SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

Domain 1: Implement Information Protection · Premium · ~12 min read

Email Encryption: Lock Down Messages

Protect email messages so only intended recipients can read them. Compare Microsoft Purview Message Encryption with Advanced Message Encryption — revocation, expiration, and branding.

Why email encryption matters

☕ Simple explanation

Think of sending a postcard vs sending a sealed letter.

A regular email is like a postcard — anyone who handles it along the way can read it. Email encryption puts your message in a sealed, tamper-proof envelope that only the intended recipient can open.

Microsoft Purview Message Encryption works automatically — you apply a label or configure a mail flow rule, and outgoing messages are encrypted. Recipients (even outside your organisation, even without a Microsoft account) can still read them through a secure portal.

Advanced Message Encryption adds more control: revoke access to a message after sending, set expiration dates, and apply custom branding to the encrypted email portal.

Microsoft Purview Message Encryption (OME) enables encrypted email communication with recipients inside and outside your organisation. It uses Azure Rights Management (Azure RMS) as the encryption service. Encrypted messages can be read by any recipient — Microsoft 365 users open them directly, external users authenticate via a one-time passcode or social identity provider to view through the OME portal.

Advanced Message Encryption (available with E5 licensing) adds message revocation, expiration, and multiple custom branding templates, so encrypted messages sent to external recipients can be presented through an organisation-specific portal experience rather than the single default one.

Message Encryption vs Advanced Message Encryption

Advanced Message Encryption adds revocation, expiration, and branding on top of standard OME.

Feature | Message Encryption (OME) | Advanced Message Encryption
--- | --- | ---
Encrypt emails to anyone | Yes — internal and external recipients | Yes — same capability
External access | One-time passcode, Microsoft account, or social login | Same — plus custom-branded portal
Sensitivity labels trigger | Yes — label with 'Encrypt' or 'Do Not Forward' | Yes — same
Mail flow rules trigger | Yes — transport rules can apply encryption | Yes — same
Revoke access | No — once sent, cannot be revoked | Yes — revoke access to encrypted emails via the portal
Set expiration | No — message remains accessible indefinitely | Yes — set an expiry date after which recipients cannot access
Custom branding | One default branding template | Multiple branding templates — different portals for different audiences
Licensing | E3 and above | E5, E5 Compliance, or E5 Information Protection

How to implement Message Encryption

Method 1: Sensitivity labels (recommended)

The simplest approach — configure encryption settings within a sensitivity label:

Label Action | What Happens
--- | ---
Encrypt | Message and attachments are encrypted; recipients need to authenticate
Do Not Forward | Message is encrypted AND recipients cannot forward, print, or copy content
Confidential \ All Employees | Pre-configured Rights Management template — encrypt for internal recipients

Users apply the label in Outlook, and encryption is automatic.
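As an added example (not code from this page or from Microsoft), here is how the three label actions in the table above can be created and published with the Security & Compliance PowerShell cmdlets New-Label and New-LabelPolicy; the first two labels are also the ones Priya uses in the Meridian scenario later on the page. The label names, the allstaff@meridian.example group and the policy name are assumptions, and the parameter names should be checked against the current New-Label reference before use in a real tenant.

```powershell
# Added example (not the page's or Microsoft's own script): create the three
# label types from the table and publish them to every mailbox.
# Assumed values: label names, allstaff@meridian.example, the policy name.
Connect-IPPSSession   # Security & Compliance PowerShell; prompts for admin sign-in

# "Encrypt" behaviour: message and attachments are encrypted and recipients must
# authenticate (M365 sign-in, one-time passcode or social ID), but they may
# still forward it. In label terms this is the user-defined "encrypt only" option.
New-Label -Name "Client-Encrypted" -DisplayName "Client - Encrypted" `
    -Tooltip "Encrypts the message; recipients can still forward it." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType UserDefined `
    -EncryptionEncryptOnly $true

# "Do Not Forward" behaviour: encrypted AND recipients cannot forward, print or
# copy. Same cmdlet, a different usage-restriction switch.
New-Label -Name "Trading-Restricted" -DisplayName "Trading - Restricted" `
    -Tooltip "Encrypts the message and blocks forward, print and copy." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType UserDefined `
    -EncryptionDoNotForward $true

# Template-style label (the pattern behind "Confidential \ All Employees"): the
# rights list is fixed in the label, not chosen per message. The assumed
# all-staff group keeps FORWARD; remove FORWARD to pin the message to the
# listed recipients only.
New-Label -Name "Internal-Confidential" -DisplayName "Internal - Confidential" `
    -Tooltip "Readable by Meridian staff only." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "allstaff@meridian.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

# Labels are invisible in Outlook until a label policy publishes them.
New-LabelPolicy -Name "Meridian email labels" `
    -Labels "Client-Encrypted","Trading-Restricted","Internal-Confidential" `
    -ExchangeLocation All

# Verify: the Settings collection on each label lists the encryption keys set above.
Get-Label | Format-List Name, DisplayName, ContentType, Settings
```

Encrypt-only and Do Not Forward are both user-defined encryption in the label; the difference the table is driving at is purely the usage rights attached after the recipient authenticates, which is why a label policy can publish both side by side and let the sender choose per message.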

Method 2: Mail flow rules (Exchange transport rules)

For automatic encryption without user action:

Rule Condition | Action
--- | ---
Message contains credit card numbers | Apply OME encryption
Sent to external domain | Apply “Do Not Forward”
Subject contains “CONFIDENTIAL” | Apply encryption with custom template
Sender is in Finance group | Apply Highly Confidential encryption

Mail flow rules are configured in the Exchange admin center or via PowerShell.

Method 3: DLP policy actions

DLP policies can encrypt messages as an enforcement action:

DLP Rule | Action
--- | ---
Message contains 5+ credit card numbers (high confidence) | Encrypt the message and notify the sender

This combines detection (SITs) with protection (encryption) in a single policy.
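The four rule conditions from the Method 2 table and the Method 3 DLP rule, written out as an added PowerShell example that is not part of the original page or of Microsoft's documentation. It assumes the finance@meridian.example group, the custom template names "Meridian-HC" and "Highly Confidential", and the policy and rule names; the built-in "Encrypt" and "Do Not Forward" templates and the "Credit Card Number" sensitive information type are real Microsoft 365 names.

```powershell
# Added example (not the page's or Microsoft's script): Method 2 mail flow rules
# and a Method 3 DLP rule for automatic, user-independent encryption.
# Assumed values: finance@meridian.example, template names "Meridian-HC" and
# "Highly Confidential", and the policy/rule names.
Connect-ExchangeOnline     # mail flow (transport) rules live in Exchange Online
Connect-IPPSSession        # DLP policies live in Security & Compliance PowerShell

# Rule 1: any credit card number -> encrypt with the built-in "Encrypt" template.
New-TransportRule -Name "OME - credit card numbers" `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"}) `
    -ApplyRightsProtectionTemplate "Encrypt" -Mode Enforce -Priority 0

# Rule 2: anything leaving the organisation -> Do Not Forward.
New-TransportRule -Name "OME - external recipients DNF" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" -Mode Enforce -Priority 1

# Rule 3: subject keyword -> a custom Rights Management template (assumed name).
New-TransportRule -Name "OME - CONFIDENTIAL subject" `
    -SubjectContainsWords "CONFIDENTIAL" `
    -ApplyRightsProtectionTemplate "Meridian-HC" -Mode Enforce -Priority 2

# Rule 4: sender group membership -> Highly Confidential template (assumed name).
New-TransportRule -Name "OME - Finance senders" `
    -FromMemberOf "finance@meridian.example" `
    -ApplyRightsProtectionTemplate "Highly Confidential" -Mode Enforce -Priority 3

# Method 3: DLP pairs detection with protection in one rule. Unlike Rule 1 it
# can demand a count and a confidence level before acting, and it can tell the
# sender (the message owner) why the message was encrypted.
New-DlpCompliancePolicy -Name "Encrypt outbound card data" `
    -ExchangeLocation All -Mode Enable

New-DlpComplianceRule -Name "5+ cards -> encrypt and notify" `
    -Policy "Encrypt outbound card data" `
    -ContentContainsSensitiveInformation @(@{Name = "Credit Card Number"; minCount = "5"; minConfidence = "85"}) `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser "Owner" `
    -NotifyPolicyTipCustomText "This message was encrypted because it contains five or more card numbers."

# Review what is now enforcing. Rules created with -Mode Audit only log matches;
# switch them with Set-TransportRule -Mode Enforce once the match rate looks right.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, Priority, Mode, ApplyRightsProtectionTemplate
```

Priority matters: the external-recipient Do Not Forward rule (priority 1) is evaluated after the credit-card rule, and a message that matches both gets the more restrictive template only if the rule order says so, so check `Get-TransportRule` output rather than assuming. Starting the transport rules in `-Mode Audit` and the DLP policy in `TestWithNotifications` is the usual way to measure false positives before turning encryption on for real mail.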

💡 Scenario: Priya implements encryption at Meridian

Meridian Financial’s requirements:

  • Client communications: Emails to clients must be encrypted — clients use various email providers (Gmail, corporate Exchange, etc.)
  • Trading floor: “Highly Confidential” emails must not be forwardable
  • Regulatory: Certain regulatory filings must expire after 30 days

Priya’s implementation:

  1. Sensitivity label “Client — Encrypted” with Encrypt action — staff apply manually
  2. Sensitivity label “Trading — Restricted” with Do Not Forward + encryption — prevents forwarding
  3. Advanced Message Encryption with 30-day expiry for regulatory filings — uses E5 features
  4. Mail flow rule as a safety net — any email containing 5+ client account numbers is automatically encrypted even if no label is applied

Advanced Message Encryption — deep dive

Revoking access

With Advanced Message Encryption, admins can revoke access to an encrypted email after it has been sent:

Aspect | Detail
--- | ---
Who can revoke | The sender or an admin with appropriate permissions
What happens | External recipients can no longer access the message through the OME portal
Internal recipients | Revocation applies to the portal view — internal M365 users who opened it in Outlook may still have a cached copy
When to use | Sensitive information sent to the wrong recipient, or a relationship changes after sharing

Setting expiration

Aspect | Detail
--- | ---
Configuration | Set in the Advanced Encryption template or via PowerShell
Behaviour | After expiry, the OME portal denies access to the message
Granularity | Set by date or by number of days after sending
Use case | Time-sensitive information — proposals, embargoed data, regulatory filings

Custom branding

Feature | What You Customise
--- | ---
Portal logo | Your organisation’s logo on the encrypted email portal
Portal colours | Background and accent colours matching your brand
Disclaimer text | Custom legal or informational text
Multiple templates | Different branding for different audiences (e.g., clients vs regulators)

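As an added example (not code from the page or from Microsoft), the three Advanced Message Encryption features in the tables above configured through Exchange Online PowerShell: one OME configuration that carries both a 30-day expiry and custom branding (this is also Priya's regulatory-filings requirement from the scenario), a mail flow rule that sends matching messages through it, and the post-send revocation check. The configuration name "Regulatory", the logo path, colours and portal text, the regulator.example domain and the Message-ID are assumptions; the expiry, extra-template and revocation cmdlets only work with Advanced Message Encryption (E5) licensing.

```powershell
# Added example (not the page's or Microsoft's script): expiring, branded OME
# configuration + the rule that applies it + revocation of a sent message.
# Assumed values: "Regulatory" configuration name, logo path, colour, text,
# regulator.example, and the Message-ID placeholder. Requires E5 / Advanced
# Message Encryption.
Connect-ExchangeOnline

# 1. Expiration and branding live in the same OME configuration object.
#    ExternalMailExpiryInDays counts from sending and only governs portal
#    (external) access; 0 means the message never expires.
New-OMEConfiguration -Identity "Regulatory" `
    -ExternalMailExpiryInDays 30 `
    -Image ([System.IO.File]::ReadAllBytes("C:\Branding\meridian-logo.png")) `
    -BackgroundColor "#0B3D91" `
    -IntroductionText "has sent you a protected regulatory filing." `
    -EmailText "Open this filing in the secure portal. Access ends 30 days after sending." `
    -DisclaimerText "Provided under confidentiality. Do not redistribute." `
    -PortalText "Meridian Financial Regulatory Portal" `
    -ReadButtonText "Read filing"

# The default template (Identity "OME Configuration") is what every other
# encrypted message uses; leave it alone and give each audience its own object.
Get-OMEConfiguration | Format-Table Identity, ExternalMailExpiryInDays, PortalText

# 2. Route regulatory filings through that template. ApplyRightsProtectionTemplate
#    does the encryption; the Customization parameter picks the branded,
#    expiring portal instead of the default one.
New-TransportRule -Name "Regulatory filings - 30 day expiry" `
    -RecipientDomainIs "regulator.example" `
    -SubjectContainsWords "Regulatory Filing" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "Regulatory" `
    -Mode Enforce

# 3. Revocation after the fact. The Message-ID comes from the sender's Sent
#    Items or from a message trace; the value below is a placeholder.
$msgId = "<PLACEHOLDER-MESSAGE-ID@meridian.example>"

# Check first: only messages that went out under a revocable (Advanced)
# template to portal readers can be revoked, and the status shows whether it
# already was.
Get-OMEMessageStatus -MessageId $msgId

# Revoke. This closes portal access for external recipients; an internal M365
# reader who already opened it in Outlook may still hold a cached copy.
Set-OMEMessageRevocation -MessageId $msgId -Revoke $true

# Confirm the change took effect.
Get-OMEMessageStatus -MessageId $msgId
```

The order of the first two steps is deliberate: a transport rule can only reference a configuration that already exists, and a message encrypted before the rule existed keeps whatever expiry (usually none) it was sent with, so expiry is not retroactive. Revocation is the tool for messages already in flight; expiry is the tool for messages you have not sent yet.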
💡 Exam tip: revocation scope

The exam tests whether you understand the limitations of email revocation:

  • Revocation only works for emails accessed through the OME portal (external recipients)
  • Internal M365 recipients who opened the message in Outlook may still have a cached copy
  • Revocation is a best-effort control for external access, not a guaranteed recall
  • If the question asks about ensuring an external recipient can no longer access a sensitive email, revocation is the correct answer

Encryption methods comparison

Method | Best For | User Involvement | Coverage
--- | --- | --- | ---
Sensitivity labels | Consistent, user-driven encryption | User applies the label | Per-message or per-document
Mail flow rules | Automatic encryption by policy | None — transparent to users | All messages matching conditions
DLP policy actions | Encryption triggered by sensitive content detection | None — policy-driven | Messages with specific SIT matches
Advanced templates | Time-limited or revocable access | Admin configures, user may apply | External communications

Question

What is the key difference between 'Encrypt' and 'Do Not Forward' sensitivity label actions?

Answer

'Encrypt' restricts who can open the message but allows forwarding if the recipient has access. 'Do Not Forward' encrypts the message AND prevents recipients from forwarding, printing, or copying the content. Both encrypt, but Do Not Forward adds usage restrictions.

Question

Can you revoke access to an encrypted email sent to an external recipient using standard Message Encryption (OME)?

Answer

No. Revocation requires Advanced Message Encryption (E5 licensing). Standard OME does not support post-send revocation. Once an encrypted message is sent with standard OME, the recipient retains access.

Question

What three methods can trigger email encryption in Microsoft 365?

Answer

1. Sensitivity labels — user applies a label with encryption configured. 2. Mail flow rules (Exchange transport rules) — automatically encrypt based on conditions. 3. DLP policy actions — encrypt as a response to sensitive content detection.

Knowledge Check

Priya at Meridian Financial sent an encrypted email containing a client portfolio to an external auditor. The audit is now complete and Priya wants to ensure the auditor can no longer access the email. Meridian has E5 licensing. What should she do?

Knowledge Check

Dr. Liam wants patient discharge summaries emailed to external doctors to automatically expire after 14 days. St. Harbour Health has E3 licensing. Can he achieve this?

Next up: Purview IP Client: Classify Files at Scale — extend classification to Windows devices, file shares, and on-premises data.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.