SC-400 Exam Overview
Prepare for the Microsoft SC-400 certification exam
with our comprehensive study guide. This study material contains 315 practice questions
sourced from real exams and expert-verified for accuracy. Each question includes the correct answer
and a detailed explanation to help you understand the material thoroughly.
The SC-400 exam — Microsoft Information Protection Administrator — is offered by Microsoft.
Passing this exam earns you the Microsoft Certified: Information Protection and Compliance Administrator Associate credential,
an industry-recognized certification that validates your expertise.
Our study materials were last updated on 2026-02-27 to reflect the
most recent exam objectives and content.
About the Microsoft Certified: Information Protection and Compliance Administrator Associate
The Microsoft Certified: Information Protection and Compliance Administrator Associate is awarded by Microsoft
to professionals who demonstrate competence in the skills measured by the SC-400 exam.
According to the
official Microsoft certification page,
this certification validates your ability to work with the technologies covered in the exam objectives.
According to the
Global Knowledge IT Skills and Salary Report,
certified IT professionals earn 15-25% more than their non-certified peers.
Certifications from Microsoft are among the most recognized credentials in the IT industry,
with strong demand across enterprise organizations worldwide.
Free Sample — 15 Practice Questions
Preview 15 of 315 questions from the SC-400 exam.
Try before you buy — purchase the full study guide for all 315 questions with answers and explanations.
Question 223
Your company has a Microsoft 365 tenant that uses a domain named contoso.com.
You are implementing data loss prevention (DLP).
The company's default browser is Microsoft Edge.
During a recent audit, you discover that some users use Firefox and Google Chrome browsers to upload files labeled as Confidential to a third-party Microsoft
SharePoint Online site that has a URL of https://m365x076709.sharepoint.com. Users are blocked from uploading the confidential files to the site from Microsoft
Edge.
You need to ensure that the users cannot upload files labeled as Confidential from Firefox and Google Chrome to any cloud services.
Which two actions should you perform? Each correct answer presents part of the solution. (Choose two.)
NOTE: Each correct selection is worth one point.
A. From the Microsoft 365 Endpoint data loss prevention (Endpoint DLP) settings, add m365x076709.sharepoint.com as a blocked service domain.
B. Create a DLP policy that applies to the Devices location.
C. From the Microsoft 365 Endpoint data loss prevention (Endpoint DLP) settings, add Firefox and Google Chrome to the unallowed browsers list.
D. From the Microsoft 365 compliance center, onboard the devices.
E. From the Microsoft 365 Endpoint data loss prevention (Endpoint DLP) settings, add contoso.com as an allowed service domain.
Correct Answer: C, D
Explanation:
To prevent uploads of Confidential files from Firefox and Chrome to any cloud service, Endpoint DLP must be enforced on devices and those browsers must be blocked. Devices must be onboarded to Microsoft 365 Endpoint DLP for controls to take effect. Then, adding Firefox and Google Chrome to the unallowed browsers list ensures sensitive files cannot be uploaded from those browsers to any cloud service, while Edge remains the managed browser.
Question 233
You have a Microsoft 365 tenant that uses Microsoft Exchange Online.
You need to recover deleted email messages from a user's mailbox.
Which two PowerShell cmdlets should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Restore-RecoverableItems
B. Get-MailboxRestoreRequest
C. Restore-Mailbox
D. Get-RecoverableItems
E. Set-MailboxRestoreRequest
Correct Answer: A, D
Explanation:
In Exchange Online, deleted messages are stored in the Recoverable Items folder. The Get-RecoverableItems cmdlet is used to locate and identify deleted items within this folder, and the Restore-RecoverableItems cmdlet is then used to recover those items back to the mailbox. The other cmdlets relate to mailbox restore requests, not individual deleted message recovery.
Question 50
HOTSPOT
You have a Microsoft 365 subscription.
You need to use PowerShell to enable multiple segment support for information barriers (IBs).
How should you complete the PowerShell command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: Set-PolicyConfig
-InformationBarrierMode 'MultiSegment'
Explanation:
Multiple segment support for Information Barriers is enabled by setting the tenant policy configuration. The correct cmdlet is Set-PolicyConfig with the parameter -InformationBarrierMode set to 'MultiSegment'.
Question 198
HOTSPOT
You have a Microsoft 365 E5 subscription.
You receive the data loss prevention (DLP) alert shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Correct Answer: delivered immediately
was uninvolved in the override process
Explanation:
The DLP event shows Actions taken: GenerateAlert and User override policy: Yes, with no block or quarantine action, so the email was delivered immediately. The justification text "Manager approved" is user-provided override text; no approval workflow occurred, so the sender’s manager was not involved.
Question 200
HOTSPOT
You have a Microsoft 365 E5 subscription.
You have the alerts shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Correct Answer: File1.docx: Investigating, Dismissed, and Resolved
File2.docx: Active, Investigation, and Dismissed
Explanation:
File1.docx shows an Active alert, which can be moved to any non-active terminal or in-progress state. File2.docx shows a Resolved alert, which can be reopened to Active or moved to Investigation or Dismissed.
Question 342
You have a Microsoft 365 tenant that contains the users shown in the following table.
You configure a retention label to trigger a disposition review at the end of the retention period.
Which users can access the Disposition tab in the Microsoft 365 compliance center to review the content?
A. User1 only
B. User2 only
C. User3 only
D. User1 and User3
E. User3 and User4
Correct Answer: C
Explanation:
Access to the Disposition tab in the Microsoft 365 compliance center requires the Disposition Management role. This role is granted by default to users who are Compliance Administrators (and Compliance Data Administrators), but it is not granted by default to Global Administrators or other admin roles. Based on the users listed in the table, only User3 has the Compliance Administrator role, so only User3 can access the Disposition tab to review content.
