Identify the appropriate roles and permissions for sites in SharePoint in Microsoft 365 (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core objects of Microsoft 365 services
      --> Identify the appropriate roles and permissions for sites in SharePoint in Microsoft 365


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Security and collaboration are two of the most important aspects of SharePoint Online. Organizations need users to easily access and share information while ensuring that sensitive content remains protected.

SharePoint permissions and roles determine who can:

  • View information.
  • Edit documents.
  • Create content.
  • Manage sites.
  • Share files with others.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand the common SharePoint roles, permission levels, inheritance concepts, and how permissions affect access to information used by Microsoft 365 services and Microsoft 365 Copilot.


Why Permissions Matter

SharePoint sites often contain:

  • Policies
  • Financial reports
  • Project documents
  • Human resources files
  • Meeting materials

Permissions ensure that users can only access information they are authorized to see.

This principle is known as least privilege, which means users should receive only the access necessary to perform their jobs.


SharePoint Security Model

SharePoint security is based on:

  1. Users
  2. Groups
  3. Roles
  4. Permission levels

Access is granted through permission assignments rather than by storing permissions directly on every file.


Understanding SharePoint Roles

A role defines what a user is allowed to do within a site.

Common roles include:

  • Site Owners
  • Site Members
  • Site Visitors

These roles are typically implemented through SharePoint groups.


Site Owners

Site Owners have the highest level of permissions on a site.

Owners can:

  • Add or remove users.
  • Change permissions.
  • Create libraries and lists.
  • Modify site settings.
  • Manage content.

Owners are responsible for maintaining and administering the site.

Example

The manager of a department may be assigned as a Site Owner.


Site Members

Site Members are contributors to the site.

Members can typically:

  • Create files.
  • Upload documents.
  • Edit existing content.
  • Delete content they have permission to manage.

Members help maintain and collaborate on information.

Example

Employees working on a project may be Members of the project site.


Site Visitors

Site Visitors generally have read-only access.

Visitors can:

  • View pages.
  • Open documents.
  • Read information.

Visitors cannot:

  • Modify files.
  • Upload documents.
  • Change settings.

Example

Executives reviewing reports may be assigned Visitor access.


Default Permission Levels

SharePoint provides several built-in permission levels.

Full Control

Allows users to:

  • Manage permissions.
  • Configure settings.
  • Create content.
  • Delete content.

Typically assigned to Site Owners.


Edit

Allows users to:

  • Add content.
  • Modify content.
  • Delete content.

Commonly assigned to Members.


Read

Allows users to:

  • View documents.
  • Open pages.
  • Download files.

Usually assigned to Visitors.


Contribute

Allows users to:

  • Add and edit content.

Contribute permissions are similar to Edit permissions but provide fewer management capabilities.


SharePoint Groups

Permissions are commonly assigned through groups rather than individual users.

Examples:

Group | Typical Permission
Site Owners | Full Control
Site Members | Edit
Site Visitors | Read

Using groups simplifies administration and improves consistency.


Permission Inheritance

SharePoint objects inherit permissions from their parent object.

Example:

Site
   --> Library
      --> Folder
         --> File

By default:

  • Libraries inherit from sites.
  • Folders inherit from libraries.
  • Files inherit from folders.

This inheritance model simplifies permission management.


Breaking Permission Inheritance

Administrators can stop an object from inheriting permissions.

For example:

A Human Resources library may require unique permissions that differ from the rest of the site.

Benefits include:

  • Protecting confidential information.
  • Restricting access to sensitive content.
  • Supporting departmental separation.

However, excessive unique permissions can increase administrative complexity.


Library-Level Permissions

Document libraries may have permissions that differ from the parent site.

Example:

Finance Site

Libraries:

  • Budgets
  • Payroll
  • Policies

The Payroll library may only be accessible to HR personnel.


Folder-Level Permissions

Folders can also have unique permissions.

Example:

Projects Library
   --> Project Alpha Folder

Only members of Project Alpha may receive access.

While possible, Microsoft generally recommends avoiding excessive folder-level permissions because they can become difficult to manage.


File-Level Permissions

Individual files can have unique permissions.

Example:

A confidential contract document may only be accessible to executives.

File-level permissions provide flexibility but should be used sparingly.


Sharing vs Permissions

Users often confuse sharing with permissions.

Permissions

Determine who has access.

Sharing

Provides a method to grant access.

When a user shares a file, SharePoint updates the permissions accordingly.


Internal Sharing

Internal sharing allows employees within the organization to access content.

This is the most common sharing scenario.


External Sharing

Organizations may allow collaboration with:

  • Customers
  • Vendors
  • Partners
  • Contractors

External users can receive access to:

  • Sites
  • Libraries
  • Files
  • Folders

Administrators can control external sharing settings in the SharePoint admin center.


Microsoft 365 Groups and Permissions

Many Team Sites are associated with Microsoft 365 Groups.

Membership in the Microsoft 365 Group automatically grants access to the connected:

  • SharePoint site
  • Outlook group
  • Teams workspace
  • Shared resources

This simplifies collaboration management.


SharePoint Admin Roles vs Site Roles

It is important to distinguish between:

SharePoint Administrator

A Microsoft 365 administrative role that manages SharePoint across the tenant.

Site Owner

A site-level role that manages one specific site.

SharePoint Administrators have broader authority than Site Owners.


How Permissions Affect Microsoft 365 Copilot

Microsoft 365 Copilot respects existing SharePoint permissions.

Copilot:

  • Does not bypass security.
  • Cannot reveal information users are not authorized to access.
  • Uses the same permissions already configured in Microsoft 365.

For example:

If User A cannot access a confidential HR folder, Copilot cannot retrieve content from that folder for User A.
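
The inheritance rules, the effect of breaking inheritance, and the Copilot behaviour described above can be seen together in a simplified Python model. It is an added example, not SharePoint's API and not code from the original post; the user names, the HR Staff group, and the file paths are constructed sample data.

```python
# Added illustration: a simplified model of the rules above, not SharePoint's API.
from dataclasses import dataclass
from typing import Optional

LEVELS = {"Read": 1, "Edit": 2, "Full Control": 3}  # simplified ranking

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    # None = inherits from parent; a dict {group: level} = unique permissions
    unique: Optional[dict] = None

    def scope(self) -> "Node":
        """Nearest object (self or ancestor) that holds its own assignments."""
        node = self
        while node.unique is None:  # the root site always has assignments
            node = node.parent
        return node

def effective_level(user, node, groups):
    """Highest level the user gets via any group assigned on the node's scope."""
    held = [lvl for grp, lvl in node.scope().unique.items()
            if user in groups.get(grp, set())]
    return max(held, key=LEVELS.get, default=None)

def security_trim(user, nodes, groups):
    """Objects the user can read: all a permission-respecting assistant may use."""
    return [n.name for n in nodes if effective_level(user, n, groups)]

def unique_scopes(nodes):
    """Non-root objects with broken inheritance: the exceptions to review."""
    return [n.name for n in nodes if n.parent is not None and n.unique is not None]

# Constructed sample data (hypothetical users, group and paths).
GROUPS = {"Site Owners": {"dana"}, "Site Members": {"sam"},
          "Site Visitors": {"eve"}, "HR Staff": {"hana"}}
SITE = Node("Finance Site", unique={"Site Owners": "Full Control",
                                    "Site Members": "Edit", "Site Visitors": "Read"})
BUDGETS = Node("Budgets", SITE)                    # inherits from the site
REPORT = Node("Budgets/q1.xlsx", BUDGETS)          # inherits from the library
PAYROLL = Node("Payroll", SITE,                    # inheritance broken here
               unique={"Site Owners": "Full Control", "HR Staff": "Edit"})
FOLDER = Node("Payroll/2024", PAYROLL)             # inherits the unique scope
PAYSLIP = Node("Payroll/2024/march.xlsx", FOLDER)
ALL = [SITE, BUDGETS, REPORT, PAYROLL, FOLDER, PAYSLIP]

if __name__ == "__main__":
    for user in ("dana", "sam", "eve", "hana"):
        print(user, security_trim(user, ALL, GROUPS))
    print("review:", unique_scopes(ALL))
```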


Best Practices

Use Groups Instead of Individual Users

Group-based permissions are easier to maintain.

Apply Least Privilege

Grant only the access required.

Minimize Unique Permissions

Too many exceptions create complexity.

Periodically Review Access

Remove unnecessary permissions when roles change.

Use Owners Carefully

Only trusted individuals should receive Full Control.


Exam Tips

Remember these key AB-900 concepts:

  • Site Owners usually have Full Control.
  • Site Members typically have Edit permissions.
  • Site Visitors generally have Read permissions.
  • Permissions are usually assigned through groups.
  • Objects inherit permissions from parent objects.
  • Libraries, folders, and files can have unique permissions.
  • Sharing grants access by modifying permissions.
  • SharePoint Administrators manage the service tenant-wide.
  • Site Owners manage individual sites.
  • Microsoft 365 Copilot respects SharePoint security permissions.

Practice Exam Questions

Question 1

Which SharePoint role normally has Full Control permissions?

A. Site Visitors
B. Site Members
C. Site Owners
D. External Users

Correct Answer: C

Explanation: Site Owners have the highest level of permissions and can manage settings, content, and permissions.


Question 2

Which permission level allows users to view documents without modifying them?

A. Read
B. Edit
C. Full Control
D. Contribute

Correct Answer: A

Explanation: Read permissions allow users to view content while preventing modifications.


Question 3

What is the primary advantage of assigning permissions through SharePoint groups?

A. Increased storage capacity
B. Simplified administration and consistency
C. Faster document uploads
D. Automatic licensing

Correct Answer: B

Explanation: Groups allow administrators to manage permissions efficiently without assigning access individually.


Question 4

By default, what happens to permissions on a newly created document library?

A. Permissions are disabled.
B. Full Control is granted to everyone.
C. The library receives random permissions.
D. The library inherits permissions from the parent site.

Correct Answer: D

Explanation: SharePoint uses inheritance by default so child objects receive permissions from parent objects.


Question 5

A department wants a confidential library accessible only to HR staff. What should be done?

A. Delete the parent site.
B. Convert the site to OneDrive.
C. Break permission inheritance for the library.
D. Disable version history.

Correct Answer: C

Explanation: Unique permissions can be applied by stopping inheritance from the parent site.


Question 6

Which role typically allows users to create and edit documents?

A. Site Visitors
B. Site Members
C. External Guests
D. Auditors

Correct Answer: B

Explanation: Members commonly receive Edit permissions that allow collaboration.


Question 7

Which statement about Microsoft 365 Copilot and SharePoint permissions is true?

A. Copilot bypasses security settings.
B. Copilot ignores file permissions.
C. Copilot grants temporary access to restricted files.
D. Copilot respects existing permissions.

Correct Answer: D

Explanation: Copilot can only access information users are already authorized to see.


Question 8

What is the difference between sharing and permissions?

A. Sharing grants access by modifying permissions.
B. Permissions are only used in OneDrive.
C. Sharing removes security settings.
D. Permissions are unrelated to sharing.

Correct Answer: A

Explanation: Sharing is a mechanism that changes permissions to allow access.


Question 9

Which object normally inherits permissions from a document library?

A. Microsoft Entra group
B. Mailbox
C. Folder
D. Exchange distribution group

Correct Answer: C

Explanation: Folders inherit permissions from their parent library unless inheritance is broken.


Question 10

Which statement correctly distinguishes a SharePoint Administrator from a Site Owner?

A. Site Owners manage the entire Microsoft 365 tenant.
B. SharePoint Administrators manage SharePoint across the organization, while Site Owners manage individual sites.
C. Site Owners automatically become Global Administrators.
D. SharePoint Administrators only manage a single site.

Correct Answer: B

Explanation: SharePoint Administrators have tenant-wide SharePoint authority, whereas Site Owners are responsible for specific sites only.

