Category: AI Governance

Monitor agents, including usage, operational insights, and agent lifecycle, by working with the Microsoft 365 Admin Center and the Microsoft Power Platform Admin Center (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Perform basic administrative tasks for agents
      --> Monitor agents, including usage, operational insights, and agent lifecycle, by working with the Microsoft 365 Admin Center and the Microsoft Power Platform Admin Center


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As organizations deploy more Microsoft 365 Copilot agents, effective administration extends beyond simply creating and publishing them. Administrators must continuously monitor agent usage, operational health, adoption, security, and lifecycle to ensure that agents continue to provide business value while meeting organizational governance and compliance requirements.

Microsoft provides two primary administrative portals for monitoring and managing agents:

  • Microsoft 365 admin center
  • Microsoft Power Platform admin center

Each portal serves a different purpose. The Microsoft 365 admin center focuses on Microsoft 365 services, Copilot adoption, licensing, and organizational administration, while the Power Platform admin center focuses on environments, Copilot Studio, Power Platform resources, and operational management of custom agents.

For the AB-900 exam, you should understand which portal is used for which administrative tasks, the types of monitoring information available, and the basic lifecycle of an agent.


Why Monitoring Agents Is Important

Monitoring helps administrators answer questions such as:

  • Are users actually using the agent?
  • Is the agent providing business value?
  • Are there operational issues?
  • Is adoption increasing?
  • Are users encountering errors?
  • Should the agent be updated or retired?
  • Are governance policies being followed?

Without monitoring, organizations cannot determine whether their AI investments are successful.


Administrative Portals

Microsoft 365 Admin Center

The Microsoft 365 admin center provides organization-wide administration for Microsoft 365 services, including Copilot.

Administrators commonly use it to:

  • View Copilot adoption
  • Monitor Copilot usage
  • Assign licenses
  • Manage users
  • Manage billing
  • View service health
  • Review reports
  • Monitor tenant-wide administration

It provides a business-level view of how Microsoft 365 Copilot is being used across the organization.


Microsoft Power Platform Admin Center

The Power Platform admin center focuses on the operational management of Power Platform resources, including custom agents created with Copilot Studio.

Administrators use it to:

  • Manage environments
  • Monitor agent health
  • Manage Dataverse resources
  • Review capacity
  • Configure security
  • Manage connectors
  • Review operational information
  • Manage Power Platform policies

It provides technical administration for custom AI solutions.


Monitoring Agent Usage

Usage monitoring helps organizations understand adoption.

Common usage metrics include:

  • Number of users
  • Active users
  • Conversations
  • Sessions
  • Frequency of use
  • Popular agents
  • Usage trends over time

These metrics help determine whether users are benefiting from the deployed agents.


Usage Scenarios

An administrator might monitor:

  • Daily active users
  • Weekly adoption growth
  • Monthly conversation counts
  • Frequently used agents
  • Least-used agents

Low adoption may indicate:

  • Lack of awareness
  • Poor training
  • Limited usefulness
  • Difficult user experience

Operational Insights

Operational insights help administrators understand how agents are performing.

Examples include:

  • Agent availability
  • Service status
  • Response success
  • Failed requests
  • Processing errors
  • Environment health
  • Connector status
  • Workflow execution

Operational monitoring focuses on technical performance rather than business adoption.


Examples of Operational Issues

Administrators may investigate:

  • Failed API connections
  • Broken Power Automate flows
  • Authentication failures
  • Connector problems
  • Environment capacity limits
  • Dataverse issues

Identifying these issues early minimizes disruption for users.


Monitoring Agent Lifecycle

Every agent follows a lifecycle from creation to retirement.

Typical lifecycle stages include:

  1. Planning
  2. Design
  3. Development
  4. Testing
  5. Approval
  6. Publishing
  7. Monitoring
  8. Updating
  9. Republishing
  10. Retirement

Administrators monitor agents throughout this lifecycle.


Lifecycle Management Activities

During an agent’s lifecycle, administrators may:

  • Update instructions
  • Improve prompts
  • Add new knowledge sources
  • Remove outdated content
  • Modify connectors
  • Improve security
  • Publish new versions
  • Disable obsolete agents
  • Archive retired agents

Lifecycle management is an ongoing process rather than a one-time task.


Adoption Monitoring

One important responsibility is measuring adoption.

