How to Pass the Microsoft SC-401 Exam in 2026: An 8-Week Study Plan for the New Information Security Administrator Certification

SC-401 replaced the retired SC-400 and is now Microsoft's information security admin exam. This 8-week study plan breaks down the three Purview-heavy domains, the exam format and exactly what to revise each week so you pass first time.

CertCrush Team

2 July 2026

If you are wondering how to pass SC-401 in 2026, you are looking at the newest exam in Microsoft's security certification line, and the one that quietly replaced SC-400. Passing it earns you the Microsoft Certified: Information Security Administrator Associate credential, and it is fast becoming a core cert for anyone who protects data inside Microsoft 365.

This guide gives you a realistic 8-week study plan, a clear breakdown of the three exam domains, and the exact focus areas that trip candidates up. Follow it week by week and you will walk into the test centre knowing exactly what to expect.

What Is the SC-401 Exam?

SC-401, officially titled Administering Information Security in Microsoft 365, tests your ability to protect sensitive data using Microsoft Purview and related security services. It sits at the associate level and is aimed at information security administrators who plan, implement and manage data protection across a Microsoft 365 tenant.

The exam launched to replace SC-400, the old Information Protection Administrator exam. Microsoft retired SC-400, its related exam and its renewal assessments on 31 May 2025, so SC-401 is now the only route to this certification. If you passed SC-400 previously, your credential stayed valid for a period after retirement, but new candidates and renewers now sit SC-401.

The single biggest shift is scope. SC-400 leaned heavily on compliance, data lifecycle and regulatory adherence. SC-401 reframes the role around active information security: protecting data, preventing loss, mitigating insider risk and responding to threats, including protecting content in AI-driven environments.

Exam Tip: If you are choosing between the wider Microsoft security exams, read our guide on AZ-500 vs SC-500 first, then slot SC-401 in as your data-protection specialism.

SC-401 Exam Format and Key Facts

Before you build a study plan, you need to know exactly what you are preparing for. Here are the current SC-401 exam facts.

| Detail | SC-401 specification |
|---|---|
| Full exam name | Administering Information Security in Microsoft 365 |
| Certification earned | Microsoft Certified: Information Security Administrator Associate |
| Level | Associate |
| Number of questions | Approximately 40 to 60 |
| Time allowed | 120 minutes |
| Passing score | 700 out of 1000 (scaled) |
| Standard exam cost | 165 USD (varies by country and currency) |
| Replaces | SC-400 (retired 31 May 2025) |

A scaled passing score of 700 out of 1000 does not mean you need 70 percent of the questions correct. Microsoft scales scores across question difficulty, so treat 700 as a comfortable-but-not-crushing bar and aim to master every domain rather than scraping through one.

Exam Tip: Expect a mix of question styles, including standard multiple choice, multiple response, drag-and-drop ordering, and case studies. The case studies carry several questions each and reward candidates who can apply Purview settings to a business scenario, not just recall a definition.

The Three SC-401 Domains Explained

SC-401 is built around three skill areas, each weighted at roughly 30 to 35 percent. That near-even split matters: there is no single domain you can safely ignore. Here is what each one covers.

Domain 1: Implement Information Protection (30 to 35%)

This domain is the foundation of the exam. You need to be fluent in data classification and how sensitive information is discovered and labelled across a tenant.

Core topics include:

  • Sensitive information types, trainable classifiers and exact data match
  • Sensitivity labels, label policies and auto-labelling
  • Encryption and protection settings applied through labels
  • Applying labels across Microsoft 365 apps, SharePoint, Exchange and endpoints
  • Protecting content used in Microsoft 365 Copilot and other AI scenarios

If you are shaky on classification, start here. Almost everything else in the exam assumes you understand how data gets identified and labelled first.

Domain 2: Implement Data Loss Prevention and Retention (30 to 35%)

This is where information protection turns into active control. You must be able to design, deploy and troubleshoot data loss prevention (DLP) policies, plus manage retention.

Core topics include:

  • Designing DLP policies from business requirements
  • Endpoint DLP and adaptive protection
  • DLP policy tuning, alerts and false-positive management
  • Roles and permissions for DLP administration
  • Retention labels, retention policies and records management

DLP is the domain candidates most often underestimate. It is not enough to know a policy exists; you need to know where it applies, in what order rules evaluate, and how to interpret an alert when a policy fires.

Domain 3: Manage Risks, Alerts and Activities (30 to 35%)

The final domain is about detection, investigation and response, with Insider Risk Management (IRM) at its heart.

