
SC-400: Microsoft Information Protection Administrator Interview Questions and Answers

Navneet Kumar | 07 Apr, 2025


The SC-400 certification validates your expertise in implementing Microsoft Purview (formerly Microsoft Compliance Center) solutions to manage information protection, data loss prevention, and governance across Microsoft 365 environments.

SC-400 Interview Questions and Answers


Information Protection

  1. What is Microsoft Purview Information Protection?
    A unified solution to classify, label, and protect sensitive data across Microsoft 365, endpoints, and third-party platforms.

  2. What are sensitivity labels?
    They are tags applied to content to enforce data protection settings like encryption, content marking, and access control.

  3. What is a label policy?
    A policy that publishes sensitivity labels to users or groups.

  4. How is encryption applied through sensitivity labels?
    By configuring Rights Management settings in a label to restrict access, set expiration, and apply usage rights.

  5. What is Double Key Encryption (DKE)?
    An advanced encryption option where Microsoft holds one key and the customer holds the second, so the customer keeps full control.

  6. Can sensitivity labels be applied automatically?
    Yes, using rules and conditions like keywords, sensitive info types, or trainable classifiers.

  7. What’s the difference between manual and auto-labeling?
    Manual requires user action; auto-labeling is triggered by pre-defined rules.

  8. What are content markings?
    Visual indicators like headers, footers, and watermarks added by sensitivity labels.

  9. What is the Microsoft Information Protection SDK?
    An SDK allowing developers to integrate sensitivity labeling into custom applications.

  10. What’s a trainable classifier?
    An AI model trained to detect and label data based on context rather than keywords.


Data Classification

  1. What is data classification in Microsoft 365?
    A method of identifying, tagging, and protecting sensitive content using built-in or custom sensitive info types.

  2. What are sensitive info types (SITs)?
    Prebuilt or custom patterns used to detect PII, PCI, or other confidential data.

  3. What is Exact Data Match (EDM)?
    A classification method using hashed data values for high-accuracy detection of structured data.

  4. How is data classification viewed?
    Via the Microsoft Purview compliance portal under Data Classification > Content Explorer or Activity Explorer.

  5. Can custom SITs be created?
    Yes, using regex, keyword dictionaries, and validation checks.

  6. What are the default SITs available?
    Includes Credit Card, SSN, Passport number, and many more for global compliance needs.

  7. How does Content Explorer help?
    It shows labeled and classified content across Microsoft 365, helping in data discovery and validation.

  8. What are fingerprinting or document matches?
    Detection of exact copies or near copies of a sample document using document fingerprinting.

  9. What is Unified Labeling?
    A system that centralizes labeling across Microsoft 365, including Office apps, Power BI, and endpoints.

  10. What is Endpoint labeling?
    Allows labels to be applied and enforced even when documents are on local devices.


Data Loss Prevention (DLP)

  1. What is DLP in Microsoft 365?
    A policy framework that detects and prevents unintentional sharing of sensitive data across services like Exchange, Teams, OneDrive, and endpoints.

  2. How does DLP work?
    It inspects content for sensitive information and applies actions like alerts, blocking, or user notifications.

  3. What workloads does DLP support?
    Exchange Online, Teams, SharePoint, OneDrive, Windows 10/11 endpoints, Power BI.

  4. What are DLP policy templates?
    Predefined configurations for industries like healthcare, finance, and GDPR compliance.

  5. What’s a DLP policy tip?
    A notification shown to end users when their action violates a policy.

  6. What is a DLP incident report?
    A log generated when a policy is triggered, viewable in the compliance center or sent via alert.

  7. What is endpoint DLP?
    Extends DLP capabilities to Windows devices, monitoring file actions like copy to USB, print, or upload.

  8. How can DLP actions be audited?
    Through Microsoft Purview audit logs and activity explorer.

  9. What are override justifications in DLP?
    They allow users to bypass a policy by providing a justification, improving the balance between productivity and security.

  10. What’s the difference between DLP and retention policies?
    DLP protects data from leakage; retention ensures data is preserved or deleted appropriately.


Insider Risk & Compliance

  1. What is Insider Risk Management?
    A Purview solution that detects risky behavior like data theft or security violations from employees.

  2. What are indicators of insider risk?
    Includes file downloads, data exfiltration, unusual access patterns, and policy violations.

  3. What are sequences in Insider Risk?
    Chains of user activity (e.g., download + USB transfer) that indicate risky behavior.

  4. What is Communication Compliance?
    A tool to monitor internal communications (email, Teams) for policy violations like harassment or sensitive data sharing.

  5. What are escalation policies?
    They automatically escalate critical incidents to management or compliance officers.

  6. Can custom policies be built for Insider Risk?
    Yes, using templates and granular user activity conditions.

  7. How does User Risk Score work?
    Combines different activities to give a quantitative score indicating likelihood of insider threat.

  8. What’s the difference between alerts and cases?
    Alerts are policy-triggered; cases are containers for investigation and evidence.

  9. What are Data Subject Requests (DSR)?
    Part of Microsoft’s GDPR support, DSRs help fulfill individual rights to access, delete, or export personal data.

  10. What is Microsoft Compliance Score?
    A measurement of your organization’s compliance with Microsoft and regulatory guidelines.


Administration & Monitoring

  1. How do you view audit logs?
    Via the Microsoft Purview compliance portal > Audit > Search Audit Logs.

  2. What is Microsoft Defender for Cloud Apps (MCAS)?
    A CASB solution that integrates with SC-400 for extended DLP and threat protection across SaaS.

  3. How do Information Barriers work?
    They prevent communication between specific user groups in Teams, SharePoint, and OneDrive.

  4. What is Microsoft Purview Data Lifecycle Management?
    Policies and retention labels to retain, archive, or delete content based on rules.

  5. What permissions are required to manage DLP?
    Compliance Administrator, DLP Compliance Management, or custom roles via RBAC.

  6. What are Advanced eDiscovery cases?
    A solution to collect, review, and export content for legal or investigative purposes.

  7. How is Purview integrated with Microsoft 365 services?
    Natively integrated with Exchange, Teams, SharePoint, OneDrive, Power BI, and endpoints.

  8. How do you monitor sensitivity label usage?
    Through Content Explorer, Activity Explorer, or Unified Audit Logs.

  9. What’s the difference between compliance center and security center?
    Compliance center focuses on data protection & governance; security center focuses on threat protection.

  10. Can third-party tools be integrated with Microsoft Purview?
    Yes, via Microsoft Graph API, Microsoft Information Protection SDK, and compliance connectors.

The SC-400 certification prepares professionals to effectively protect organizational data, meet regulatory requirements, and implement governance strategies across Microsoft 365. These 50 questions will give you the confidence to ace your interviews and exams alike.
