
I took the Microsoft Certified: Information Security Administrator Associate exam last weekend and passed it reasonably comfortably. I was offered training on Microsoft Purview through my workplace and thought it was worth testing myself to see how much I had retained.
I will note, before getting into the details, that this particular exam (which was split from the SC-400 in mid-2025) has less clear documentation than other Microsoft exams I’ve sat. It required me to go hunting to find specific information about how the exam works. I still haven’t found any details on the types of questions and how many of them there are, so I’m relying on my own experience for this and not a reference.
The certification
The SC-401: Information Security Administrator Associate is an intermediate level certification that assesses the ability to plan and implement the information security of sensitive data using Microsoft Purview.
A Security Administrator is responsible for mitigating risks to data by protecting it inside collaborative environments managed by Microsoft 365, and developing policies with governance, data, and security management roles to address information security and risk management objectives.
The study guide says you are expected to be familiar with all Microsoft 365 services, PowerShell, Microsoft Entra, the Microsoft Defender portal, and Microsoft Defender for Cloud Apps. While these are certainly helpful, I don’t believe these are actually necessary for this certification. There was no point during the exam where I needed to fall back on something I knew about Microsoft services but hadn’t covered in preparation for this exam.
There are three main domains covered:
- Implement information protection (30–35%)
  - Implement and manage data classification
  - Implement and manage sensitivity labels in Microsoft Purview
  - Implement information protection for Windows, file shares, and Exchange
- Implement data loss prevention and retention (30–35%)
  - Create and configure data loss prevention policies
  - Implement and monitor Microsoft Purview Endpoint DLP
  - Implement and manage retention
- Manage risks, alerts, and activities (30–35%)
  - Implement and manage Microsoft Purview Insider Risk Management
  - Manage information security alerts and activities
  - Protect data used by AI services
Like all other Microsoft certifications, this one has a 12-month lifetime after which it must be renewed.
The exam
The exam goes for 100 minutes and is computer based. There were three main types of questions:
- Multiple choice (reviewable)
- Related problem solution evaluations (not reviewable)
- Case studies (not reviewable)
The first section is multiple choice. Once you have completed this section and reviewed your answers (or not) it can no longer be revisited.
The second section is part of the first section technically but the questions cannot be reviewed—once an answer is submitted, it is final. Each question in this section concerned the same situation and proposed different possible ways to achieve a specified goal.
The final section is case studies. These are scenarios with supporting information about infrastructure and configurations. Questions focus on a particular sub-goal and identifying which options best meet the technical requirements of the overall scenario. Questions for the case studies can be reviewed until the overall case is finished, at which point a new case is presented and the completed one can no longer be reviewed.
A passing score is 700 out of 1000.
How did I do
As I mentioned above, I received three days of training over three weeks on using Microsoft Purview through my workplace. While the training wasn’t aimed at this certification, it did cover the full breadth of Microsoft Purview (including sections not covered by this certification). It used the Microsoft-approved slideshows and a series of labs to practice using the product. These were very helpful, as thinking about how to do something and actually doing it are different. The instructor was also quite knowledgeable and happy to answer questions as they came up.
In addition to these workshops, I used the official practice exam and an exam question site to study. I strongly recommend practice exams because they ensure you have understood the syllabus and how it will be assessed. Exam question sites are also brilliant as the correct answer is often up for vote. This leads to interesting forums and provides plenty of opportunity for learning, especially since the answer can change over time as cloud services change.
After I finished the labs from the workshops, I attempted the official practice exam. I failed it, with only 42% correct. I thought I was across the material but the style of the questions showed I was missing a lot of detail. Many questions were focused on edge cases, which to be fair, is an excellent way to see what you know. This is the main reason I spent most of my time using an exam question site for study. The answer references provided focused study material and kept me on point rather than getting lost in the endless expanse of Microsoft documentation.
When it came to the actual exam, I didn’t have any real problems, although my lowest overall scores were for the Data Loss Prevention section (although still a pass).
My thoughts
While I do understand the principle behind the 12-month expiration period, I’m not looking forward to having to do this exam again. One thing that surprised me was that practice labs are insufficient for this exam. While they teach you to use Microsoft Purview, the exam is focused on testing your understanding of how the various components interact with each other and how they operate under specific conditions: which file types are (or aren’t) scanned at various points, are there size limits or other conditions that impact operations, how and when encryption is applied to different files, and when and how labels are applied.
I learned the most from the practice labs, but the practice exam questions taught me the details. Not only were they the same style as the actual exam, tracking down answers in the documentation ensured I actually read up on the minutiae of the various components.
Microsoft Purview itself is a phenomenally useful product, and the labs are sufficient for learning to use it. Unfortunately, the details of how every part works together are essential to implementing it correctly and understanding why when it doesn’t work as expected. If you are expected to plan and architect an information protection solution, studying for this exam will be useful.
Check out the study guide before deciding if this exam is what you want.
