Below are the free Exam Prep Hubs currently available on The Data Community. Bookmark the hubs you are interested in and use them to ensure you are fully prepared for the respective exam.
Each hub contains:
The topic-by-topic (from the official study guide) coverage of the material, making it easy for you to ensure you are covering all aspects of the exam material.
Practice exam questions for each section.
Bonus material to help you prepare.
Two (2) Practice Exams with 60 questions each, or Four (4) Practice Exams with 30 questions each – along with answers.
Links to useful resources, such as Microsoft Learn content, YouTube video series, and more.
WARNING: AI-900 will retire on June 30, 2026. It will be replaced with AI-901. You can continue to earn this certification after AI-900 retires by passing AI-901.
Welcome to the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub!
Welcome to the one-stop hub with information for preparing for the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals certification exam. The content for this exam helps prepare you to “understand Microsoft 365 services, admin tools, core objects, core security features, and modern AI-driven IT management practices”. Upon successful completion of the exam, you earn the Microsoft 365 Certified: Copilot and Agent Administration Fundamentals certification.
This hub provides information directly here (topic-by-topic as outlined in the official study guide), links to a number of external resources, tips for preparing for the exam, practice tests, and section questions to help you prepare. Bookmark this page and use it as a guide to ensure that you are fully covering all relevant topics for the AB-900 exam and making use of as many of the resources available as possible.
Audience profile (from Microsoft’s site)
As a candidate for this Microsoft Certification, you should be familiar with Microsoft 365, including core services, security, identity and access, data protection, and governance, along with Microsoft 365 Copilot and agents.
Additionally, you should be familiar with the admin centers used to access Microsoft 365 workloads, such as Exchange Online, SharePoint in Microsoft 365, Microsoft Teams, Microsoft Entra, and Microsoft Purview. You need to have experience with AI-driven productivity tools and modern IT management practices.
You must be able to identify the roles of the core features and objects available in Microsoft 365, such as users, groups, teams, sites, and libraries. Plus, you should understand the core security features of Microsoft 365, such as authentication methods, conditional access policies, and single sign-on (SSO).
Courses: There are several highly rated courses for AB-900 on Udemy:
Check out the previews of each course to decide which trainer is best for you. And a tip for you … if your timeline allows it, wait for the occasional Udemy sale and buy your course(s) then.
A company plans to deploy Microsoft 365 Copilot to all employees. Before assigning licenses, the IT department wants to verify that users have the required Microsoft 365 subscription.
Which action should the administrator perform first?
A. Enable Microsoft Defender for all users.
B. Verify that users have an eligible Microsoft 365 base license.
C. Create a custom agent for each department.
D. Configure Microsoft Purview retention labels.
Correct Answer: B
Explanation
Microsoft 365 Copilot requires users to have an eligible Microsoft 365 subscription (such as Microsoft 365 E3 or E5, or other qualifying plans) before a Copilot license can be assigned.
A improves security but is not a licensing prerequisite.
C is unrelated to licensing.
D governs data but does not determine Copilot eligibility.
Question 2 (Multiple Answer)
Which THREE Microsoft 365 workloads commonly provide organizational data that Microsoft 365 Copilot can use to generate responses?
A. SharePoint Online
B. Exchange Online
C. Microsoft Teams
D. Windows Registry
E. Azure Virtual Machines
Choose THREE answers.
Correct Answers
✅ A
✅ B
✅ C
Explanation
Microsoft 365 Copilot works across Microsoft Graph and retrieves information from workloads such as:
SharePoint Online
Exchange Online
Microsoft Teams
OneDrive (not listed)
Windows Registry and Azure Virtual Machines are not Microsoft 365 content sources for Copilot.
Question 3 (Single Answer)
Which Microsoft service is primarily responsible for storing and managing user identities used by Microsoft 365?
A. Microsoft Defender XDR
B. Microsoft Purview
C. Microsoft Entra ID
D. Microsoft Intune
Correct Answer: C
Explanation
Microsoft Entra ID provides identity, authentication, authorization, and access management for Microsoft 365 users.
The other services perform security, governance, or device management functions.
Question 4 (Fill in the Blank)
Complete the sentence.
Microsoft 365 Copilot uses Microsoft __________ to securely retrieve organizational information across Microsoft 365 services.
A. Defender
B. Graph
C. Fabric
D. Power BI
Correct Answer: B
Explanation
Microsoft Graph provides a unified API and data layer that enables Microsoft 365 Copilot to access emails, meetings, files, chats, calendars, and other Microsoft 365 data while respecting existing permissions.
Question 5 (Scenario-Based Single Answer)
An administrator wants to identify users who have begun using Microsoft 365 Copilot but are rarely returning after their first week.
Which solution provides this information?
A. Microsoft Intune
B. Microsoft Defender
C. Copilot Analytics
D. Exchange Admin Center
Correct Answer: C
Explanation
Copilot Analytics provides insights into user adoption, repeat usage, engagement trends, and feature utilization.
The remaining tools do not provide Copilot adoption analytics.
Question 6 (Matching)
Match each Microsoft solution with its primary purpose.
| Microsoft Solution | Purpose |
| --- | --- |
| 1. Microsoft Purview | A. Identity management |
| 2. Microsoft Entra ID | B. Compliance and governance |
| 3. Microsoft Defender XDR | C. Threat detection and response |
Correct Matching
1 → B
2 → A
3 → C
Explanation
Each Microsoft solution has a specialized role:
Microsoft Purview manages compliance and governance.
Microsoft Entra ID manages identities.
Microsoft Defender XDR provides security monitoring and response.
Question 7 (Scenario-Based Multiple Answer)
A company wants to reduce the risk of Microsoft 365 Copilot exposing overshared files after deployment.
Which TWO actions should administrators take?
A. Review SharePoint permissions.
B. Run SharePoint Data Access Governance Reports.
C. Disable Microsoft Teams.
D. Use Microsoft Purview DSPM for AI to identify risks.
E. Delete Microsoft Graph.
Choose TWO answers.
Correct Answers
✅ B
✅ D
Explanation
SharePoint Data Access Governance Reports identify overshared content, while Microsoft Purview DSPM for AI identifies AI-related exposure risks and recommends remediation.
Reviewing SharePoint permissions is a useful administrative practice, but these two tools are specifically designed for discovering and assessing oversharing risks.
Question 8 (Single Answer)
Which statement correctly describes Microsoft 365 Copilot?
A. It ignores Microsoft 365 permissions when generating responses.
B. It only searches internet content.
C. It respects existing Microsoft 365 permissions and organizational policies.
D. It automatically grants access to restricted SharePoint sites.
Correct Answer: C
Explanation
Microsoft 365 Copilot always respects Microsoft 365 permissions and compliance controls. It cannot retrieve information users are not authorized to access.
The other statements are incorrect.
Question 9 (Scenario-Based Single Answer)
An organization is investigating the accidental sharing of confidential project documents.
Which Microsoft Purview feature should administrators use to locate those files across Exchange, SharePoint, and OneDrive?
A. Content Search
B. Microsoft Defender Antivirus
C. Azure Cost Management
D. Windows Event Viewer
Correct Answer: A
Explanation
Content Search allows investigators to search across Microsoft 365 workloads for emails, documents, Teams messages, and other content during investigations.
The remaining tools are unrelated.
Question 10 (Multiple Answer)
Which THREE capabilities are available in SharePoint Advanced Management?
A. Restricted Site Access
B. Data Access Governance Reports
C. Oversharing insights
D. Windows Update management
E. BIOS configuration
Choose THREE answers.
Correct Answers
✅ A
✅ B
✅ C
Explanation
SharePoint Advanced Management provides capabilities that help organizations secure SharePoint content before and after deploying Microsoft 365 Copilot, including:
Restricted Site Access
Data Access Governance Reports
Oversharing insights and governance capabilities
Windows Update management and BIOS configuration are unrelated.
Question 11 (Scenario-Based Single Answer)
A compliance officer needs to locate all emails and Teams messages related to a legal investigation across Microsoft 365.
Which tool should be used?
A. Microsoft Purview Content Search
B. Microsoft Defender for Endpoint
C. Microsoft Entra ID sign-in logs
D. Microsoft Intune compliance policies
Correct Answer: A
Explanation
Microsoft Purview Content Search allows administrators to search across Exchange, SharePoint, OneDrive, and Teams for investigation and compliance purposes.
Other options are unrelated to content discovery.
Question 12 (Multiple Answer)
Which THREE capabilities are part of Microsoft Purview Data Loss Prevention (DLP)?
A. Detect sensitive information in emails and documents
B. Block or restrict sharing of sensitive data
C. Automatically increase Copilot licensing
D. Apply policies across Microsoft 365 workloads
E. Replace Microsoft Entra ID authentication
Choose THREE answers.
Correct Answers
✅ A
✅ B
✅ D
Explanation
DLP helps:
Identify sensitive data
Prevent accidental sharing
Apply policies across Microsoft 365 services
It does not manage licensing or identity.
Question 13 (Single Answer)
Which Microsoft service enforces identity-based access control for Microsoft 365 Copilot users?
A. Microsoft Defender
B. Microsoft Entra ID
C. Microsoft Purview
D. Microsoft Fabric
Correct Answer: B
Explanation
Microsoft Entra ID manages authentication and authorization, ensuring users only access resources they are permitted to use, including Copilot.
Question 14 (Fill in the Blank)
Microsoft 365 Copilot relies on Microsoft __________ to access organizational data securely.
A. Graph
B. Sentinel
C. Intune
D. Power Automate
Correct Answer: A
Explanation
Microsoft Graph is the API layer that connects Copilot to Microsoft 365 data while enforcing permissions and security controls.
Question 15 (Scenario-Based Single Answer)
A company wants to ensure that confidential HR documents are not included in Copilot responses until they are reviewed.
Which solution should they use?
A. SharePoint Restricted Site Access
B. Microsoft Teams Channels
C. Windows Firewall
D. Azure DevOps Pipelines
Correct Answer: A
Explanation
Restricted Site Access in SharePoint Advanced Management can temporarily block Copilot and search indexing from accessing sensitive sites.
Question 16 (Matching)
Match each Copilot-related feature with its purpose.
| Feature | Purpose |
| --- | --- |
| 1. Copilot Analytics | A. Build custom business assistants |
| 2. Custom Agents | B. Measure adoption and usage |
| 3. Prompt Management | C. Save and reuse prompts |
Correct Matching
1 → B
2 → A
3 → C
Question 17 (Multiple Answer)
Which TWO actions can administrators perform in Copilot prompt management?
A. Save prompts
B. Share prompts
C. Encrypt Azure VMs
D. Delete prompts
E. Disable Microsoft Graph
Correct Answers
✅ A
✅ B
Explanation
Prompt management allows users to save and share prompts for reuse and productivity. Deletion may be available depending on configuration, but encryption and Graph changes are unrelated.
