Exam SC-401 topic 1 question 3 discussion

Answer should be D. Can do DLP without sensitivity labels and even with out DLP, removing encryption on the sensitivity label itself should prevent unauthorized access.

I used this control at work; its def A. It was in private preview for a while and now is available for DLP polices.

the dlp policy is based on the senstive labels , so the answer is D

o minimize the risk of General Data Protection Regulation (GDPR) data being included in Microsoft 365 Copilot summaries and also exclude private information from summaries. They plan to create a DLP policy that uses the Microsoft 365 Copilot policy location with the Content contains > Sensitivity labels condition to exclude items that have the Personal sensitivity label from being processed in the response summary and also to exclude items that have the Highly Confidential sensitivity label from being processed in the response summary.

Agree with D

Answer D Why the other options are incorrect: A. Data Loss Prevention (DLP): DLP helps prevent data exfiltration (such as emailing sensitive data), but it does not control what Copilot can access or generate in its responses. B. Insider Risk Management: This is used to detect and respond to risky user behavior (like data leaks or misuse), but it does not prevent Copilot from accessing data. C. Information Barriers (IBs): IBs prevent communication and collaboration between certain groups, but they don't apply to Copilot’s data processing directly unless configured very strictly—and still wouldn't control Copilot’s access to a specific channel’s data as precisely as sensitivity labels.

Sensitivity labels (D): You can apply sensitivity labels to documents in Channel1 (such as "Top Secret" or "Highly Confidential"). Sensitivity labels can be configured to block connected experiences like Copilot from processing the content of labeled files, effectively preventing Copilot from including that content in its answers. This is done either through advanced settings (like BlockContentAnalysisServices) or by applying encryption with user-defined permissions

While sensitivity labels (option D) can classify and protect documents, they do not directly control whether Copilot can access or reference them in responses. Microsoft Purview

Sensitivity labels allow you to: Classify and protect content (e.g., "Confidential – R&D"). Restrict access to the labeled files using encryption and permissions. Copilot respects label-based access control, meaning it won’t include content from protected files in responses unless the user has access.

D. Sensitivity labels How Microsoft 365 Copilot works with sensitivity labels and encryption https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-architecture-data-protection-auditing#how-microsoft-365-copilot-works-with-sensitivity-labels-and-encryption

A for me: https://learn.microsoft.com/en-us/purview/dlp-microsoft365-copilot-location-learn-about

I believe this used to be D, however, with the new updates A makes more sense as there is a tickbox to prevent copilot processing this information.

D. Sensitivity labels Sensitivity labels can be applied to documents, emails, Teams sites, and SharePoint sites. They control access to content based on user permissions and integrate with Microsoft 365 Copilot’s data access layer. This ensures that only authorized users can view or interact with the labeled content, preventing unauthorized users from seeing sensitive information in Copilot's responses.

Why Sensitivity Labels? Microsoft Sensitivity Labels allow you to: - Classify and protect files based on their content. - Prevent unauthorized access by defining security settings. - Restrict Copilot's ability to use certain files for generating responses. Why Not the Other Options? - A. Data Loss Prevention (DLP) → Prevents accidental data leakage but doesn't directly control Copilot's access to files. - B. Insider Risk Management → Monitors user behavior for potential security threats but doesn't restrict Copilot's response generation. - C. Information Barriers (IBs) → Blocks communication between specific groups in Microsoft 365, not content visibility to Copilot. To prevent Copilot from revealing sensitive file content, you need to restrict access at the content level, and only Sensitivity Labels provide this type of preemptive, content-aware control — not DLP.

DLP does not control what Microsoft 365 Copilot can access or generate in its responses. It’s designed to prevent data exfiltration, not to restrict internal AI access to content.

✅ Configure DLP policies with "Prevent Copilot from processing content" (Preview) Ensures Copilot does not analyze or generate responses using restricted data. Provides granular control over content visibility within Microsoft 365.

D is correct