automatically.
- When a user attempts to send an email or an attachment that contains a passport number, the user must receive a tooltip in Microsoft Outlook.
- Users must be blocked from using Microsoft SharePoint Online or OneDrive for Business to share a document that contains a passport number.
What is the minimum number of sensitivity labels and auto-labeling policies you should create? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:
See interactive view.
Explanation:
I agree with the suggested answer of 1 sensitivity label and 1 auto-labeling policy.
Reasoning: The question specifies a need to identify documents containing passport numbers from multiple countries (US, Germany, Australia, Japan) and apply a set of actions: display a tooltip in Outlook when a user attempts to send such a document and block sharing of such documents in SharePoint Online and OneDrive for Business. A single sensitivity label can be configured to define these actions. Then, a single auto-labeling policy can be configured to identify content containing passport numbers from all four countries and apply the defined sensitivity label. This approach meets all requirements with the minimum number of labels and policies.
Why other answers are incorrect: Creating multiple sensitivity labels would be redundant, as the same actions need to be applied regardless of the country of origin of the passport number. Using more than one auto-labeling policy is also unnecessary, as a single policy can include multiple sensitive information types in its conditions. This contradicts the requirement to use the minimum number of sensitivity labels and auto-labeling policies.
- Citation 1: Get started with sensitivity labels, https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide
Question 7
Correct Answer:
See interactive view.
Explanation:
I agree with the suggested answer. Here's a detailed breakdown of the reasoning:
The suggested answer is No / No / Yes.
- Statement 1: Applying the Confidential\Internal sensitivity label to a file that has the Confidential\External sensitivity label automatically removes the encryption from the file.
Answer: No. Sublabels do not inherit encryption settings or other configurations from their parent labels automatically. Applying a different sublabel, even under the same parent label, does not inherently remove existing encryption. You have to remove the label Confidential\External manually and then the new label Confidential\Internal can be applied.
Reasoning: Sensitivity labels and sublabels are treated as distinct entities. While they might share a hierarchical relationship, settings are not automatically inherited or removed when switching between them. This behavior ensures granular control over information protection.
- Statement 2: Applying the Confidential\Internal sensitivity label to a file that has the Confidential\External sensitivity label requires users to provide justification for the change.
Answer: No. The configuration for sensitivity labels determines whether justification is required. In general, moving from a more restrictive label (like Confidential\External, which encrypts) to a less restrictive one (like Confidential\Internal, assuming it doesn't encrypt) might trigger a justification prompt if that is configured. However, without specific configuration details showing that justification is required for changes between these specific sublabels, the default behavior is that justification is not automatically mandated simply by switching labels.
Reasoning: Justification requirements depend on the specific configuration of the sensitivity labels within the Microsoft 365 tenant. Without seeing the tenant's configuration, we can't assume it is required.
- Statement 3: Removing the Confidential\External sensitivity label from a file automatically removes the encryption from the file.
Answer: Yes. Removing a sensitivity label does NOT automatically remove encryption.
Reasoning: The encryption applied by sensitivity labels persists even after the label is removed, and removing a label does NOT remove encryption. To remove the encryption, you must explicitly remove the encryption settings, or replace the label with one that removes encryption.
Reference:
- "Sensitivity labels are used to classify and protect your organization's data." - Microsoft Documentation
- "When a sensitivity label is applied to a file or email, it's like adding a tag that says, 'Hey, this is sensitive information, so treat it accordingly.'" - Microsoft Blog
In summary, the correct answer is No / No / Yes, based on how sensitivity labels and their encryption settings work within Microsoft 365.
These explanations are based on general knowledge of sensitivity labels.
- Sensitivity labels overview, https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels
- Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites, https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-teams-groups-sites
Question 8
You are implementing a data classification solution.
The research department at your company requires that documents containing programming code be labeled as Confidential. The department provides samples of the code from its document library. The solution must minimize administrative effort.
What should you do?
- A. Create a custom classifier.
- B. Create a sensitive info type that uses Exact Data Match (EDM).
- C. Use the source code classifier.
- D. Create a sensitive info type that uses a regular expression.
Correct Answer:
C
Explanation:
Based on the question's requirements and the discussion summary, I agree with the suggested answer (C), which is to use the source code classifier.
Reasoning:
- The question emphasizes minimizing administrative effort.
- The source code classifier is a pre-built classifier, requiring minimal setup and maintenance.
- The pre-built classifier already supports 25 programming languages, saving time and effort.
- The source code classifier is trained to specifically identify sections with large chunks of source code.
Reasons for not choosing the other options:
- A. Create a custom classifier: This option requires significantly more administrative effort to create, train, and maintain.