Question 18 (Scenario-Based Single Answer)
An organization wants to understand whether employees are using Copilot effectively and frequently returning to it after initial adoption.
Which tool should they use?
A. Microsoft Entra ID logs
B. Copilot Analytics
C. Azure Monitor
D. Microsoft Defender for Cloud
Correct Answer: B
Explanation
Copilot Analytics provides adoption, engagement, and retention metrics for Microsoft 365 Copilot usage.
Question 19 (Single Answer)
Which of the following best describes a custom agent in Microsoft 365 Copilot?
A. A tool that replaces Microsoft Teams
B. A browser extension for Edge
C. A specialized assistant built for organizational tasks and data sources
D. A security policy enforcement engine
Correct Answer: C
Explanation
Custom agents extend Copilot by providing tailored assistance based on organizational data, workflows, and knowledge sources.
Question 20 (Scenario-Based Multiple Answer)
An organization is preparing to deploy Microsoft 365 Copilot and wants to reduce data exposure risks in SharePoint.
Which TWO actions should the administrator take?
A. Run SharePoint Data Access Governance Reports
B. Enable Restricted Site Access
C. Disable Microsoft Entra ID
D. Remove Microsoft Purview policies
E. Turn off Microsoft Teams
Choose TWO answers.
Correct Answers
✅ A
✅ B
Explanation
To reduce oversharing risk:
Governance Reports identify risky sites
Restricted Site Access limits Copilot and search access to sensitive sites
Disabling identity or collaboration services is not appropriate.
Question 21 (Scenario-Based Single Answer)
A company wants to deploy Microsoft 365 Copilot but only pay for usage instead of assigning full user licenses.
Which billing model should they consider?
A. Pay-as-you-go
B. Per-device licensing
C. Free trial licensing only
D. Windows Enterprise licensing
Correct Answer: A
Explanation
Pay-as-you-go allows organizations to be billed based on usage rather than assigning full Copilot licenses to every user.
Other options are not valid Copilot billing models.
Question 22 (Single Answer)
Which requirement must be met before a user can be assigned a Microsoft 365 Copilot license?
A. They must be a SharePoint administrator
B. They must have an eligible Microsoft 365 base license
C. They must install Microsoft Edge extensions
D. They must disable Multi-Factor Authentication
Correct Answer: B
Explanation
Copilot requires a qualifying Microsoft 365 subscription (such as E3 or E5) before a Copilot license can be assigned.
Question 23 (Scenario-Based Multiple Answer)
An organization wants to monitor the health, usage, and lifecycle of agents deployed in Microsoft 365.
Which TWO admin centers should they use?
A. Microsoft 365 admin center
B. Microsoft Power Platform admin center
C. Azure DevOps admin center
D. Microsoft Word desktop app
E. Windows Control Panel
Choose TWO answers.
Correct Answers
✅ A
✅ B
Explanation
Microsoft 365 admin center provides tenant-level monitoring and management of Copilot and agents.
Power Platform admin center provides insights into agent lifecycle, usage, and governance for built agents.
Question 24 (Single Answer)
Which Copilot feature is designed to perform in-depth research across enterprise and web sources to produce structured insights?
A. Analyst
B. Designer
C. Outlook Copilot
D. Windows Recall
Correct Answer: A
Explanation
The Analyst agent is designed for advanced data analysis and structured insights.
Question 25 (Fill in the Blank)
Microsoft 365 Copilot agents are managed throughout their __________ lifecycle.
A. hardware
B. billing
C. application
D. email
Correct Answer: C
Explanation
Agents follow an application lifecycle: creation, deployment, monitoring, updating, and retirement.
Question 26 (Matching)
Match each Copilot capability with its description.
| Capability | Description |
| --- | --- |
| 1. Researcher | A. Builds structured insights from data analysis |
| 2. Analyst | B. Performs deep research across enterprise data |
| 3. Pay-as-you-go | C. Usage-based billing model |
Correct Matching
1 → B
2 → A
3 → C
Question 27 (Scenario-Based Single Answer)
A company wants to allow employees to use Copilot without assigning full licenses to everyone, but still wants to track usage costs.
What should they configure?
A. Microsoft Entra Domain Services
B. Pay-as-you-go billing for Copilot
C. Windows Autopilot
D. Microsoft Defender ATP
Correct Answer: B
Explanation
Pay-as-you-go enables usage-based billing, allowing organizations to track and control costs without assigning full licenses to all users.
Question 28 (Multiple Answer)
Which THREE actions are part of managing Microsoft 365 Copilot agents?
A. Monitor usage analytics
B. Manage lifecycle stages
C. Assign physical hardware
D. Control access permissions
E. Delete Microsoft Graph
Hardware management and Graph deletion are unrelated.
Question 29 (Scenario-Based Single Answer)
An administrator wants to review which employees are actively using Copilot and how often they interact with it across departments.
Which tool provides this visibility?
A. Microsoft Intune
B. Copilot Analytics
C. Azure Key Vault
D. Microsoft Defender Firewall
Correct Answer: B
Explanation
Copilot Analytics provides adoption, usage frequency, and engagement metrics across departments and users.
Question 30 (Single Answer)
Which statement best describes Microsoft 365 Copilot agents?
A. They replace Microsoft Entra ID authentication
B. They are hardware devices installed on user machines
C. They extend Copilot with task-specific and organizational knowledge capabilities
D. They are only used for security monitoring
Correct Answer: C
Explanation
Copilot agents extend Copilot functionality by providing specialized, task-oriented capabilities based on organizational data and workflows.
A company plans to deploy Microsoft 365 Copilot to 300 employees. Before deployment, administrators want to reduce the possibility that Copilot will surface documents that were unintentionally shared with a broad audience.
Which action should administrators perform FIRST?
A. Increase mailbox storage quotas.
B. Run SharePoint Advanced Management reports to identify oversharing.
C. Assign Copilot licenses to all users.
D. Enable Microsoft Defender for Endpoint.
Correct Answer
B
Explanation
SharePoint Advanced Management provides reports that identify overshared sites and content. Reviewing and correcting permissions before deployment reduces the risk of Copilot surfacing sensitive information to users who already have access.
A is unrelated.
C deploys Copilot before addressing governance concerns.
D improves endpoint security but does not address oversharing.
Question 2 (Multiple Response)
Which THREE Microsoft 365 services commonly provide organizational data that Microsoft 365 Copilot can use through Microsoft Graph?
(Choose three.)
A. SharePoint Online
B. Exchange Online
C. Microsoft Teams
D. Azure Kubernetes Service
Correct Answers
A, B, and C
Explanation
Microsoft Graph connects Microsoft 365 services, including:
SharePoint Online
Exchange Online
Microsoft Teams
Outlook
OneDrive
Calendar
Azure Kubernetes Service is an Azure infrastructure service and is not a Microsoft 365 productivity workload used as a primary grounding source.
Question 3 (Scenario)
A compliance administrator wants to investigate whether users have recently used Microsoft 365 Copilot to access files containing credit card numbers.
Which Microsoft Purview capability is MOST appropriate?
A. Activity Explorer
B. Microsoft Defender XDR
C. Microsoft Intune
D. Azure Monitor
Correct Answer
A
Explanation
Activity Explorer helps administrators investigate user activities involving sensitive information, including Copilot interactions when supported by Microsoft Purview auditing and compliance features.
The remaining services focus on endpoint management, security operations, or Azure monitoring.
Question 4 (Best Answer)
An organization wants to find every document and email related to “Project Orion” across Exchange Online, SharePoint Online, and OneDrive.
Which Microsoft Purview feature should be used?
A. Data Loss Prevention
B. Activity Explorer
C. Content Search (eDiscovery)
D. Communication Compliance
Correct Answer
C
Explanation
Content Search enables administrators to search across Microsoft 365 workloads for emails, files, Teams messages, and other supported content.
Activity Explorer monitors activities rather than searching stored content.
Question 5 (Matching)
Match each administrative tool with its primary purpose.
| Tool | Purpose |
| --- | --- |
| 1. Copilot Analytics | A. Discover AI-related risks |
| 2. DSPM for AI | B. Measure Copilot adoption |
| 3. Microsoft 365 Admin Center | C. Assign licenses and manage users |
Choose the correct answer.
A. 1-B, 2-A, 3-C
B. 1-A, 2-C, 3-B
C. 1-C, 2-B, 3-A
D. 1-B, 2-C, 3-A
Correct Answer
A
Explanation
Copilot Analytics measures adoption and usage.
DSPM for AI identifies AI-related security and governance risks.
Microsoft 365 Admin Center manages users, licenses, and Microsoft 365 services.
Question 6 (Scenario)
An organization wants a conversational assistant that answers only Human Resources questions using approved HR documentation.
Which solution best satisfies this requirement?
A. Microsoft Purview eDiscovery
B. Exchange Online
C. Custom agent
D. Microsoft Defender for Cloud Apps
Correct Answer
C
Explanation
A custom agent can be configured with:
Specific instructions
Approved knowledge sources
Department-specific behaviors
Controlled user access
This makes it ideal for HR, Finance, Legal, or IT support scenarios.
Question 7 (Multiple Response)
Which TWO statements correctly describe Microsoft 365 Copilot licensing?
(Choose two.)
A. Copilot licenses are assigned to individual users.
B. Some Copilot services support pay-as-you-go billing.
C. Every Copilot capability requires monthly licensing.
D. Copilot licensing automatically grants Global Administrator permissions.
Correct Answers
A and B
Explanation
Microsoft supports:
Per-user licensing for Microsoft 365 Copilot.
Consumption-based (pay-as-you-go) billing for certain Copilot experiences and services.
Licensing never grants administrative permissions.
Question 8 (Scenario)
An administrator wants to understand how frequently employees are using Copilot in Word, Excel, Outlook, and Teams.
Which tool provides this information?
A. Microsoft Defender Portal
B. Copilot Analytics
C. Exchange Admin Center
D. Microsoft Intune
Correct Answer
B
Explanation
Copilot Analytics provides reporting on:
Active users
Adoption trends
Usage by application
Organizational engagement
Return on investment insights
Question 9 (Fill in the Blank)
Microsoft 365 Copilot retrieves organizational context through the __________ while respecting existing security permissions.
A. Azure Virtual Network
B. Windows Registry
C. Microsoft Graph
D. SQL Server Agent
Correct Answer
C
Explanation
Microsoft Graph securely connects Microsoft 365 applications and organizational data. Copilot uses Microsoft Graph to retrieve business context while honoring existing permissions.
Question 10 (Scenario-Based Case Study)
A company has completed a pilot deployment of Microsoft 365 Copilot. Administrators notice that some employees rarely use Copilot while others use it daily.
Management asks the IT department to identify:
adoption trends,
frequently used Microsoft 365 applications,
active users,
opportunities to improve adoption.
Which solution BEST meets these requirements?