Question 29
HOTSPOT
You have a Microsoft 365 E5 subscription.
You plan to use the Microsoft Purview compliance portal to map human resources (HR) data for use with insider risk management policies.
You need to add a data connector to import the HR data.
What should you do first, and in which format should you import the data? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: Register an app in Microsoft Entra ID.
CSV
Explanation:
Importing HR data for Insider Risk Management requires an HR data connector. The prerequisite is registering an app in Microsoft Entra ID to authenticate the upload process. HR data is uploaded using a supported CSV file format.
Question 117
DRAG DROP
You have a Microsoft 365 E5 subscription.
You need to prevent the sharing of sensitive information in Microsoft Teams.
Which entities can you protect by applying a data loss prevention (DLP) policy to each resource? To answer, drag the appropriate activities to the correct entity. Each activity may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Correct Answer: User accounts:
1:1/n chats and private channels only
Microsoft 365 groups:
General chats only
Security groups or distribution lists:
1:1/n chats and private channels only
Explanation:
In Microsoft Teams DLP, the scope depends on the entity type. Policies scoped to user accounts or security groups/distribution lists can protect 1:1, group chats, and private channel messages, but not standard (general) channel messages. Policies scoped to Microsoft 365 groups apply to standard (general) channel messages only, not private channels or 1:1 chats.
Question 19
You have a Microsoft 365 E5 subscription that contains two users named User1 and User2. The subscription has a data loss prevention (DLP) policy named Policy1.
User2 sends an outbound message that generates a false positive for Policy1.
You need to ensure that User1 can download the message that generated the alert. The solution must follow the principle of least privilege.
To which role group should you add User1?
A. Data Investigator
B. Global Reader
C. eDiscovery Manager
D. Security Operator
Correct Answer: A
Explanation:
To download the message that triggered a DLP alert, the user must be able to review and export content associated with DLP incidents. The Data Investigator role in Microsoft Purview includes permissions to investigate DLP alerts and export mailbox or site content returned from DLP-related investigations. It provides the required capability without broader case management or hold permissions, which aligns with the principle of least privilege. eDiscovery Manager has broader permissions than necessary.
Question 125
You have a Microsoft 365 subscription.
You create a new trainable classifier.
You need to train the classifier.
Which source can you use to train the classifier?
A. a Microsoft SharePoint Online site
B. an on-premises Microsoft SharePoint Server site
C. an NFS file share
D. an Azure Files share
Correct Answer: A
Explanation:
Trainable classifiers in Microsoft Purview are trained using seed content stored in Microsoft 365 workloads. SharePoint Online sites are supported sources for uploading and selecting seed documents, whereas on‑premises SharePoint, NFS shares, and Azure Files are not supported for classifier training.
Question 1
HOTSPOT
You have a Microsoft 365 E5 subscription.
You plan to implement Microsoft Purview insider risk management.
You need to recommend policy templates that meet the following requirements:
• Contain risk indicators and scoring for when a user receives a poor performance review.
• Contain risk indicators and scoring for when a user disables security features on a device.
Which template should you use for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: When a user receives a poor performance review:
Security policy violations by risky users
When a user disables security features:
Security policy violations
Explanation:
Poor performance review is a user risk signal used by the Security policy violations by risky users template. Disabling security features (for example, tampering with protections) is monitored under the Security policy violations template.
Question 212
HOTSPOT
You have a Microsoft 365 E5 subscription.
You have a Microsoft Office 365 Advanced Message Encryption branding template named OME1.
You need to create a Microsoft Exchange Online mail flow rule to apply OME1 to email.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: Apply this rule if:
The sender
Is external/internal
To apply custom branding to OME1 messages:
Modify the message security
Explanation:
OME custom branding is applied through an Exchange mail flow rule that targets messages based on sender scope (internal or external) and uses the action under Modify the message security to apply Office 365 Message Encryption with the selected branding template (OME1).
Question 144
You have a Microsoft 365 subscription that contains a user named User1.
You need to assign User1 permissions to search Microsoft Office 365 audit logs.
What should you use?
A. the Azure Active Directory admin center
B. the Microsoft Purview compliance portal
C. the Exchange admin center
D. the Microsoft 365 Defender portal
Correct Answer: B
Explanation:
Permissions to search Microsoft 365 (Office 365) audit logs are managed through the Microsoft Purview compliance portal. Microsoft has deprecated managing Audit permissions in the Exchange admin center and consolidated audit log access and role assignment in Purview, making it the correct and current location to assign audit log search permissions.
Question 103
HOTSPOT
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1 and a sensitivity label named Label1.
The external sharing settings for Site1 are configured as shown in the Site1 exhibit. (Click the Site1 tab.)
The external sharing settings for Label1 are configured as shown in the Label1 exhibit. (Click the Label1 tab.)
Label1 is applied to Site1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer: Yes
No
No
Explanation:
The sensitivity label overrides the site setting and allows sharing with Anyone. Anyone links do not require invitations or sign-in. No conditional access or managed-device restriction is enabled.
Question 245
You create a retention label that has a retention period of seven years.
You need to ensure that documents containing a credit card number are retained for seven years. Other documents must not be retained.
What should you create?
A. a retention label policy of type publish
B. a retention policy that retains files automatically
C. a retention policy that deletes files automatically
D. a retention label policy of type auto-apply
Correct Answer: D
Explanation:
To retain only documents that contain credit card numbers for seven years, you must use a retention label with auto-apply conditions. An auto-apply retention label policy can apply the label based on a sensitive information type (credit card number), ensuring those documents are retained for seven years while other documents are unaffected. Publish-only label policies do not apply labels automatically, and retention policies act broadly rather than conditionally on content.