Organizations often monitor:

  • Licensed users
  • Active users
  • Usage growth
  • Conversation volume
  • Department adoption
  • Business impact

High adoption generally indicates that users find the agent valuable.


Performance Monitoring

Performance monitoring focuses on the quality of the user experience.

Administrators may evaluate:

  • Response times
  • Reliability
  • Availability
  • Error rates
  • Successful interactions
  • Failed interactions

Consistent performance builds user confidence in AI solutions.


Security Monitoring

Monitoring also includes security.

Administrators watch for:

  • Unauthorized access
  • Permission issues
  • Authentication failures
  • Suspicious activity
  • Compliance alerts
  • Data access concerns

Security monitoring helps ensure that agents continue to comply with organizational policies.


Governance Monitoring

Governance activities include monitoring:

  • Approved agents
  • Published agents
  • Ownership
  • Data sources
  • Permissions
  • Connector usage
  • Compliance policies

Organizations should periodically review whether agents still meet governance requirements.


Environment Monitoring

The Power Platform admin center allows administrators to monitor environments that host agents.

Typical information includes:

  • Environment health
  • Capacity usage
  • Storage
  • Dataverse utilization
  • Resource allocation

Healthy environments help ensure reliable agent performance.


Monitoring Connectors

Many agents rely on connectors to access business systems.

Administrators may monitor:

  • Connector availability
  • Authentication status
  • Connection errors
  • Connector permissions
  • External system connectivity

Problems with connectors often result in incomplete or failed agent responses.


Monitoring User Feedback

Organizations should also gather user feedback.

Useful indicators include:

  • User satisfaction
  • Reported issues
  • Feature requests
  • Accuracy concerns
  • Suggested improvements

Feedback helps guide future improvements to the agent.


Retirement of Agents

Not every agent remains useful forever.

Administrators may retire agents when:

  • Business needs change.
  • New agents replace older versions.
  • Information becomes outdated.
  • Security risks increase.
  • Adoption declines significantly.

Retired agents should be archived or removed according to organizational governance policies.


Best Practices

Organizations should:

  • Monitor usage regularly.
  • Review adoption reports.
  • Monitor operational health.
  • Investigate errors promptly.
  • Review security frequently.
  • Track lifecycle status.
  • Keep documentation current.
  • Update agents regularly.
  • Remove obsolete agents.
  • Use both Microsoft 365 and Power Platform administration tools appropriately.

Microsoft 365 Admin Center vs. Power Platform Admin Center

| Microsoft 365 Admin Center | Power Platform Admin Center |
| --- | --- |
| User administration | Environment administration |
| License management | Dataverse management |
| Copilot adoption | Agent operations |
| Usage reporting | Environment health |
| Billing | Connector management |
| Service health | Capacity monitoring |
| Organization-wide administration | Power Platform governance |
| Copilot reports | Operational insights |

Exam Tips

For the AB-900 exam, remember these key points:

  • The Microsoft 365 admin center focuses on Microsoft 365 administration, licensing, Copilot usage, adoption, and organizational reporting.
  • The Power Platform admin center focuses on operational management of custom agents, environments, connectors, Dataverse, and Power Platform resources.
  • Usage monitoring measures adoption and business value.
  • Operational insights focus on technical health and performance.
  • Agents should be monitored throughout their entire lifecycle.
  • Administrators should regularly review performance, governance, and security after an agent is deployed.

Practice Exam Questions

Question 1

Which administrative portal is primarily used to monitor Microsoft 365 Copilot adoption and licensing?

A. Microsoft 365 admin center

B. Microsoft Defender portal

C. Azure Portal

D. Microsoft Purview portal

Answer: A

Explanation: The Microsoft 365 admin center provides organization-wide administration, including Copilot licensing, adoption reports, and usage monitoring.


Question 2

What is the primary purpose of monitoring agent usage?

A. To increase internet bandwidth

B. To determine adoption and business value

C. To install software updates

D. To configure SharePoint permissions

Answer: B

Explanation: Usage metrics help organizations understand whether agents are delivering value and being actively used.


Question 3

Which portal is primarily responsible for monitoring environments, connectors, and Dataverse resources for custom agents?

A. Microsoft Entra admin center

B. Microsoft Purview portal

C. Microsoft Power Platform admin center

D. Exchange admin center

Answer: C

Explanation: The Power Platform admin center manages environments, Dataverse, connectors, capacity, and operational aspects of custom agents.


Question 4

Which metric best represents agent adoption?