A. Microsoft Purview Audit
B. Microsoft Defender XDR
C. Microsoft Entra ID
D. Copilot Analytics
Correct Answer
D
Explanation
Copilot Analytics is specifically designed to provide insights into:
Adoption rates
User engagement
Application usage
Organizational trends
Opportunities to increase Copilot adoption
The other services are designed for auditing, security, or identity management rather than adoption reporting.
Question 11 (Single Answer)
A Microsoft 365 administrator wants to determine whether users are actively using Microsoft 365 Copilot after licenses have been assigned.
Which tool provides adoption and usage metrics specifically for Copilot?
A. Microsoft Entra admin center
B. Copilot Analytics
C. Azure Monitor
D. Microsoft Defender XDR
Correct Answer: B
Explanation
Copilot Analytics provides adoption metrics, usage trends, active users, feature usage, and business insights for Microsoft 365 Copilot.
A is incorrect because Entra manages identities.
C monitors Azure resources.
D focuses on security incidents.
Question 12 (Multiple Answer)
A company wants to reduce oversharing before deploying Microsoft 365 Copilot.
Which TWO tools specifically help identify oversharing?
A. SharePoint Data Access Governance Reports
B. SharePoint Advanced Management
C. Microsoft Word Editor
D. Microsoft Purview DSPM for AI
E. Windows Event Viewer
Choose TWO answers.
Correct Answers:
✅ A
✅ D
Explanation
Data Access Governance Reports identify sites with excessive permissions, while DSPM for AI identifies AI-related exposure risks and recommends remediation.
B helps administer SharePoint but isn’t specifically an oversharing discovery tool by itself.
C and E are unrelated.
Question 13 (Scenario)
A legal department needs to locate every email discussing a confidential acquisition during the last six months.
Which Microsoft Purview feature should the administrator use?
A. Insider Risk Management
B. Communication Compliance
C. Content Search
D. Data Loss Prevention
Correct Answer: C
Explanation
Content Search allows administrators to search Exchange mailboxes, SharePoint, OneDrive, and Teams content for investigations and legal discovery.
The other solutions perform different governance functions.
Question 14 (Fill in the Blank)
Complete the sentence.
Microsoft 365 Copilot only returns information that a user is already __________ to access.
A. configured
B. licensed
C. authorized
D. synchronized
Correct Answer: C
Explanation
Copilot honors existing Microsoft 365 permissions. Users only receive information they are already authorized to access.
Question 15 (Match the Answers)
Match each Microsoft 365 service with its primary purpose.
| Service | Purpose |
| --- | --- |
| 1. Microsoft Entra ID | A. Data governance and compliance |
| 2. Microsoft Purview | B. Identity and authentication |
| 3. Microsoft Defender | C. Threat protection |
Correct Matching
1 → B
2 → A
3 → C
Explanation
Microsoft Entra manages identities.
Microsoft Purview manages governance and compliance.
Microsoft Defender protects against threats.
Question 16 (Single Answer)
Which administrator is most likely responsible for configuring Microsoft 365 Copilot licenses?
A. SharePoint Site Owner
B. Exchange User
C. Global Administrator
D. Power BI Viewer
Correct Answer: C
Explanation
Global Administrators (or other appropriately delegated licensing administrators) can assign Copilot licenses.
The remaining roles cannot generally assign organization-wide licenses.
Question 17 (Scenario)
A company wants to monitor which departments are adopting Copilot most rapidly.
Which report would best meet this requirement?
A. Azure Cost Management
B. Copilot Analytics Adoption Report
C. Windows Performance Monitor
D. Exchange Queue Report
Correct Answer: B
Explanation
Copilot Analytics includes organizational adoption trends broken down by departments and user groups.
The other reports are unrelated.
Question 18 (Multiple Answer)
Which actions can administrators perform when managing Microsoft 365 Copilot prompts?
A. Save prompts
B. Share prompts
C. Schedule prompts
D. Permanently modify Microsoft Graph
E. Delete prompts
Choose THREE answers.
Correct Answers
✅ A
✅ B
✅ E
Explanation
Users can:
Save prompts
Share prompts
Delete prompts
While Microsoft continues to expand prompt management capabilities, scheduling depends on the experience and scenario and is not a universal prompt-management capability tested at the AB-900 level.
Modifying Microsoft Graph is unrelated.
Question 19 (Scenario)
An organization wants sensitive SharePoint sites to be inaccessible to Microsoft 365 Copilot until additional review has been completed.
Which SharePoint Advanced Management capability supports this goal?
A. Restricted Site Access
B. Anonymous Sharing
C. Site Templates
D. Version History
Correct Answer: A
Explanation
Restricted Site Access allows administrators to temporarily exclude selected SharePoint sites from organizational search and Copilot experiences while permissions or content are reviewed.
Question 20 (Single Answer)
Which statement correctly describes custom agents?
A. They permanently replace Microsoft 365 Copilot.
B. They only answer questions using internet data.
C. They are designed to automate and assist with organization-specific business scenarios.
D. They require every user to have Global Administrator permissions.
Correct Answer: C
Explanation
Custom agents extend Copilot by providing specialized knowledge, workflows, and automation tailored to an organization’s processes.
They do not replace Copilot.
They are not limited to internet data.
Users do not need Global Administrator permissions to use them.
Question 21 (Scenario-Based Single Answer)
A company plans to deploy Microsoft 365 Copilot to its Finance department. Before enabling Copilot, administrators want to identify SharePoint sites that contain excessive permissions which could expose confidential financial data.
Which Microsoft capability should they use first?
A. Microsoft Defender XDR
B. SharePoint Data Access Governance Reports
C. Microsoft Intune
D. Exchange Online Message Trace
Correct Answer: B
Explanation
Data Access Governance Reports help administrators identify overshared SharePoint sites by analyzing permissions, external sharing, and potentially excessive access. This allows organizations to remediate permissions before enabling Microsoft 365 Copilot.
A focuses on threat detection.
C manages devices.
D tracks email delivery.
Question 22 (Multiple Answer)
Which THREE statements correctly describe Microsoft Purview Data Security Posture Management (DSPM) for AI?
A. It identifies AI-related data exposure risks.
B. It helps discover AI activity across Microsoft 365.
C. It replaces Microsoft Defender Antivirus.
D. It provides recommendations to reduce AI-related risks.
E. It creates Microsoft 365 licenses.
Choose THREE answers.
Correct Answers
✅ A
✅ B
✅ D
Explanation
DSPM for AI helps organizations:
Discover AI usage.
Identify AI-related security risks.
Recommend remediation actions.
It does not replace endpoint protection or manage licensing.
Question 23 (Single Answer)
Which Microsoft 365 administrator role typically has the permissions required to manage Microsoft 365 Copilot settings across the tenant?
A. SharePoint Visitor
B. Billing Reader
C. Global Administrator
D. Teams Meeting Organizer
Correct Answer: C
Explanation
Global Administrators have broad permissions to configure Microsoft 365 services, including Microsoft 365 Copilot administration.
The remaining roles have much more limited permissions.
Question 24 (Scenario-Based Single Answer)
An administrator wants to review the number of active Copilot users, adoption trends, and feature usage across the organization.
Which tool should they use?
A. Microsoft Entra Admin Center
B. Azure Monitor
C. Microsoft Defender Portal
D. Copilot Analytics
Correct Answer: D
Explanation
Copilot Analytics provides insights into:
Adoption
Active users
Feature usage
Organizational trends
Business value indicators
The other tools serve different purposes.
Question 25 (Match the Answers)
Match each Microsoft technology with its primary purpose.
| Technology | Purpose |
| --- | --- |
| 1. Microsoft Purview Content Search | A. Discover content during investigations |
| 2. SharePoint Advanced Management | B. Reduce oversharing risks |
| 3. Copilot Analytics | C. Measure Copilot adoption |
Correct Matching
1 → A
2 → B
3 → C
Explanation
Each solution addresses a different administrative responsibility:
A company plans to publish a custom agent for Human Resources.
Which TWO activities should occur before broad deployment?
A. Verify organizational approval requirements.
B. Validate the agent’s knowledge sources.
C. Disable Microsoft Entra ID.
D. Remove Microsoft Purview compliance policies.
E. Delete SharePoint permissions.
Choose TWO answers.
Correct Answers
✅ A
✅ B
Explanation
Before deployment, administrators should:
Complete any approval process.
Verify that the agent uses accurate and authorized knowledge sources.
The remaining options reduce security or are unrelated.
Question 27 (Fill in the Blank)
Microsoft 365 Copilot respects existing __________ when retrieving organizational information.
A. passwords
B. licenses
C. permissions
D. storage quotas
Correct Answer: C
Explanation
Copilot never bypasses Microsoft 365 permissions. Users only receive information they already have permission to access.
Question 28 (Scenario-Based Single Answer)
An organization wants to create an AI assistant that answers internal Human Resources questions using approved HR documentation.
Which solution best meets this requirement?
A. Create a custom agent
B. Enable Windows Copilot
C. Deploy Microsoft Defender
D. Configure Microsoft Intune
Correct Answer: A
Explanation
A custom agent can be built using approved HR documents as its knowledge source, allowing employees to receive accurate answers tailored to organizational policies.
The remaining options do not provide organization-specific conversational AI.
Question 29 (Multiple Answer)
Which THREE activities can administrators perform while monitoring Microsoft 365 agents?
A. Review usage statistics.
B. Monitor operational insights.
C. Track the agent lifecycle.
D. Install Windows updates.
E. Replace Microsoft Graph.
Choose THREE answers.
Correct Answers
✅ A
✅ B
✅ C
Explanation
Administrators can monitor:
Usage
Operational health
Lifecycle status
These capabilities are available through the Microsoft 365 admin center and, for applicable agents, the Microsoft Power Platform admin center.
Windows updates and Microsoft Graph replacement are unrelated.
Question 30 (Scenario-Based Single Answer)
A company has completed a pilot deployment of Microsoft 365 Copilot. Management asks the administrator to determine whether employee adoption is increasing and whether users are regularly interacting with Copilot.
Which solution provides the most appropriate information?
A. Microsoft Defender Secure Score
B. Azure Cost Management
C. Exchange Online Mail Flow Reports
D. Copilot Analytics
Correct Answer: D
Explanation
Copilot Analytics is specifically designed to measure:
User adoption
Active users
Usage frequency
Feature utilization
Organizational trends
The other reporting tools focus on security, cloud spending, or email traffic rather than Copilot adoption.
A company is preparing to deploy Microsoft 365 Copilot. The IT administrator wants to ensure Copilot can generate responses using organizational documents stored in Microsoft 365 while still respecting existing security permissions.
Which statement is correct?
