Explain the core Zero Trust principles (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Understand the Microsoft 365 security principles
      --> Explain the core Zero Trust principles


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Modern organizations face increasingly sophisticated cyber threats. Traditional security models assumed that users and devices inside the corporate network could automatically be trusted. However, with cloud computing, remote work, mobile devices, and AI-powered services, this approach is no longer sufficient.

Zero Trust is the security model on which Microsoft builds its products and its security guidance. It assumes that no user, device, application, or network should be automatically trusted; every access request must be verified before access is granted, regardless of where it originates.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, understanding the core Zero Trust principles is essential because Microsoft 365 security capabilities are built around this model.


What Is Zero Trust?

Zero Trust is a security model based on the idea:

“Never trust, always verify.”

Instead of assuming that users inside the network are trustworthy, Zero Trust continuously validates:

  • Identity
  • Device health
  • Location
  • Risk level
  • Access requirements

The goal is to minimize unauthorized access and reduce the impact of security breaches.


Why Traditional Security Models Are Insufficient

Older security models relied on a network perimeter.

Example:

Outside Network = Untrusted
Inside Network = Trusted

This approach becomes ineffective when:

  • Users work remotely.
  • Data resides in the cloud.
  • Devices connect from multiple locations.
  • Attackers compromise user credentials.

Zero Trust assumes that threats can exist both inside and outside the organization.


The Three Core Zero Trust Principles

Microsoft defines three fundamental Zero Trust principles:

  1. Verify Explicitly
  2. Use Least Privileged Access
  3. Assume Breach

These principles work together to strengthen security.


Principle 1: Verify Explicitly

“Always authenticate and authorize based on all available data.”

Every access request should be evaluated using multiple signals.

Examples include:

  • User identity
  • Device status
  • Location
  • Application being accessed
  • User risk level
  • Data sensitivity

Access is granted only after verification.


Multi-Factor Authentication (MFA)

MFA is one example of explicit verification.

Instead of relying only on passwords, users provide additional evidence such as:

  • Authenticator app approval
  • Text message code
  • Hardware token
  • Biometrics

MFA significantly reduces the risk of compromised credentials. Not all methods are equal, however: text message codes and simple push approvals can be phished or approved by a fatigued user, so phishing-resistant methods such as FIDO2 security keys are preferred, especially for administrators.


Conditional Access

Microsoft Entra Conditional Access evaluates signals before granting access.

Examples:

  • Require MFA outside the corporate network.
  • Block high-risk sign-ins.
  • Restrict access from unmanaged devices.

Conditional Access supports the Verify Explicitly principle.
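
The following is an added example, not code from the original post or from Microsoft. It models how a Conditional Access evaluation combines the signals listed above: each policy applies only when all of its conditions match, every applicable policy is enforced at once, a single block wins outright, and otherwise the grant controls of all applicable policies accumulate and must all be satisfied. The three policies mirror the three examples above; the sign-in events and their field names (risk, trusted_location, device_compliant, mfa_completed) are constructed assumptions, not real telemetry.

```python
"""Simplified model of how Conditional Access combines signals and policies.

Added example for this post, not Microsoft's code. Assumptions: a sign-in is
a dict of signals with hypothetical field names, every applicable policy is
enforced at once, a single "block" wins, and otherwise the grant controls of
all applicable policies accumulate and must all be satisfied.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                               # "block", "mfa" or "compliantDevice"
    risk_levels: frozenset = frozenset()     # apply only at these risk levels; empty = any
    trusted_location: Optional[bool] = None  # True/False to match; None = any location
    apps: frozenset = frozenset()            # apply only to these apps; empty = all apps


# Whether the sign-in already satisfies a grant control (signal names are assumptions).
CONTROL_SATISFIED = {
    "mfa": lambda s: s["mfa_completed"],
    "compliantDevice": lambda s: s["device_compliant"],
}


def applies(policy: Policy, sign_in: dict) -> bool:
    """A policy applies only when every condition it configures matches the sign-in."""
    if policy.risk_levels and sign_in["risk"] not in policy.risk_levels:
        return False
    if policy.trusted_location is not None and sign_in["trusted_location"] != policy.trusted_location:
        return False
    if policy.apps and sign_in["app"] not in policy.apps:
        return False
    return True


def evaluate(policies, sign_in: dict) -> dict:
    """Evaluate every policy: block wins outright, otherwise collect outstanding controls."""
    applicable = [p for p in policies if applies(p, sign_in)]
    blockers = [p.name for p in applicable if p.grant == "block"]
    if blockers:
        return {"decision": "block", "policies": blockers}
    required = sorted({p.grant for p in applicable})
    outstanding = [c for c in required if not CONTROL_SATISFIED[c](sign_in)]
    return {
        "decision": "challenge" if outstanding else "grant",
        "required": required,
        "outstanding": outstanding,
        "policies": [p.name for p in applicable],
    }


# Policies mirroring the three examples above (constructed).
POLICIES = [
    Policy("Require MFA outside the corporate network", "mfa", trusted_location=False),
    Policy("Block high-risk sign-ins", "block", risk_levels=frozenset({"high"})),
    Policy("Require compliant device for SharePoint", "compliantDevice", apps=frozenset({"SharePoint"})),
]

# Constructed sign-in events, not real telemetry.
SIGN_INS = {
    "office": {"user": "alice", "app": "Exchange", "risk": "low",
               "trusted_location": True, "device_compliant": True, "mfa_completed": False},
    "remote_no_mfa": {"user": "alice", "app": "SharePoint", "risk": "low",
                      "trusted_location": False, "device_compliant": True, "mfa_completed": False},
    "byod": {"user": "bob", "app": "SharePoint", "risk": "low",
             "trusted_location": False, "device_compliant": False, "mfa_completed": True},
    "risky": {"user": "carol", "app": "Exchange", "risk": "high",
              "trusted_location": True, "device_compliant": True, "mfa_completed": True},
}


def decide(name: str) -> dict:
    """Evaluate one of the constructed sign-ins against all policies."""
    return evaluate(POLICIES, SIGN_INS[name])


if __name__ == "__main__":
    for name in SIGN_INS:
        print(f"{name:14} -> {decide(name)}")
```

Two details matter for the exam and in practice. The high-risk sign-in is blocked even though the user has already completed MFA, because a block in any applicable policy overrides every other grant control. The unmanaged device is never outright blocked by a policy, yet it can never satisfy the compliant-device control, so the outcome is the same.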


Principle 2: Use Least Privileged Access

“Grant only the minimum access necessary.”

Users should receive only the permissions required to perform their work.

Least privilege reduces the potential damage caused by:

  • Human error
  • Compromised accounts
  • Insider threats

Examples of Least Privilege

Example 1

A finance employee receives access only to finance documents.

Example 2

An HR employee cannot view confidential engineering files.

Example 3

Most users do not receive administrator privileges.


Role-Based Access Control (RBAC)

RBAC assigns permissions according to job roles.

Examples:

Role                        Typical Permissions
--------------------------  --------------------------------
Global Administrator        Full tenant administration
User Administrator          User management only
SharePoint Administrator    SharePoint administration only
Teams Administrator         Teams administration only

RBAC prevents excessive permissions.


Just-In-Time (JIT) Access

Administrative access can be granted temporarily when needed rather than held permanently. In Microsoft Entra this is provided by Privileged Identity Management (PIM), which requires Microsoft Entra ID P2: an administrator is made eligible for a role and activates it for a limited time, normally with a justification, after which the assignment expires automatically.

Benefits include:

  • Reduced attack surface, because standing privileges are removed.
  • Lower risk of privileged account abuse.
  • Improved auditing, because every activation is recorded with who, when, and why.

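
The following is an added example, not code from the original post or from Microsoft. It puts the RBAC table and the JIT idea above into one small model: roles are sets of permitted actions, a permanent assignment is always active, an eligible assignment grants nothing until it is activated with a justification, and an activation expires on its own. The role and action names are assumptions chosen to match the table; the audit list is what makes the temporary access reviewable.

```python
"""Role-based access with just-in-time activation (added example, not Microsoft's code).

Assumptions: a role is a set of permitted actions, a permanent assignment is
always active, an eligible assignment grants nothing until it is activated
with a justification, and an activation expires automatically after a bounded
window. Every activation request and access check is appended to an audit
list, which is what makes the temporary access reviewable.
"""
from datetime import datetime, timedelta, timezone

# Role definitions mirroring the table above; action names are assumptions.
ROLES = {
    "Global Administrator": {"*"},
    "User Administrator": {"user.create", "user.reset_password", "user.delete"},
    "SharePoint Administrator": {"sharepoint.site.create", "sharepoint.site.delete"},
    "Teams Administrator": {"teams.policy.update", "teams.meeting.settings"},
    "Finance Reader": {"finance.read"},
}
MAX_ACTIVATION_HOURS = 8  # upper bound on any single activation


class Directory:
    def __init__(self):
        self.permanent = {}    # user -> set of permanently assigned roles
        self.eligible = {}     # user -> set of roles the user may activate
        self.activations = {}  # (user, role) -> expiry time
        self.audit = []        # (time, user, action, outcome)

    def assign(self, user, role, permanent=False):
        target = self.permanent if permanent else self.eligible
        target.setdefault(user, set()).add(role)

    def activate(self, user, role, now, hours=1, justification=""):
        """Turn an eligible assignment into an active one for a limited time."""
        if role not in self.eligible.get(user, set()):
            self.audit.append((now, user, f"activate {role}", "denied: not eligible"))
            return False
        if not justification:
            self.audit.append((now, user, f"activate {role}", "denied: no justification"))
            return False
        hours = min(hours, MAX_ACTIVATION_HOURS)
        self.activations[(user, role)] = now + timedelta(hours=hours)
        self.audit.append((now, user, f"activate {role}", f"granted {hours}h: {justification}"))
        return True

    def active_roles(self, user, now):
        roles = set(self.permanent.get(user, set()))
        for (u, role), expiry in self.activations.items():
            if u == user and now < expiry:  # expired activations simply stop counting
                roles.add(role)
        return roles

    def can(self, user, action, now):
        """Least privilege check: allowed only through a currently active role."""
        allowed = any("*" in ROLES[r] or action in ROLES[r] for r in self.active_roles(user, now))
        self.audit.append((now, user, action, "allowed" if allowed else "denied"))
        return allowed


def demo():
    """Walk one user through permanent, eligible, activated and expired access."""
    d = Directory()
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    d.assign("alice", "Finance Reader", permanent=True)
    d.assign("alice", "User Administrator")  # eligible only, nothing active yet
    r = {}
    r["finance_read"] = d.can("alice", "finance.read", t0)
    r["reset_before"] = d.can("alice", "user.reset_password", t0)
    r["activated"] = d.activate("alice", "User Administrator", t0, hours=1,
                                justification="password reset for a locked-out user")
    r["reset_during"] = d.can("alice", "user.reset_password", t0 + timedelta(minutes=30))
    r["reset_after"] = d.can("alice", "user.reset_password", t0 + timedelta(hours=2))
    r["other_role"] = d.can("alice", "sharepoint.site.delete", t0 + timedelta(minutes=30))
    r["not_eligible"] = d.activate("alice", "Global Administrator", t0, justification="x")
    r["audit_entries"] = len(d.audit)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

The point of the walk-through is that the same request, a password reset, is denied before activation, allowed during the window, and denied again two hours later without anyone revoking anything. The activation for a role the user is not eligible for fails and is still written to the audit trail, which is the entry an investigator wants to see.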
Principle 3: Assume Breach

“Operate as though an attacker is already present.”

Zero Trust assumes that security incidents may occur despite preventive measures.

Organizations should:

  • Limit the spread of attacks.
  • Detect suspicious activity quickly.
  • Respond rapidly to incidents.

Segmentation

Resources are divided into smaller areas.

Examples:

  • HR data separated from Finance data.
  • Department-specific SharePoint sites.
  • Restricted Teams channels.

Segmentation prevents attackers from moving freely across the environment.


Monitoring and Logging

Continuous monitoring helps detect:

  • Unusual sign-ins.
  • Excessive file downloads.
  • Suspicious device behavior.

Microsoft Entra ID Protection (for risky sign-ins and risky users) and Microsoft Defender analyze these signals to identify threats, and the unified audit log in Microsoft Purview records the underlying user and admin activity.
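
The following is an added example, not code from the original post or from Microsoft. It runs three detections over constructed events that imitate the shape of sign-in and audit log entries, one for each signal listed above: a burst of failed sign-ins followed by a success from the same address, a successful sign-in from a country the user has never used before, and more file downloads within an hour than a threshold allows. The events, field names, IP addresses and thresholds are all constructed assumptions.

```python
"""Detection logic over constructed audit events (added example, not Microsoft's code).

The events imitate the shape of sign-in and audit log entries but are made up,
and the field names are assumptions. Three detections mirror the signals listed
above: a burst of failed sign-ins followed by a success from the same address,
a successful sign-in from a country the user has never used, and more file
downloads per hour than a threshold allows.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 3, 3, 8, 0)


def _ev(minutes, user, op, result="Success", ip="198.51.100.10", country="US"):
    """Build one constructed event `minutes` after BASE."""
    return {"time": BASE + timedelta(minutes=minutes), "user": user, "op": op,
            "result": result, "ip": ip, "country": country}


EVENTS = (
    # alice: two ordinary sign-ins, then a success a day later from a new country
    [_ev(0, "alice", "UserLoggedIn"), _ev(60, "alice", "UserLoggedIn"),
     _ev(1440, "alice", "UserLoggedIn", ip="203.0.113.50", country="BR")]
    # bob: six failures in six minutes from one address, then a success from it
    + [_ev(m, "bob", "UserLoggedIn", result="Failure", ip="203.0.113.7", country="NL")
       for m in range(30, 36)]
    + [_ev(36, "bob", "UserLoggedIn", ip="203.0.113.7", country="NL")]
    # carol: 25 downloads in 25 minutes; dave: five downloads spread over an hour
    + [_ev(100 + m, "carol", "FileDownloaded") for m in range(25)]
    + [_ev(100 + 10 * m, "dave", "FileDownloaded") for m in range(5)]
)


def _by_time(events):
    return sorted(events, key=lambda e: e["time"])


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a success preceded by >= threshold failures from the same (user, ip) in the window."""
    alerts, recent = [], defaultdict(list)
    for e in _by_time(events):
        if e["op"] != "UserLoggedIn":
            continue
        key = (e["user"], e["ip"])
        recent[key] = [t for t in recent[key] if e["time"] - t <= window]
        if e["result"] == "Failure":
            recent[key].append(e["time"])
        elif len(recent[key]) >= threshold:
            alerts.append((e["user"], e["ip"], len(recent[key])))
            recent[key].clear()
    return alerts


def new_country(events):
    """Flag a successful sign-in from a country absent from the user's earlier successes."""
    alerts, seen = [], defaultdict(set)
    for e in _by_time(events):
        if e["op"] != "UserLoggedIn" or e["result"] != "Success":
            continue
        if seen[e["user"]] and e["country"] not in seen[e["user"]]:
            alerts.append((e["user"], e["country"]))
        seen[e["user"]].add(e["country"])  # a first-ever sign-in only builds the baseline
    return alerts


def excessive_downloads(events, threshold=20, window=timedelta(hours=1)):
    """Flag the first moment a user exceeds `threshold` downloads inside a sliding window."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for e in _by_time(events):
        if e["op"] != "FileDownloaded" or e["user"] in flagged:
            continue
        times = [t for t in recent[e["user"]] if e["time"] - t <= window] + [e["time"]]
        recent[e["user"]] = times
        if len(times) > threshold:
            alerts.append((e["user"], len(times)))
            flagged.add(e["user"])
    return alerts


def run_detections(events=EVENTS):
    return {
        "failed_then_success": failed_then_success(events),
        "new_country": new_country(events),
        "excessive_downloads": excessive_downloads(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(f"{rule:22} {hits}")
```

Note what does not fire: bob's single successful sign-in from the Netherlands is not a new-country alert, because he has no earlier baseline to compare against, and dave's five downloads stay under the threshold. A detection that alerts on every first sign-in or every download produces noise that analysts learn to ignore, which defeats the "detect quickly" goal.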


Incident Response

Organizations should have plans for:

  • Investigating attacks.
  • Containing compromised accounts.
  • Recovering services.
  • Restoring operations.

Zero Trust focuses not only on prevention but also on resilience.


Zero Trust Pillars

Microsoft extends Zero Trust across several areas:

Identities

Verify users and administrators.

Devices

Ensure devices meet security requirements.

Applications

Protect access to applications.

Data

Secure sensitive information.

Infrastructure

Protect servers and workloads.

Networks

Secure communication paths.

These pillars work together to provide layered protection.


Zero Trust in Microsoft 365

Microsoft 365 incorporates Zero Trust through features such as:

  • Microsoft Entra ID
  • Multi-Factor Authentication (MFA)
  • Conditional Access
  • Microsoft Defender
  • Microsoft Purview
  • Role-Based Access Control
  • Data Loss Prevention (DLP)

These capabilities help organizations implement Zero Trust without building custom solutions.


Zero Trust and Microsoft 365 Copilot

Microsoft 365 Copilot follows Zero Trust principles because it retrieves content through Microsoft Graph in the signed-in user's own context.

Copilot:

  • Uses the user's existing permissions; it has no access of its own.
  • Does not bypass existing security controls.
  • Only accesses data the user is already authorized to view.
  • Respects SharePoint, Teams, and Exchange permissions.

For example:

If a user cannot access an HR document, Copilot cannot retrieve or summarize that document for them.

This works in both directions. Copilot can surface anything a user can already open, including files on over-shared SharePoint sites that nobody would have found by browsing, so weak permissions on the underlying data become easier to exploit. Tightening least privilege on the data itself is a prerequisite for deploying Copilot safely.
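
The following is an added example, not code from the original post or from Microsoft. It shows the retrieval pattern the HR example describes: documents are trimmed to those the requesting user can read before anything is ranked or handed to the language model. The documents, group memberships and keyword-count relevance score are constructed assumptions. The unsafe variant at the end filters only the citations after the model has already been given the text, to show why the order of trimming matters.

```python
"""Permission-trimmed retrieval, the pattern the text describes for Copilot.

Added example, not Microsoft's code. Assumptions: each document carries an
ACL of principals (users or groups), a keyword count stands in for semantic
search, and the context handed to the language model is built only from
documents the requesting user can already open. The unsafe variant at the end
filters after the context is built, to show why the order matters.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    id: str
    title: str
    text: str
    acl: frozenset  # principals (user or group names) allowed to read


# Constructed group membership and documents.
GROUPS = {
    "hr-team": {"hannah"},
    "finance-team": {"felix"},
    "everyone": {"hannah", "felix", "eve"},
}
DOCS = [
    Doc("hr-001", "Salary review 2025",
        "Confidential salary adjustments for the engineering organization.",
        frozenset({"hr-team"})),
    Doc("fin-007", "Expense policy",
        "Reimbursement limits for travel and equipment purchases.",
        frozenset({"finance-team", "hr-team"})),
    Doc("pub-003", "Holiday calendar",
        "Company holidays and office closures for the year.",
        frozenset({"everyone"})),
]


def principals_for(user: str) -> set:
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def can_read(user: str, doc: Doc) -> bool:
    return bool(doc.acl & principals_for(user))


def score(query: str, doc: Doc) -> int:
    """Toy relevance: number of query words found in the title or body."""
    haystack = f"{doc.title} {doc.text}".lower()
    return sum(1 for w in set(query.lower().split()) if w in haystack)


def retrieve(user: str, query: str, docs=DOCS, k: int = 3) -> list:
    """Trim by permission BEFORE ranking so unauthorized text never reaches the model."""
    visible = [d for d in docs if can_read(user, d)]
    ranked = sorted(visible, key=lambda d: score(query, d), reverse=True)
    return [d for d in ranked[:k] if score(query, d) > 0]


def build_context(user: str, query: str, docs=DOCS) -> str:
    """Grounding text for the model, built only from retrieve()'s trimmed results."""
    return "\n".join(f"[{d.id}] {d.title}: {d.text}" for d in retrieve(user, query, docs))


def build_context_unsafe(user: str, query: str, docs=DOCS, k: int = 3):
    """Anti-pattern: rank everything, hand it all to the model, hide only the citations.

    The citation list looks clean, but the model has already read the HR
    document and can repeat or summarize it in its answer.
    """
    ranked = [d for d in sorted(docs, key=lambda d: score(query, d), reverse=True)[:k]
              if score(query, d) > 0]
    context = "\n".join(f"[{d.id}] {d.title}: {d.text}" for d in ranked)
    citations = [d.id for d in ranked if can_read(user, d)]
    return context, citations


if __name__ == "__main__":
    for user in ("hannah", "eve"):
        print(f"--- {user}: trimmed context ---")
        print(build_context(user, "salary review") or "(nothing the user may read)")
    ctx, cites = build_context_unsafe("eve", "salary review")
    print("--- eve: unsafe variant cites", cites, "but the model saw:", ctx)
```

For eve, who is not in hr-team, the trimmed context is empty and the model has nothing to leak. In the unsafe variant the citation list is also empty, which is exactly what makes it dangerous: the output looks compliant while the salary text is already in the prompt. Permission checks belong at retrieval time, not at presentation time.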


Benefits of Zero Trust

Organizations implementing Zero Trust gain:

Improved Security

Reduced risk of unauthorized access.

Better Protection Against Credential Theft

MFA and Conditional Access strengthen identity security.

Reduced Attack Surface

Least privilege minimizes exposure.

Faster Threat Detection

Continuous monitoring identifies suspicious activity.

Support for Remote Work

Security is based on identity and context rather than location.


Best Practices

Enable Multi-Factor Authentication

MFA is one of the most effective security controls.

Assign Administrative Roles Carefully

Avoid excessive privileges.

Review Permissions Regularly

Remove unnecessary access.

Monitor Sign-In Activity

Identify abnormal behavior.

Assume Breaches Can Occur

Prepare response plans before incidents happen.


Exam Tips

Remember these AB-900 concepts:

  • Zero Trust means “Never trust, always verify.”
  • Microsoft defines three core principles:
    • Verify Explicitly
    • Use Least Privileged Access
    • Assume Breach
  • MFA supports explicit verification.
  • Role-Based Access Control supports least privilege.
  • Segmentation supports the Assume Breach principle.
  • Conditional Access evaluates signals before granting access.
  • Zero Trust applies across six pillars: identities, devices, applications, data, infrastructure, and networks.
  • Microsoft 365 Copilot respects existing permissions and security controls.

Practice Exam Questions

Question 1

Which phrase best summarizes the Zero Trust security model?

A. Trust internal users automatically
B. Never trust, always verify
C. Secure only external users
D. Block all remote access

Correct Answer: B

Explanation: Zero Trust assumes that no user or device should be automatically trusted and that every access request should be verified.


Question 2

Which of the following is one of Microsoft’s three core Zero Trust principles?

A. Enable Open Access
B. Trust the Network
C. Assume Breach
D. Ignore Insider Threats

Correct Answer: C

Explanation: Assume Breach is one of the three core principles alongside Verify Explicitly and Use Least Privileged Access.


Question 3

Which Microsoft capability is commonly used to support the Verify Explicitly principle?

A. Document version history
B. SharePoint communication sites
C. Multi-Factor Authentication (MFA)
D. Exchange distribution groups

Correct Answer: C

Explanation: MFA requires additional forms of verification beyond passwords and supports explicit verification.


Question 4

What is the goal of the Least Privileged Access principle?

A. Give users administrator rights by default.
B. Grant only the access users need to perform their jobs.
C. Allow unrestricted file access.
D. Eliminate authentication requirements.

Correct Answer: B

Explanation: Least privilege minimizes risk by limiting permissions to what is necessary.


Question 5

Which concept helps implement least privilege by assigning permissions according to job responsibilities?

A. External sharing
B. Dynamic distribution groups
C. Role-Based Access Control (RBAC)
D. Site collections

Correct Answer: C

Explanation: RBAC assigns permissions based on roles rather than giving broad access to everyone.


Question 6

Under the Assume Breach principle, organizations should operate as though:

A. No attacks are possible.
B. Security controls are unnecessary.
C. Internal networks are always trusted.
D. Attackers may already be present.

Correct Answer: D

Explanation: Zero Trust assumes breaches can occur and focuses on limiting their impact.


Question 7

Which technology evaluates user and device conditions before granting access?

A. Conditional Access
B. Version history
C. Distribution lists
D. Mail contacts

Correct Answer: A

Explanation: Conditional Access uses signals such as device health and location to determine access requirements.


Question 8

How does Microsoft 365 Copilot align with Zero Trust principles?

A. It bypasses SharePoint permissions.
B. It grants temporary administrator rights.
C. It accesses only information users are already authorized to view.
D. It ignores role assignments.

Correct Answer: C

Explanation: Copilot respects existing permissions and cannot expose unauthorized information.


Question 9

Which activity supports the Assume Breach principle?

A. Disabling authentication
B. Continuous monitoring and logging
C. Sharing all documents publicly
D. Removing security policies

Correct Answer: B

Explanation: Monitoring helps organizations detect and respond to suspicious behavior.


Question 10

Which core Zero Trust principle is directly supported by Role-Based Access Control?

A. Verify Explicitly
B. Assume Breach
C. Encrypt Everything
D. Use Least Privileged Access

Correct Answer: D

Explanation: RBAC limits permissions according to job roles, supporting least privilege.

