SC-401 has a reputation as "SC-400 with a fresh coat of paint." It isn't. Microsoft removed five entire topic areas, added DSPM for AI and Adaptive Protection, and restructured the remaining material into three equally weighted domains that test whether you can reason through overlapping Purview policies under time pressure. Candidates who show up with old SC-400 study materials and assume they'll coast are the ones posting about their 650 scores.
The short version
- 65 questions, 100 minutes, 700/1000 to pass. One case study (roughly 4 questions), about 6 yes/no binary-choice items you cannot skip or revisit, plus drag-and-drop, hotspot, and standard multiple choice. No live labs.
- Three domains, equally weighted at 30-35% each. Information protection, DLP plus retention, and insider risk plus alerts. You can't ignore any one of them.
- Hands-on lab time in an E5 trial tenant is the single highest-ROI preparation activity. Scenario questions test configuration judgment, not vocabulary recall.
- 40-80 hours for experienced M365 admins; 80-120+ hours if you're newer to Purview. The range depends almost entirely on how much time you've spent inside the Purview portal before studying.
- DSPM for AI is new, lightly documented, and tested. Candidates who treated it as a minor bullet point were caught off guard.
- Policy precedence is the recurring killer. Retention precedence, DLP rule precedence, label priority, audit log retention priority: each follows different logic, and the exam tests all of them.
- SC-400 holders are not grandfathered. Your old credential stays on your transcript, but you must sit SC-401 separately. The domains have genuinely changed.
What SC-401 is really about
SC-401 validates one specific skill: configuring Microsoft Purview to classify, protect, and monitor sensitive data across Microsoft 365 and AI services. The mental model isn't "know what each feature does." The mental model is "given a business requirement, pick the right Purview feature, configure it correctly, and understand what happens when multiple policies overlap."
That second part is where the exam separates people who read documentation from people who've built policies in a live tenant. A sensitivity label marks data. A DLP policy enforces rules about what users can do with labeled data. An Insider Risk Management policy monitors behavioral patterns and feeds risk levels into Adaptive Protection, which dynamically adjusts DLP enforcement. The exam tests this chain end to end. If you think of labels, DLP, and IRM as three independent features, you will miss integration questions that connect all three.
What changed from SC-400 to SC-401
SC-401 is not a minor revision. It's a scope realignment. Here's what moved:
Added in SC-401 (not in SC-400):
- DSPM for AI (Data Security Posture Management for AI services, including Copilot)
- Adaptive Protection for DLP (dynamic risk-based enforcement linked to Insider Risk Management)
- Just-in-time protection for Endpoint DLP
- OCR support for sensitive information types
- Forensic evidence settings in Insider Risk Management
- The Purview Information Protection client and scanner section
- Audit Premium license assignment
Removed from SC-401 (was in SC-400):
- Records Management (file plans, event-based retention, disposition review)
- Compliance Manager
- eDiscovery (Core and Premium)
- Communication Compliance
- Information Barriers
- Microsoft Priva
The three remaining domains were rebalanced to 30-35% each. SC-400 had five domains with uneven weights. The consolidation means each domain now carries real consequences: you can't afford to write off a third of the exam.
The most recent skills update was April 27, 2026. Per Microsoft's change log, the changes were minor, touching data classification, retention, and alert management subtopics. No domain restructuring. The exam is stable as of mid-2026.
Exam at a glance
| Item | Value |
|---|---|
| Cost | $165 USD (varies by country; confirmed at scheduling) |
| Duration | 100 minutes |
| Questions | ~65 (1 case study with ~4 questions, ~6 yes/no binary choice items) |
| Passing Score | 700/1000 |
| Format | Multiple choice, multiple response, drag-and-drop, hotspot, case study, yes/no binary choice |
| Validity | 1 year (renewable annually via free online assessment on Microsoft Learn) |
| Testing | Online proctored (OnVUE) or test center (Pearson VUE) |
| Retake Policy | 24 hours after first attempt; 14-day wait for subsequent attempts; max 5 attempts per 12-month period |
The 700/1000 scoring is scaled, not a straight percentage. Getting 70% of questions correct won't necessarily produce a 700. Multi-select hotspot and drag-and-drop items award partial credit per selection ("each correct selection is worth one point"), so getting most of a complex item right still earns you something.
Time pressure is real despite the math looking generous. One hundred minutes for 65 questions works out to roughly 90 seconds per question, but case study items and multi-table hotspot scenarios eat disproportionate time. A Microsoft MVP who passed the January 2026 version called it "very long and difficult." The beta version (February 2025, 72 questions) had even more items crammed into a 2.5-hour seat-time block.
The exam includes open-book access to Microsoft Learn during the test. Don't plan around it. Candidates who intended to look up answers during the exam ran out of time. Budget it for at most two or three targeted lookups on specific PowerShell syntax or configuration details.
Who should take this exam
SC-401 is built for people already working in or adjacent to the Microsoft 365 security and compliance space. If you're currently an M365 administrator, security operations analyst, data protection officer, or compliance analyst working with Microsoft Purview, this is the certification that validates your daily work.
If you've never opened the Purview portal and don't have a working understanding of sensitivity labels, DLP policies, or Entra ID, start with SC-900 (Security, Compliance, and Identity Fundamentals) to build the conceptual foundation. SC-401 assumes you already know the M365 ecosystem. It won't teach you what SharePoint is.
SC-400 holders should not assume they can walk into SC-401 cold. The DSPM for AI, Adaptive Protection, just-in-time protection, and forensic evidence content is genuinely new. Review the delta explicitly.
Domain breakdown
All three domains carry equal weight at 30-35% each. The exam treats them as interconnected rather than siloed, and integration questions spanning two or three domains are common.
Domain 1 — Implement Information Protection (33%)
This domain covers the full data classification spectrum and the complete sensitivity label lifecycle. It is the densest domain by topic count.
Data classification is the foundation. You need to know when to use each classification approach: built-in sensitive information types (SITs) for standard patterns like credit card numbers, custom SITs for organization-specific patterns, exact data match (EDM) for deterministic matching against a trusted data store, document fingerprinting for form-based and template-based detection, and trainable classifiers for ML-based classification of unstructured content like contracts or resumes. The exam tests your ability to pick the right tool for a specific scenario. Candidates consistently confuse EDM with trainable classifiers. EDM matches exact values from a database you provide. Trainable classifiers learn patterns from sample documents. Fingerprinting detects documents that look like a specific template. Each solves a different problem.
OCR support for sensitive information types is a newer addition. It appears in scenario questions asking how to detect sensitive data in scanned documents or images.
Sensitivity labels are where the exam gets surgical. You need to understand the full lifecycle: creating a label, configuring protection settings (encryption, content marking, watermarks), publishing the label via a label policy, and auto-applying labels via auto-labeling policies. The distinction between a published label policy (which makes the label available for users to manually apply) and an auto-labeling policy (which automatically applies the label based on content inspection) trips many candidates. These are two different policy types with different configuration workflows.
Label priority matters. When multiple labels could apply, the higher-priority label wins. Sublabels do not inherit settings from the parent label except color. Removing a label does not necessarily remove encryption; encryption is only stripped when you switch to a label explicitly configured to remove it. These are exactly the kinds of counterintuitive details the exam tests.
Container labels (applied to Teams, Microsoft 365 Groups, SharePoint sites, Power BI) control access settings at the container level rather than encrypting individual files. Know the difference.
The auto-labeling propagation delay is a testable operational detail: after turning on an auto-labeling policy, it takes roughly 24 hours to begin applying labels. Sequencing questions test whether you know this.
The Purview Information Protection client and scanner handle on-premises and local file classification. The scanner is tested lightly, but you should understand when it's the right tool (on-premises file shares and SharePoint Server libraries that need classification without migrating to the cloud).
Purview Message Encryption and Advanced Message Encryption cover email protection scenarios. Know the difference: standard Message Encryption handles basic encryption for external recipients, while Advanced Message Encryption adds capabilities like revoking access and setting expiration dates on encrypted emails.
Domain 2 — Implement Data Loss Prevention and Retention (33%)
This domain splits into two equally important halves: DLP and retention. Candidates frequently underestimate the retention half.
DLP policy design requires translating business requirements into specific policy configurations. You need to know which locations a DLP policy can target (Exchange, SharePoint, OneDrive, Teams, endpoints, Defender for Cloud Apps, on-premises repositories, Power BI), how to configure conditions and exceptions, and how rule precedence works when multiple rules match within a policy or across policies.
Adaptive Protection is a favorite scenario question topic. It connects Insider Risk Management risk levels to DLP enforcement in real time: a user flagged as elevated risk by IRM automatically gets stricter DLP rules applied to their actions. Understanding this integration is non-negotiable. You need to know how risk levels (elevated, moderate, minor) map to DLP policy conditions and what happens when a user's risk level changes.
Endpoint DLP is the most technically dense sub-topic in the entire exam. Know the device requirements cold: Windows 10/11, Microsoft 365 Apps installed, Entra-joined. macOS is supported with limitations. The Microsoft Purview browser extension is required for Chrome-based endpoint monitoring and for monitoring third-party generative AI site visits. Just-in-time protection is a newer capability that creates temporary DLP enforcement on devices that aren't fully onboarded. Advanced DLP rules for devices let you configure different actions based on whether content is being copied to USB, printed, uploaded to a cloud service, or accessed by an unallowed app.
Mail flow (transport) rules are being deprecated in favor of DLP policies for data protection scenarios. The exam tests this direction: if a question asks whether a mail flow rule that matches text patterns meets a data protection goal, the answer leans toward "No, use a DLP policy with a SIT plus Purview Message Encryption instead."
Defender for Cloud Apps file policies using DLP are in scope. Know the difference between a file policy (monitors and acts on files at rest) and an activity policy (monitors user actions in real time). "Alert when a file is shared externally" is a file policy. "Alert when someone shares a file" is an activity policy.
Retention is where the precedence logic gets complex. Retention labels apply to individual items. Retention policies apply to locations (entire mailboxes, sites, accounts). Auto-apply label policies use conditions to automatically stamp retention labels on matching content. Adaptive policy scopes let you target policies dynamically based on user or site attributes rather than static lists.
The principles of retention are testable: retention wins over deletion; the longest retention period wins; explicit (label) beats implicit (policy). But here's where candidates lose points: audit log retention policies follow different precedence rules. For audit retention, the policy with the lowest priority number wins, and when priorities are equal, the longest duration wins. These are distinct systems with distinct logic. Conflating them is a common failure pattern.
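The two resolution rules this paragraph contrasts, coded side by side as an added study example (not from this page and not Microsoft code; every policy record below is constructed) so the difference in logic is explicit:

```python
"""Added study example (not from the page, not Microsoft code): the two
precedence systems that the SC-401 retention objectives contrast, coded side
by side so the difference in logic is explicit. All policy records below are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RetentionSetting:
    """A retention label (explicit) or retention policy (implicit) that
    matches an item. action is 'retain', 'retain_then_delete' or 'delete';
    days is the retention period (or the deletion period for 'delete')."""
    name: str
    source: str   # "label" (explicit) or "policy" (implicit)
    action: str
    days: int


def resolve_retention(matches):
    """Principles of retention as the page states them, applied in order:
    1. retention wins over deletion,
    2. the longest retention period wins,
    3. explicit (label) beats implicit (policy), and only as a tie-break.
    A conflict made up solely of delete-only settings is outside these
    three principles, so it is rejected rather than guessed at."""
    retaining = [m for m in matches if m.action != "delete"]
    if not retaining:
        raise ValueError("only deletion settings matched; not modelled here")
    longest = max(m.days for m in retaining)
    tied = [m for m in retaining if m.days == longest]
    explicit = [m for m in tied if m.source == "label"]
    return (explicit or tied)[0]


@dataclass(frozen=True)
class AuditRetentionPolicy:
    """An audit log retention policy. Lower priority number = higher precedence."""
    name: str
    priority: int
    days: int


def resolve_audit_retention(matches):
    """Audit log retention precedence as the page states it: the lowest
    priority number wins; when priorities are equal, the longest duration
    wins. A lower-numbered policy therefore wins even when it is shorter."""
    return min(matches, key=lambda p: (p.priority, -p.days))


# Constructed scenario 1: an explicitly applied label loses to an org-wide
# policy because the policy's retention period is longer (principle 2 is
# evaluated before principle 3).
ITEM_MATCHES = [
    RetentionSetting("Contracts-7y", "label", "retain_then_delete", 7 * 365),
    RetentionSetting("OrgWide-10y", "policy", "retain", 10 * 365),
    RetentionSetting("Cleanup-1y", "policy", "delete", 365),
]

# Constructed scenario 2: the audit policy with the shortest duration wins
# because it carries the lowest priority number; of the two tied at
# priority 10, the longer duration would have won.
AUDIT_MATCHES = [
    AuditRetentionPolicy("Default-90d", priority=100, days=90),
    AuditRetentionPolicy("Security-1y", priority=10, days=365),
    AuditRetentionPolicy("Finance-10y", priority=10, days=10 * 365),
    AuditRetentionPolicy("Exec-30d", priority=1, days=30),
]


def retention_winner(matches=ITEM_MATCHES):
    return resolve_retention(matches).name


def audit_winner(matches=AUDIT_MATCHES):
    return resolve_audit_retention(matches).name


if __name__ == "__main__":
    print("retention winner:", retention_winner())   # OrgWide-10y
    print("audit winner:", audit_winner())            # Exec-30d
    # Without the priority-1 policy, the tie at priority 10 is broken by
    # duration, so Finance-10y wins.
    print("audit winner without Exec-30d:", audit_winner(AUDIT_MATCHES[:3]))
```

Swap the durations and sources around in the constructed records to drill the cases the exam likes: the same numbers produce different winners under the two systems.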
Policy lookup is a tool in the Purview portal that shows you which policy applies to a specific piece of content when multiple policies match. Practice using it in a trial tenant.
Domain 3 — Manage Risks, Alerts, and Activities (33%)
This domain covers Insider Risk Management, audit and investigation tools, multi-portal alert response, and DSPM for AI. It's the conceptually hardest domain.
Insider Risk Management (IRM) is a full lifecycle: configure roles and permissions, set up connectors (HR connector for employment events, healthcare connector, etc.), integrate with Microsoft Defender for Endpoint for device signal, configure policy indicators, select the right policy template, create and manage policies, handle forensic evidence, configure Adaptive Protection risk levels, and manage the alert-to-case-to-investigation workflow including notice templates.
The policy template selection is a judgment call the exam tests repeatedly. Each template targets a specific risk scenario: data theft by departing users, data leaks, security policy violations, patient data misuse (healthcare), risky browser usage. Given a business scenario ("an employee received a poor performance review and started downloading files"), you need to pick the correct template. Create a reference mapping each template to its use case, then configure each one in a lab at least once.
Forensic evidence is a newer IRM feature that enables capturing clips of user activity when policy violations are detected. Candidates who only studied core IRM policy creation miss questions about forensic evidence configuration, approval workflows, and storage settings.
The four investigation tools serve distinct purposes and the exam tests whether you can pick the right one:
- Content Explorer shows what is labeled where right now (current state of classified content)
- Activity Explorer shows what users did with labeled content over time (user actions on sensitive data)
- Purview Audit logs user and admin activities for compliance investigations (who did what and when)
- Content Search finds specific content across M365 workloads (locate particular documents or messages)
Multiple experience threads say the same thing: not knowing when to use Content Explorer versus Activity Explorer versus Purview Audit versus Content Search causes cascading wrong answers across several questions.
Alert response spans multiple portals. DLP alerts surface in the Purview portal. Insider risk alerts surface in the Purview portal's IRM section. Some alerts also appear in Microsoft Defender XDR. Defender for Cloud Apps file policy alerts have their own response workflow. Scenario questions ask you to identify where to investigate a specific alert type.
DSPM for AI is the newest sub-domain and it carries real weight. It covers protecting data accessed by Microsoft Copilot and other AI services. The prerequisites are specific: devices onboarded to Microsoft Purview, the Purview browser extension deployed, and sensitivity labels applied to content. You need to know how to configure DSPM for AI policies, monitor AI-related activities, and implement controls that prevent Copilot from surfacing sensitive content. A Copilot-generated summary inherits the highest-priority sensitivity label from its source files. Candidates who treated DSPM for AI as a minor bullet point found multiple questions on it.
Where candidates lose points
The failure reports are consistent on these patterns:
1. No hands-on experience. Candidates who only read documentation without configuring policies in an E5 trial tenant consistently fail scenario questions. The exam doesn't ask "what does a sensitivity label do?" It asks "given these three requirements, which combination of label settings, publishing policy, and auto-labeling policy satisfies all three?" That requires having built these configurations yourself.
2. Treating the three domains as independent silos. The exam tests the enforcement chain: sensitivity labels classify data, DLP policies enforce rules based on labels and content, IRM Adaptive Protection dynamically adjusts DLP enforcement based on user risk levels, and Activity Explorer captures what happened. Questions that span this chain are common. If you studied each domain in isolation, the integration questions will feel unfamiliar.
3. Underestimating Endpoint DLP and DSPM for AI. These are SC-401 additions that weren't in SC-400. Candidates who relied on SC-400 knowledge without explicitly reviewing the new material missed questions on device requirements, the browser extension, just-in-time protection, and Copilot label inheritance.
4. Poor time management. Dwelling on the case study or early difficult questions causes candidates to rush through later items. The yes/no binary-choice format is particularly unforgiving: you must answer definitively and you cannot return to change your answer.
5. Confusing precedence rules across different systems. Retention policies, DLP rules, sensitivity label priority, and audit log retention policies each follow their own precedence logic. Getting them mixed up produces wrong answers on some of the exam's most scenario-heavy questions.
The preparation path
Start with the official study guide. The SC-401 study guide on Microsoft Learn lists every skill measured with detailed sub-bullets, exact domain weights, and a changelog of recent updates. Print it. Use it as your checklist throughout preparation. Every topic in your study plan should map back to a bullet on this page.
Work through the official learning paths. Microsoft Learn's free self-paced paths cover all three domains: "Implement Microsoft Purview Information Protection," "Prevent Data Loss in Microsoft Purview," "Manage the Data Lifecycle," "Implement Microsoft Purview Insider Risk Management," and "Secure AI Interactions and Environments with Microsoft Purview." They're solid for building conceptual understanding, but they're easier than the real exam. Don't mistake finishing them for being ready.
Complete the official hands-on labs. The MicrosoftLearning/SC-401T00 GitHub repository contains all 13 lab exercises from the official instructor-led course. Everyone who passed this exam quickly had one thing in common: they completed all the labs. Create sensitivity labels end to end, build and test DLP policies, configure an IRM policy, generate alerts, and review them in every relevant portal. There is no substitute for this.
Take practice exams under timed conditions. CertCompanion's SC-401 practice questions are the primary tool for testing readiness. Aim for consistent scores of 80-90% before scheduling. Run at least three full timed sessions under real conditions: no notes, 100 minutes, no pauses.
Official exam tools worth using:
- Free practice assessment on Microsoft Learn: shorter and easier than the real exam, but essential for experiencing the question format (especially the yes/no binary-choice items)
- Exam Sandbox (aka.ms/examdemo): lets you experience the testing interface before exam day
- Microsoft Purview Ninja Training tracks: deeper technical content organized by product area, good for candidates who want depth beyond exam objectives
- Microsoft Virtual Training Days (Protect Sensitive Information in the AI Era with Microsoft Purview): free Microsoft-hosted sessions that may include discounted exam vouchers in some regions
Study the cross-domain enforcement chain explicitly. Map it out: sensitivity labels classify data → DLP policies enforce rules based on labels and content → IRM monitors behavior and assigns risk levels → Adaptive Protection dynamically adjusts DLP enforcement based on risk → Activity Explorer and Audit capture what happened. Build this chain in your lab environment and trace a sensitive document through the entire flow.
Study timeline by background
| Background | Estimated hours | Notes |
|---|---|---|
| Active Purview/M365 compliance admin | 20-40 hours | Focus on DSPM for AI, Adaptive Protection, just-in-time protection, and precedence drilling. Close gaps on new SC-401 additions. |
| M365 admin or security professional without deep Purview experience | 40-80 hours | Work through all learning paths plus labs. Spend extra time on Endpoint DLP device requirements and IRM policy templates. |
| New to Microsoft 365 security | 80-120+ hours | Consider SC-900 first. Significant hands-on lab time in a trial tenant is required. Budget 8 weeks at 10-15 hours per week. |
These ranges come from multiple preparation guides and community estimates. No large-scale candidate survey data exists for SC-401, so treat them as directional guidance rather than empirical averages.
On exam day
Registration: Use a personal Microsoft Account, not a work or school Entra ID account. Exam records tied to organizational accounts can become unrecoverable if your employer changes tenants. Register this way from the start.
Test center vs. online proctoring: Both are available through Pearson VUE. Test center delivery is the safer choice if you have an unreliable internet connection, a shared household, or a work laptop with enterprise security software. Enterprise security tools frequently block the OnVUE secure browser.
If taking online (OnVUE): Run the system compatibility test on the same machine and network you'll use on exam day. Run it again on exam day before check-in. Use a personal computer.
If testing at a center: Arrive 15 minutes early. Bring two forms of valid government-issued photo ID matching your Pearson VUE registration name exactly.
Time management: Flag complex scenario questions after a first pass and return after completing faster items. The case study is non-returnable: once you leave it, you cannot go back. Budget your time accordingly. Yes/no binary-choice questions are also non-returnable; answer each one deliberately before moving on.
The open-book Microsoft Learn feature appears as a split-screen panel. Use it only for targeted lookups on specific syntax or obscure configuration paths. You won't have time to read documentation from scratch during the exam.
Non-English speakers: If you're taking the exam in a non-native language, request the 30-minute time accommodation before scheduling. This must be arranged in advance.
Results: Scores display immediately upon completion. Test center candidates receive a printed score report at the front desk.
What the cert does for you, honestly
According to Programs.com (aggregating 2025 data from Glassdoor, Indeed, PayScale, and LinkedIn), information security administrator roles earn $73,000 to $128,000 USD annually, with a median around $97,000. Senior and specialized Purview administrator roles trend toward $100,000 to $120,000+. Aerospace and defense sector averages reach $112,619. Pay is roughly 27% higher at the experienced level compared to entry level.
The US market shows approximately 28,700 open security administrator positions as of 2025. Demand is increasing as organizations adopt Microsoft Copilot and need Purview-based controls for AI data access. Roles that list this certification or its skill set include Information Security Administrator, Microsoft 365 Security Administrator, Data Protection Officer, Compliance Analyst, Security Operations Analyst, and Data Governance Specialist. Regulated industries (financial services, healthcare, government, legal) value the specialization most.
Renewal is straightforward: a free online assessment on Microsoft Learn, available in a six-month window before your one-year expiration date. No exam fee, no proctor.
Logical next certifications:
- SC-200 (Security Operations Analyst): Adds Defender XDR, Microsoft Sentinel, and SOC operations. SC-200 plus SC-401 together cover the full Microsoft security stack.
- SC-300 (Identity and Access Administrator): Adds Entra ID, lifecycle workflows, and access governance depth that integrates with Purview and IRM.
- SC-100 (Cybersecurity Architect Expert): Expert-level capstone. SC-401 provides the information protection architecture pillar. Requires SC-200 or SC-300 as an associate-level prerequisite.
- CISSP (ISC2): Vendor-neutral complement for broader market credibility and senior leadership roles.
- CISM (ISACA): Strategic complement for SC-401 holders moving toward security management and governance leadership.
What not to study
Knowing what's out of scope saves real hours:
- Communications Compliance: Explicitly removed from SC-401. Was in SC-400, not here.
- Compliance Manager: Out of scope. Part of a separate compliance track.
- eDiscovery (Core and Premium): Not tested on SC-401 despite being heavily featured in SC-400.
- Information Barriers: Removed.
- Records Management (file plans, event-based retention, disposition review): No longer in scope.
- Deep PowerShell cmdlet memorization: The open-book Microsoft Learn feature makes exact syntax less critical. Know when to use `Connect-IPPSSession` (for compliance/fingerprinting tasks) versus `Connect-ExchangeOnline`, but don't memorize every parameter.
- Azure infrastructure security (NSGs, VMs, firewalls): SC-401 focuses exclusively on Purview and M365 data-layer security.
If you're using any material originally written for SC-400, check every topic against the SC-401 study guide before spending time on it.
Recent candidate threads
Real posts from people preparing for or recently sitting the SC-401. Read these for the unfiltered version of what the exam felt like:
- I Came SAW Failed Sc401 — r/AzureCertification · 15 comments
- 6 Months TO Earn Multiple Microsoft Certs FOR MSP — r/AzureCertification · 23 comments
- Passed Sc401 With Over 800 — r/AzureCertification · 15 comments
- Failed Sc401 KEY Lessons — r/AzureCertification · 14 comments
- Sc401 Fail Pretty Sure — r/AzureCertification · 12 comments
Threads pulled from the Reddit communities most active for Microsoft certifications.
Frequently asked questions
How hard is SC-401 compared to SC-400? SC-401 covers fewer topic areas but goes deeper into each one, and the newer content (DSPM for AI, Adaptive Protection, Endpoint DLP specifics) has less community documentation to study from. Beta candidates described it as "very long and difficult." Community consensus places it at moderate-to-high difficulty. No official pass rate is published by Microsoft, and limited community data suggests the difficulty catches candidates who relied on SC-400 preparation without studying the new additions.
How many hours should I study for SC-401? Most preparation guides suggest 40-80 hours for M365 professionals with some Purview familiarity, and 80-120+ hours for those newer to the ecosystem. Active Purview administrators may need only 20-40 hours focused on new SC-401 content. These are directional estimates from prep guide authors, not measured candidate averages.
Does SC-401 expire? Yes. The certification is valid for one year. You renew it by passing a free online assessment on Microsoft Learn within the six-month window before expiration. No exam fee, no proctoring.
Are there prerequisites for SC-401? No formal prerequisites. Microsoft recommends working familiarity with M365 services, PowerShell, Entra ID, the Defender portal, and Defender for Cloud Apps. If you lack that baseline, SC-900 provides a useful conceptual foundation.
What is the retake policy? Wait 24 hours after your first failed attempt. A 14-day waiting period applies between subsequent attempts. You cannot take the same exam more than five times within a 12-month period from your first attempt.
Is SC-401 worth it for career advancement? For professionals in or targeting the Microsoft 365 security ecosystem, yes. It validates a specific, in-demand skill set that maps directly to compliance and data protection roles. According to Programs.com (aggregating Glassdoor, Indeed, PayScale, and LinkedIn data), the median salary for security administrator roles is approximately $97,000 USD, with senior roles exceeding $120,000.
Can I use the open-book Microsoft Learn feature during the exam? Yes, but time pressure makes it impractical for routine lookups. Budget it for at most two or three specific queries on syntax or configuration details you genuinely can't recall. Candidates who planned to look up answers as a strategy ran out of time.
What score should I aim for on practice exams before scheduling? Some candidates report passing after reaching consistent scores of 80%+ on practice exams. One pass report mentioned succeeding after running through practice tests twice. The 700/1000 scaled passing score doesn't translate directly to a percentage of correct answers, so aim higher than you think you need.
SC-401 rewards candidates who've done the configuration work, not just the reading. The three domains are interconnected by design: labels feed DLP, risk scores adjust enforcement, and investigation tools tie the whole system together. If you've built policies in a trial tenant and drilled the precedence rules until they're automatic, you're ready. If you've only read about them, give yourself more time.
Start practicing with SC-401 questions on CertCompanion to find your weak domains before exam day.