A. Copilot ignores Microsoft 365 permissions and searches all tenant data.
B. Copilot only accesses documents that have sensitivity labels.
C. Copilot only returns information the signed-in user already has permission to access.
D. Copilot automatically grants temporary access to files needed to answer prompts.
Correct Answer
C
Explanation
Microsoft 365 Copilot honors existing Microsoft 365 security, identity, and permission models. Users only receive information they are already authorized to access.
A is incorrect because Copilot never bypasses permissions.
B is incorrect because permissions—not sensitivity labels alone—determine access.
D is incorrect because Copilot does not modify permissions.
Question 2 (Multiple Answer)
Which TWO Microsoft 365 services commonly provide grounding data for Microsoft 365 Copilot?
(Choose two.)
A. SharePoint Online
B. Exchange Online
C. Azure DevOps
D. Windows Registry
Correct Answers
A and B
Explanation
Microsoft 365 Copilot retrieves business context from Microsoft Graph, which includes services such as:
SharePoint Online
Exchange Online
Teams
OneDrive
Outlook
Calendar
Azure DevOps is not a core Microsoft 365 workload for Copilot grounding, and the Windows Registry is unrelated.
Question 3 (Scenario)
A compliance administrator wants to determine whether employees are using Copilot to summarize documents that contain sensitive information.
Which Microsoft Purview feature provides visibility into these AI interactions?
A. eDiscovery Content Search
B. Data Loss Prevention
C. Activity Explorer
D. SharePoint Version History
Correct Answer
C
Explanation
Microsoft Purview Activity Explorer displays user activities involving sensitive information, including activities related to Microsoft 365 Copilot and AI usage.
eDiscovery searches stored content.
DLP protects sensitive information.
Version History tracks document revisions.
Question 4 (Fill in the Blank)
Complete the following sentence.
Microsoft 365 Copilot retrieves organizational context primarily through the __________.
A. Azure Resource Manager
B. Microsoft Graph
C. Microsoft Defender Portal
D. Azure Key Vault
Correct Answer
B
Explanation
Microsoft Graph securely connects Microsoft 365 workloads and provides Copilot with organizational context while respecting user permissions.
Question 5 (Matching)
Match each Microsoft Purview capability with its primary purpose.
Capability | Purpose
1. Activity Explorer | A. Investigate files and emails
2. Content Search | B. Monitor sensitive activities
3. DSPM for AI | C. Identify AI-related risks
Choose the correct mapping.
A. 1-B 2-A 3-C
B. 1-C 2-B 3-A
C. 1-A 2-C 3-B
D. 1-B 2-C 3-A
Correct Answer
A
Explanation
Activity Explorer monitors user activities.
Content Search locates emails and files.
DSPM for AI identifies AI-related security and data risks.
Question 6 (Scenario)
An organization recently enabled Microsoft 365 Copilot. Leadership is concerned that employees may unintentionally expose confidential documents because SharePoint permissions were configured too broadly years ago.
Which Microsoft solution is specifically designed to identify oversharing risks?
A. Exchange Admin Center
B. Azure Cost Management
C. Microsoft Teams Admin Center
D. SharePoint Advanced Management
Correct Answer
D
Explanation
SharePoint Advanced Management provides reports and tools that help identify overshared content and manage site permissions before or after deploying Copilot.
The other options do not analyze SharePoint oversharing.
Question 7 (Multiple Answer)
Which TWO statements about Microsoft 365 Copilot licensing are true?
(Choose two.)
A. Copilot can be licensed through a per-user monthly subscription.
B. Some Copilot capabilities also support pay-as-you-go billing.
C. Every Copilot feature requires a pay-as-you-go model.
D. SharePoint agents cannot use pay-as-you-go billing.
Correct Answers
A and B
Explanation
Microsoft supports both:
Per-user monthly licensing
Pay-as-you-go consumption for certain Copilot experiences, including some SharePoint-related capabilities
The remaining statements are incorrect.
Question 8 (Best Answer)
Which administrative portal is primarily used to assign Microsoft 365 Copilot licenses?
A. Microsoft Entra Admin Center
B. Microsoft 365 Admin Center
C. Azure Portal
D. Microsoft Purview Portal
Correct Answer
B
Explanation
Administrators assign Microsoft 365 Copilot licenses through the Microsoft 365 Admin Center under Users > Active Users > Licenses and Apps.
Although Microsoft Entra manages identities, license assignment is typically performed in the Microsoft 365 Admin Center.
Question 9 (Scenario)
A company wants an AI assistant that answers HR questions using only company HR policies and employee handbooks.
Which solution best fits this requirement?
A. Microsoft Defender
B. Microsoft Purview eDiscovery
C. A custom Copilot agent
D. SharePoint Document Library
Correct Answer
C
Explanation
Custom agents can be configured with specialized knowledge sources and instructions, making them ideal for department-specific assistants such as HR, Finance, or IT Help Desk.
The other options are not conversational AI assistants.
Question 10 (Ordering)
A Microsoft 365 administrator wants to investigate a possible data exposure involving Copilot.
Arrange the following actions in the most logical order.
1. Review Activity Explorer.
2. Identify unusual AI-related activity.
3. Review permissions on affected SharePoint sites.
4. Apply appropriate permission corrections.
A. 1 → 2 → 3 → 4
B. 2 → 1 → 4 → 3
C. 3 → 2 → 1 → 4
D. 1 → 3 → 2 → 4
Correct Answer
A
Explanation
A logical investigation sequence is:
1. Open Activity Explorer.
2. Identify suspicious or unusual AI activity.
3. Review the permissions on the affected content.
4. Correct any oversharing or permission issues.
This workflow reflects recommended practices when investigating potential oversharing risks in Microsoft 365.
Question 11 (Single Answer)
An administrator wants to locate all emails and SharePoint documents that contain a specific project name as part of an internal investigation.
Which Microsoft Purview feature should the administrator use?
A. Activity Explorer
B. Content Search (eDiscovery)
C. Data Loss Prevention
D. Microsoft Defender XDR
Correct Answer
B
Explanation
Content Search in Microsoft Purview eDiscovery allows administrators to search across Exchange Online mailboxes, SharePoint Online sites, OneDrive accounts, and Microsoft Teams content.
A monitors activities but does not perform comprehensive content searches.
C prevents data leakage rather than locating historical content.
D focuses on security threats rather than content discovery.
Question 12 (Multiple Answer)
Which TWO capabilities are provided by Microsoft Purview Data Security Posture Management (DSPM) for AI?
(Choose two.)
A. Discover AI applications used within the organization
B. Identify AI-related data exposure risks
C. Automatically assign Microsoft 365 licenses
D. Replace Microsoft Entra ID authentication
Correct Answers
A and B
Explanation
DSPM for AI helps organizations:
Discover AI applications and services.
Identify AI-related security and governance risks.
Assess sensitive data exposure.
Improve AI governance.
It does not manage licensing or identity services.
Question 13 (Scenario)
A company recently enabled Microsoft 365 Copilot. Management wants to know how frequently employees are using Copilot and which Microsoft 365 applications have the highest adoption.
Which solution should the administrator use?
A. Microsoft Purview Audit
B. Microsoft Entra ID
C. Copilot Analytics
D. SharePoint Admin Center
Correct Answer
C
Explanation
Copilot Analytics provides insights into:
Adoption trends
Active users
Usage by Microsoft 365 application
Organizational engagement
The other tools serve different purposes.
Question 14 (Best Answer)
An administrator discovers that a SharePoint site grants access to “Everyone except external users.”
Why could this present a risk after deploying Microsoft 365 Copilot?
A. Copilot automatically republishes files externally.
B. Copilot may surface documents to any employee who already has access.
C. Copilot encrypts every document.
D. Copilot deletes inherited permissions.
Correct Answer
B
Explanation
Copilot honors existing permissions. If a large audience already has access to documents, Copilot may surface those documents during conversations, increasing the visibility of overshared information.
Question 15 (Matching)
Match each administrative portal to its primary responsibility.
Portal | Responsibility
1. Microsoft 365 Admin Center | A. Data governance and compliance
2. Microsoft Purview Portal | B. User licensing and Microsoft 365 administration
3. Power Platform Admin Center | C. Manage agents and Power Platform environments
Choose the correct answer.
A. 1-C 2-B 3-A
B. 1-B 2-C 3-A
C. 1-B 2-A 3-C
D. 1-A 2-C 3-B
Correct Answer
C
Explanation
Microsoft 365 Admin Center manages users, licenses, and Microsoft 365 services.
Microsoft Purview manages compliance, governance, and data protection.
Power Platform Admin Center manages Power Platform environments and many custom agents.
Question 16 (Scenario)
A business unit wants to deploy a custom agent for employees.
Before the agent becomes broadly available, the organization requires managerial review and approval.
What is the primary purpose of the approval process?
A. Improve network performance
B. Reduce Azure costs
C. Automatically create SharePoint sites
D. Ensure the agent meets organizational governance and compliance requirements
Correct Answer
D
Explanation
Approval workflows help ensure that agents:
Meet security standards.
Follow governance policies.
Use approved data sources.
Comply with organizational requirements.
Question 17 (Multiple Answer)
Which TWO actions can administrators commonly perform for Microsoft 365 Copilot in the Microsoft 365 Admin Center?
(Choose two.)
A. Assign Copilot licenses
B. Review Copilot usage reports
C. Design Power BI semantic models
D. Configure Windows Firewall policies
Correct Answers
A and B
Explanation
The Microsoft 365 Admin Center enables administrators to:
Assign licenses.
View adoption reports.
Manage service settings.
Monitor Copilot usage.
Power BI modeling and Windows Firewall management occur elsewhere.
Question 18 (Fill in the Blank)
Microsoft 365 Copilot respects existing __________ when retrieving organizational content.
A. Azure subscriptions
B. SharePoint branding
C. Microsoft 365 permissions
D. Windows registry settings
Correct Answer
C
Explanation
Copilot only retrieves information users are already authorized to access through Microsoft 365 permissions.
It never bypasses existing security controls.
Question 19 (Scenario)
An administrator wants to identify which custom agents are actively being used, how frequently they are accessed, and whether some should be retired.
Which combination of administrative capabilities best supports this objective?
A. Review operational insights and lifecycle information in the Microsoft 365 Admin Center and Power Platform Admin Center.
B. Configure Microsoft Defender Antivirus.
C. Run Windows Event Viewer.
D. Review Exchange transport rules.
Correct Answer
A
Explanation
Administrators can monitor:
Agent usage
Operational health
Adoption
Lifecycle status
Publishing status
through the Microsoft 365 Admin Center and Power Platform Admin Center.
The remaining options are unrelated.
Question 20 (Case Study)
A financial services organization has enabled Microsoft 365 Copilot for 500 employees.
After deployment, administrators discover that several sensitive documents appear in Copilot responses more often than expected. Investigation reveals that the documents reside in a SharePoint site with broad internal permissions.
Which sequence of actions represents the BEST response?
A.
Delete Microsoft 365 Copilot.
