SC-400 Microsoft Information Protection Administrator Questions and Answers

To block users from sending emails containing information subject to the Payment Card Industry Data Security Standard (PCI DSS), you can create a Data Loss Prevention (DLP) policy in Microsoft Exchange Online. Here’s how:

Create a Custom DLP Policy:

Log in to the Microsoft Exchange Online admin center.

Navigate to Data loss prevention > Policy.

Create a new custom policy specifically for PCI DSS compliance.

Define Conditions:

In the policy settings, define conditions that identify sensitive data related to PCI DSS. For example:

Keywords: Include terms like “credit card,” “debit card,” or specific card number formats.

Regular Expressions (Regex): Craft expressions to match credit card patterns (e.g., \b\d{4}-\d{4}-\d{4}-\d{4}\b for Visa/Mastercard).

Sensitive Information Types: Use built-in or custom sensitive information types related to payment cards.

Choose Actions:

Specify the actions to take when sensitive data is detected in emails:

Block: Prevent the email from being sent.

Notify Sender: Inform the sender that sensitive data is not allowed via email.

Add Disclaimer/Watermark: Optionally add a disclaimer or watermark to the email.

Apply the Policy to Emails Only:

Ensure that the policy is configured to apply only to emails (not other communication channels).

Exclude internal communication if necessary.

Test and Monitor:

Enable the policy in test mode initially to validate its effectiveness.

Monitor logs and adjust the policy as needed.

To allow the U.S. Sales group to store files containing information subject to the General Data Protection Regulation (GDPR) in their OneDrive accounts while keeping other GDPR restrictions intact, follow these steps:

Create a Security Group:

Log in to the Microsoft 365 admin center.

Navigate to Groups and create a new security group called “U.S. Sales”.

Configure OneDrive Sharing Settings:

Go to the Settings > Org settings page.

On the Services tab, select Microsoft 365 on the web.

Choose whether to let users open files stored in third-party storage services in Microsoft 365 on the web. Ensure this setting aligns with your organization’s GDPR requirements1.

Set Specific Sharing Permissions:

Set the default OneDrive share type to “Specific People” under the Sharing menu in the OneDrive admin area.

Right-click the folder in OneDrive online, click Share.

Click the more button (three dots) in the Send Link header.

Click Manage Access.

Click Grant Access, then add the “U.S. Sales” security group. This access will apply only to that group2.

By following these steps, the U.S. Sales group will be able to store GDPR-related files in their OneDrive accounts while maintaining compliance with other GDPR restrictions

To create a label that adds a watermark of “Project Falcon” in red, size-12 font diagonally across the documents, follow these steps:

Create a Sensitivity Label:

Log in to the Microsoft Purview portal or the Microsoft Purview compliance portal as an admin.

Navigate to Sensitivity labels and create a new label called “Project Falcon”.

Specify the appropriate settings for this label, including encryption, content markings, and permissions.

Configure Content Markings (Watermark):

When creating the label, configure the content markings section.

Choose “Watermark” and set the text to “Project Falcon”.

Select the color as red and font size as 12.

Set the watermark position to diagonal across the document.

Assign the Label:

Assign the “Project Falcon” label to the relevant documents within the Falcon project.

Users who apply this label will automatically add the specified watermark to their documents.

Create a Custom Content Type:

Go to your SharePoint Online site.

Click on Settings (gear icon) and select Site settings.

Under Web Designer Galleries, choose Site content types.

Create a new content type (e.g., “Product1 Classification”) based on the Document parent content type.

Add a custom column (e.g., “Classification”) to this content type.

Apply the Content Type to Document Libraries:

Navigate to the document library where the files are stored.

Click on Library settings.

Under General Settings, select Advanced settings.

Choose Yes for “Allow management of content types.”

Add your custom content type (“Product1 Classification”) to the library.

Manually Classify Files:

Upload or edit a file in the library.

In the file properties, select the Classification field and set it to “Product1.”

Permissions and Encryption:

Ensure that all authenticated users have at least View permissions on the library.

For encryption, SharePoint Online automatically encrypts files at rest using BitLocker disk-level encryption.

