Microsoft · SC-401
Plan and implement information security of sensitive data using Microsoft Purview and related services. Covers information protection, data loss prevention, retention, and managing risks and alerts.
Questions
939
Duration
100 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
Jan 2026
Use this SC-401 practice exam to prepare for Administering Information Security in Microsoft 365 (SC-401) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 939 questions for Microsoft SC-401, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The SC-401 exam, Administering Information Security in Microsoft 365, validates a candidate's ability to plan and implement information security for sensitive data using Microsoft Purview and related Microsoft services. The exam covers a broad set of data security disciplines including information protection, data loss prevention (DLP), data lifecycle retention, and insider risk management—all within the Microsoft 365 ecosystem. It also addresses the increasingly critical domain of protecting data used by AI services, reflecting Microsoft's focus on securing AI-driven workloads through tools like Data Security Posture Management (DSPM) for AI.
Passing SC-401 earns the Microsoft Certified: Information Security Administrator Associate certification, which replaced the retired SC-400 (Information Protection and Compliance Administrator) certification as of May 31, 2025. The exam encompasses deep technical skills across Microsoft Purview's sensitivity labels, exact data match classifiers, trainable classifiers, endpoint DLP, adaptive scopes, insider risk policies, and audit capabilities—as well as integration points with Microsoft Defender for Cloud Apps, Microsoft Defender XDR, and Microsoft Entra. Candidates must demonstrate proficiency not only in configuring these tools but also in interpreting policy precedence, managing alerts and cases, and responding to security incidents.
This certification is designed for information security administrators and compliance professionals who work primarily within Microsoft 365 environments. Ideal candidates hold roles such as Information Security Administrator, Compliance Specialist, Security Analyst, Microsoft 365 Security Engineer, or Governance and Risk Consultant. These professionals are responsible for designing and enforcing data protection policies, responding to DLP and insider risk alerts, and collaborating with workload administrators, business application owners, and governance stakeholders to implement organization-wide security controls.
The certification is particularly well-suited for mid-career professionals who already have hands-on experience with Microsoft 365 services and are looking to formalize and advance their expertise in the data security and compliance space. It also serves as a stepping stone toward the expert-level Microsoft Certified: Cybersecurity Architect Expert credential.
Microsoft does not enforce formal prerequisites for SC-401, but strong familiarity with the Microsoft 365 platform is essential for success. Candidates should have working knowledge of Microsoft Purview services (including sensitivity labels, DLP policies, retention policies, and insider risk management), Microsoft Entra (formerly Azure AD), the Microsoft Defender portal, and Microsoft Defender for Cloud Apps. Comfort with PowerShell for administrative scripting is also expected, as some exam topics involve command-line management of Purview components.
In terms of experience, Microsoft recommends that candidates have practical, hands-on experience administering information security within a Microsoft 365 tenant. Familiarity with data governance concepts such as data classification, information barriers, records management, and regulatory compliance frameworks will provide important context. Candidates who previously held the SC-400 certification (now retired) will find much of the foundational content familiar, though SC-401 expands coverage into AI data security and updated Purview features.
SC-401 is a proctored exam administered through Pearson VUE and can be taken online or at a testing center. Candidates are given 100 minutes to complete the assessment. The exam contains approximately 65 questions, including a case study with approximately 4 questions and a set of yes/no (binary choice) questions. No performance-based lab (PBT) questions are included. Question types typically include multiple choice, multiple select, drag-and-drop scenario questions, and case study-based items.
The exam is scored on a scale of 1–1000, and a passing score of 700 is required. Scores are reported immediately upon completion. Candidates who fail may retake the exam after 24 hours; subsequent retakes have a variable waiting period per Microsoft's retake policy. The exam is available in English, Portuguese (Brazil), French, German, Japanese, Chinese (Simplified), and Spanish. Non-English speakers may request an additional 30 minutes if taking the exam in a non-native language.
Earning the Microsoft Certified: Information Security Administrator Associate through SC-401 positions professionals for high-demand roles at the intersection of cybersecurity, compliance, and data governance. Certified individuals typically qualify for titles such as Information Security Administrator, Compliance Specialist, Security Analyst, Microsoft 365 Security Engineer, and Governance and Risk Consultant. According to industry salary data for 2025, certified information security administrators in Microsoft environments can expect annual compensation ranging from approximately $90,000 to $120,000 depending on experience, geography, and organization size—with senior and consulting roles commanding higher figures.
