Understand the approval process for agents (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Perform basic administrative tasks for agents
      --> Understand the approval process for agents


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As organizations increasingly adopt Microsoft 365 Copilot and AI-powered agents, governance becomes just as important as functionality. Without proper oversight, users could inadvertently create agents that expose sensitive information, perform unintended actions, or fail to comply with organizational policies.

For this reason, Microsoft provides an approval process that enables organizations to review, validate, and govern agents before they are made available to users. While the exact approval workflow depends on the type of agent, the organization’s governance policies, and the deployment platform (such as Microsoft Copilot Studio), administrators should understand how approval processes help ensure that agents are secure, compliant, and aligned with business requirements.

For the AB-900 exam, you are not expected to know every detailed configuration step, but you should understand why approvals exist, when they are required, who participates in the approval process, and what happens before and after an agent is approved.


Why Agent Approval is Important

Unlike general-purpose Microsoft 365 Copilot experiences, custom agents often:

  • Access organizational knowledge
  • Connect to business systems
  • Trigger automated workflows
  • Perform business-specific tasks
  • Use sensitive organizational data

Because of these capabilities, organizations typically require an approval process before an agent is published to production.

Approval helps ensure that:

  • The agent performs its intended function.
  • Security requirements are met.
  • Compliance policies are followed.
  • Data access is appropriate.
  • Users receive a trustworthy AI experience.

Goals of the Approval Process

An effective approval process helps organizations:

  • Reduce security risks
  • Prevent accidental oversharing
  • Ensure regulatory compliance
  • Improve quality of AI responses
  • Validate business usefulness
  • Maintain organizational standards
  • Establish accountability

Typical Agent Lifecycle

A simplified lifecycle includes:

  1. Design
  2. Build
  3. Configure
  4. Test
  5. Review
  6. Approve
  7. Publish
  8. Monitor
  9. Update
  10. Retire

Approval occurs after testing but before broad deployment.


Typical Approval Workflow

Although every organization may customize the workflow, the process generally follows these steps.

Step 1: Agent Creation

A developer or business user creates the agent.

They configure:

  • Instructions
  • Knowledge sources
  • Actions
  • Connectors
  • Conversation flow

Step 2: Initial Testing

Before requesting approval, the creator tests the agent.

Typical testing includes:

  • Prompt accuracy
  • Correct responses
  • Hallucination reduction
  • Data grounding
  • Error handling
  • Business logic

Step 3: Security Review

Security administrators verify that:

  • Permissions are appropriate.
  • Data sources are approved.
  • Authentication is configured correctly.
  • Sensitive information is protected.
  • Least-privilege access is maintained.

Step 4: Compliance Review

Compliance teams evaluate whether the agent aligns with organizational governance policies.

Areas reviewed include:

  • Data Loss Prevention (DLP)
  • Sensitivity labels
  • Microsoft Purview policies
  • Data retention
  • Regulatory requirements
  • Audit logging

Step 5: Business Review

Business owners determine whether:

  • The agent solves the intended problem.
  • Responses are accurate.
  • Business terminology is correct.
  • Processes are followed correctly.
  • Users will benefit from the solution.

Step 6: Approval

Once reviews are complete, the designated approver authorizes publication.

Only approved agents should become available to end users.


Step 7: Publishing

After approval, the agent can be:

  • Published
  • Assigned to users
  • Shared with groups
  • Made available in Microsoft Teams
  • Integrated into Microsoft 365 Copilot

Who May Participate in the Approval Process?

Several roles may be involved depending on the organization.

Agent Creator

Responsible for:

  • Designing the agent
  • Testing functionality
  • Fixing issues
  • Submitting for review

Business Owner

Responsible for:

  • Verifying business value
  • Confirming correct business logic
  • Approving organizational use

IT Administrator

Responsible for:

  • Platform administration
  • Environment configuration
  • Deployment
  • User access

Security Administrator

Responsible for:

  • Permission validation
  • Identity verification
  • Connector review
  • Security assessment

Compliance Administrator

Responsible for:

  • Governance policies
  • Data protection
  • Microsoft Purview compliance
  • Regulatory alignment

What is Reviewed During Approval?

Reviewers typically examine:

Purpose

Does the agent solve a legitimate business problem?


Instructions

Are system instructions clear?

Do they prevent inappropriate behavior?


Knowledge Sources

Are approved sources used?

Examples include:

  • SharePoint
  • Microsoft Graph
  • Dataverse
  • Internal documentation

Actions

Can the agent:

  • Send emails?
  • Update records?
  • Trigger workflows?
  • Access external systems?

Higher-risk actions usually require more careful review.


Permissions

Does the agent only access information users are already authorized to see?

Microsoft 365 security trimming should remain intact.


Connectors

Reviewers verify that external connectors:

  • Are trusted
  • Are approved
  • Meet organizational policies

Privacy

Organizations verify that:

  • Personal data is protected.
  • Confidential information is handled appropriately.
  • AI responses do not expose sensitive content.

Governance During Approval

Agent approval is part of broader AI governance.

Organizations often require:

  • Data classification
  • Sensitivity labels
  • DLP policies
  • Audit logs
  • Risk assessments
  • Periodic reviews

These controls help ensure responsible AI deployment.


Approval vs Publishing

These concepts are different.

Approval means the organization authorizes the agent for deployment.

Publishing makes the approved agent available to users.

An approved agent is not necessarily published immediately.

Likewise, a draft agent cannot be published without completing required approvals (if organizational policies require them).
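
The review areas and the approval/publishing distinction described above can be expressed as a policy gate. The following is an added example, not part of the original post and not a Microsoft API: the `Agent` record, the allow-lists, the action names and the sign-off roles are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions); a real organization defines its own.
APPROVED_SOURCES = {"SharePoint", "Microsoft Graph", "Dataverse"}
APPROVED_CONNECTORS = {"internal-crm"}
HIGH_RISK_ACTIONS = {"send_email", "update_records", "trigger_workflow",
                     "access_external_system"}
REQUIRED_SIGNOFFS = {"security", "compliance", "business"}

@dataclass
class Agent:  # hypothetical record of what reviewers examine
    name: str
    knowledge_sources: set
    actions: set
    connectors: set
    tested: bool = False
    signoffs: set = field(default_factory=set)
    state: str = "draft"  # draft -> approved -> published

def review_findings(agent):
    """Return the issues a reviewer would raise; an empty list means clean."""
    findings = []
    if not agent.tested:
        findings.append("testing must be completed before approval")
    for src in sorted(agent.knowledge_sources - APPROVED_SOURCES):
        findings.append(f"unapproved knowledge source: {src}")
    for conn in sorted(agent.connectors - APPROVED_CONNECTORS):
        findings.append(f"unapproved connector: {conn}")
    risky = sorted(agent.actions & HIGH_RISK_ACTIONS)
    for role in sorted(REQUIRED_SIGNOFFS - agent.signoffs):
        note = ""
        if role == "security" and risky:
            # Higher-risk actions are named so the security reviewer sees them.
            note = f" (high-risk actions: {', '.join(risky)})"
        findings.append(f"missing sign-off: {role}{note}")
    return findings

def approve(agent):
    """Approval authorizes deployment; it does not make the agent available."""
    findings = review_findings(agent)
    if findings:
        raise PermissionError("; ".join(findings))
    agent.state = "approved"

def publish(agent):
    """Publishing is a separate step and is refused for unapproved agents."""
    if agent.state != "approved":
        raise PermissionError(f"cannot publish agent in state '{agent.state}'")
    agent.state = "published"
```
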


What Happens After Approval?

Approval is not the end of governance.

Administrators continue to monitor:

  • Usage
  • Adoption
  • Errors
  • User feedback
  • Performance
  • Security events
  • Compliance alerts

Agents may later be:

  • Updated
  • Republished
  • Disabled
  • Archived
  • Deleted

Best Practices

Organizations should:

  • Define a formal approval workflow.
  • Require business ownership.
  • Review data access carefully.
  • Test before publishing.
  • Limit permissions using least privilege.
  • Monitor production usage.
  • Periodically review existing agents.
  • Remove unused or outdated agents.
  • Maintain documentation for governance and auditing.

Exam Tips

For the AB-900 exam, remember these key points:

  • Approval helps ensure agents are secure, compliant, and useful before deployment.
  • Multiple stakeholders—including creators, business owners, IT administrators, security administrators, and compliance administrators—may participate in the approval process.
  • Testing occurs before approval.
  • Publishing occurs after approval.
  • Organizations can customize approval workflows based on governance requirements.
  • Security, permissions, data access, compliance, and business value are common review areas.
  • Agent governance continues after publication through ongoing monitoring and management.

Practice Exam Questions

Question 1

Why do organizations typically require an approval process before publishing custom agents?

A. To reduce deployment speed

B. To ensure the agent meets security, compliance, and business requirements

C. To prevent Microsoft 365 licensing

D. To disable Microsoft Graph access

Answer: B

Explanation: Approval ensures agents are reviewed for security, compliance, data access, and business value before being made available to users.


Question 2

Which activity normally occurs immediately before an agent is submitted for approval?

A. Assigning licenses

B. Deleting old agents

C. Testing the agent

D. Archiving the environment

Answer: C

Explanation: Creators typically validate the agent through testing before requesting formal approval.


Question 3

Which team is primarily responsible for reviewing whether an agent complies with data governance requirements?

A. Marketing

B. Finance

C. Human Resources

D. Compliance administrators

Answer: D

Explanation: Compliance administrators review governance policies, regulatory requirements, data protection, and Microsoft Purview controls.


Question 4

Which aspect is most likely reviewed during an agent approval process?

A. The color theme of Microsoft Teams

B. The Windows desktop wallpaper

C. The user’s internet browser

D. The agent’s permissions and data sources

Answer: D

Explanation: Reviewers verify that permissions and knowledge sources comply with organizational security policies.


Question 5

What is the primary purpose of reviewing an agent’s knowledge sources?

A. To increase processor speed

B. To ensure the agent uses approved organizational information

C. To update Windows

D. To install Microsoft Office

Answer: B

Explanation: Approved knowledge sources help ensure accurate responses while protecting sensitive information.


Question 6

Which statement correctly describes approval and publishing?

A. Publishing always occurs before approval.

B. Approval and publishing are identical.

C. Approval authorizes deployment, while publishing makes the agent available to users.

D. Approval permanently locks the agent.

Answer: C

Explanation: Approval authorizes the agent for release, while publishing distributes it to its intended audience.


Question 7

Who is primarily responsible for confirming that an agent solves the intended business problem?

A. Business owner

B. Printer administrator

C. Network technician

D. Database operator

Answer: A

Explanation: Business owners validate that the agent provides value and meets organizational objectives.


Question 8

Which security principle should agents follow when accessing organizational information?

A. Unlimited access

B. Anonymous authentication

C. Guest-only permissions

D. Least privilege

Answer: D

Explanation: Agents should only access the information necessary for their intended function, following the principle of least privilege.


Question 9

After an agent has been approved and published, what should administrators continue to do?

A. Disable audit logging

B. Ignore user feedback

C. Monitor usage, performance, and compliance

D. Remove all permissions

Answer: C

Explanation: Ongoing monitoring helps ensure the agent remains secure, compliant, and effective as business needs evolve.


Question 10

Which statement best describes organizational approval workflows for agents?

A. Every Microsoft 365 tenant uses the exact same approval process.

B. Approval is optional for all organizations.

C. Approval workflows are fixed and cannot be customized.

D. Organizations can customize approval workflows to meet their governance requirements.

Answer: D

Explanation: Microsoft provides flexible governance capabilities, allowing organizations to implement approval workflows that align with their security, compliance, and operational policies.