A. CPU utilization

B. Network latency

C. Number of active users

D. Available storage space

Answer: C

Explanation: Active users are a key indicator of how widely an agent is being adopted.


Question 5

Which activity is part of an agent’s lifecycle after publication?

A. Ongoing monitoring and updates

B. Automatic deletion

C. Disabling Microsoft 365

D. Removing all connectors

Answer: A

Explanation: Administrators continuously monitor, update, and improve agents after they are deployed.


Question 6

Which of the following is considered an operational insight?

A. Number of licensed users

B. Employee vacation requests

C. Failed connector authentication

D. SharePoint storage quota purchase

Answer: C

Explanation: Operational insights include technical issues such as connector failures, authentication problems, and service errors.


Question 7

Why should administrators monitor agent performance?

A. To increase hardware prices

B. To ensure reliable responses and a positive user experience

C. To disable audit logs

D. To reduce Microsoft 365 storage

Answer: B

Explanation: Performance monitoring helps ensure agents remain reliable, responsive, and useful.


Question 8

Which administrative activity helps identify agents that are no longer providing business value?

A. Monitoring adoption trends

B. Updating Windows drivers

C. Installing Office applications

D. Configuring printers

Answer: A

Explanation: Declining adoption trends may indicate that an agent should be improved or retired.


Question 9

What should administrators monitor to help identify security concerns related to agents?

A. Desktop wallpaper settings

B. Keyboard layouts

C. Unauthorized access attempts and permission issues

D. Browser home pages

Answer: C

Explanation: Monitoring permissions, authentication failures, and unauthorized access helps maintain security.


Question 10

Which statement best describes the relationship between the Microsoft 365 admin center and the Microsoft Power Platform admin center?

A. Both portals perform exactly the same administrative functions.

B. The Microsoft 365 admin center is used only for Exchange Online.

C. The Power Platform admin center replaces the Microsoft 365 admin center for all administration.

D. The Microsoft 365 admin center focuses on organizational Microsoft 365 administration and Copilot usage, while the Power Platform admin center focuses on environments and operational management of custom agents.

Answer: D

Explanation: The two portals complement one another. The Microsoft 365 admin center provides tenant-wide administration, licensing, and adoption reporting, while the Power Platform admin center provides operational management of environments, connectors, Dataverse resources, and custom agents built with Copilot Studio.



Understand the approval process for agents (AB-900 Exam Prep)


Introduction

As organizations increasingly adopt Microsoft 365 Copilot and AI-powered agents, governance becomes just as important as functionality. Without proper oversight, users could inadvertently create agents that expose sensitive information, perform unintended actions, or fail to comply with organizational policies.

For this reason, Microsoft provides an approval process that enables organizations to review, validate, and govern agents before they are made available to users. While the exact approval workflow depends on the type of agent, the organization’s governance policies, and the deployment platform (such as Microsoft Copilot Studio), administrators should understand how approval processes help ensure that agents are secure, compliant, and aligned with business requirements.

For the AB-900 exam, you are not expected to know every detailed configuration step, but you should understand why approvals exist, when they are required, who participates in the approval process, and what happens before and after an agent is approved.


Why Agent Approval is Important

Unlike general-purpose Microsoft 365 Copilot experiences, custom agents often:

  • Access organizational knowledge
  • Connect to business systems
  • Trigger automated workflows
  • Perform business-specific tasks
  • Use sensitive organizational data

Because of these capabilities, organizations typically require an approval process before an agent is published to production.

Approval helps ensure that:

  • The agent performs its intended function.
  • Security requirements are met.
  • Compliance policies are followed.
  • Data access is appropriate.
  • Users receive a trustworthy AI experience.

Goals of the Approval Process

An effective approval process helps organizations:

  • Reduce security risks
  • Prevent accidental oversharing
  • Ensure regulatory compliance
  • Improve quality of AI responses
  • Validate business usefulness
  • Maintain organizational standards
  • Establish accountability

Typical Agent Lifecycle

A simplified lifecycle includes:

  1. Design
  2. Build
  3. Configure
  4. Test
  5. Review
  6. Approve
  7. Publish
  8. Monitor
  9. Update
  10. Retire

Approval occurs after testing but before broad deployment.


Typical Approval Workflow

Although every organization may customize the workflow, the process generally follows these steps.

Step 1: Agent Creation

A developer or business user creates the agent.