The certification carries strong market recognition because it validates expertise in Microsoft Purview, one of the most widely deployed enterprise compliance platforms globally. It directly replaces the retired SC-400 certification, meaning organizations that previously required SC-400 are now looking for SC-401 holders. The credential also integrates well into broader Microsoft security career paths: it builds on the SC-900 foundations and aligns with the SC-100 (Cybersecurity Architect Expert) expert-level certification for those pursuing advanced roles. Microsoft certifications renew annually via a free online assessment on Microsoft Learn, keeping the credential current without requiring a full re-examination.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 939 questions.
Preview — answers shown1. Contoso implemented endpoint DLP policies that monitor file activities across Windows 10 and macOS devices. The IT team configured rules to audit and block copying labeled files to USB drives and network shares. Users report that when they attempt to copy Project Bluebook files to a USB drive, they see a notification but can override it. The policy is set to block with override. What should the IT team review to understand which users overrode the policy and when?
Explanation
Activity Explorer is specifically designed to monitor what users do with sensitive information across Office apps and endpoint activities, including USB drive operations and policy override actions. It provides detailed visibility into when users override policies, what files they attempted to copy, and which destinations they targeted. The Alerts section provides notifications but not the detailed activity history needed for investigation. Safe Attachments reports focus on malicious file detection during email transfer, not endpoint file copy activities. Retention label audit logs track record disposal timelines. Archive mailbox reports show email storage movements. Litigation hold reports confirm preservation status, not user override activities.
2. You are investigating a warning for an employee in the Research department who downloaded 15 files, archived them, and uploaded them to a personal cloud storage service within 2 hours. The All Risk Factors tab shows exfiltration activity, but the Activity Explorer tab shows that three of the files were excluded from scoring. Why would excluded files still appear in the risk sequence?
Explanation
Excluded file types may still appear in risk sequences when they contribute to a broader risky pattern. For example, a .png file normally excluded from scoring might be included in an exfiltration sequence if it was used during an obfuscation attempt. The excluded file receives a score of 0 but is displayed to show the complete behavioral context. This is not an audit trail requirement, not an error, and not a false positive—it's a feature that helps investigators understand the full scope of user behavior even when individual items don't trigger scoring. Understanding this distinction prevents investigators from incorrectly dismissing important behavioral patterns.
3. Contoso Corporation needs to detect when employees share sensitive financial documents to external recipients outside the organization. The company requires real-time alerts when these sharing actions occur, not retrospective analysis. The security team must respond immediately to prevent data loss. Which solution should you implement?
Explanation
Activity policies in Microsoft Defender Portal enable real-time alerting when users perform specific actions like external sharing of sensitive content, which directly addresses Contoso's need for immediate detection and response. Insider risk policies detect behavioral patterns over extended periods rather than triggering on specific sharing events, making them unsuitable for immediate alerting. File policies monitor file-level conditions but cannot generate alerts based on user activity patterns like external sharing. Data investigations are retrospective tools designed for analyzing past events, not proactive alerting, which defeats the purpose of preventing data loss in real-time.
4. Contoso has deployed an insider risk policy that uses cumulative exfiltration detection to identify patterns where employees gradually download increasing volumes of files over time. This detection method is designed to catch which type of threat that traditional single-event detection might miss?
Explanation
Cumulative exfiltration detection is specifically designed to identify patterns of gradual data exfiltration where employees deliberately keep individual downloads below thresholds to avoid triggering alerts. This detection method identifies the pattern of increasing activity over time rather than relying on single-event thresholds. Single large file downloads are detected by traditional threshold-based indicators. External file sharing is detected through different indicators focused on sharing activities. Website access monitoring is addressed through browser usage indicators. Cumulative detection addresses the sophisticated threat of incremental exfiltration that might evade single-event monitoring.
5. Tailspin Toys is testing a policy to detect data theft by departing employees. The HR department has provided a list of 50 employees with resignation dates in the next 90 days. What is the recommended approach for this test to ensure accurate policy validation?
Explanation
Testing with a small anonymized group in production allows real-world evaluation of policy effectiveness while protecting privacy and minimizing alert volume. This approach enables threshold refinement based on actual organizational behavior and ensures the policy detects genuine risks without overwhelming analysts. Implementing for all 50 immediately creates excessive alerts and wastes resources. Separate test environments lack real production activity patterns needed for validation. Testing 10 random employees doesn't focus on the actual risk group. Analytics-based selection pre-filters data and prevents comprehensive policy testing. Audit mode without alerts prevents detection validation and doesn't provide feedback on policy performance.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam