Microsoft · SC-401
Plan and implement information security of sensitive data using Microsoft Purview and related services. Covers information protection, data loss prevention, retention, and managing risks and alerts.
Questions
939
Duration
100 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
Jan 2026
Use this SC-401 practice exam to prepare for Administering Information Security in Microsoft 365 (SC-401) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 939 questions for Microsoft SC-401, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The SC-401 exam, Administering Information Security in Microsoft 365, validates a candidate's ability to plan and implement information security for sensitive data using Microsoft Purview and related Microsoft services. The exam covers a broad set of data security disciplines including information protection, data loss prevention (DLP), data lifecycle retention, and insider risk management—all within the Microsoft 365 ecosystem. It also addresses the increasingly critical domain of protecting data used by AI services, reflecting Microsoft's focus on securing AI-driven workloads through tools like Data Security Posture Management (DSPM) for AI.
Passing SC-401 earns the Microsoft Certified: Information Security Administrator Associate certification, which replaced the retired SC-400 (Information Protection and Compliance Administrator) certification as of May 31, 2025. The exam encompasses deep technical skills across Microsoft Purview's sensitivity labels, exact data match classifiers, trainable classifiers, endpoint DLP, adaptive scopes, insider risk policies, and audit capabilities—as well as integration points with Microsoft Defender for Cloud Apps, Microsoft Defender XDR, and Microsoft Entra. Candidates must demonstrate proficiency not only in configuring these tools but also in interpreting policy precedence, managing alerts and cases, and responding to security incidents.
This certification is designed for information security administrators and compliance professionals who work primarily within Microsoft 365 environments. Ideal candidates hold roles such as Information Security Administrator, Compliance Specialist, Security Analyst, Microsoft 365 Security Engineer, or Governance and Risk Consultant. These professionals are responsible for designing and enforcing data protection policies, responding to DLP and insider risk alerts, and collaborating with workload administrators, business application owners, and governance stakeholders to implement organization-wide security controls.
The certification is particularly well-suited for mid-career professionals who already have hands-on experience with Microsoft 365 services and are looking to formalize and advance their expertise in the data security and compliance space. It also serves as a stepping stone toward the expert-level Microsoft Certified: Cybersecurity Architect Expert credential.
Microsoft does not enforce formal prerequisites for SC-401, but strong familiarity with the Microsoft 365 platform is essential for success. Candidates should have working knowledge of Microsoft Purview services (including sensitivity labels, DLP policies, retention policies, and insider risk management), Microsoft Entra (formerly Azure AD), the Microsoft Defender portal, and Microsoft Defender for Cloud Apps. Comfort with PowerShell for administrative scripting is also expected, as some exam topics involve command-line management of Purview components.
In terms of experience, Microsoft recommends that candidates have practical, hands-on experience administering information security within a Microsoft 365 tenant. Familiarity with data governance concepts such as data classification, information barriers, records management, and regulatory compliance frameworks will provide important context. Candidates who previously held the SC-400 certification (now retired) will find much of the foundational content familiar, though SC-401 expands coverage into AI data security and updated Purview features.
SC-401 is a proctored exam administered through Pearson VUE and can be taken online or at a testing center. Candidates are given 100 minutes to complete the assessment. The exam contains approximately 65 questions, including a case study with approximately 4 questions and a set of yes/no (binary choice) questions. No performance-based lab (PBT) questions are included. Question types typically include multiple choice, multiple select, drag-and-drop scenario questions, and case study-based items.
The exam is scored on a scale of 1–1000, and a passing score of 700 is required. Scores are reported immediately upon completion. Candidates who fail may retake the exam after 24 hours; subsequent retakes have a variable waiting period per Microsoft's retake policy. The exam is available in English, Portuguese (Brazil), French, German, Japanese, Chinese (Simplified), and Spanish. Non-English speakers may request an additional 30 minutes if taking the exam in a non-native language.
Earning the Microsoft Certified: Information Security Administrator Associate through SC-401 positions professionals for high-demand roles at the intersection of cybersecurity, compliance, and data governance. Certified individuals typically qualify for titles such as Information Security Administrator, Compliance Specialist, Security Analyst, Microsoft 365 Security Engineer, and Governance and Risk Consultant. According to industry salary data for 2025, certified information security administrators in Microsoft environments can expect annual compensation ranging from approximately $90,000 to $120,000 depending on experience, geography, and organization size—with senior and consulting roles commanding higher figures.
The certification carries strong market recognition because it validates expertise in Microsoft Purview, one of the most widely deployed enterprise compliance platforms globally. It directly replaces the retired SC-400 certification, meaning organizations that previously required SC-400 are now looking for SC-401 holders. The credential also integrates well into broader Microsoft security career paths: it builds on the SC-900 foundations and aligns with the SC-100 (Cybersecurity Architect Expert) expert-level certification for those pursuing advanced roles. Microsoft certifications renew annually via a free online assessment on Microsoft Learn, keeping the credential current without requiring a full re-examination.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 939 questions.
Preview — answers shown1. Adatum Corporation is experiencing concerns about former employees who have recently resigned potentially stealing intellectual property before their departure. The organization wants to create a policy that specifically targets this risk scenario. Which policy template should you select to address this requirement?
Explanation
The data leaks by risky users leaving the organization template is specifically designed for scenarios where employees who have handed in their notice might exfiltrate intellectual property before departure. This template includes HR data connector integration to identify departing employees and monitors their data access and transfer activities. Email exfiltration focuses on email-specific scenarios. Critical asset protection is broader and not specifically tailored to departing employee risks. Health record misuse applies to healthcare scenarios. Risky AI usage addresses AI-specific risks. Security policy violations addresses general policy compliance.
2. Fabrikam's compliance officer wants to mark certain documents as regulatory records to prevent label removal and enforce strict retention periods. However, the officer is concerned about the additional restrictions that regulatory records impose. What should the compliance officer understand about regulatory records before implementation?
Explanation
Regulatory records have enhanced controls that prevent label removal and prevent shortening of retention periods, providing strict compliance enforcement. Microsoft recommends using regulatory records only when absolutely necessary due to these restrictions. Regulatory records can be deleted after the retention period expires through the disposition process, but the label cannot be removed before expiration. Microsoft approval is not required for applying regulatory record labels. Encryption and access restrictions are separate DLP and sensitivity label features, not inherent to regulatory records.
3. Litware has a Microsoft 365 E3 deployment and wants to implement message encryption with automatic application to emails sent to external recipients. They have a tight budget and need to deploy this within two weeks using their existing infrastructure. An architect recommends implementing Purview advanced message encryption with custom branding, expiration dates, and revocation capabilities. Which aspect of this recommendation creates a licensing constraint?
Explanation
Advanced message encryption features including custom branding templates, mail expiration capabilities, and message revocation require E5 licensing. Standard Purview message encryption is available with E3 licensing and allows users to manually encrypt emails or automatically encrypt via mail flow rules. However, the advanced capabilities that provide flexible controls over external recipient access and message lifecycle management are E5-exclusive features. Azure Rights Management activation and standard encryption do not require additional licensing beyond the base subscription. SMIME is a separate technology with its own certificate requirements. The basic encrypted message portal is available with standard encryption.
4. Solution: An organization uses Customer Key for Exchange Online and implements a process where the availability key is automatically destroyed after 12 months without customer interaction. The organization plans to use the availability key for data recovery if their root keys are lost. Does this solution meet the goal of maintaining recovery capability while using Customer Key? A. Yes B. No
Explanation
No, this solution does not meet the goal because the availability key should only be destroyed when the customer explicitly requests it as part of the data purge process when exiting the service. Automatically destroying the availability key after 12 months without customer action eliminates the recovery capability that the availability key is designed to provide. If the organization loses access to their root keys and needs to initiate recovery within that 12-month window, the availability key would no longer be available, making data recovery impossible. The availability key is specifically provisioned to provide recovery from unanticipated loss of customer-managed root keys, and destroying it on an automatic schedule defeats this purpose.
5. Contoso's security team needs to validate that their DLP policies are effectively protecting sensitive data across Microsoft 365. They want to understand which DLP rules are triggering most frequently, which types of sensitive information are being detected, and whether policy actions are appropriate (blocking, warning, or allowing). Which Microsoft Purview tools should the security team use to gain these insights? (Choose two)
Multiple correct answersExplanation
DLP alerts provide detailed information about specific policy violations, including which rule triggered, what sensitive information was detected, and what action was taken, enabling security teams to review individual incidents. Activity Explorer provides aggregated views of DLP policy matches across time periods, allowing trend analysis and identification of which policies and sensitive information types generate the most activity. Together, these tools provide both detailed incident review (alerts) and high-level trend analysis (Activity Explorer) needed to validate policy effectiveness. Azure Monitor tracks infrastructure metrics but not Microsoft 365 DLP events. The Audit log captures individual events but lacks the aggregation and filtering capabilities of Activity Explorer. Microsoft Sentinel and Insider Risk Management are designed for different security purposes and don't provide DLP-specific policy effectiveness metrics.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam