SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

Domain 2: Implement DLP and Retention Premium ⏱ ~13 min read

Endpoint DLP: Advanced Rules & Monitoring

Go beyond basic blocks. Create advanced DLP rules for specific device activities, monitor endpoint events in Activity Explorer, and fine-tune policies based on real-world device behaviour.

Advanced device rules

☕ Simple explanation

Basic Endpoint DLP says “block sensitive files from going to USB.” Advanced rules say “block sensitive files from going to USB unless it’s a company-encrypted USB, and only warn if the user is in the Finance group, and audit everything else.”

Advanced DLP rules for devices let you build nuanced, context-aware policies. Instead of blanket blocks, you can configure different actions for different activities, specific device types, specific apps, network locations, and more.

Advanced DLP rules for devices extend beyond a single block/warn/audit choice by giving you granular control over each endpoint activity. You can set a different action per activity type (copy to USB, print, upload, clipboard, network share access, access by an unallowed app, which the current portal calls a restricted app), add conditions based on device groups, network status and file properties, and use service domains to distinguish corporate from personal cloud services.

Endpoint activities you can control

Each DLP rule for devices can configure actions for individual endpoint activities:

Activity | What it detects | Typical action
Copy to removable media | USB drives, external hard drives, SD cards | Block, or block with override
Copy to network share | Files copied to a network file share (mapped drive or UNC path) | Audit, or block for shares outside the corporate share groups you define
Upload to cloud service | Files uploaded through a supported browser (Edge natively; Chrome and Firefox via the Purview browser extension) | Block personal services, allow corporate service domains
Print | Sending sensitive files to any printer (local, network or virtual) | Block or warn
Copy to clipboard | Copy-paste of sensitive content between apps | Audit or block
Access by unallowed (restricted) apps | A restricted application attempting to open a sensitive file | Block that app's access to the file
Access by unallowed Bluetooth apps | Bluetooth transfer of sensitive files | Block
RDP access | Accessing sensitive files over a Remote Desktop session | Audit or block
Upload to restricted service domain | Uploading to domains listed in a sensitive service domain group | Block

Service domains β€” corporate vs personal

A powerful advanced feature is service domain classification. You define which domains are corporate (allowed) and which are personal/restricted:

Domain type | Example | DLP action
Allowed service domain | onedrive.com, sharepoint.com, a company-specific Box URL | Allow upload
Restricted service domain | A consumer Dropbox or Google Drive URL used for personal storage | Block or warn
Not listed | Any domain in neither list | Governed by the list mode you selected (allow-list or block-list), not by a per-domain entry

This lets you block uploads to personal Dropbox while allowing uploads to the corporate Box instance. Matching is by domain or URL pattern, not by the signed-in account, so "corporate" and "personal" can only be told apart where they use different hostnames or paths (a company subdomain or dedicated URL); two accounts on the same consumer URL look identical to Endpoint DLP.

Device groups

Create device groups to apply different rules to different device types:

Device group | Example devices | Rule
Clinical workstations | Nursing stations, doctor devices | Block all USB + block printing of patient data
Executive devices | C-suite laptops | Warn on external sharing, audit USB
Developer machines | Engineering team | Block personal cloud upload, allow corporate GitHub
Shared kiosks | Reception, waiting room devices | Block all sensitive file activities

💡 Scenario: Priya creates device-specific rules

Priya configures advanced rules at Meridian Financial:

Trading floor devices:

  • Copy to USB: Hard block — no financial data leaves on removable media
  • Print: Block — no paper copies of trading data
  • Upload to cloud: Block personal cloud, allow corporate SharePoint
  • Clipboard: Audit — log copy-paste of financial data between apps

Wealth management devices:

  • Copy to USB: Block with override — occasionally needed for client presentations
  • Print: Warn — policy tip explaining the risk
  • Upload to cloud: Block personal, allow corporate

Different rules for different teams, same policy framework.
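The two rule sets in Priya's scenario, built with Security & Compliance PowerShell. This is an added example, not code from the original page or from Microsoft. The policy and rule names, the two group addresses used to scope each policy, the choice of sensitive info types, the policy-tip text and starting both policies in test mode are all assumptions for illustration. The Setting and Value names under -EndpointDlpRestrictions (Audit, Block, Warn, where Warn is what the portal shows as "block with override") follow the New-DlpComplianceRule reference; confirm them, and that your scoping groups are accepted by -EndpointDlpLocation, against Microsoft Learn before running in a tenant.

```powershell
# Added example: Meridian Financial endpoint DLP rules from the scenario above.
# Everything named here (policies, rules, groups, tip text) is an assumption.

Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Turns a readable activity -> action map into the array of hashtables the cmdlet expects.
function ConvertTo-EndpointRestriction {
    param([Parameter(Mandatory)][hashtable]$Map)
    @($Map.GetEnumerator() | ForEach-Object { @{ Setting = $_.Key; Value = $_.Value } })
}

# Content condition shared by both rules: one financial identifier is enough to match.
$financialContent = @(
    @{ Name = 'Credit Card Number'; minCount = '1' }
    @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' }
)

# --- Trading floor: hard blocks, clipboard audited --------------------------------
$tradingPolicy = @{
    Name                = 'Meridian-TradingFloor-Endpoint'        # assumed name
    Comment             = 'Trading floor: no financial data to USB, paper or personal cloud'
    EndpointDlpLocation = 'sg-trading-floor@meridian.example'    # assumed scoping group
    Mode                = 'TestWithNotifications'                # audit with tips first
}
New-DlpCompliancePolicy @tradingPolicy

$tradingRule = @{
    Name                                = 'TradingFloor-FinancialData'
    Policy                              = $tradingPolicy.Name
    ContentContainsSensitiveInformation = $financialContent
    EndpointDlpRestrictions             = (ConvertTo-EndpointRestriction @{
        RemovableMedia = 'Block'   # no financial data leaves on removable media
        Print          = 'Block'   # no paper copies of trading data
        CloudEgress    = 'Block'   # personal cloud blocked; allowed service domains are exempt
        CopyPaste      = 'Audit'   # log copy-paste between apps without interrupting
    })
}
New-DlpComplianceRule @tradingRule

# --- Wealth management: same framework, softer actions ----------------------------
$wealthPolicy = @{
    Name                = 'Meridian-WealthMgmt-Endpoint'         # assumed name
    Comment             = 'Wealth management: override allowed for client presentations'
    EndpointDlpLocation = 'sg-wealth-management@meridian.example' # assumed scoping group
    Mode                = 'TestWithNotifications'
}
New-DlpCompliancePolicy @wealthPolicy

$wealthRule = @{
    Name                                = 'WealthMgmt-FinancialData'
    Policy                              = $wealthPolicy.Name
    ContentContainsSensitiveInformation = $financialContent
    NotifyUser                          = 'Owner'   # show the policy tip to the acting user
    NotifyPolicyTipCustomText           = 'This file contains client financial data. State a business justification; every override is logged.'
    EndpointDlpRestrictions             = (ConvertTo-EndpointRestriction @{
        RemovableMedia = 'Warn'    # block with override, occasionally needed for presentations
        Print          = 'Warn'    # warn with the policy tip explaining the risk
        CloudEgress    = 'Block'   # personal cloud blocked, corporate domains allowed
    })
}
New-DlpComplianceRule @wealthRule

# After reviewing matches in Activity Explorer, switch both policies to enforcement:
# Set-DlpCompliancePolicy -Identity $tradingPolicy.Name -Mode Enable
# Set-DlpCompliancePolicy -Identity $wealthPolicy.Name  -Mode Enable
```

Both policies share the same content condition and differ only in the per-activity action map, which is the "different rules for different teams, same policy framework" point. CloudEgress = Block does not by itself decide which cloud services are corporate; that comes from the service domain list and sensitive service domain groups configured under Endpoint DLP settings, which the rule then honours.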

Monitoring endpoint activities

Activity Explorer for endpoints

Activity Explorer shows a timeline of all DLP-related endpoint events:

Event | What you see
DLP rule matched | Which rule, which file, which activity, which user
File copied to removable media | Device name, USB device ID, file name, SIT matches
File printed | Printer name, file name, user, SIT matches
File uploaded via browser | Domain, file name, browser used, SIT matches
App access blocked | Application name, file name, user, policy rule

Investigating endpoint events

Investigation step | Tool | What you learn
1. Check Activity Explorer | Purview portal → Data classification → Activity explorer (classic path; in the newer Purview portal it is also reachable from the Information Protection and Data loss prevention solution pages) | What activities are happening, which users, which files
2. Filter by activity type | Filter on “Copy to removable media” or “File printed” | Focus on specific risk activities
3. Drill into events | Click individual events for details | Exact file, SIT matches, device, policy rule
4. Export report | Export events for further analysis | Trend analysis, reporting to management

Key metrics to monitor

Metric | What it tells you | Action
High USB copy volume | User copying many files to removable media | Investigate — potential data exfiltration
Frequent override usage | Users consistently overriding DLP blocks | Review whether the policy is too strict or users are circumventing it
Unallowed app access attempts | Blocked applications trying to open sensitive files | Verify app blocks are correct, investigate shadow IT
Print volume spikes | Unusual printing of sensitive documents | Correlate with Insider Risk signals
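The four metrics above, and steps 2 to 4 of the investigation table, turned into an offline triage script that runs over an Activity Explorer export. This is an added example, not from the original page or from Microsoft. The column names (Happened, User, Activity, File, Device, Application, Overridden) and the Activity values are a constructed sample schema, as is the sample data itself; map them to the headers in your own export before use, and treat the thresholds as starting points.

```powershell
# Added example: triage an Activity Explorer export against the key endpoint metrics.
# Column names and Activity values are a constructed schema, not a guaranteed export format.

function Get-EndpointDlpTriage {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # rows from Import-Csv / ConvertFrom-Csv
        [int]$UsbCopyThreshold  = 50,              # USB copies per user in the export window
        [int]$OverrideThreshold = 5,               # overrides per user in the window
        [int]$PrintSpikeFactor  = 3                # busiest day vs the user's daily average
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Metric, $Subject, $Count, $Action) {
        $findings.Add([pscustomobject]@{ Metric = $Metric; Subject = $Subject; Count = $Count; Action = $Action })
    }

    # 1. High USB copy volume: many files to removable media from one account.
    $Events | Where-Object Activity -eq 'FileCopiedToRemovableMedia' | Group-Object User |
        Where-Object Count -ge $UsbCopyThreshold | ForEach-Object {
            Add-Finding 'HighUsbCopyVolume' $_.Name $_.Count 'Investigate: possible exfiltration; correlate with Insider Risk'
        }

    # 2. Frequent override usage: the same user keeps clicking through block-with-override.
    $Events | Where-Object Overridden -eq 'True' | Group-Object User |
        Where-Object Count -ge $OverrideThreshold | ForEach-Object {
            Add-Finding 'FrequentOverride' $_.Name $_.Count 'Review rule strictness or user circumvention'
        }

    # 3. Unallowed app access attempts, grouped by the application that was blocked.
    $Events | Where-Object Activity -eq 'FileAccessedByUnallowedApp' | Group-Object Application |
        ForEach-Object {
            Add-Finding 'UnallowedAppAccess' $_.Name $_.Count 'Confirm the block is intended; check for shadow IT'
        }

    # 4. Print volume spike: any single day far above the user's daily average for the window.
    $Events | Where-Object Activity -eq 'FilePrinted' | Group-Object User | ForEach-Object {
        $perDay = @($_.Group | Group-Object { $_.Happened.Substring(0, 10) } | ForEach-Object Count)
        $avg = ($perDay | Measure-Object -Average).Average
        $max = ($perDay | Measure-Object -Maximum).Maximum
        if ($perDay.Count -gt 1 -and $max -ge $PrintSpikeFactor * $avg) {
            Add-Finding 'PrintSpike' $_.Name $max "Busiest day $max vs daily average $([math]::Round($avg, 1)); correlate with Insider Risk signals"
        }
    }
    return $findings
}

# Constructed sample export (not real tenant data): a nurse bulk-copying to USB, an analyst
# overriding repeatedly, a shadow-IT sync client, and a clinician with a print spike.
function New-DlpEvent($Happened, $User, $Activity, $File, $Device, $Application = '', $Overridden = 'False') {
    [pscustomobject]@{ Happened = $Happened; User = $User; Activity = $Activity; File = $File
                       Device = $Device; Application = $Application; Overridden = $Overridden }
}
$sample = @(
    foreach ($i in 1..60) {
        New-DlpEvent "2026-03-0$(1 + $i % 7)T10:00:00Z" 'nurse.a@stharbour.example' 'FileCopiedToRemovableMedia' "patient-list-$i.xlsx" 'WS-NUR-01'
    }
    foreach ($i in 1..6) {
        New-DlpEvent "2026-03-0$(1 + $i % 7)T11:00:00Z" 'analyst.b@stharbour.example' 'FileCopiedToRemovableMedia' "deck-$i.pptx" 'LT-FIN-07' '' 'True'
    }
    foreach ($i in 1..3) {
        New-DlpEvent '2026-03-03T12:00:00Z' 'dev.c@stharbour.example' 'FileAccessedByUnallowedApp' "export-$i.csv" 'LT-DEV-02' 'unapproved-sync.exe'
    }
    foreach ($d in 1..6) {
        New-DlpEvent "2026-03-0${d}T08:00:00Z" 'dr.liam@stharbour.example' 'FilePrinted' "chart-$d.pdf" 'WS-CLN-04'
    }
    foreach ($i in 1..12) {
        New-DlpEvent '2026-03-07T17:00:00Z' 'dr.liam@stharbour.example' 'FilePrinted' "discharge-$i.pdf" 'WS-CLN-04'
    }
)

Get-EndpointDlpTriage -Events $sample | Format-Table -AutoSize
# With a real export:  Get-EndpointDlpTriage -Events (Import-Csv .\ActivityExplorerExport.csv)
```

On the sample, the nurse (60 USB copies) and the analyst (6 overrides) are flagged, the blocked sync client appears once with its attempt count, and the clinician's 12 prints on one day against a daily average of about 2.6 trips the spike check, while the analyst's six USB copies stay below the volume threshold. Where policy tips are set to warn rather than block, as in the St. Harbour Health knowledge check, this kind of aggregation is what turns individually permitted copies into an investigable pattern; the same events can also be pulled without the portal using Export-ActivityExplorerData in Security & Compliance PowerShell.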
💡 Exam tip: endpoint monitoring data flow

Endpoint DLP events flow into two places:

  1. Activity Explorer in the Purview portal — the primary investigation surface for every monitored activity, whether or not it generated an alert
  2. DLP alerts in the Purview portal — only for rule matches whose rule is configured to raise an alert

If the exam asks where to view endpoint DLP activities, the answer is Activity Explorer. If it asks where to triage DLP alerts, the answer is the DLP alerts page in the Purview portal, or Microsoft Defender XDR where integrated alerting is enabled.

Question

What are service domains in Endpoint DLP, and why are they important?

Click or press Enter to reveal answer

Answer

Service domains classify cloud services as corporate (allowed) or personal (restricted). This lets DLP block uploads to personal Dropbox while allowing uploads to the corporate Box instance — same cloud service, different enforcement based on whether it is the corporate or personal version.

Click to flip back

Question

Name four endpoint activities that DLP can monitor and control.

Click or press Enter to reveal answer

Answer

1. Copy to removable media (USB, external drives). 2. Print to any printer. 3. Upload to cloud services via browser. 4. Access by unallowed applications. Also: copy to network share, clipboard operations, Bluetooth transfer, and RDP access.

Click to flip back

Question

Where do you view endpoint DLP activity events?

Click or press Enter to reveal answer

Answer

Activity Explorer in the Microsoft Purview portal (Data classification → Activity explorer). You can filter by activity type, user, device, date range, and policy to investigate specific endpoint behaviours.

Click to flip back

Knowledge Check

Zara at Atlas Global wants to block employees from uploading sensitive files to personal Dropbox but allow uploads to the corporate Dropbox instance. How should she configure this?

Knowledge Check

Dr. Liam notices in Activity Explorer that a nurse at St. Harbour Health has copied 350 files containing patient identifiers to a USB drive over the past week. Endpoint DLP is set to 'warn' for USB copies. What should Dr. Liam do?

Next up: Retention: Plan Your Data Lifecycle — shift from protecting data in motion to managing data through its entire lifecycle.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.