Review the Microsoft Information Security Administrator (SC-401) scope, Microsoft Purview, DLP, sensitivity labels, retention, eDiscovery, audit, insider risk, and data-security traps before practicing.

SC-401 centers on protecting information through Microsoft Purview and related compliance controls. Use this cheat sheet to separate classification, protection, retention, investigation, and risk monitoring before practicing.

Use this with practice. Review the information-security checkpoints, then return to the SC-401 exam page for sample questions and update tracking.

| Field | Detail |
|---|---|
| Issuer | Microsoft |
| Certification lane | Microsoft Information Security Administrator |
| Exam code | SC-401 |
| Main scope | Microsoft Purview information protection, DLP, records, audit, eDiscovery, and insider-risk controls |
| IT Mastery status | Sample questions available |

| Area | What to know | Common trap |
|---|---|---|
| Sensitivity labels | Classification, encryption, access restrictions, markings, containers, and user experience | Assuming a label automatically solves retention or DLP |
| DLP | Sensitive information types, conditions, actions, policy tips, endpoint controls, and exceptions | Blocking everything without considering false positives or business workflow |
| Retention and records | Retention labels, policies, record declaration, disposition, and lifecycle | Confusing retention with backup |
| eDiscovery and audit | Search, hold, review, export, audit evidence, and legal workflows | Deleting content before preserving evidence |
| Insider risk and communication compliance | Risk indicators, privacy-aware workflow, review, escalation, and remediation | Treating investigation as public accusation |
| Information barriers | Communication and collaboration restrictions for regulated separation needs | Using team membership alone when communication boundaries are required |

| Distinction | How to decide |
|---|---|
| Classification vs protection | Classification identifies sensitivity; protection enforces encryption, access, or visual marking. |
| DLP vs retention | DLP controls risky movement; retention controls how long information is kept or deleted. |
| Retention label vs sensitivity label | Retention labels manage lifecycle; sensitivity labels manage information protection and classification. |
| Audit vs eDiscovery | Audit records activity; eDiscovery supports legal search, hold, review, and export. |
| Policy tip vs block | A policy tip educates or warns; a block prevents the action unless overridden or allowed. |
| Insider risk vs DLP | Insider risk looks for behavior patterns; DLP detects sensitive-content movement. |

When you miss an SC-401 question, name the data-control category first: label, DLP, retention, eDiscovery, audit, insider risk, or barrier. Then decide whether the scenario is about protecting content, preventing movement, keeping records, investigating activity, or restricting collaboration.