Files classified as “Product1” will be encrypted and accessible only to authorized users.

To restrict the Confidential - Finance label to only the members of the Finance Team group, follow these steps:

Create a Sensitivity Label:

Log in to the Microsoft Purview portal or the Microsoft Purview compliance portal as an admin.

Navigate to Sensitivity labels and create a new label called “Confidential - Finance”.

Specify the appropriate settings for this label, including encryption, content markings, and permissions1.

Configure Encryption Settings:

When creating the label, ensure that you configure the encryption settings.

Choose either to assign permissions now (where you determine exactly which users get which permissions) or allow users to assign permissions when they apply the label to content2.

Assign the Label to the Finance Team Group:

In the Microsoft Purview portal, go to the Groups section.

Select the Finance Team group.

Under Settings, choose Sensitivity labels.

Add the “Confidential - Finance” label to this group.

Only members of the Finance Team will now have access to this label3.

Test the Configuration:

Verify that only members of the Finance Team can apply the “Confidential - Finance” label to documents, emails, or other content.

To retain all Microsoft Exchange items in Alex Wilber’s mailbox that contain the word “Falcon” and were created in the year 2021, follow these steps:

Create a Retention Policy:

Sign in to the Microsoft 365 compliance center.

Navigate to Policies and click on Retention.

Create a new retention policy (e.g., “Falcon Retention 2021”).

Specify the retention period (e.g., 2 years from the creation date).

Set the condition to include items containing the word “Falcon.”

Apply the Retention Policy to Alex Wilber’s Mailbox:

Assign the retention policy to Alex Wilber’s mailbox.

Ensure that the policy targets items created in the year 2021.

Validate the Policy:

Test the policy thoroughly to ensure it correctly retains the specified items.

Monitor the mailbox to verify that the retention actions are enforced.

To retain all Microsoft Exchange items in Alex Wilber’s mailbox that contain the word “Falcon” and were created in the year 2021, follow these steps:

Create a Retention Policy:

Sign in to the Microsoft 365 compliance center.

Navigate to Policies and click on Retention.

Create a new retention policy (e.g., “Falcon Retention 2021”).

Specify the retention period (e.g., 2 years from the creation date).

Set the condition to include items containing the word “Falcon.”

Apply the Retention Policy to Alex Wilber’s Mailbox:

Assign the retention policy to Alex Wilber’s mailbox.

Ensure that the policy targets items created in the year 2021.

Validate the Policy:

Test the policy thoroughly to ensure it correctly retains the specified items.

Monitor the mailbox to verify that the retention actions are enforced.

To prevent the folder C:\app1\data from being monitored by Endpoint Data Loss Prevention (DLP), follow these steps:

Configure File Path Exclusions:

Open the Microsoft Purview compliance portal.

Navigate to Data loss prevention > Overview > Data loss prevention settings > Endpoint settings.

Look for the File path exclusions section.

Add an exclusion for the path C:\app1\data.

Files within this folder will not be audited or subject to DLP policy enforcement12.

Remember to validate this configuration and ensure that the folder is excluded from DLP monitoring

To set up a retention policy for Microsoft SharePoint files containing the word “Falcon,” follow these steps:

Create a Retention Label:

Retention labels allow you to specify retention periods for content. Go to your SharePoint site or library where you want to apply the policy.

Open the document library settings.

Under “Permissions and Management,” select “Apply label to items in this list or library.”

Choose the retention label that corresponds to the desired retention period (e.g., “Falcon Retention - 2 years”).

Configure the Retention Label:

Specify the retention period (in this case, 2 years).

Define the action to be taken after the retention period (e.g., move to recycle bin).

Apply the Retention Label:

Tag the relevant content (files containing the word “Falcon”) with the retention label.

The policy will automatically retain the files for two years from their creation date and then delete them.

Users must be able to manually select that email messages are sent encrypted. The encryption will use Office 365 Message Encryption (OME) v2. Any email containing an attachment that has the Fabrikam Confidential sensitivity label applied must be encrypted automatically by using OME.

Compliance Data Administrator, Compliance Administrator, and Security Administrator already have the

required permissions to create the labels.