AB-900, Microsoft Certification

AB-900 Practice Exam #1

AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Practice Exam

This practice exam is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.

Question 1 (Single Answer)

A company is preparing to deploy Microsoft 365 Copilot. The IT administrator wants to ensure Copilot can generate responses using organizational documents stored in Microsoft 365 while still respecting existing security permissions.

Which statement is correct?

A. Copilot ignores Microsoft 365 permissions and searches all tenant data.

B. Copilot only accesses documents that have sensitivity labels.

C. Copilot only returns information the signed-in user already has permission to access.

D. Copilot automatically grants temporary access to files needed to answer prompts.

Correct Answer

C

Explanation

Microsoft 365 Copilot honors existing Microsoft 365 security, identity, and permission models. Users only receive information they are already authorized to access.

  • A is incorrect because Copilot never bypasses permissions.
  • B is incorrect because permissions—not sensitivity labels alone—determine access.
  • D is incorrect because Copilot does not modify permissions.

Question 2 (Multiple Answer)

Which TWO Microsoft 365 services commonly provide grounding data for Microsoft 365 Copilot?

(Choose two.)

A. SharePoint Online

B. Exchange Online

C. Azure DevOps

D. Windows Registry

Correct Answers

A and B

Explanation

Microsoft 365 Copilot retrieves business context from Microsoft Graph, which includes services such as:

  • SharePoint Online
  • Exchange Online
  • Teams
  • OneDrive
  • Outlook
  • Calendar

Azure DevOps is not a core Microsoft 365 workload for Copilot grounding, and the Windows Registry is unrelated.

Question 3 (Scenario)

A compliance administrator wants to determine whether employees are using Copilot to summarize documents that contain sensitive information.

Which Microsoft Purview feature provides visibility into these AI interactions?

A. eDiscovery Content Search

B. Data Loss Prevention

C. Activity Explorer

D. SharePoint Version History

Correct Answer

C

Explanation

Microsoft Purview Activity Explorer displays user activities involving sensitive information, including activities related to Microsoft 365 Copilot and AI usage.

  • eDiscovery searches stored content.
  • DLP protects sensitive information.
  • Version History tracks document revisions.

Question 4 (Fill in the Blank)

Complete the following sentence.

Microsoft 365 Copilot retrieves organizational context primarily through the __________.

A. Azure Resource Manager

B. Microsoft Graph

C. Microsoft Defender Portal

D. Azure Key Vault

Correct Answer

B

Explanation

Microsoft Graph securely connects Microsoft 365 workloads and provides Copilot with organizational context while respecting user permissions.

Question 5 (Matching)

Match each Microsoft Purview capability with its primary purpose.

CapabilityPurpose
1. Activity ExplorerA. Investigate files and emails
2. Content SearchB. Monitor sensitive activities
3. DSPM for AIC. Identify AI-related risks

Choose the correct mapping.

A.
1-B
2-A
3-C

B.
1-C
2-B
3-A

C.
1-A
2-C
3-B

D.
1-B
2-C
3-A

Correct Answer

A

Explanation

  • Activity Explorer monitors user activities.
  • Content Search locates emails and files.
  • DSPM for AI identifies AI-related security and data risks.

Question 6 (Scenario)

An organization recently enabled Microsoft 365 Copilot. Leadership is concerned that employees may unintentionally expose confidential documents because SharePoint permissions were configured too broadly years ago.

Which Microsoft solution is specifically designed to identify oversharing risks?

A. Exchange Admin Center

B. Azure Cost Management

C. Microsoft Teams Admin Center

D. SharePoint Advanced Management

Correct Answer

D

Explanation

SharePoint Advanced Management provides reports and tools that help identify overshared content and manage site permissions before or after deploying Copilot.

The other options do not analyze SharePoint oversharing.

Question 7 (Multiple Answer)

Which TWO statements about Microsoft 365 Copilot licensing are true?

(Choose two.)

A. Copilot can be licensed through a per-user monthly subscription.

B. Some Copilot capabilities also support pay-as-you-go billing.

C. Every Copilot feature requires a pay-as-you-go model.

D. SharePoint agents cannot use pay-as-you-go billing.

Correct Answers

A and B

Explanation

Microsoft supports both:

  • Per-user monthly licensing
  • Pay-as-you-go consumption for certain Copilot experiences, including some SharePoint-related capabilities

The remaining statements are incorrect.

Question 8 (Best Answer)

Which administrative portal is primarily used to assign Microsoft 365 Copilot licenses?

A. Microsoft Entra Admin Center

B. Microsoft 365 Admin Center

C. Azure Portal

D. Microsoft Purview Portal

Correct Answer

B

Explanation

Administrators assign Microsoft 365 Copilot licenses through the Microsoft 365 Admin Center under Users > Active Users > Licenses and Apps.