- B. Create a sensitive info type that uses Exact Data Match (EDM): EDM is suitable for structured data and would require substantial effort to prepare the code samples for matching. Also, code changes frequently, which would lead to maintenance issues.
- D. Create a sensitive info type that uses a regular expression: While regular expressions can be useful, they are less effective for detecting varied and complex code structures compared to a trained classifier and require more effort to craft and maintain.
Citations:
- Learn about trainable classifiers, https://learn.microsoft.com/en-us/microsoft-365/compliance/classifier-learn-about?view=o365-worldwide
Question 9
You have a new Microsoft 365 tenant.
You need to ensure that custom trainable classifiers can be created in the tenant.
To which role should you be assigned to perform the configuration?
- A. Security administrator
- B. Security operator
- C. Global administrator
- D. Compliance administrator
Correct Answer:
D
Explanation:
The suggested answer is D: Compliance administrator.
Reasoning: The creation and management of custom trainable classifiers fall under the purview of compliance management within Microsoft 365. The Compliance administrator role is specifically designed to handle tasks related to compliance features, which includes the creation, training, and management of trainable classifiers used for identifying and classifying sensitive information. While Global Admin can also perform this task, assigning the Compliance Administrator role adheres to the principle of least privilege.
Reasons for not choosing other options:
- A: Security administrator - While security administrators have broad permissions related to security features, their focus is typically on security policies, threat management, and data loss prevention (DLP) policies. Trainable classifiers are more directly related to compliance tasks.
- B: Security operator - Security operators typically handle day-to-day security monitoring and incident response. They do not typically have the permissions necessary to create and manage trainable classifiers.
- C: Global administrator - While a Global administrator has ultimate control over the Microsoft 365 tenant, assigning this role for managing trainable classifiers is an over-provisioning of permissions. It's best to assign the least privileged role that can perform the required task. Global admin is required to opt in, but the Compliance Administrator role is the most relevant to this specific task after opt-in.
Citations:
- Microsoft Purview compliance roles, https://learn.microsoft.com/en-us/purview/microsoft-365-compliance-center-permissions
- Permissions, https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions?view=o365-worldwide
Question 10
You need to automatically apply a sensitivity label to documents that contain information about your company's network including computer names, IP addresses, and configuration information.
Which two objects should you use? Each correct answer presents part of the solution. (Choose two.)
NOTE: Each correct selection is worth one point.
- A. an Information protection auto-labeling policy
- B. a custom trainable classifier
- C. a sensitive info type that uses a regular expression
- D. a data loss prevention (DLP) policy
- E. a sensitive info type that uses keywords
- F. a sensitivity label that has auto-labeling
Correct Answer:
CF
Explanation:
Based on the question and discussion, I disagree with the suggested answer CF and agree with the discussion summary recommending AF.
Here's why:
- Why AF is correct:
  - An Information protection auto-labeling policy (A) is essential for defining the conditions that will trigger the automatic application of a sensitivity label. It acts as the rule that governs when and where the sensitivity label should be applied.
  - A sensitivity label with auto-labeling (F) is necessary because the sensitivity label itself must be configured to support automatic application. This involves defining the label's properties and enabling the auto-labeling feature within the label settings.
- Why the other options are not ideal:
  - C: a sensitive info type that uses a regular expression - While sensitive info types and regular expressions are crucial for identifying specific data patterns (like IP addresses), they don't, on their own, trigger the automatic application of a label. They need to be integrated within a policy.
  - B: a custom trainable classifier - Custom trainable classifiers are useful for identifying more complex or nuanced content. However, for straightforward identification of network information (computer names, IP addresses), regular expressions within sensitive info types are generally sufficient. More importantly, a trainable classifier doesn't directly apply labels; it needs to be part of a larger auto-labeling or DLP configuration.
  - D: a data loss prevention (DLP) policy - DLP policies are designed to prevent data exfiltration and can leverage sensitivity labels. However, the question specifically asks about *automatically applying* labels, and a DLP policy is primarily focused on *preventing data loss* which is not the focus of the question.
  - E: a sensitive info type that uses keywords - Similar to regular expressions, keywords are useful for identifying specific data but do not, on their own, trigger automatic label application. They need to be part of a policy.
In summary, an auto-labeling policy defines *how* and *when* labels are applied, and the sensitivity label with auto-labeling defines *what* label will be automatically applied once the policy is met.
Citations:
- Sensitivity labels: Use sensitivity labels to protect data in Microsoft Teams, Microsoft 365 groups, and SharePoint sites, https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels
- Automatically apply a sensitivity label to content, https://learn.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically