This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
--> Understand the Microsoft 365 security principles
--> Understand Authorization
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.
Introduction
In Microsoft 365 security, protecting resources involves two closely related concepts:
- Authentication
- Authorization
Although these terms are often confused, they serve different purposes.
- Authentication answers the question: “Who are you?”
- Authorization answers the question: “What are you allowed to do?”
For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, understanding authorization is important because Microsoft 365 relies heavily on permissions, roles, and policies to determine what users can access.
What Is Authorization?
Authorization is the process of determining whether an authenticated user has permission to access a resource or perform an action.
Examples of resources include:
- Email messages
- SharePoint sites
- Teams channels
- Files and folders
- Applications
- Administrative settings
Authorization occurs after authentication.
Authentication vs. Authorization
These concepts work together but perform different functions.
| Authentication | Authorization |
|---|---|
| Verifies identity | Determines access rights |
| Answers “Who are you?” | Answers “What can you do?” |
| Usually requires credentials | Uses permissions and policies |
| Happens first | Happens second |
Example
- A user signs in with their Microsoft 365 account.
- Microsoft verifies their identity (authentication).
- Microsoft checks whether they are allowed to access a file (authorization).
Real-World Example
Imagine entering an office building.
Authentication
Showing your employee badge proves who you are.
Authorization
Your badge determines:
- Which floors you may enter.
- Which rooms you can access.
- Whether you can enter the server room.
Not every employee receives the same level of access.
Why Authorization Is Important
Authorization helps organizations:
- Protect sensitive information.
- Limit insider threats.
- Enforce security policies.
- Support compliance requirements.
- Implement the Zero Trust model.
Without authorization controls, every authenticated user would have unrestricted access to organizational data.
Authorization in Microsoft 365
Microsoft 365 uses authorization to control access to:
SharePoint
- Sites
- Libraries
- Files
- Folders
Microsoft Teams
- Teams
- Channels
- Meetings
Exchange Online
- Mailboxes
- Distribution groups
- Shared mailboxes
Copilot Experiences
- Documents
- Emails
- Teams conversations
- Knowledge sources
Permissions
Permissions are the primary mechanism used to implement authorization.
Permissions define what actions users can perform.
Examples include:
- Read
- Edit
- Create
- Delete
- Full Control
Different users may receive different permissions for the same resource.
Role-Based Access Control (RBAC)
Microsoft 365 uses Role-Based Access Control (RBAC) to assign permissions according to job responsibilities.
Instead of assigning permissions individually to every user, permissions are grouped into roles.
Examples include:
| Role | Purpose |
|---|---|
| Global Administrator | Manage the entire Microsoft 365 tenant |
| User Administrator | Manage user accounts |
| SharePoint Administrator | Manage SharePoint Online |
| Teams Administrator | Manage Microsoft Teams |
| Exchange Administrator | Manage Exchange Online |
RBAC simplifies administration and supports the principle of least privilege.
Least Privilege and Authorization
Authorization is the mechanism that enforces the Zero Trust principle of least privilege access.
Users should receive only the permissions necessary to perform their work.
Example:
- HR employees can access HR documents.
- Finance employees can access financial reports.
- Marketing employees cannot view payroll files.
Restricting access reduces the impact of compromised accounts.
Group-Based Authorization
Permissions are often assigned through groups rather than individual users.
Examples:
- Microsoft 365 Groups
- Security Groups
- SharePoint Groups
Benefits include:
- Easier administration
- Consistent access
- Reduced errors
- Simplified onboarding
When a user joins a group, they inherit the group’s permissions.
SharePoint Authorization
SharePoint permissions determine who can:
- View documents
- Edit content
- Upload files
- Manage sites
Common permission levels include:
| Permission Level | Capabilities |
|---|---|
| Read | View content |
| Edit | Modify content |
| Full Control | Manage settings and permissions |
A user without permission cannot access the content even if they know the file location.
Teams Authorization
Microsoft Teams uses authorization to determine:
- Team membership
- Channel access
- Meeting permissions
- App availability
For example:
- Members of a team can participate in discussions.
- Users outside the team cannot access conversations.
- Private channels restrict access to selected members.
Exchange Online Authorization
Authorization determines access to:
- Mailboxes
- Shared mailboxes
- Calendars
- Distribution groups
Example:
An executive assistant may be granted permission to manage another user's mailbox, for example Full Access to open it or Send on Behalf to send mail for that user. Each of these is a separate, explicitly granted right; opening a mailbox does not imply being able to send from it.
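The delegation described above, carried out in Exchange Online PowerShell. This is an added example, not code from the study page; the two mailbox addresses are assumptions. It grants the assistant Full Access and Send on Behalf (rather than the less traceable Send As) and then reads the permissions back so the change can be verified.

```powershell
# Added example (not from the AB-900 page): delegate an executive's mailbox to an assistant.
# Requires the ExchangeOnlineManagement module. Addresses are assumptions.
Connect-ExchangeOnline

$executive = "ceo@contoso.com"        # assumption: mailbox being delegated
$assistant = "assistant@contoso.com"  # assumption: delegate

# Full Access lets the assistant open the mailbox. AutoMapping is switched off so the
# mailbox is not silently attached to the assistant's Outlook profile.
Add-MailboxPermission -Identity $executive -User $assistant `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# Send on Behalf keeps the "on behalf of" marker on outgoing mail; Send As would hide
# who really sent it, so it is the more privileged option and is not granted here.
Set-Mailbox -Identity $executive -GrantSendOnBehalfTo @{ Add = $assistant }

# Verify: show only explicit, non-inherited grants (SELF is the owner's own entry)
Get-MailboxPermission -Identity $executive |
    Where-Object { -not $_.IsInherited -and $_.User -ne "NT AUTHORITY\SELF" } |
    Select-Object User, AccessRights

(Get-Mailbox -Identity $executive).GrantSendOnBehalfTo
```

The verification step is the part auditors care about: a regular run of `Get-MailboxPermission` across executive mailboxes is the simplest way to catch delegations that were never removed when an assistant changed roles.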
Conditional Access and Authorization
Conditional Access policies are evaluated after the user's credentials have been verified and before Microsoft Entra ID issues the token that grants access to a resource. A policy can therefore add requirements that must be satisfied before access is granted, or block access entirely.
Examples include:
- Requiring Multi-Factor Authentication (MFA)
- Blocking risky sign-ins
- Restricting access from unmanaged devices
Conditional Access combines identity and device signals (who the user is, where they are signing in from, what device they are using, how risky the sign-in looks) with the permissions the user already holds, so it sits between authentication and authorization.
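The first example in the list above (require MFA) expressed as a Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the study page; the policy name and the break-glass account address are assumptions. The policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example (not from the AB-900 page): Conditional Access policy requiring MFA for all
# users on all cloud apps, created in report-only mode. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "User.Read.All"

# Always exclude an emergency-access account so a misconfigured policy cannot lock out every admin
$breakGlass = Get-MgUser -UserId "breakglass-admin@contoso.com"   # assumption: account exists

$policy = @{
    displayName = "CA001: Require MFA for all users (report-only)"   # assumption: naming scheme
    state       = "enabledForReportingButNotEnforced"  # change to "enabled" after reviewing impact
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"      # with a single control, OR and AND behave the same
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Verify what was stored
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

The excluded break-glass account is not optional: a policy scoped to "All users" with a grant control that cannot be satisfied (for example, MFA when the MFA service is unavailable) would otherwise lock out the administrators who need to fix it.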
Administrative Roles
Administrative roles provide authorization for management tasks.
Examples:
Global Administrator
Can manage nearly every Microsoft 365 service.
Teams Administrator
Can manage Teams settings but not Exchange settings.
SharePoint Administrator
Can manage SharePoint but not user licensing.
This separation helps implement least privilege.
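A worked example of the role review that the RBAC, least privilege and administrative-role sections above describe, and of the "review permissions regularly" practice: list who holds Global Administrator, flag the list if it is larger than expected, and move one account that only manages users down to User Administrator. This is an added example using the Microsoft Graph PowerShell SDK, not code from the study page; the account address and the warning threshold are assumptions.

```powershell
# Added example (not from the AB-900 page): review Global Administrator membership and
# replace an over-broad assignment with the narrower User Administrator role.
# Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Directory.Read.All"

# 1. Who holds Global Administrator right now? (only user objects; service principals skipped)
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$gaUpns    = @($gaMembers |
    Where-Object { $_.AdditionalProperties["@odata.type"] -eq "#microsoft.graph.user" } |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] })

Write-Host "Global Administrators ($($gaUpns.Count)):"
$gaUpns

# Microsoft's guidance is to keep this role to fewer than five accounts; the threshold is an assumption.
if ($gaUpns.Count -ge 5) {
    Write-Warning "Five or more Global Administrators: review each one against least privilege."
}

# 2. An admin who only creates accounts and resets passwords belongs in User Administrator
$target  = "helpdesk.lead@contoso.com"   # assumption: account to right-size
$user    = Get-MgUser -UserId $target
$userAdm = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $userAdm.Id -DirectoryScopeId "/"   # "/" = tenant-wide scope

# 3. Only then remove the broad role. -WhatIf shows the change without applying it; drop it
#    once you have confirmed this is not the last Global Administrator or the break-glass account.
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id -DirectoryObjectId $user.Id -WhatIf
```

The order of steps matters: grant the narrower role first, confirm the person can still do their job, and remove the broad role last. Doing it the other way round produces a window in which the account has no administrative access at all.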
Authorization and Microsoft 365 Copilot
Microsoft 365 Copilot relies entirely on the authorization controls that already exist in the tenant. It runs with the identity of the user who is asking, so:
Copilot:
- Does not bypass permissions.
- Cannot expose information the user is not already permitted to access.
- Only retrieves content the user is already authorized to access through SharePoint, OneDrive, Exchange and Teams.
The practical caveat is that Copilot honors permissions exactly as they are set. Content that has been shared too broadly (for example, a site where "Everyone except external users" has read access) was already reachable through search, and Copilot makes it just as easy to find. Authorization hygiene, not Copilot, is what keeps such content restricted.
Example
Suppose:
- Alice has access to Finance documents.
- Bob does not.
If Bob asks Copilot for salary reports, Copilot cannot retrieve them because Bob lacks authorization.
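Because Copilot surfaces whatever the user can already reach, the check a practitioner wants before rolling it out is the one implied by the SharePoint Authorization section above: which sites have granted access to the tenant-wide "Everyone" or "Everyone except external users" principals? The script below, an added example using the SharePoint Online Management Shell and not code from the study page, walks every site's SharePoint groups and reports those grants. The admin URL is an assumption; the two claim prefixes are the standard login-name formats for those principals.

```powershell
# Added example (not from the AB-900 page): find SharePoint sites where "Everyone" or
# "Everyone except external users" is a member of a site group. Copilot honors these grants,
# so anything readable this way is retrievable by every user in the tenant.
# Requires Microsoft.Online.SharePoint.PowerShell.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumption: admin center URL

# Login-name prefixes of the two tenant-wide principals. The second ends in the tenant id,
# so it is matched as a prefix.
$broadClaims = @(
    "c:0(.s|true",                          # Everyone
    "c:0-.f|rolemanager|spo-grid-all-users/" # Everyone except external users
)

$findings = foreach ($site in Get-SPOSite -Limit All) {
    foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
        $broad = @($group.Users | Where-Object {
            $login = $_
            ($broadClaims | Where-Object { $login -like "$_*" }).Count -gt 0
        })
        if ($broad.Count -gt 0) {
            [pscustomobject]@{
                Site      = $site.Url
                Group     = $group.Title
                Roles     = ($group.Roles -join ", ")   # e.g. Read, Edit, Full Control
                Principal = ($broad -join ", ")
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Site | Format-Table -AutoSize
} else {
    Write-Host "No site groups grant access to Everyone / Everyone except external users."
}
```

The script only inspects site-level SharePoint groups. Direct grants on individual libraries, folders or files and "Anyone with the link" sharing are not covered by `Get-SPOSiteGroup`, so treat a clean result as a starting point for the oversharing review, not the end of it.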
Authorization in Zero Trust
Authorization supports all three Zero Trust principles:
Verify Explicitly
Access decisions consider identity and context.
Use Least Privilege Access
Users receive only necessary permissions.
Assume Breach
Limiting permissions reduces the impact of attacks.
Best Practices
Assign Roles Carefully
Avoid excessive privileges.
Use Groups Instead of Individual Permissions
Simplify management.
Follow Least Privilege
Grant only required access.
Review Permissions Regularly
Remove outdated permissions.
Use MFA and Conditional Access
Strengthen authorization decisions.
Exam Tips
Remember these key AB-900 concepts:
- Authentication verifies identity.
- Authorization determines access rights.
- Authorization occurs after authentication.
- Permissions define what users can do.
- RBAC assigns permissions through roles.
- Least privilege limits unnecessary access.
- Groups simplify permission management.
- Conditional Access can influence authorization decisions.
- Microsoft 365 Copilot respects existing permissions.
- Users cannot access resources without authorization.
Practice Exam Questions
Question 1
Which question does authorization answer?
A. Where is the data stored?
B. Which password should be used?
C. What resources is the user allowed to access?
D. Is the device encrypted?
Correct Answer: C
Explanation: Authorization determines what actions an authenticated user is permitted to perform.
Question 2
Which process occurs first in Microsoft 365?
A. Authorization
B. Authentication
C. Auditing
D. Encryption
Correct Answer: B
Explanation: Users must first prove their identity before access rights can be evaluated.
Question 3
What is the primary purpose of Role-Based Access Control (RBAC)?
A. Encrypt files automatically
B. Create mailboxes
C. Assign permissions according to job responsibilities
D. Replace authentication
Correct Answer: C
Explanation: RBAC groups permissions into roles that align with organizational responsibilities.
Question 4
Which Microsoft 365 principle is directly supported by limiting permissions to only what users need?
A. External collaboration
B. Shared responsibility
C. Multi-tenancy
D. Least privilege
Correct Answer: D
Explanation: Least privilege minimizes unnecessary access and reduces security risks.
Question 5
A user signs in successfully but cannot open a SharePoint file. What is the most likely reason?
A. Authentication failed.
B. The user lacks authorization to the file.
C. The file was encrypted.
D. The device lacks internet access.
Correct Answer: B
Explanation: Successful authentication does not guarantee permission to access resources.
Question 6
Which mechanism is commonly used to simplify authorization management?
A. Distribution lists
B. Version history
C. Group-based permissions
D. Mail flow rules
Correct Answer: C
Explanation: Assigning permissions to groups is easier and more consistent than assigning permissions individually.
Question 7
Which Microsoft 365 administrative role can manage SharePoint Online but does not automatically manage Teams or Exchange?
A. Global Administrator
B. SharePoint Administrator
C. User Administrator
D. Billing Administrator
Correct Answer: B
Explanation: SharePoint Administrators are responsible specifically for SharePoint services.
Question 8
How does Microsoft 365 Copilot use authorization?
A. It ignores permissions to improve productivity.
B. It temporarily grants access to hidden documents.
C. It bypasses SharePoint security.
D. It only retrieves information users are already authorized to access.
Correct Answer: D
Explanation: Copilot honors existing Microsoft 365 permissions and security boundaries.
Question 9
Which statement best describes authentication and authorization?
A. They are the same process.
B. Authorization occurs before authentication.
C. Authentication verifies identity, and authorization determines access.
D. Authentication controls permissions.
Correct Answer: C
Explanation: Authentication confirms who the user is, while authorization determines what they may access.
Question 10
Which Microsoft capability can require additional conditions, such as MFA, before granting access?
A. Distribution groups
B. Conditional Access
C. Version history
D. Shared mailboxes
Correct Answer: B
Explanation: Conditional Access evaluates signals and can impose additional requirements before authorization is granted.
Go to the AB-900 Exam Prep Hub main page