Although Microsoft Entra manages identities, license assignment is typically performed in the Microsoft 365 Admin Center.

Question 9 (Scenario)

A company wants an AI assistant that answers HR questions using only company HR policies and employee handbooks.

Which solution best fits this requirement?

A. Microsoft Defender

B. Microsoft Purview eDiscovery

C. A custom Copilot agent

D. SharePoint Document Library

Correct Answer

C

Explanation

Custom agents can be configured with specialized knowledge sources and instructions, making them ideal for department-specific assistants such as HR, Finance, or IT Help Desk.

The other options are not conversational AI assistants.

Question 10 (Ordering)

A Microsoft 365 administrator wants to investigate a possible data exposure involving Copilot.

Arrange the following actions in the most logical order.

  1. Review Activity Explorer.
  2. Identify unusual AI-related activity.
  3. Review permissions on affected SharePoint sites.
  4. Apply appropriate permission corrections.

A.
1 → 2 → 3 → 4

B.
2 → 1 → 4 → 3

C.
3 → 2 → 1 → 4

D.
1 → 3 → 2 → 4

Correct Answer

A

Explanation

A logical investigation sequence is:

  1. Open Activity Explorer.
  2. Identify suspicious or unusual AI activity.
  3. Review the permissions on the affected content.
  4. Correct any oversharing or permission issues.

This workflow reflects recommended practices when investigating potential oversharing risks in Microsoft 365.

Question 11 (Single Answer)

An administrator wants to locate all emails and SharePoint documents that contain a specific project name as part of an internal investigation.

Which Microsoft Purview feature should the administrator use?

A. Activity Explorer

B. Content Search (eDiscovery)

C. Data Loss Prevention

D. Microsoft Defender XDR

Correct Answer

B

Explanation

Content Search in Microsoft Purview eDiscovery allows administrators to search across Exchange Online mailboxes, SharePoint Online sites, OneDrive accounts, and Microsoft Teams content.

  • A monitors activities but does not perform comprehensive content searches.
  • C prevents data leakage rather than locating historical content.
  • D focuses on security threats rather than content discovery.

Question 12 (Multiple Answer)

Which TWO capabilities are provided by Microsoft Purview Data Security Posture Management (DSPM) for AI?

(Choose two.)

A. Discover AI applications used within the organization

B. Identify AI-related data exposure risks

C. Automatically assign Microsoft 365 licenses

D. Replace Microsoft Entra ID authentication

Correct Answers

A and B

Explanation

DSPM for AI helps organizations:

  • Discover AI applications and services.
  • Identify AI-related security and governance risks.
  • Assess sensitive data exposure.
  • Improve AI governance.

It does not manage licensing or identity services.

Question 13 (Scenario)

A company recently enabled Microsoft 365 Copilot. Management wants to know how frequently employees are using Copilot and which Microsoft 365 applications have the highest adoption.

Which solution should the administrator use?

A. Microsoft Purview Audit

B. Microsoft Entra ID

C. Copilot Analytics

D. SharePoint Admin Center

Correct Answer

C

Explanation

Copilot Analytics provides insights into:

  • Adoption trends
  • Active users
  • Usage by Microsoft 365 application
  • Organizational engagement

The other tools serve different purposes.

Question 14 (Best Answer)

An administrator discovers that a SharePoint site grants access to “Everyone except external users.”

Why could this present a risk after deploying Microsoft 365 Copilot?

A. Copilot automatically republishes files externally.

B. Copilot may surface documents to any employee who already has access.

C. Copilot encrypts every document.

D. Copilot deletes inherited permissions.

Correct Answer

B

Explanation

Copilot honors existing permissions. If a large audience already has access to documents, Copilot may surface those documents during conversations, increasing the visibility of overshared information.

Question 15 (Matching)

Match each administrative portal to its primary responsibility.

PortalResponsibility
1. Microsoft 365 Admin CenterA. Data governance and compliance
2. Microsoft Purview PortalB. User licensing and Microsoft 365 administration
3. Power Platform Admin CenterC. Manage agents and Power Platform environments

Choose the correct answer.

A.
1-C
2-B
3-A

B.
1-B
2-C
3-A

C.
1-B
2-A
3-C

D.
1-A
2-C
3-B

Correct Answer

C

Explanation

  • Microsoft 365 Admin Center manages users, licenses, and Microsoft 365 services.
  • Microsoft Purview manages compliance, governance, and data protection.
  • Power Platform Admin Center manages Power Platform environments and many custom agents.

Question 16 (Scenario)

A business unit wants to deploy a custom agent for employees.

Before the agent becomes broadly available, the organization requires managerial review and approval.

What is the primary purpose of the approval process?