They configure:

  • Instructions
  • Knowledge sources
  • Actions
  • Connectors
  • Conversation flow

Step 2: Initial Testing

Before requesting approval, the creator tests the agent.

Typical testing includes:

  • Prompt accuracy
  • Correct responses
  • Hallucination reduction
  • Data grounding
  • Error handling
  • Business logic

Step 3: Security Review

Security administrators verify that:

  • Permissions are appropriate.
  • Data sources are approved.
  • Authentication is configured correctly.
  • Sensitive information is protected.
  • Least-privilege access is maintained.

Step 4: Compliance Review

Compliance teams evaluate whether the agent aligns with organizational governance policies.

Areas reviewed include:

  • Data Loss Prevention (DLP)
  • Sensitivity labels
  • Microsoft Purview policies
  • Data retention
  • Regulatory requirements
  • Audit logging

Step 5: Business Review

Business owners determine whether:

  • The agent solves the intended problem.
  • Responses are accurate.
  • Business terminology is correct.
  • Processes are followed correctly.
  • Users will benefit from the solution.

Step 6: Approval

Once reviews are complete, the designated approver authorizes publication.

Only approved agents should become available to end users.


Step 7: Publishing

After approval, the agent can be:

  • Published
  • Assigned to users
  • Shared with groups
  • Made available in Microsoft Teams
  • Integrated into Microsoft 365 Copilot

Who May Participate in the Approval Process?

Several roles may be involved depending on the organization.

Agent Creator

Responsible for:

  • Designing the agent
  • Testing functionality
  • Fixing issues
  • Submitting for review

Business Owner

Responsible for:

  • Verifying business value
  • Confirming correct business logic
  • Approving organizational use

IT Administrator

Responsible for:

  • Platform administration
  • Environment configuration
  • Deployment
  • User access

Security Administrator

Responsible for:

  • Permission validation
  • Identity verification
  • Connector review
  • Security assessment

Compliance Administrator

Responsible for:

  • Governance policies
  • Data protection
  • Microsoft Purview compliance
  • Regulatory alignment

What is Reviewed During Approval?

Reviewers typically examine:

Purpose

Does the agent solve a legitimate business problem?


Instructions

Are system instructions clear?

Do they prevent inappropriate behavior?


Knowledge Sources

Are approved sources used?

Examples include:

  • SharePoint
  • Microsoft Graph
  • Dataverse
  • Internal documentation

Actions

Can the agent:

  • Send emails?
  • Update records?
  • Trigger workflows?
  • Access external systems?

Higher-risk actions usually require more careful review.


Permissions

Does the agent only access information users are already authorized to see?

Microsoft 365 security trimming should remain intact.


Connectors

Reviewers verify that external connectors:

  • Are trusted
  • Are approved
  • Meet organizational policies

Privacy

Organizations verify that:

  • Personal data is protected.
  • Confidential information is handled appropriately.
  • AI responses do not expose sensitive content.

Governance During Approval

Agent approval is part of broader AI governance.

Organizations often require:

  • Data classification
  • Sensitivity labels
  • DLP policies
  • Audit logs
  • Risk assessments
  • Periodic reviews

These controls help ensure responsible AI deployment.


Approval vs Publishing

These concepts are different.

Approval means the organization authorizes the agent for deployment.

Publishing makes the approved agent available to users.

An approved agent is not necessarily published immediately.

Likewise, a draft agent cannot be published without completing required approvals (if organizational policies require them).


What Happens After Approval?

Approval is not the end of governance.

Administrators continue to monitor:

  • Usage
  • Adoption
  • Errors
  • User feedback
  • Performance
  • Security events
  • Compliance alerts

Agents may later be:

  • Updated
  • Republished
  • Disabled
  • Archived
  • Deleted

Best Practices

Organizations should:

  • Define a formal approval workflow.
  • Require business ownership.
  • Review data access carefully.
  • Test before publishing.
  • Limit permissions using least privilege.
  • Monitor production usage.
  • Periodically review existing agents.
  • Remove unused or outdated agents.
  • Maintain documentation for governance and auditing.

Exam Tips

For the AB-900 exam, remember these key points:

  • Approval helps ensure agents are secure, compliant, and useful before deployment.
  • Multiple stakeholders—including creators, business owners, IT administrators, security administrators, and compliance administrators—may participate in the approval process.
  • Testing occurs before approval.
  • Publishing occurs after approval.
  • Organizations can customize approval workflows based on governance requirements.
  • Security, permissions, data access, compliance, and business value are common review areas.
  • Agent governance continues after publication through ongoing monitoring and management.