Restore SharePoint.
Recreate documents.
Reassign licenses.
B.
Disable Microsoft Graph.
Create a new tenant.
Restore OneDrive.
Reinstall Microsoft 365.
C.
Increase Copilot licenses.
Publish more SharePoint sites.
Enable guest access.
Run Copilot Analytics.
D.
Review SharePoint permissions.
Use SharePoint Advanced Management reports to identify oversharing.
Restrict access where appropriate.
Continue monitoring through Microsoft Purview and Copilot Analytics.
Correct Answer
D
Explanation
This follows Microsoft’s recommended governance approach:
Review permissions.
Identify oversharing.
Correct access controls.
Continue monitoring with governance and analytics tools.
Deleting Copilot or rebuilding the tenant would not solve the underlying permissions issue.
Question 21 (Single Answer)
A company wants to provide Microsoft 365 Copilot only to employees in the Finance department during a pilot deployment.
What is the simplest way to accomplish this?
A. Assign Microsoft 365 Copilot licenses only to Finance users.
B. Disable Microsoft Graph for all other users.
C. Create a separate Microsoft 365 tenant.
D. Disable SharePoint Online for everyone except Finance.
Correct Answer
A
Explanation
Assigning Copilot licenses only to Finance users is the recommended and simplest method for piloting Microsoft 365 Copilot. No additional tenant or service changes are required.
Question 22 (Multiple Answer)
Which TWO administrative tasks can be performed for Microsoft 365 Copilot using the Microsoft 365 Admin Center?
(Choose two.)
A. Assign Copilot licenses.
B. View Copilot adoption and usage reports.
C. Configure Microsoft Defender Antivirus policies.
D. Create Microsoft Fabric workspaces.
Correct Answers
A and B
Explanation
The Microsoft 365 Admin Center enables administrators to:
Assign and remove licenses.
Monitor Copilot adoption and usage.
Manage users and Microsoft 365 services.
Defender and Microsoft Fabric are managed in separate administration portals.
Question 23 (Scenario)
An organization wants to understand why Microsoft 365 Copilot is surfacing sensitive documents during conversations.
Which issue is MOST likely responsible?
A. Copilot is bypassing Microsoft Entra ID.
B. Copilot has been granted Global Administrator permissions.
C. Existing SharePoint permissions allow users to access those documents.
D. Microsoft Graph automatically expands user permissions.
Correct Answer
C
Explanation
Copilot never bypasses existing security. If users can already access sensitive documents because of broad SharePoint permissions, Copilot can include those documents in responses.
Question 24 (Best Answer)
Which Microsoft Purview capability helps administrators understand AI-related risks across organizational data?
A. SharePoint Version History
B. Data Security Posture Management (DSPM) for AI
C. Microsoft Planner
D. Exchange Mail Flow Rules
Correct Answer
B
Explanation
DSPM for AI helps organizations:
Discover AI usage.
Identify sensitive data exposure.
Assess AI-related risks.
Improve governance.
The other options do not provide AI governance capabilities.
Question 25 (Matching)
Match each feature with its primary purpose.
Feature | Purpose
1. Copilot Analytics | A. Monitor adoption and usage
2. Activity Explorer | B. Review user activities involving sensitive data
3. SharePoint Advanced Management | C. Identify oversharing risks
Choose the correct mapping.
A. 1-A 2-B 3-C
B. 1-C 2-A 3-B
C. 1-B 2-C 3-A
D. 1-A 2-C 3-B
Correct Answer
A
Explanation
Copilot Analytics monitors adoption and usage.
Activity Explorer tracks sensitive data activities.
A newly created custom agent is available only to its creator.
The administrator wants everyone in the Human Resources department to use the agent.
What should the administrator do?
A. Delete and recreate the agent.
B. Assign the appropriate user access permissions to the HR users or group.
C. Purchase additional Microsoft 365 licenses.
D. Enable Microsoft Defender for Office 365.
Correct Answer
B
Explanation
Administrators control which users or groups can access custom agents. Sharing or assigning permissions to the HR group makes the agent available to authorized users.
Question 27 (Multiple Answer)
Which TWO statements accurately describe Microsoft 365 Copilot prompts?
(Choose two.)
A. Users can save prompts for future use.
B. Users can share prompts with others when supported.
C. Prompts permanently modify SharePoint permissions.
D. Prompts automatically create new Microsoft 365 users.
Correct Answers
A and B
Explanation
Microsoft 365 Copilot allows users to:
Save prompts.
Reuse prompts.
Share prompts where supported.
Schedule certain prompts in supported experiences.
Prompts never modify permissions or user accounts.
Question 28 (Scenario)
A company wants to understand whether newly deployed agents are actively being used and whether some agents should be retired.
Which information should administrators review?
A. Windows Performance Monitor
B. Azure Resource Health
C. Operational insights and agent lifecycle information
D. Exchange mailbox quotas
Correct Answer
C
Explanation
Agent lifecycle information includes:
Usage
Adoption
Operational health
Publication status
Lifecycle stage
These metrics help determine whether agents continue to provide business value.
Question 29 (Fill in the Blank)
Microsoft 365 Copilot never grants users additional permissions because it always respects existing __________.
A. licensing assignments
B. Microsoft 365 security permissions
C. Power Platform environments
D. Exchange transport rules
Correct Answer
B
Explanation
One of the most important concepts for the AB-900 exam is that Microsoft 365 Copilot respects existing Microsoft 365 permissions. It does not elevate privileges or expose information users cannot already access.
Question 30 (Comprehensive Scenario)
A global organization plans to deploy Microsoft 365 Copilot to thousands of employees.
Before expanding deployment, administrators want to:
identify overshared SharePoint content,
monitor AI adoption,
investigate AI-related activities,
manage user licenses,
monitor custom agent usage.
Which combination of Microsoft tools BEST satisfies all of these requirements?
A.
Microsoft Defender
Azure Portal
Windows Admin Center
B.
Exchange Admin Center
Azure Cost Management
Microsoft Intune
C.
Microsoft Purview Activity Explorer
Microsoft 365 Admin Center
Copilot Analytics
SharePoint Advanced Management
Power Platform Admin Center
D.
Microsoft Planner
Power BI Desktop
Visual Studio Code
Correct Answer
C
Explanation
This combination provides complete administrative coverage:
Microsoft Purview Activity Explorer monitors AI-related activities involving sensitive information.
Microsoft 365 Admin Center manages users, licensing, and Microsoft 365 administration.
Copilot Analytics measures Copilot adoption and usage.
SharePoint Advanced Management identifies oversharing risks and governance issues.
Power Platform Admin Center manages many custom agents and their lifecycle.
The other options do not collectively address governance, administration, analytics, licensing, and agent management.
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub. This topic falls under these sections: Perform basic administrative tasks for Copilot and agents (25–30%) --> Perform basic administrative tasks for agents --> Monitor agents, including usage, operational insights, and agent lifecycle, by working with the Microsoft 365 Admin Center and the Microsoft Power Platform Admin Center
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.
Introduction
As organizations deploy more Microsoft 365 Copilot agents, effective administration extends beyond simply creating and publishing them. Administrators must continuously monitor agent usage, operational health, adoption, security, and lifecycle to ensure that agents continue to provide business value while meeting organizational governance and compliance requirements.
Microsoft provides two primary administrative portals for monitoring and managing agents:
Microsoft 365 admin center
Microsoft Power Platform admin center
Each portal serves a different purpose. The Microsoft 365 admin center focuses on Microsoft 365 services, Copilot adoption, licensing, and organizational administration, while the Power Platform admin center focuses on environments, Copilot Studio, Power Platform resources, and operational management of custom agents.
For the AB-900 exam, you should understand which portal is used for which administrative tasks, the types of monitoring information available, and the basic lifecycle of an agent.
Why Monitoring Agents Is Important
Monitoring helps administrators answer questions such as:
Are users actually using the agent?
Is the agent providing business value?
Are there operational issues?
Is adoption increasing?
Are users encountering errors?
Should the agent be updated or retired?
Are governance policies being followed?
Without monitoring, organizations cannot determine whether their AI investments are successful.
Administrative Portals
Microsoft 365 Admin Center
The Microsoft 365 admin center provides organization-wide administration for Microsoft 365 services, including Copilot.
Administrators commonly use it to:
View Copilot adoption
Monitor Copilot usage
Assign licenses
Manage users
Manage billing
View service health
Review reports
Monitor tenant-wide administration
It provides a business-level view of how Microsoft 365 Copilot is being used across the organization.
Microsoft Power Platform Admin Center
The Power Platform admin center focuses on the operational management of Power Platform resources, including custom agents created with Copilot Studio.
Administrators use it to:
Manage environments
Monitor agent health
Manage Dataverse resources
Review capacity
Configure security
Manage connectors
Review operational information
Manage Power Platform policies
It provides technical administration for custom AI solutions.
These metrics help determine whether users are benefiting from the deployed agents.
Usage Scenarios
An administrator might monitor:
Daily active users
Weekly adoption growth
Monthly conversation counts
Frequently used agents
Least-used agents
Low adoption may indicate:
Lack of awareness
Poor training
Limited usefulness
Difficult user experience
Operational Insights
Operational insights help administrators understand how agents are performing.
Examples include:
Agent availability
Service status
Response success
Failed requests
Processing errors
Environment health
Connector status
Workflow execution
Operational monitoring focuses on technical performance rather than business adoption.
Examples of Operational Issues
Administrators may investigate:
Failed API connections
Broken Power Automate flows
Authentication failures
Connector problems
Environment capacity limits
Dataverse issues
Identifying these issues early minimizes disruption for users.
Monitoring Agent Lifecycle
Every agent follows a lifecycle from creation to retirement.
Typical lifecycle stages include:
Planning
Design
Development
Testing
Approval
Publishing
Monitoring
Updating
Republishing
Retirement
Administrators monitor agents throughout this lifecycle.
Lifecycle Management Activities
During an agent’s lifecycle, administrators may:
Update instructions
Improve prompts
Add new knowledge sources
Remove outdated content
Modify connectors
Improve security
Publish new versions
Disable obsolete agents
Archive retired agents
Lifecycle management is an ongoing process rather than a one-time task.
Adoption Monitoring
One important responsibility is measuring adoption.
Organizations often monitor:
Licensed users
Active users
Usage growth
Conversation volume
Department adoption
Business impact
High adoption generally indicates that users find the agent valuable.
Performance Monitoring
Performance monitoring focuses on the quality of the user experience.
Administrators may evaluate:
Response times
Reliability
Availability
Error rates
Successful interactions
Failed interactions
Consistent performance builds user confidence in AI solutions.
Security Monitoring
Monitoring also includes security.
Administrators watch for:
Unauthorized access
Permission issues
Authentication failures
Suspicious activity
Compliance alerts
Data access concerns
Security monitoring helps ensure that agents continue to comply with organizational policies.