A. Improve network performance

B. Reduce Azure costs

C. Automatically create SharePoint sites

D. Ensure the agent meets organizational governance and compliance requirements

Correct Answer

D

Explanation

Approval workflows help ensure that agents:

  • Meet security standards.
  • Follow governance policies.
  • Use approved data sources.
  • Comply with organizational requirements.

Question 17 (Multiple Answer)

Which TWO actions can administrators commonly perform for Microsoft 365 Copilot in the Microsoft 365 Admin Center?

(Choose two.)

A. Assign Copilot licenses

B. Review Copilot usage reports

C. Design Power BI semantic models

D. Configure Windows Firewall policies

Correct Answers

A and B

Explanation

The Microsoft 365 Admin Center enables administrators to:

  • Assign licenses.
  • View adoption reports.
  • Manage service settings.
  • Monitor Copilot usage.

Power BI modeling and Windows Firewall management occur elsewhere.

Question 18 (Fill in the Blank)

Microsoft 365 Copilot respects existing __________ when retrieving organizational content.

A. Azure subscriptions

B. SharePoint branding

C. Microsoft 365 permissions

D. Windows registry settings

Correct Answer

C

Explanation

Copilot only retrieves information users are already authorized to access through Microsoft 365 permissions.

It never bypasses existing security controls.

Question 19 (Scenario)

An administrator wants to identify which custom agents are actively being used, how frequently they are accessed, and whether some should be retired.

Which combination of administrative capabilities best supports this objective?

A. Review operational insights and lifecycle information in the Microsoft 365 Admin Center and Power Platform Admin Center.

B. Configure Microsoft Defender Antivirus.

C. Run Windows Event Viewer.

D. Review Exchange transport rules.

Correct Answer

A

Explanation

Administrators can monitor:

  • Agent usage
  • Operational health
  • Adoption
  • Lifecycle status
  • Publishing status

through the Microsoft 365 Admin Center and Power Platform Admin Center.

The remaining options are unrelated.

Question 20 (Case Study)

A financial services organization has enabled Microsoft 365 Copilot for 500 employees.

After deployment, administrators discover that several sensitive documents appear in Copilot responses more often than expected. Investigation reveals that the documents reside in a SharePoint site with broad internal permissions.

Which sequence of actions represents the BEST response?

A.

  1. Delete Microsoft 365 Copilot.
  2. Restore SharePoint.
  3. Recreate documents.
  4. Reassign licenses.

B.

  1. Disable Microsoft Graph.
  2. Create a new tenant.
  3. Restore OneDrive.
  4. Reinstall Microsoft 365.

C.

  1. Increase Copilot licenses.
  2. Publish more SharePoint sites.
  3. Enable guest access.
  4. Run Copilot Analytics.

D.

  1. Review SharePoint permissions.
  2. Use SharePoint Advanced Management reports to identify oversharing.
  3. Restrict access where appropriate.
  4. Continue monitoring through Microsoft Purview and Copilot Analytics.

Correct Answer

D

Explanation

This follows Microsoft’s recommended governance approach:

  • Review permissions.
  • Identify oversharing.
  • Correct access controls.
  • Continue monitoring with governance and analytics tools.

Deleting Copilot or rebuilding the tenant would not solve the underlying permissions issue.

Question 21 (Single Answer)

A company wants to provide Microsoft 365 Copilot only to employees in the Finance department during a pilot deployment.

What is the simplest way to accomplish this?

A. Assign Microsoft 365 Copilot licenses only to Finance users.

B. Disable Microsoft Graph for all other users.

C. Create a separate Microsoft 365 tenant.

D. Disable SharePoint Online for everyone except Finance.

Correct Answer

A

Explanation

Assigning Copilot licenses only to Finance users is the recommended and simplest method for piloting Microsoft 365 Copilot. No additional tenant or service changes are required.

Question 22 (Multiple Answer)

Which TWO administrative tasks can be performed for Microsoft 365 Copilot using the Microsoft 365 Admin Center?

(Choose two.)

A. Assign Copilot licenses.

B. View Copilot adoption and usage reports.

C. Configure Microsoft Defender Antivirus policies.

D. Create Microsoft Fabric workspaces.

Correct Answers

A and B

Explanation

The Microsoft 365 Admin Center enables administrators to:

  • Assign and remove licenses.
  • Monitor Copilot adoption and usage.
  • Manage users and Microsoft 365 services.

Defender and Microsoft Fabric are managed in separate administration portals.

Question 23 (Scenario)

An organization wants to understand why Microsoft 365 Copilot is surfacing sensitive documents during conversations.

Which issue is MOST likely responsible?