Practice Exam Questions

Question 1

Why do organizations typically require an approval process before publishing custom agents?

A. To reduce deployment speed

B. To ensure the agent meets security, compliance, and business requirements

C. To prevent Microsoft 365 licensing

D. To disable Microsoft Graph access

Answer: B

Explanation: Approval ensures agents are reviewed for security, compliance, data access, and business value before being made available to users.


Question 2

Which activity normally occurs immediately before an agent is submitted for approval?

A. Assigning licenses

B. Deleting old agents

C. Testing the agent

D. Archiving the environment

Answer: C

Explanation: Creators typically validate the agent through testing before requesting formal approval.


Question 3

Which team is primarily responsible for reviewing whether an agent complies with data governance requirements?

A. Marketing

B. Finance

C. Human Resources

D. Compliance administrators

Answer: D

Explanation: Compliance administrators review governance policies, regulatory requirements, data protection, and Microsoft Purview controls.


Question 4

Which aspect is most likely reviewed during an agent approval process?

A. The color theme of Microsoft Teams

B. The Windows desktop wallpaper

C. The user’s internet browser

D. The agent’s permissions and data sources

Answer: D

Explanation: Reviewers verify that permissions and knowledge sources comply with organizational security policies.


Question 5

What is the primary purpose of reviewing an agent’s knowledge sources?

A. To increase processor speed

B. To ensure the agent uses approved organizational information

C. To update Windows

D. To install Microsoft Office

Answer: B

Explanation: Approved knowledge sources help ensure accurate responses while protecting sensitive information.


Question 6

Which statement correctly describes approval and publishing?

A. Publishing always occurs before approval.

B. Approval and publishing are identical.

C. Approval authorizes deployment, while publishing makes the agent available to users.

D. Approval permanently locks the agent.

Answer: C

Explanation: Approval authorizes the agent for release, while publishing distributes it to its intended audience.


Question 7

Who is primarily responsible for confirming that an agent solves the intended business problem?

A. Business owner

B. Printer administrator

C. Network technician

D. Database operator

Answer: A

Explanation: Business owners validate that the agent provides value and meets organizational objectives.


Question 8

Which security principle should agents follow when accessing organizational information?

A. Unlimited access

B. Anonymous authentication

C. Guest-only permissions

D. Least privilege

Answer: D

Explanation: Agents should only access the information necessary for their intended function, following the principle of least privilege.


Question 9

After an agent has been approved and published, what should administrators continue to do?

A. Disable audit logging

B. Ignore user feedback

C. Monitor usage, performance, and compliance

D. Remove all permissions

Answer: C

Explanation: Ongoing monitoring helps ensure the agent remains secure, compliant, and effective as business needs evolve.


Question 10

Which statement best describes organizational approval workflows for agents?

A. Every Microsoft 365 tenant uses the exact same approval process.

B. Approval is optional for all organizations.

C. Approval workflows are fixed and cannot be customized.

D. Organizations can customize approval workflows to meet their governance requirements.

Answer: D

Explanation: Microsoft provides flexible governance capabilities, allowing organizations to implement approval workflows that align with their security, compliance, and operational policies.



Identify how to configure user access to agents (AB-900 Exam Prep)


Introduction

In Microsoft 365 Copilot, agents are specialized AI assistants designed to perform focused tasks such as answering domain-specific questions, retrieving organizational knowledge, or executing workflows. Because agents can access organizational data and systems, controlling who can use them and under what conditions is a critical administrative responsibility.

Configuring user access ensures that the right users can interact with the right agents while maintaining security, compliance, and least-privilege principles.


1. What “agent access” means

User access to agents determines:

  • Which users can discover an agent
  • Which users can interact with or run an agent
  • Whether an agent is available organization-wide or restricted to specific groups
  • Whether external or guest users can use agents (if allowed)

Access is typically controlled through a combination of:

  • Microsoft 365 identity and access controls
  • Entra ID (Azure AD) group membership
  • Copilot and agent-specific policies

2. Key methods to configure access to agents

A. Assigning access via Microsoft Entra ID groups

One of the most common approaches is group-based access control.