Governance Monitoring
Governance activities include monitoring:
Approved agents
Published agents
Ownership
Data sources
Permissions
Connector usage
Compliance policies
Organizations should periodically review whether agents still meet governance requirements.
Environment Monitoring
The Power Platform admin center allows administrators to monitor environments that host agents.
Typical information includes:
Environment health
Capacity usage
Storage
Dataverse utilization
Resource allocation
Healthy environments help ensure reliable agent performance.
Monitoring Connectors
Many agents rely on connectors to access business systems.
Administrators may monitor:
Connector availability
Authentication status
Connection errors
Connector permissions
External system connectivity
Problems with connectors often result in incomplete or failed agent responses.
Monitoring User Feedback
Organizations should also gather user feedback.
Useful indicators include:
User satisfaction
Reported issues
Feature requests
Accuracy concerns
Suggested improvements
Feedback helps guide future improvements to the agent.
Retirement of Agents
Not every agent remains useful forever.
Administrators may retire agents when:
Business needs change.
New agents replace older versions.
Information becomes outdated.
Security risks increase.
Adoption declines significantly.
Retired agents should be archived or removed according to organizational governance policies.
Best Practices
Organizations should:
Monitor usage regularly.
Review adoption reports.
Monitor operational health.
Investigate errors promptly.
Review security frequently.
Track lifecycle status.
Keep documentation current.
Update agents regularly.
Remove obsolete agents.
Use both Microsoft 365 and Power Platform administration tools appropriately.
Microsoft 365 Admin Center vs. Power Platform Admin Center
Microsoft 365 Admin Center | Power Platform Admin Center
User administration | Environment administration
License management | Dataverse management
Copilot adoption | Agent operations
Usage reporting | Environment health
Billing | Connector management
Service health | Capacity monitoring
Organization-wide administration | Power Platform governance
Copilot reports | Operational insights
Exam Tips
For the AB-900 exam, remember these key points:
The Microsoft 365 admin center focuses on Microsoft 365 administration, licensing, Copilot usage, adoption, and organizational reporting.
The Power Platform admin center focuses on operational management of custom agents, environments, connectors, Dataverse, and Power Platform resources.
Usage monitoring measures adoption and business value.
Operational insights focus on technical health and performance.
Agents should be monitored throughout their entire lifecycle.
Administrators should regularly review performance, governance, and security after an agent is deployed.
Practice Exam Questions
Question 1
Which administrative portal is primarily used to monitor Microsoft 365 Copilot adoption and licensing?
A. Microsoft 365 admin center
B. Microsoft Defender portal
C. Azure Portal
D. Microsoft Purview portal
Answer: A
Explanation: The Microsoft 365 admin center provides organization-wide administration, including Copilot licensing, adoption reports, and usage monitoring.
Question 2
What is the primary purpose of monitoring agent usage?
A. To increase internet bandwidth
B. To determine adoption and business value
C. To install software updates
D. To configure SharePoint permissions
Answer: B
Explanation: Usage metrics help organizations understand whether agents are delivering value and being actively used.
Question 3
Which portal is primarily responsible for monitoring environments, connectors, and Dataverse resources for custom agents?
A. Microsoft Entra admin center
B. Microsoft Purview portal
C. Microsoft Power Platform admin center
D. Exchange admin center
Answer: C
Explanation: The Power Platform admin center manages environments, Dataverse, connectors, capacity, and operational aspects of custom agents.
Question 4
Which metric best represents agent adoption?
A. CPU utilization
B. Network latency
C. Number of active users
D. Available storage space
Answer: C
Explanation: Active users are a key indicator of how widely an agent is being adopted.
Question 5
Which activity is part of an agent’s lifecycle after publication?
A. Ongoing monitoring and updates
B. Automatic deletion
C. Disabling Microsoft 365
D. Removing all connectors
Answer: A
Explanation: Administrators continuously monitor, update, and improve agents after they are deployed.
Question 6
Which of the following is considered an operational insight?
A. Number of licensed users
B. Employee vacation requests
C. Failed connector authentication
D. SharePoint storage quota purchase
Answer: C
Explanation: Operational insights include technical issues such as connector failures, authentication problems, and service errors.
Question 7
Why should administrators monitor agent performance?
A. To increase hardware prices
B. To ensure reliable responses and a positive user experience
Which statement best describes the relationship between the Microsoft 365 admin center and the Microsoft Power Platform admin center?
A. Both portals perform exactly the same administrative functions.
B. The Microsoft 365 admin center is used only for Exchange Online.
C. The Power Platform admin center replaces the Microsoft 365 admin center for all administration.
D. The Microsoft 365 admin center focuses on organizational Microsoft 365 administration and Copilot usage, while the Power Platform admin center focuses on environments and operational management of custom agents.
Answer: D
Explanation: The two portals complement one another. The Microsoft 365 admin center provides tenant-wide administration, licensing, and adoption reporting, while the Power Platform admin center provides operational management of environments, connectors, Dataverse resources, and custom agents built with Copilot Studio.
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub. This topic falls under these sections: Perform basic administrative tasks for Copilot and agents (25–30%) --> Perform basic administrative tasks for agents --> Understand the approval process for agents
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.
Introduction
As organizations increasingly adopt Microsoft 365 Copilot and AI-powered agents, governance becomes just as important as functionality. Without proper oversight, users could inadvertently create agents that expose sensitive information, perform unintended actions, or fail to comply with organizational policies.
For this reason, Microsoft provides an approval process that enables organizations to review, validate, and govern agents before they are made available to users. While the exact approval workflow depends on the type of agent, the organization’s governance policies, and the deployment platform (such as Microsoft Copilot Studio), administrators should understand how approval processes help ensure that agents are secure, compliant, and aligned with business requirements.
For the AB-900 exam, you are not expected to know every detailed configuration step, but you should understand why approvals exist, when they are required, who participates in the approval process, and what happens before and after an agent is approved.
Why Agent Approval is Important
Unlike general-purpose Microsoft 365 Copilot experiences, custom agents often:
Access organizational knowledge
Connect to business systems
Trigger automated workflows
Perform business-specific tasks
Use sensitive organizational data
Because of these capabilities, organizations typically require an approval process before an agent is published to production.
Approval helps ensure that:
The agent performs its intended function.
Security requirements are met.
Compliance policies are followed.
Data access is appropriate.
Users receive a trustworthy AI experience.
Goals of the Approval Process
An effective approval process helps organizations:
Reduce security risks
Prevent accidental oversharing
Ensure regulatory compliance
Improve quality of AI responses
Validate business usefulness
Maintain organizational standards
Establish accountability
Typical Agent Lifecycle
A simplified lifecycle includes:
Design
Build
Configure
Test
Review
Approve
Publish
Monitor
Update
Retire
Approval occurs after testing but before broad deployment.
Typical Approval Workflow
Although every organization may customize the workflow, the process generally follows these steps.
Step 1: Agent Creation
A developer or business user creates the agent.
They configure:
Instructions
Knowledge sources
Actions
Connectors
Conversation flow
Step 2: Initial Testing
Before requesting approval, the creator tests the agent.
Typical testing includes:
Prompt accuracy
Correct responses
Hallucination reduction
Data grounding
Error handling
Business logic
Step 3: Security Review
Security administrators verify that:
Permissions are appropriate.
Data sources are approved.
Authentication is configured correctly.
Sensitive information is protected.
Least-privilege access is maintained.
Step 4: Compliance Review
Compliance teams evaluate whether the agent aligns with organizational governance policies.
Areas reviewed include:
Data Loss Prevention (DLP)
Sensitivity labels
Microsoft Purview policies
Data retention
Regulatory requirements
Audit logging
Step 5: Business Review
Business owners determine whether:
The agent solves the intended problem.
Responses are accurate.
Business terminology is correct.
Processes are followed correctly.
Users will benefit from the solution.
Step 6: Approval
Once reviews are complete, the designated approver authorizes publication.
Only approved agents should become available to end users.
Step 7: Publishing
After approval, the agent can be:
Published
Assigned to users
Shared with groups
Made available in Microsoft Teams
Integrated into Microsoft 365 Copilot
Who May Participate in the Approval Process?
Several roles may be involved depending on the organization.
Agent Creator
Responsible for:
Designing the agent
Testing functionality
Fixing issues
Submitting for review
Business Owner
Responsible for:
Verifying business value
Confirming correct business logic
Approving organizational use
IT Administrator
Responsible for:
Platform administration
Environment configuration
Deployment
User access
Security Administrator
Responsible for:
Permission validation
Identity verification
Connector review
Security assessment
Compliance Administrator
Responsible for:
Governance policies
Data protection
Microsoft Purview compliance
Regulatory alignment
What is Reviewed During Approval?
Reviewers typically examine:
Purpose
Does the agent solve a legitimate business problem?
Instructions
Are system instructions clear?
Do they prevent inappropriate behavior?
Knowledge Sources
Are approved sources used?
Examples include:
SharePoint
Microsoft Graph
Dataverse
Internal documentation
Actions
Can the agent:
Send emails?
Update records?
Trigger workflows?
Access external systems?
Higher-risk actions usually require more careful review.
Permissions
Does the agent only access information users are already authorized to see?
Microsoft 365 security trimming should remain intact.
Connectors
Reviewers verify that external connectors:
Are trusted
Are approved
Meet organizational policies
Privacy
Organizations verify that:
Personal data is protected.
Confidential information is handled appropriately.
AI responses do not expose sensitive content.
Governance During Approval
Agent approval is part of broader AI governance.
Organizations often require:
Data classification
Sensitivity labels
DLP policies
Audit logs
Risk assessments
Periodic reviews
These controls help ensure responsible AI deployment.
Approval vs Publishing
These concepts are different.
Approval means the organization authorizes the agent for deployment.
Publishing makes the approved agent available to users.
An approved agent is not necessarily published immediately.
Likewise, a draft agent cannot be published without completing required approvals (if organizational policies require them).
What Happens After Approval?
Approval is not the end of governance.
Administrators continue to monitor:
Usage
Adoption
Errors
User feedback
Performance
Security events
Compliance alerts
Agents may later be:
Updated
Republished
Disabled
Archived
Deleted
Best Practices
Organizations should:
Define a formal approval workflow.
Require business ownership.
Review data access carefully.
Test before publishing.
Limit permissions using least privilege.
Monitor production usage.
Periodically review existing agents.
Remove unused or outdated agents.
Maintain documentation for governance and auditing.
Exam Tips
For the AB-900 exam, remember these key points:
Approval helps ensure agents are secure, compliant, and useful before deployment.
Multiple stakeholders—including creators, business owners, IT administrators, security administrators, and compliance administrators—may participate in the approval process.
Testing occurs before approval.
Publishing occurs after approval.
Organizations can customize approval workflows based on governance requirements.
Security, permissions, data access, compliance, and business value are common review areas.