Core topics include:

  • Designing and deploying Insider Risk Management policies
  • Investigating IRM alerts, activities and cases
  • Collecting forensic evidence and managing activity investigations
  • Auditing and monitoring information security activities
  • Responding to information security alerts across Purview

This domain rewards hands-on familiarity. Reading about IRM is far less effective than clicking through the Purview portal, triggering a test alert and following the investigation workflow end to end.

Your 8-Week SC-401 Study Plan

This plan assumes you can commit around 8 to 10 hours a week. If you already work with Microsoft 365 security daily, you can compress it. If Purview is new to you, protect the full eight weeks and do not skip the labs.

Week 1: Orientation and the Purview Landscape

Read the official Microsoft Learn study guide for SC-401 and download the skills-measured list. Set up a Microsoft 365 developer tenant or a trial so you have a sandbox. Spend this week getting comfortable navigating the Microsoft Purview portal and understanding how information protection, DLP and insider risk fit together.

Week 2: Data Classification Foundations

Focus entirely on Domain 1 groundwork. Learn sensitive information types, trainable classifiers and exact data match. Create a few custom sensitive information types in your tenant and confirm they detect the content you expect.

Week 3: Sensitivity Labels and Auto-Labelling

Stay in Domain 1. Build sensitivity labels, publish label policies and configure encryption and protection settings. Set up auto-labelling policies and test how labels apply across Exchange, SharePoint and endpoints. Note how labels protect content in Copilot scenarios, a modern SC-401 emphasis.

Week 4: Data Loss Prevention Deep Dive

Move into Domain 2. Design DLP policies from sample business requirements, then deploy them across locations. Configure endpoint DLP and adaptive protection. Deliberately trigger a policy so you can read the alert, understand rule precedence and practise tuning out false positives.

Week 5: Retention and Records Management

Finish Domain 2. Configure retention labels and retention policies, and work through records management. Understand the interaction between retention and deletion, and how retention coexists with sensitivity labels on the same content.

Week 6: Insider Risk Management

Enter Domain 3. Build Insider Risk Management policies, generate test activity and investigate the resulting alerts. Walk a case from alert to resolution, and practise collecting forensic evidence. This is the highest-value hands-on week for many candidates.

Week 7: Alerts, Auditing and Response

Complete Domain 3. Work through auditing and monitoring, information security alerts and the response workflows across Purview. Tie the three domains together by tracing a single piece of sensitive data from classification, through a DLP block, to an insider risk alert.

Week 8: Practice Exams and Weak-Spot Revision

Stop learning new material. Sit full-length timed practice exams, review every wrong answer, and revise only your weak domains. Aim to score consistently above the pass mark on practice tests before you book the real thing.

Exam Tip: Do not book your exam date until week 6. By then you will know whether you are on track for week 8 or whether you need a short extension. Booking early creates pressure that leads to guessing rather than mastery.

Common Reasons Candidates Fail SC-401

Most SC-401 failures are not about intelligence; they are about preparation gaps. Watch for these.

  • Reading, not clicking. Purview is a hands-on product. Candidates who only watch videos struggle with scenario questions that require configuration knowledge.
  • Neglecting DLP rule logic. Knowing that DLP exists is not enough. You must understand where policies apply and how rules evaluate.
  • Skimming Insider Risk Management. IRM is a full third of the exam and is unfamiliar to many admins, so it needs real lab time.
  • Ignoring the AI angle. SC-401 explicitly covers protecting content in AI and Copilot contexts, a newer area the retired SC-400 did not stress.

For a wider view of why capable people still fail certification exams, read why most people fail certification exams and adjust your plan accordingly.

Is SC-401 Worth It in 2026?

For anyone administering security and compliance inside Microsoft 365, yes. SC-401 is now the definitive credential for the information security administrator role, and because it replaced SC-400 it carries the full weight of Microsoft's current data-protection stack. Employers running Microsoft 365 E5 and Purview want people who can prove these skills.

It also pairs neatly with the rest of the Microsoft security family. If you already hold or plan to sit SC-900 as a fundamentals base, or one of the SC-200 and SC-300 role exams, SC-401 adds a focused data-protection specialism that rounds out your profile.

If you have a free exam voucher to spend, SC-401 is a strong choice for anyone already working in the Microsoft data-protection space. See our breakdown of the smartest exam to spend a free Microsoft voucher on to compare it against the alternatives.

Ready to Start Practising?

Reading about Purview will only take you so far. The candidates who pass SC-401 first time are the ones who test themselves relentlessly on exam-style questions until the three domains feel automatic.

CertCrush gives you realistic practice questions with full explanations so you can find and fix your weak spots before exam day, not during it. Work through the questions domain by domain, follow the 8-week plan above, and you will walk in ready.

Create your free CertCrush account to start practising for SC-401 today, or browse our full range of Microsoft security courses and practice exams to build your complete study toolkit.