Administrators can:

  • Assign an agent to specific security groups or Microsoft 365 groups
  • Restrict usage to departments (e.g., HR, Finance, IT)
  • Manage access at scale without assigning users individually

Benefits:

  • Scalable management
  • Easier onboarding/offboarding
  • Centralized governance

B. Tenant-wide vs scoped availability

Agents can be configured as:

1. Tenant-wide agents

  • Available to all licensed users in the organization
  • Used for general productivity scenarios (e.g., company policy assistant)

2. Scoped agents

  • Limited to specific users or groups
  • Used for sensitive or department-specific data (e.g., HR policy agent)

C. Role-based access control (RBAC)

Some agent administration actions require specific roles in Microsoft 365 or Entra ID:

  • Global Administrator
  • AI Administrator / Copilot Administrator
  • Service-specific admin roles

RBAC ensures:

  • Only authorized admins can publish or modify agents
  • The agent deployment lifecycle stays under governance

D. Conditional Access policies

Conditional Access can indirectly control agent usage by enforcing:

  • Device compliance requirements
  • Multi-factor authentication (MFA)
  • Location-based restrictions
  • Risk-based sign-in rules

This ensures that even if a user has access to an agent, they must meet security requirements before using it.


E. Application and permission scopes

Agents may require access to:

  • Microsoft 365 data (SharePoint, Outlook, Teams)
  • External connectors or APIs
  • Graph permissions

Administrators control:

  • What data the agent can access
  • Whether consent is required
  • Whether permissions are user-delegated or app-level

3. Lifecycle considerations for agent access

Provisioning

  • Define target audience (group or tenant-wide)
  • Assign initial permissions
  • Validate compliance requirements

Modification

  • Update group membership to change access
  • Adjust policies as organizational needs evolve

Deprovisioning

  • Remove users or groups when no longer needed
  • Disable or retire the agent if required
  • Ensure data access is revoked appropriately

4. Governance best practices

To securely manage agent access:

  • Use least-privilege access (only the necessary users/groups)
  • Prefer group-based assignment over individual assignment
  • Regularly review agent usage and permissions
  • Restrict sensitive agents to controlled departments
  • Monitor access logs for unusual activity
  • Align with Microsoft Purview policies where applicable

5. Common use cases

  • HR agent accessible only to HR staff
  • IT helpdesk agent available to all employees
  • Finance reporting agent restricted to finance team
  • Executive summary agent limited to leadership group

6. Key exam takeaway

For AB-900, remember:

  • Agent access is primarily controlled through Entra ID groups, roles, and policies
  • Access can be tenant-wide or scoped
  • Security is enforced through RBAC and Conditional Access
  • Governance ensures agents are only available to the appropriate users

Practice Exam Questions (10)

1.

What is the most common method used to manage user access to Microsoft 365 agents at scale?

A. Individual user assignment
B. Local device policies
C. Entra ID group-based assignment
D. DNS configuration

Answer: C
Explanation: Entra ID group-based assignment is the scalable and recommended way to manage agent access.


2.

Which configuration limits an agent to only HR department users?

A. Tenant-wide publishing
B. Scoped group assignment
C. Public sharing link
D. Guest user activation

Answer: B
Explanation: Scoped assignment using groups restricts access to specific departments like HR.


3.

Which role is typically required to manage Copilot or agent deployment settings?

A. SharePoint Site Owner
B. Global Administrator
C. Teams Guest User
D. Exchange Recipient User

Answer: B
Explanation: Global Administrators (or similar privileged roles) manage high-level agent deployment settings.


4.

What is the purpose of Conditional Access in relation to agent usage?

A. To increase storage capacity
B. To control data indexing speed
C. To enforce security requirements before access
D. To create new agents automatically

Answer: C
Explanation: Conditional Access ensures users meet security conditions like MFA or device compliance.


5.

What happens when a user is removed from an Entra ID group assigned to an agent?

A. They retain permanent access
B. Their access is automatically revoked
C. The agent is deleted
D. The entire tenant loses access

Answer: B
Explanation: Group membership changes immediately affect access to assigned resources, including agents.


6.

Which access model makes an agent available to all licensed users in a tenant?

A. Scoped access
B. Tenant-wide access
C. External sharing mode
D. Device-based access

Answer: B
Explanation: Tenant-wide access allows all licensed users to use the agent.


7.

Which control helps restrict what data an agent can access?

A. Network firewall rules
B. Permission scopes and Graph permissions
C. Printer access policies
D. Windows registry settings

Answer: B
Explanation: Permission scopes define what data and services an agent can access.


8.

What is a key benefit of using group-based access for agents?