Agent governance continues after publication through ongoing monitoring and management.
Practice Exam Questions
Question 1
Why do organizations typically require an approval process before publishing custom agents?
A. To reduce deployment speed
B. To ensure the agent meets security, compliance, and business requirements
C. To prevent Microsoft 365 licensing
D. To disable Microsoft Graph access
Answer: B
Explanation: Approval ensures agents are reviewed for security, compliance, data access, and business value before being made available to users.
Question 2
Which activity normally occurs immediately before an agent is submitted for approval?
A. Assigning licenses
B. Deleting old agents
C. Testing the agent
D. Archiving the environment
Answer: C
Explanation: Creators typically validate the agent through testing before requesting formal approval.
Question 3
Which team is primarily responsible for reviewing whether an agent complies with data governance requirements?
A. Marketing
B. Finance
C. Human Resources
D. Compliance administrators
Answer: D
Explanation: Compliance administrators review governance policies, regulatory requirements, data protection, and Microsoft Purview controls.
Question 4
Which aspect is most likely reviewed during an agent approval process?
A. The color theme of Microsoft Teams
B. The Windows desktop wallpaper
C. The user’s internet browser
D. The agent’s permissions and data sources
Answer: D
Explanation: Reviewers verify that permissions and knowledge sources comply with organizational security policies.
Question 5
What is the primary purpose of reviewing an agent’s knowledge sources?
A. To increase processor speed
B. To ensure the agent uses approved organizational information
C. To update Windows
D. To install Microsoft Office
Answer: B
Explanation: Approved knowledge sources help ensure accurate responses while protecting sensitive information.
Question 6
Which statement correctly describes approval and publishing?
A. Publishing always occurs before approval.
B. Approval and publishing are identical.
C. Approval authorizes deployment, while publishing makes the agent available to users.
D. Approval permanently locks the agent.
Answer: C
Explanation: Approval authorizes the agent for release, while publishing distributes it to its intended audience.
Question 7
Who is primarily responsible for confirming that an agent solves the intended business problem?
A. Business owner
B. Printer administrator
C. Network technician
D. Database operator
Answer: A
Explanation: Business owners validate that the agent provides value and meets organizational objectives.
Question 8
Which security principle should agents follow when accessing organizational information?
A. Unlimited access
B. Anonymous authentication
C. Guest-only permissions
D. Least privilege
Answer: D
Explanation: Agents should only access the information necessary for their intended function, following the principle of least privilege.
Question 9
After an agent has been approved and published, what should administrators continue to do?
A. Disable audit logging
B. Ignore user feedback
C. Monitor usage, performance, and compliance
D. Remove all permissions
Answer: C
Explanation: Ongoing monitoring helps ensure the agent remains secure, compliant, and effective as business needs evolve.
Question 10
Which statement best describes organizational approval workflows for agents?
A. Every Microsoft 365 tenant uses the exact same approval process.
B. Approval is optional for all organizations.
C. Approval workflows are fixed and cannot be customized.
D. Organizations can customize approval workflows to meet their governance requirements.
Answer: D
Explanation: Microsoft provides flexible governance capabilities, allowing organizations to implement approval workflows that align with their security, compliance, and operational policies.
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub. This topic falls under these sections: Perform basic administrative tasks for Copilot and agents (25–30%) --> Perform basic administrative tasks for agents --> Create an agent
Agents in the Microsoft 365 Copilot ecosystem are AI-powered assistants that extend Copilot’s capabilities by focusing on specific tasks, organizational knowledge, or business processes. Creating an agent involves defining its purpose, selecting its data sources, configuring its behavior, and publishing it so users can interact with it securely within Microsoft 365 apps.
This topic is central to understanding how administrators and power users enable tailored AI experiences using tools such as Microsoft Copilot Studio and the broader Microsoft 365 ecosystem.
1. What an agent is in Microsoft 365
An agent is a configurable AI experience built on top of Microsoft Copilot that can:
Use organizational data securely (SharePoint, Microsoft Graph, Dataverse)
Follow defined instructions and guardrails
Agents can be:
Declarative agents (configured with minimal or no-code settings)
Custom agents (built and extended in Copilot Studio)
Embedded agents (used within apps like Teams or Microsoft 365 Copilot experiences)
2. Where agents are created
Agents can be created in several Microsoft 365-aligned environments:
a. Copilot Studio
The primary tool for building and customizing agents.
Key capabilities:
Define agent purpose and instructions
Connect knowledge sources
Add actions (Power Automate, APIs)
Test and publish agents
b. Microsoft 365 Copilot experience
Admins can enable or manage prebuilt or organizational agents that appear in Copilot surfaces.
c. Power Platform environment (under the hood)
Agents often rely on Power Platform components such as:
Dataverse
Connectors
Power Automate flows
3. Prerequisites for creating an agent
Before creating an agent, ensure:
Appropriate licensing (Copilot and/or Copilot Studio access)
Permissions in the Power Platform environment
Access to organizational data sources (e.g., SharePoint sites)
Governance policies configured in Microsoft Purview
4. Key steps to create an agent
Step 1: Define the agent purpose
Identify the business scenario
Determine scope (e.g., HR helpdesk, IT support, sales assistant)
Step 2: Configure instructions
Provide system-level behavior guidance
Define tone, boundaries, and response rules
Specify what the agent should NOT do (important for compliance)
Step 3: Add knowledge sources
Common sources include:
SharePoint sites
Microsoft Graph data
Uploaded documents
Structured data (Dataverse tables)
Step 4: Add actions (optional)
Actions extend agent capability:
Create tickets in service systems
Trigger workflows via Power Automate
Query external APIs
Step 5: Test the agent
Validate responses in Copilot Studio test environment
Check grounding accuracy and hallucination risk
Adjust prompts or data sources
Step 6: Publish and share
Publish to organizational catalog
Assign user or group access
Make available in Microsoft 365 Copilot or Teams
5. Governance and control considerations
When creating agents, administrators must ensure:
Data access aligns with Microsoft 365 security policies
Sensitive data is protected using Purview labels and DLP rules
Only authorized users can access specific agents
Activity is monitored through Microsoft 365 admin and compliance tools
Agents inherit security trimming, meaning users only see data they already have permission to access.
6. Common exam focus points
You should understand:
Difference between Copilot and custom agents
Role of Copilot Studio in agent creation
Data sources used by agents (SharePoint, Graph, connectors)
Publishing and access control methods
Governance and compliance alignment
Practice Exam Questions (10)
1. Which tool is primarily used to build and customize Microsoft 365 Copilot agents?
A. Microsoft Teams Admin Center
B. Copilot Studio
C. Microsoft Entra ID
D. SharePoint Admin Center
Answer: B
Explanation: Copilot Studio is the primary platform for creating and configuring custom Copilot agents, including instructions, knowledge sources, and actions.
2. What is the primary purpose of defining instructions when creating an agent?
A. To assign licenses to users
B. To configure data retention policies
C. To control agent behavior and response style
D. To enable Power BI integration
Answer: C
Explanation: Instructions define how the agent behaves, including tone, boundaries, and response rules.
3. Which data source is commonly used by agents for organizational knowledge?
A. Microsoft Paint files
B. SharePoint sites
C. Windows Registry
D. Local desktop folders
Answer: B
Explanation: SharePoint is a primary structured knowledge source used by Copilot agents.
4. What is a key benefit of adding actions to an agent?
A. They replace Microsoft 365 licensing requirements
B. They allow agents to execute workflows and integrate systems
C. They disable security trimming
D. They remove the need for testing
Answer: B
Explanation: Actions enable agents to perform tasks such as triggering Power Automate flows or calling APIs.
5. Which platform component is commonly used behind agent workflows?
A. Dataverse
B. Windows Defender Firewall
C. Internet Information Services (IIS)
D. Microsoft Paint
Answer: A
Explanation: Dataverse is often used as part of the Power Platform foundation supporting agents.
6. What happens when an agent is published?
A. It becomes available to assigned users or groups
B. It deletes previous versions automatically
C. It disables Copilot globally
D. It removes SharePoint permissions
Answer: A
Explanation: Publishing makes the agent available for consumption based on assigned access controls.
7. What principle ensures users only see data they are allowed to access through an agent?
A. Data duplication
B. Security trimming
C. Token caching
D. Load balancing
Answer: B
Explanation: Security trimming ensures agents respect existing Microsoft 365 permissions.
8. Which Microsoft service helps enforce compliance for data used in agents?
A. Microsoft Purview
B. Microsoft Edge
C. Windows Update
D. Azure DevTest Labs
Answer: A
Explanation: Microsoft Purview provides governance, labeling, and compliance controls for data used in AI systems.
9. What is the first recommended step when creating a new agent?
A. Publish the agent immediately
B. Define the agent’s purpose and scope
C. Assign users to the agent
D. Add external APIs
Answer: B
Explanation: Defining purpose ensures the agent is scoped correctly before configuration begins.
10. Where can agents be made available to end users after creation?
A. Only in Power BI dashboards
B. Only in Outlook desktop client
C. Across Microsoft 365 Copilot and integrated apps like Teams
D. Only in Azure portal
Answer: C
Explanation: Agents can be deployed across Microsoft 365 Copilot experiences and integrated apps such as Teams.
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub. This topic falls under these sections: Perform basic administrative tasks for Copilot and agents (25–30%) --> Perform basic administrative tasks for agents --> Identify how to configure user access to agents
Introduction
In Microsoft 365 Copilot, agents are specialized AI assistants designed to perform focused tasks such as answering domain-specific questions, retrieving organizational knowledge, or executing workflows. Because agents can access organizational data and systems, controlling who can use them and under what conditions is a critical administrative responsibility.
Configuring user access ensures that the right users can interact with the right agents while maintaining security, compliance, and least-privilege principles.
1. What “agent access” means
User access to agents determines:
Which users can discover an agent
Which users can interact with or run an agent
Whether an agent is available organization-wide or restricted to specific groups
Whether external or guest users can use agents (if allowed)
Access is typically controlled through a combination of:
Microsoft 365 identity and access controls
Entra ID (Azure AD) group membership
Copilot and agent-specific policies
2. Key methods to configure access to agents
A. Assigning access via Microsoft Entra ID groups
One of the most common approaches is group-based access control.
Administrators can:
Assign an agent to specific security groups or Microsoft 365 groups
Restrict usage to departments (e.g., HR, Finance, IT)
Manage access at scale without assigning users individually
Benefits:
Scalable management
Easier onboarding/offboarding
Centralized governance
B. Tenant-wide vs scoped availability
Agents can be configured as:
1. Tenant-wide agents
Available to all licensed users in the organization
Used for general productivity scenarios (e.g., company policy assistant)
2. Scoped agents
Limited to specific users or groups
Used for sensitive or department-specific data (e.g., HR policy agent)
C. Role-based access control (RBAC)
Some agent administration actions require specific roles in Microsoft 365 or Entra ID:
Global Administrator
AI Administrator / Copilot Administrator
Service-specific admin roles
RBAC ensures:
Only authorized admins can publish or modify agents
Governance over agent deployment lifecycle
D. Conditional Access policies
Conditional Access can indirectly control agent usage by enforcing:
Device compliance requirements
Multi-factor authentication (MFA)
Location-based restrictions
Risk-based sign-in rules
This ensures that even if a user has access to an agent, they must meet security requirements before using it.
