MICROSOFT CERTIFICATION
SC-400 Information Protection and Compliance Administrator Associate Practice Exam
Exam Number: 3163 | Last updated 16-Apr-26 | 777+ questions across 4 vendor-aligned objectives
The SC-400 Information Protection and Compliance Administrator Associate certification validates the skills of administrators who implement information protection, data loss prevention, and data lifecycle management using Microsoft Purview. This exam measures your ability to work with Microsoft Purview, Sensitivity Labels, DLP Policies, Retention Policies, Insider Risk Management, and eDiscovery, demonstrating both conceptual understanding and practical implementation skills required in today’s enterprise environments.
The heaviest exam domains include Implement Information Protection (35–40%), Implement Data Loss Prevention (30–35%), and Implement Data Lifecycle and Records Management (20–25%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.
Candidates should ensure thorough coverage of all domains, as each contributes meaningfully to the overall exam score and reflects distinct competencies expected on the job.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.
283 practice exam users | 91.5% satisfied users | 90% passed the exam | 4.3/5 quality rating
Test your SC‑400 Info Protection & Compliance Admin knowledge
10 of 777+ questions
Question #1 - Implement Information Protection
A law firm needs to classify and protect confidential client documents. Documents marked “Attorney-Client Privileged” should be encrypted, watermarked, and prevented from being forwarded or printed by unauthorized recipients.
Which Microsoft Purview feature provides this classification and protection?
A) SharePoint permission levels only
B) Sensitivity labels with encryption, watermark, and usage rights restrictions applied automatically or by users
C) Password-protecting individual files
D) Azure Firewall content inspection
Correct answers: C – Explanation:
Sensitivity labels apply persistent classification with enforcement actions: encryption, visual markings, and usage restrictions that travel with the document. Password protection is per-file and unmanaged. Firewall inspects network traffic, not document content. SharePoint permissions do not protect documents once downloaded.
Question #2 - Implement Information Protection
A law firm needs to classify and protect confidential client documents. Documents marked “Attorney-Client Privileged” should be encrypted, watermarked, and prevented from being forwarded or printed by unauthorized recipients.
Which Microsoft Purview feature provides this classification and protection?
A) Sensitivity labels with encryption, watermark, and usage rights restrictions applied automatically or by users
B) Azure Firewall content inspection
C) Password-protecting individual files
D) SharePoint permission levels only
Correct answers: C – Explanation:
Sensitivity labels apply persistent classification with enforcement actions: encryption, visual markings, and usage restrictions that travel with the document. Password protection is per-file and unmanaged. Firewall inspects network traffic, not document content. SharePoint permissions do not protect documents once downloaded.
Question #3 - Implement Information Protection
An organization wants emails containing social security numbers to be automatically labeled as “Highly Confidential” and encrypted before delivery, without relying on users to apply the label manually.
Which Purview feature automates this classification?
A) A mail flow rule adding a disclaimer
B) Manual IT review of all outbound email
C) User training to manually label all emails
D) Auto-labeling policies with sensitive information type conditions that detect SSN patterns and apply the Highly Confidential label with encryption
Correct answers: D – Explanation:
Auto-labeling policies evaluate content against sensitive information types (SSN) and apply sensitivity labels with protection actions automatically. User training relies on compliance. Disclaimers do not encrypt or classify. Manual review does not scale.
Question #4 - Implement Information Protection
A client-side labeling deployment uses the Microsoft 365 Apps built-in labeling experience. The admin needs to ensure all Office documents and emails prompt users to select a sensitivity label before saving or sending.
Which label policy setting enforces this?
A) Configure a label policy with “Require users to apply a label to their emails and documents” (mandatory labeling) enabled
B) Disable all labels
C) Apply labels only to SharePoint files
D) Make labeling optional
Correct answers: D – Explanation:
Mandatory labeling requires users to select a sensitivity label before saving documents or sending emails, ensuring consistent classification. Optional labeling allows unlabeled content. Disabling labels removes protection. SharePoint-only labeling misses email and local files.
Question #5 - Implement Information Protection
Sensitive documents labeled “Confidential” are stored in SharePoint. The admin needs to ensure these documents remain encrypted even when downloaded to a user’s local machine.
Which Purview capability maintains protection after download?
A) DLP policies blocking all downloads
B) Sensitivity label encryption which is embedded in the file and persists regardless of where the file is stored or shared
C) IRM on the document library only
D) SharePoint item permissions only — protection is lost on download
Correct answers: B – Explanation:
Sensitivity label encryption is embedded using Azure Information Protection and persists with the file, protecting content after download, copy, or sharing. SharePoint permissions protect only in-place files. IRM is a subset of what labels provide. Blocking downloads prevents legitimate work.
Question #6 - Implement Data Loss Prevention
A healthcare organization needs to prevent patient health information (PHI) from being shared via email, Teams chat, and OneDrive with anyone outside the organization.
Which DLP configuration should be implemented?
A) Create DLP policies with PHI sensitive information type conditions applied to Exchange, Teams, and OneDrive locations with block actions for external recipients
B) Block all external sharing globally
C) Monitor but never block
D) Apply DLP only to email
Correct answers: B – Explanation:
DLP policies targeting specific sensitive information types (PHI) across multiple locations with block-external actions precisely prevent unauthorized sharing while allowing legitimate internal use. Global blocking halts business. Monitor-only allows leaks. Email-only misses Teams and OneDrive channels.
Question #7 - Implement Data Loss Prevention
A DLP policy blocks emails containing credit card numbers. However, the finance team legitimately needs to email credit card information to the payment processor. They report the DLP policy is blocking their work.
How should the admin configure an exception without weakening overall protection?
A) Tell the finance team to use personal email
B) Add an override allowance for the finance security group, or create a policy exception for emails to the specific payment processor domain
C) Disable the DLP policy entirely
D) Remove credit card detection from all policies
Correct answers: A – Explanation:
Overrides for specific groups or domain-based exceptions allow legitimate business use while maintaining protection elsewhere. Disabling the policy removes all protection. Removing detection weakens the overall program. Personal email violates compliance requirements.
Question #8 - Implement Data Loss Prevention
After deploying DLP policies, the admin needs to understand how many incidents are occurring, which policies trigger most often, and which users are involved. This data should inform policy tuning.
Which reporting tool provides this DLP operational insight?
A) Power Automate run history
B) DLP Activity Explorer and DLP Alerts dashboard in the Microsoft Purview compliance portal
C) No reporting is available
D) Azure Monitor
Correct answers: B – Explanation:
DLP Activity Explorer shows classification and DLP events with user/location details, and the Alerts dashboard highlights triggered policies and severity. Reporting is a core Purview capability. Azure Monitor tracks infrastructure. Power Automate tracks flow execution.
Question #9 - Implement Data Lifecycle and Records Management
A financial services company must retain all email and Teams messages for 7 years per regulatory requirements. After 7 years, content should be automatically deleted.
Which Purview feature should be configured?
A) Litigation hold indefinitely
B) Retention policies for Exchange and Teams locations with a 7-year retain-and-then-delete setting
C) Instruct users to never delete messages
D) Archive mailboxes without retention
Correct answers: C – Explanation:
Retention policies enforce automatic retention for 7 years and deletion afterward, applied across Exchange and Teams. User instructions are unenforceable. Archive without retention does not auto-delete. Litigation hold is indefinite and case-specific.
Question #10 - Implement Data Lifecycle and Records Management
A legal department needs to declare specific contracts as regulatory records that cannot be deleted or modified by anyone — including administrators — until the retention period expires.
Which Purview Records Management feature provides this immutability?
A) Azure Blob immutable storage
B) Standard retention labels
C) Sensitivity labels with encryption
D) Regulatory record labels with locked retention settings that prevent even admin deletion
Correct answers: A – Explanation:
Regulatory record labels enforce the strictest immutability — once applied, content cannot be deleted, modified, or the label removed even by Global Admins until retention expires. Standard labels allow admin override. Sensitivity labels protect content but do not prevent deletion. Blob storage is for Azure storage, not M365 content.
What the SC‑400 Info Protection & Compliance Admin exam measures
- Implement Information Protection (35–40%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Implement Data Loss Prevention (30–35%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Implement Data Lifecycle and Records Management (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
How to prepare for this exam
- Review the official exam guide to understand every objective and domain weight before you begin studying
- Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
- Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
- Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
- Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
- Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
- Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions
Career paths and salary outlook
Earning this certification can open doors to several in-demand roles:
- Information Protection Administrator: $100,000–$140,000 per year (based on Glassdoor and ZipRecruiter data)
- Data Governance Specialist: $95,000–$130,000 per year (based on Glassdoor and ZipRecruiter data)
- Compliance Administrator: $90,000–$125,000 per year (based on Glassdoor and ZipRecruiter data)
Official resources
Microsoft provides comprehensive free training to prepare for the SC-400 Information Protection and Compliance Administrator Associate exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.