A. It disables auditing
B. It simplifies scalable management
C. It removes the need for authentication
D. It bypasses licensing requirements

Answer: B
Explanation: Group-based access simplifies administration, especially in large organizations.


9.

Which scenario best describes proper agent governance?

A. All users can create unrestricted agents
B. Agents are available without authentication
C. Sensitive agents are limited to specific departments
D. Agents bypass compliance policies

Answer: C
Explanation: Sensitive agents should be restricted to appropriate departments for security and compliance.


10.

What is a recommended best practice when configuring access to agents?

A. Assign access individually to each user
B. Use least privilege access principles
C. Allow anonymous access by default
D. Disable group usage entirely

Answer: B
Explanation: Least privilege ensures users only get the access they need, improving security and governance.



Manage prompts, in Microsoft Copilot, including saving, sharing, scheduling, and deleting (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Perform basic administrative tasks for Copilot
      --> Manage prompts, in Microsoft Copilot, including saving, sharing, scheduling, and deleting



Introduction

Microsoft 365 Copilot allows users to create and reuse prompts to streamline repetitive work such as drafting emails, summarizing documents, generating reports, or analyzing data. From an administrative perspective, understanding how prompts are managed is important for governance, productivity, and consistency across an organization.

Prompts can be treated as reusable productivity assets that users can store, distribute, and manage over time—especially when Copilot is used at scale across Microsoft 365 apps.


1. What are Copilot prompts?

A Copilot prompt is a natural language instruction given to Copilot to generate output. For example:

  • “Summarize this meeting in five bullet points.”
  • “Draft a project update email for stakeholders.”
  • “Analyze this Excel dataset and highlight trends.”

Prompts can be:

  • One-time (ad hoc usage)
  • Saved for reuse
  • Shared across users or teams
  • Scheduled for recurring execution (in supported scenarios)

2. Saving prompts

Saving prompts allows users to reuse effective instructions without rewriting them.

Key characteristics:

  • Stored in a user-accessible prompt library or prompt experience
  • Can be reused across Microsoft 365 apps (Word, Teams, Outlook, etc.)
  • Helps standardize repetitive business tasks

Benefits:

  • Increases productivity
  • Encourages consistent output formatting
  • Reduces time spent recreating complex prompts

Example:

A finance analyst saves a prompt:

“Summarize quarterly revenue performance and highlight anomalies.”


3. Sharing prompts

Prompts can be shared with other users or teams to promote consistency.

Sharing capabilities include:

  • Sharing with individuals or groups
  • Embedding prompts into team workflows
  • Distributing best-practice prompts across departments

Use cases:

  • Standard HR onboarding email drafts
  • Sales proposal templates
  • IT troubleshooting responses

Governance consideration:

Shared prompts should align with organizational policies to avoid:

  • Exposure of sensitive instructions
  • Use of non-compliant content templates

4. Scheduling prompts

Scheduling allows prompts to run at defined intervals or when trigger conditions are met (depending on Copilot capabilities and integration context).

Examples of scheduled prompt usage:

  • Daily summary of emails in Outlook
  • Weekly project status report generation
  • Regular data analysis summaries in Excel

Benefits:

  • Automates repetitive reporting tasks
  • Ensures timely information delivery
  • Reduces manual effort

Important note:

Scheduling capabilities may depend on:

  • Copilot-enabled workflows
  • Microsoft 365 integrations (Power Automate or agent-based automation)

5. Deleting prompts

Prompts can be deleted when they are no longer needed or are outdated.

Reasons for deletion:

  • Prompt is obsolete or inaccurate
  • Organizational standards have changed
  • Security or compliance concerns
  • User no longer needs the prompt

Administrative considerations:

  • Deleted prompts may not be recoverable depending on retention policies
  • Enterprises may enforce governance policies around prompt lifecycle management

6. Administrative and governance considerations

When managing prompts at scale, administrators should consider:

Security

  • Prevent sharing of sensitive prompts containing confidential logic
  • Ensure prompts do not encourage data leakage

Compliance

  • Align prompt usage with Microsoft Purview policies
  • Ensure prompts do not bypass organizational controls

Lifecycle management

  • Define rules for retention, reuse, and deletion
  • Standardize prompt libraries for departments

User enablement

  • Provide curated prompt libraries
  • Encourage adoption of approved prompt templates

7. Key exam takeaway

For AB-900, focus on the fact that Copilot prompt management includes:

  • Saving prompts for reuse
  • Sharing prompts across users or teams
  • Scheduling prompts for recurring tasks (where supported)
  • Deleting prompts for governance and lifecycle control

These capabilities support productivity while requiring governance oversight in enterprise environments.


