Identify which Copilot features can be enabled or disabled (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Understand features and capabilities of Copilot and agents
      --> Identify which Copilot features can be enabled or disabled


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the primary responsibilities of a Microsoft 365 Copilot administrator is understanding which Copilot features can be controlled through administrative settings. Organizations often have different security, compliance, and business requirements, so Microsoft provides administrators with the ability to enable or disable various Copilot capabilities at the tenant, service, and user levels.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand:

  • Which Copilot capabilities administrators can control
  • Where these controls are configured
  • Why organizations may enable or disable specific features
  • Which capabilities are always governed by Microsoft 365 permissions rather than simple on/off settings
  • How licensing affects feature availability

Why Organizations Control Copilot Features

Organizations don’t always want every AI capability immediately available to every employee.

Common reasons include:

  • Meeting regulatory requirements
  • Protecting sensitive information
  • Conducting pilot deployments
  • Managing licensing costs
  • Limiting access to experimental features
  • Preventing users from accessing external AI services
  • Reducing organizational risk

Microsoft allows administrators to gradually introduce Copilot while maintaining governance.


Administrative Control Layers

Copilot features can be managed through several layers.

Control Layer | Purpose
Licensing | Determines who is entitled to use Copilot
Microsoft 365 Admin Center | Enables or disables Copilot services and manages user assignments
Microsoft Entra ID | Controls user and group access
Microsoft Purview | Applies compliance, DLP, retention, sensitivity labels, and governance
SharePoint Advanced Management | Controls content access and oversharing protection
Microsoft Defender | Protects against threats affecting Copilot-accessible content
Individual Microsoft 365 Apps | May provide application-specific Copilot settings

These controls work together rather than independently.


Features That Can Be Enabled or Disabled

Administrators can control several Copilot capabilities.

1. Microsoft 365 Copilot Licenses

The most fundamental control is license assignment.

Without a license:

  • Users cannot access Microsoft 365 Copilot.
  • Copilot chat within Microsoft 365 apps is unavailable.
  • AI-powered productivity experiences remain disabled.

Administrators assign or remove licenses through the Microsoft 365 Admin Center.


2. Copilot Chat Availability

Organizations can choose whether users have access to:

  • Microsoft 365 Copilot Chat
  • Enterprise data grounding
  • AI conversations within Microsoft 365

This allows phased deployments.

Example:

  • IT department enabled
  • Executive team enabled
  • Finance enabled later
  • Entire organization enabled after testing

3. Copilot in Individual Microsoft 365 Apps

Copilot experiences exist across multiple applications, including:

  • Word
  • Excel
  • PowerPoint
  • Outlook
  • Teams
  • OneNote

Organizations may decide when to introduce Copilot features within these workloads depending on readiness and licensing.


4. Intelligent Meeting Features

Some Teams AI features can be managed by administrators, including:

  • Intelligent meeting recap
  • AI-generated meeting summaries
  • Suggested action items
  • Meeting notes
  • Transcript availability

Organizations handling confidential meetings may choose to limit some AI-generated meeting experiences.


5. Plugins and Connectors

Administrators can manage:

  • Microsoft Graph connectors
  • Third-party plugins
  • Custom connectors
  • Agent access to external systems

Disabling unnecessary plugins reduces security risk.


6. Copilot Agents

Administrators can control:

  • Which agents are available
  • Who can create agents
  • Who can publish agents
  • Which departments can access specific agents

For example:

Human Resources might publish an HR Benefits Agent while Finance publishes an Expense Policy Agent.


7. Web Grounding

Some Copilot experiences include information from:

  • Microsoft Graph
  • Public web content
  • Organizational content

Organizations may configure which experiences are available depending on licensing and organizational policies.


Features That Cannot Simply Be “Turned Off”

Some Copilot behaviors are governed by Microsoft 365 security rather than feature switches.

Examples include:

Microsoft Graph Permissions

Copilot never ignores permissions.

If a user lacks permission to a file:

  • Copilot cannot retrieve it.
  • There is no setting that overrides SharePoint permissions.

SharePoint Permissions

Copilot always honors:

  • Site permissions
  • Folder permissions
  • File permissions
  • Restricted SharePoint sites

Administrators manage access by changing SharePoint permissions—not Copilot settings.


Microsoft Purview Policies

If Microsoft Purview blocks data through:

  • Sensitivity labels
  • DLP policies
  • Retention policies

Copilot follows those controls automatically.


Microsoft Defender Policies

Security policies continue protecting data regardless of Copilot.

Examples include:

  • Safe Links
  • Safe Attachments
  • Threat protection
  • Malware detection

Copilot cannot bypass Defender protections.


Enabling Copilot Through Licensing

Most Copilot functionality depends on licensing.

Typical process:

  1. Purchase licenses.
  2. Assign licenses.
  3. Configure organizational settings.
  4. Enable users or groups.
  5. Monitor adoption.
  6. Expand deployment gradually.

Removing the license immediately removes access.


Feature Rollout Strategies

Many organizations deploy Copilot in phases.

Example rollout:

Phase | Users
Pilot | IT department
Early adopters | Business champions
Department rollout | HR, Finance, Sales
Enterprise rollout | Entire organization

This minimizes disruption and allows administrators to gather feedback.
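
Because license assignment is the control that gates access during a phased rollout, it is worth checking for drift between who holds the license and who is in the pilot. The script below is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK. The group name `Copilot-Pilot` is hypothetical, and the SKU part number `Microsoft_365_Copilot` is an assumption to confirm against the output of `Get-MgSubscribedSku` in your tenant.

```powershell
# Added example: license drift check for a phased Copilot rollout.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
param(
    [string]$PilotGroupName = 'Copilot-Pilot',         # hypothetical group name
    [string]$SkuPartNumber  = 'Microsoft_365_Copilot'  # assumed; confirm in your tenant
)

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'Organization.Read.All'

# Resolve the license SKU by part number instead of hard-coding a GUID.
$sku = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU '$SkuPartNumber' is not present in this tenant." }

# Every user holding the license, whether assigned directly or through a group.
$licensed = @(Get-MgUser -All -ConsistencyLevel eventual -CountVariable licensedCount `
    -Filter "assignedLicenses/any(s:s/skuId eq $($sku.SkuId))" `
    -Property Id, UserPrincipalName)

# Pilot group membership, including members of nested groups.
$group = @(Get-MgGroup -Filter "displayName eq '$PilotGroupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$PilotGroupName'." }
$members = @(Get-MgGroupTransitiveMember -GroupId $group[0].Id -All)
$pilotUsers = @($members | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user'
})

# Licensed but outside the pilot: access the rollout plan did not intend.
$outsidePilot = @($licensed | Where-Object { $_.Id -notin $pilotUsers.Id })

# In the pilot but unlicensed: intended users who cannot use Copilot yet.
$unlicensedPilot = @($pilotUsers | Where-Object { $_.Id -notin $licensed.Id })

[pscustomobject]@{
    LicensedUsers       = $licensed.Count
    PilotUsers          = $pilotUsers.Count
    LicensedOutside     = $outsidePilot.UserPrincipalName
    PilotWithoutLicense = $unlicensedPilot |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}
```

An empty `LicensedOutside` list means license assignment matches the pilot scope; any names that appear there are the accounts to review before the next rollout phase.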


Feature Controls for Copilot Agents

Agent administrators can typically control:

  • Agent publishing
  • Agent availability
  • Knowledge sources
  • Connector permissions
  • Agent sharing
  • Agent lifecycle
  • Agent retirement

These settings help prevent unauthorized AI experiences.


Managing Experimental Features

Microsoft periodically releases:

  • Preview capabilities
  • Experimental AI experiences
  • Early-access functionality

Organizations can often choose whether these features are available.

Many enterprises disable preview features until internal testing is complete.


Monitoring Enabled Features

Administrators should monitor:

  • License assignments
  • Usage reports
  • Adoption metrics
  • Agent activity
  • Security alerts
  • Compliance reports
  • AI interactions (where supported)

Monitoring helps determine whether enabled features are providing value while remaining compliant.


Best Practices

Microsoft recommends:

  • Start with a pilot group.
  • Assign licenses only to intended users.
  • Review SharePoint permissions before deployment.
  • Apply Microsoft Purview protection policies first.
  • Enable only required plugins.
  • Monitor adoption regularly.
  • Review security settings before enabling new AI capabilities.
  • Use least-privilege access.
  • Periodically review agent permissions.
  • Train users before broad rollout.

Exam Tips

For the AB-900 exam, remember these key points:

  • Licensing is the primary method of enabling Microsoft 365 Copilot.
  • Administrators can enable or disable access for users and groups.
  • Copilot always respects Microsoft Graph permissions.
  • Microsoft Purview protections continue to apply to Copilot.
  • SharePoint permissions cannot be bypassed by Copilot.
  • Administrators can manage plugins, connectors, and agents.
  • Many organizations use phased deployments.
  • Security and governance controls remain in effect regardless of Copilot features.

10 Practice Exam Questions

Question 1

What is the primary requirement for a user to access Microsoft 365 Copilot?

A. Membership in the Global Readers group

B. Assignment of an appropriate Microsoft 365 Copilot license

C. Creation of a Copilot agent

D. A Microsoft Teams Premium license

Correct Answer: B

Explanation: A Microsoft 365 Copilot license is required before users can access Copilot experiences.


Question 2

An administrator wants to introduce Copilot to only the IT department before rolling it out company-wide. What is the recommended approach?

A. Disable Microsoft Graph

B. Remove SharePoint permissions

C. Assign Copilot licenses only to the IT department

D. Create separate Microsoft 365 tenants

Correct Answer: C

Explanation: Administrators commonly pilot Copilot by assigning licenses only to selected users or groups.


Question 3

Which security principle does Microsoft 365 Copilot always follow?

A. It ignores file permissions for administrators.

B. It grants temporary access to files during conversations.

C. It respects existing Microsoft Graph and Microsoft 365 permissions.

D. It automatically shares documents across departments.

Correct Answer: C

Explanation: Copilot only accesses content the user already has permission to view.


Question 4

Which capability can administrators commonly control?

A. Whether users can access Copilot agents

B. Whether Copilot can ignore sensitivity labels

C. Whether Microsoft Graph indexes SharePoint

D. Whether SharePoint stores documents

Correct Answer: A

Explanation: Administrators can manage agent availability, publication, and access permissions.


Question 5

What happens if a user’s Microsoft 365 Copilot license is removed?

A. Existing AI conversations become public.

B. SharePoint permissions are deleted.

C. Copilot access is removed from that user.

D. Microsoft Graph stops indexing organizational content.

Correct Answer: C

Explanation: Removing the Copilot license removes the user’s entitlement to Copilot services.


Question 6

Which Microsoft technology automatically continues enforcing sensitivity labels when users work with Copilot?

A. Microsoft Defender for Endpoint

B. Microsoft Purview

C. Microsoft Intune

D. Microsoft Planner

Correct Answer: B

Explanation: Microsoft Purview applies data protection controls, including sensitivity labels, regardless of whether Copilot is used.


Question 7

Why might an organization disable certain Copilot plugins?

A. To reduce security risks from unnecessary external integrations

B. To increase Microsoft Graph indexing speed

C. To improve Outlook mailbox quotas

D. To eliminate SharePoint storage limits

Correct Answer: A

Explanation: Limiting plugins reduces the organization’s attack surface and helps maintain governance.


Question 8

Which feature continues protecting documents even after Copilot is enabled?

A. Microsoft Graph indexing

B. Microsoft Purview DLP policies

C. Copilot prompts

D. AI-generated summaries

Correct Answer: B

Explanation: Data Loss Prevention policies remain fully enforced when Copilot accesses organizational data.


Question 9

What is a common best practice when deploying Microsoft 365 Copilot?

A. Enable every Copilot feature for all employees immediately.

B. Remove SharePoint permissions before deployment.

C. Begin with a pilot deployment and expand gradually.

D. Disable Microsoft Purview during rollout.

Correct Answer: C

Explanation: A phased rollout allows administrators to validate security, governance, and user adoption before organization-wide deployment.


Question 10

Which statement about SharePoint permissions and Copilot is correct?

A. Copilot can temporarily bypass SharePoint permissions.

B. Copilot automatically grants access to related files.

C. Administrators can disable SharePoint permissions while keeping Copilot enabled.

D. Copilot only accesses SharePoint content the user is already authorized to view.

Correct Answer: D

Explanation: Copilot always honors existing SharePoint permissions and cannot access content beyond the user’s authorized access.