E. Application and permission scopes
Agents may require access to:
Microsoft 365 data (SharePoint, Outlook, Teams)
External connectors or APIs
Graph permissions
Administrators control:
What data the agent can access
Whether consent is required
Whether permissions are user-delegated or app-level
3. Lifecycle considerations for agent access
Provisioning
Define target audience (group or tenant-wide)
Assign initial permissions
Validate compliance requirements
Modification
Update group membership to change access
Adjust policies as organizational needs evolve
Deprovisioning
Remove users or groups when no longer needed
Disable or retire the agent if required
Ensure data access is revoked appropriately
4. Governance best practices
To securely manage agent access:
Use least privilege access (only necessary users/groups)
Prefer group-based assignment over individual assignment
Regularly review agent usage and permissions
Restrict sensitive agents to controlled departments
Monitor access logs for unusual activity
Align with Microsoft Purview policies where applicable
5. Common use cases
HR agent accessible only to HR staff
IT helpdesk agent available to all employees
Finance reporting agent restricted to finance team
Executive summary agent limited to leadership group
6. Key exam takeaway
For AB-900, remember:
Agent access is primarily controlled through Entra ID groups, roles, and policies
Access can be tenant-wide or scoped
Security is enforced through RBAC and Conditional Access
Governance ensures agents are only available to the appropriate users
Practice Exam Questions (10)
1. What is the most common method used to manage user access to Microsoft 365 agents at scale?
A. Individual user assignment
B. Local device policies
C. Entra ID group-based assignment
D. DNS configuration
Answer: C
Explanation: Entra ID group-based assignment is the scalable and recommended way to manage agent access.
2. Which configuration limits an agent to only HR department users?
A. Tenant-wide publishing
B. Scoped group assignment
C. Public sharing link
D. Guest user activation
Answer: B
Explanation: Scoped assignment using groups restricts access to specific departments like HR.
3. Which role is typically required to manage Copilot or agent deployment settings?
A. SharePoint Site Owner
B. Global Administrator
C. Teams Guest User
D. Exchange Recipient User
Answer: B
Explanation: Global Administrators (or similar privileged roles) manage high-level agent deployment settings.
4. What is the purpose of Conditional Access in relation to agent usage?
A. To increase storage capacity
B. To control data indexing speed
C. To enforce security requirements before access
D. To create new agents automatically
Answer: C
Explanation: Conditional Access ensures users meet security conditions like MFA or device compliance.
5. What happens when a user is removed from an Entra ID group assigned to an agent?
A. They retain permanent access
B. Their access is automatically revoked
C. The agent is deleted
D. The entire tenant loses access
Answer: B
Explanation: Group membership changes immediately affect access to assigned resources, including agents.
6. Which access model makes an agent available to all licensed users in a tenant?
A. Scoped access
B. Tenant-wide access
C. External sharing mode
D. Device-based access
Answer: B
Explanation: Tenant-wide access allows all licensed users to use the agent.
7. Which control helps restrict what data an agent can access?
A. Network firewall rules
B. Permission scopes and Graph permissions
C. Printer access policies
D. Windows registry settings
Answer: B
Explanation: Permission scopes define what data and services an agent can access.
8. What is a key benefit of using group-based access for agents?
A. It disables auditing
B. It simplifies scalable management
C. It removes the need for authentication
D. It bypasses licensing requirements
Answer: B
Explanation: Group-based access simplifies administration, especially in large organizations.
9. Which scenario best describes proper agent governance?
A. All users can create unrestricted agents
B. Agents are available without authentication
C. Sensitive agents are limited to specific departments
D. Agents bypass compliance policies
Answer: C
Explanation: Sensitive agents should be restricted to appropriate departments for security and compliance.
10. What is a recommended best practice when configuring access to agents?
A. Assign access individually to each user
B. Use least privilege access principles
C. Allow anonymous access by default
D. Disable group usage entirely
Answer: B
Explanation: Least privilege ensures users only get the access they need, improving security and governance.
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub. This topic falls under these sections: Perform basic administrative tasks for Copilot and agents (25–30%) --> Perform basic administrative tasks for Copilot --> Manage prompts, in Microsoft Copilot, including saving, sharing, scheduling, and deleting
Introduction
Microsoft 365 Copilot allows users to create and reuse prompts to streamline repetitive work such as drafting emails, summarizing documents, generating reports, or analyzing data. From an administrative perspective, understanding how prompts are managed is important for governance, productivity, and consistency across an organization.
Prompts can be treated as reusable productivity assets that users can store, distribute, and manage over time—especially when Copilot is used at scale across Microsoft 365 apps.
1. What are Copilot prompts?
A Copilot prompt is a natural language instruction given to Copilot to generate output. For example:
“Summarize this meeting in five bullet points.”
“Draft a project update email for stakeholders.”
“Analyze this Excel dataset and highlight trends.”
Prompts can be:
One-time (ad hoc usage)
Saved for reuse
Shared across users or teams
Scheduled for recurring execution (in supported scenarios)
2. Saving prompts
Saving prompts allows users to reuse effective instructions without rewriting them.
Key characteristics:
Stored in a user-accessible prompt library or prompt experience
Can be reused across Microsoft 365 apps (Word, Teams, Outlook, etc.)
Helps standardize repetitive business tasks
Benefits:
Increases productivity
Encourages consistent output formatting
Reduces time spent recreating complex prompts
Example:
A finance analyst saves a prompt:
“Summarize quarterly revenue performance and highlight anomalies.”
3. Sharing prompts
Prompts can be shared with other users or teams to promote consistency.
Sharing capabilities include:
Sharing with individuals or groups
Embedding prompts into team workflows
Distributing best-practice prompts across departments
Use cases:
Standard HR onboarding email drafts
Sales proposal templates
IT troubleshooting responses
Governance consideration:
Shared prompts should align with organizational policies to avoid:
Exposure of sensitive instructions
Use of non-compliant content templates
4. Scheduling prompts
Scheduling allows prompts to be executed at defined intervals or triggered conditions (depending on Copilot capabilities and integration context).
Examples of scheduled prompt usage:
Daily summary of emails in Outlook
Weekly project status report generation
Regular data analysis summaries in Excel
Benefits:
Automates repetitive reporting tasks
Ensures timely information delivery
Reduces manual effort
Important note:
Scheduling capabilities may depend on:
Copilot-enabled workflows
Microsoft 365 integrations (Power Automate or agent-based automation)
5. Deleting prompts
Prompts can be deleted when they are no longer needed or are outdated.
Reasons for deletion:
Prompt is obsolete or inaccurate
Organizational standards have changed
Security or compliance concerns
User no longer needs the prompt
Administrative considerations:
Deleted prompts may not be recoverable depending on retention policies
Enterprises may enforce governance policies around prompt lifecycle management
6. Administrative and governance considerations
When managing prompts at scale, administrators should consider:
Security
Prevent sharing of sensitive prompts containing confidential logic
Ensure prompts do not encourage data leakage
Compliance
Align prompt usage with Microsoft Purview policies
Ensure prompts do not bypass organizational controls
Lifecycle management
Define rules for retention, reuse, and deletion
Standardize prompt libraries for departments
User enablement
Provide curated prompt libraries
Encourage adoption of approved prompt templates
7. Key exam takeaway
For AB-900, focus on the fact that Copilot prompt management includes:
Saving prompts for reuse
Sharing prompts across users or teams
Scheduling prompts for recurring tasks (where supported)
Deleting prompts for governance and lifecycle control
These capabilities support productivity while requiring governance oversight in enterprise environments.
Practice Exam Questions (10)
1. What is the primary benefit of saving Copilot prompts?
A. It increases network bandwidth usage
B. It allows reuse of effective instructions
C. It disables prompt security controls
D. It deletes old conversations automatically
Answer: B
Explanation: Saving prompts enables reuse of effective instructions, improving productivity and consistency.
2. An organization wants to standardize email drafts across departments. Which feature supports this goal?
A. Prompt deletion
B. Prompt sharing
C. Device enrollment
D. Data loss prevention
Answer: B
Explanation: Sharing prompts allows standardized templates and instructions to be distributed across teams.
3. Which scenario best represents a scheduled Copilot prompt?
A. A one-time email draft request
B. A manually typed search query
C. A daily summary report generated automatically
D. A deleted conversation thread
Answer: C
Explanation: Scheduled prompts run at defined intervals, such as daily report generation.
4. Why might an administrator enforce governance rules on shared prompts?
A. To increase storage capacity
B. To reduce CPU usage
C. To prevent exposure of sensitive or non-compliant content
D. To disable Copilot licensing
Answer: C
Explanation: Shared prompts may contain sensitive logic, so governance ensures compliance and security.
5. What typically happens when a prompt is deleted?
A. It is permanently removed from the prompt library
B. It becomes read-only
C. It is converted into a system alert
D. It is automatically shared with all users
Answer: A
Explanation: Deleting a prompt removes it from the library, although retention policies may affect recoverability.
6. Which of the following is a valid use case for saved prompts?
A. Running antivirus scans
B. Reusing a formatted project status report request
C. Managing device drivers
D. Configuring network routing
Answer: B
Explanation: Saved prompts are used for repeatable tasks like structured reports or summaries.
7. What is a key risk of unmanaged prompt sharing?
A. Increased CPU performance
B. Exposure of sensitive instructions or business logic
C. Faster email delivery
D. Reduced storage costs
Answer: B
Explanation: Unmanaged sharing can expose sensitive organizational logic or data-handling instructions.
8. Which Microsoft 365 principle is most relevant to managing Copilot prompts?
A. Hardware lifecycle management
B. Identity federation
C. Information governance
D. Network segmentation
Answer: C
Explanation: Prompt management relates to information governance, including control over content and usage.
9. What is a benefit of scheduling prompts in Copilot-enabled workflows?
A. It eliminates user authentication
B. It automates repetitive reporting tasks
C. It disables Microsoft 365 apps
D. It increases manual effort
Answer: B
Explanation: Scheduled prompts automate recurring tasks like reports and summaries.
10. Which action supports prompt lifecycle management in an enterprise environment?
A. Random prompt duplication
B. Unrestricted external sharing
C. Deleting outdated prompts based on policy
D. Disabling all Copilot features
Answer: C
Explanation: Removing outdated prompts helps maintain compliance and ensures only relevant prompts are retained.