A. Copilot is bypassing Microsoft Entra ID.

B. Copilot has been granted Global Administrator permissions.

C. Existing SharePoint permissions allow users to access those documents.

D. Microsoft Graph automatically expands user permissions.

Correct Answer

C

Explanation

Copilot never bypasses existing security. If users can already access sensitive documents because of broad SharePoint permissions, Copilot can include those documents in responses.

Question 24 (Best Answer)

Which Microsoft Purview capability helps administrators understand AI-related risks across organizational data?

A. SharePoint Version History

B. Data Security Posture Management (DSPM) for AI

C. Microsoft Planner

D. Exchange Mail Flow Rules

Correct Answer

B

Explanation

DSPM for AI helps organizations:

  • Discover AI usage.
  • Identify sensitive data exposure.
  • Assess AI-related risks.
  • Improve governance.

The other options do not provide AI governance capabilities.

Question 25 (Matching)

Match each feature with its primary purpose.

FeaturePurpose
1. Copilot AnalyticsA. Monitor adoption and usage
2. Activity ExplorerB. Review user activities involving sensitive data
3. SharePoint Advanced ManagementC. Identify oversharing risks

Choose the correct mapping.

A.

1-A

2-B

3-C

B.

1-C

2-A

3-B

C.

1-B

2-C

3-A

D.

1-A

2-C

3-B

Correct Answer

A

Explanation

  • Copilot Analytics monitors adoption and usage.
  • Activity Explorer tracks sensitive data activities.
  • SharePoint Advanced Management identifies oversharing risks.

Question 26 (Scenario)

A newly created custom agent is available only to its creator.

The administrator wants everyone in the Human Resources department to use the agent.

What should the administrator do?

A. Delete and recreate the agent.

B. Assign the appropriate user access permissions to the HR users or group.

C. Purchase additional Microsoft 365 licenses.

D. Enable Microsoft Defender for Office 365.

Correct Answer

B

Explanation

Administrators control which users or groups can access custom agents. Sharing or assigning permissions to the HR group makes the agent available to authorized users.

Question 27 (Multiple Answer)

Which TWO statements accurately describe Microsoft 365 Copilot prompts?

(Choose two.)

A. Users can save prompts for future use.

B. Users can share prompts with others when supported.

C. Prompts permanently modify SharePoint permissions.

D. Prompts automatically create new Microsoft 365 users.

Correct Answers

A and B

Explanation

Microsoft 365 Copilot allows users to:

  • Save prompts.
  • Reuse prompts.
  • Share prompts where supported.
  • Schedule certain prompts in supported experiences.

Prompts never modify permissions or user accounts.

Question 28 (Scenario)

A company wants to understand whether newly deployed agents are actively being used and whether some agents should be retired.

Which information should administrators review?

A. Windows Performance Monitor

B. Azure Resource Health

C. Operational insights and agent lifecycle information

D. Exchange mailbox quotas

Correct Answer

C

Explanation

Agent lifecycle information includes:

  • Usage
  • Adoption
  • Operational health
  • Publication status
  • Lifecycle stage

These metrics help determine whether agents continue to provide business value.

Question 29 (Fill in the Blank)

Microsoft 365 Copilot never grants users additional permissions because it always respects existing __________.

A. licensing assignments

B. Microsoft 365 security permissions

C. Power Platform environments

D. Exchange transport rules

Correct Answer

B

Explanation

One of the most important concepts for the AB-900 exam is that Microsoft 365 Copilot respects existing Microsoft 365 permissions. It does not elevate privileges or expose information users cannot already access.

Question 30 (Comprehensive Scenario)

A global organization plans to deploy Microsoft 365 Copilot to thousands of employees.

Before expanding deployment, administrators want to:

  • identify overshared SharePoint content,
  • monitor AI adoption,
  • investigate AI-related activities,
  • manage user licenses,
  • monitor custom agent usage.

Which combination of Microsoft tools BEST satisfies all of these requirements?

A.

  • Microsoft Defender
  • Azure Portal
  • Windows Admin Center

B.

  • Exchange Admin Center
  • Azure Cost Management
  • Microsoft Intune

C.

  • Microsoft Purview Activity Explorer
  • Microsoft 365 Admin Center
  • Copilot Analytics
  • SharePoint Advanced Management
  • Power Platform Admin Center

D.

  • Microsoft Planner
  • Power BI Desktop
  • Visual Studio Code

Correct Answer

C

Explanation

This combination provides complete administrative coverage:

  • Microsoft Purview Activity Explorer monitors AI-related activities involving sensitive information.
  • Microsoft 365 Admin Center manages users, licensing, and Microsoft 365 administration.
  • Copilot Analytics measures Copilot adoption and usage.
  • SharePoint Advanced Management identifies oversharing risks and governance issues.
  • Power Platform Admin Center manages many custom agents and their lifecycle.

The other options do not collectively address governance, administration, analytics, licensing, and agent management.

Leave a comment