Practice Exam Questions (10)

1.

What is the primary benefit of saving Copilot prompts?

A. It increases network bandwidth usage
B. It allows reuse of effective instructions
C. It disables prompt security controls
D. It deletes old conversations automatically

Answer: B
Explanation: Saving prompts enables reuse of effective instructions, improving productivity and consistency.


2.

An organization wants to standardize email drafts across departments. Which feature supports this goal?

A. Prompt deletion
B. Prompt sharing
C. Device enrollment
D. Data loss prevention

Answer: B
Explanation: Sharing prompts allows standardized templates and instructions to be distributed across teams.


3.

Which scenario best represents a scheduled Copilot prompt?

A. A one-time email draft request
B. A manually typed search query
C. A daily summary report generated automatically
D. A deleted conversation thread

Answer: C
Explanation: Scheduled prompts run at defined intervals, such as daily report generation.


4.

Why might an administrator enforce governance rules on shared prompts?

A. To increase storage capacity
B. To reduce CPU usage
C. To prevent exposure of sensitive or non-compliant content
D. To disable Copilot licensing

Answer: C
Explanation: Shared prompts may contain sensitive logic, so governance ensures compliance and security.


5.

What typically happens when a prompt is deleted?

A. It is permanently removed from the prompt library
B. It becomes read-only
C. It is converted into a system alert
D. It is automatically shared with all users

Answer: A
Explanation: Deleting a prompt removes it from the library, although retention policies may affect recoverability.


6.

Which of the following is a valid use case for saved prompts?

A. Running antivirus scans
B. Reusing a formatted project status report request
C. Managing device drivers
D. Configuring network routing

Answer: B
Explanation: Saved prompts are used for repeatable tasks like structured reports or summaries.


7.

What is a key risk of unmanaged prompt sharing?

A. Increased CPU performance
B. Exposure of sensitive instructions or business logic
C. Faster email delivery
D. Reduced storage costs

Answer: B
Explanation: Unmanaged sharing can expose sensitive organizational logic or data-handling instructions.


8.

Which Microsoft 365 principle is most relevant to managing Copilot prompts?

A. Hardware lifecycle management
B. Identity federation
C. Information governance
D. Network segmentation

Answer: C
Explanation: Prompt management relates to information governance, including control over content and usage.


9.

What is a benefit of scheduling prompts in Copilot-enabled workflows?

A. It eliminates user authentication
B. It automates repetitive reporting tasks
C. It disables Microsoft 365 apps
D. It increases manual effort

Answer: B
Explanation: Scheduled prompts automate recurring tasks like reports and summaries.


10.

Which action supports prompt lifecycle management in an enterprise environment?

A. Random prompt duplication
B. Unrestricted external sharing
C. Deleting outdated prompts based on policy
D. Disabling all Copilot features

Answer: C
Explanation: Removing outdated prompts helps maintain compliance and ensures only relevant prompts are retained.



Monitor Copilot usage and adoption, including Copilot Analytics and Microsoft 365 admin center (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Perform basic administrative tasks for Copilot
      --> Monitor Copilot usage and adoption, including Copilot Analytics and Microsoft 365 admin center



Introduction

Monitoring Microsoft 365 Copilot usage is a key administrative responsibility because it helps organizations understand adoption trends, measure business value, and identify areas where users may need additional training or enablement. Microsoft provides built-in visibility through the Microsoft 365 admin center and Copilot Analytics experiences, which together give insights into how Copilot is being used across apps like Word, Excel, Outlook, Teams, and SharePoint.


1. Why monitoring Copilot usage matters

Administrators monitor Copilot adoption to:

  • Measure return on investment (ROI) for Copilot licenses
  • Identify departments or users actively using Copilot
  • Detect underutilization or lack of adoption
  • Support training and change management initiatives
  • Ensure responsible and compliant use of AI tools
  • Inform licensing and capacity planning decisions

2. Copilot usage data in Microsoft 365 admin center

The Microsoft 365 admin center provides tenant-level reporting for Copilot usage.

Key capabilities include:

Usage reporting dashboards

Admins can view:

  • Number of licensed users
  • Active Copilot users over time
  • Usage trends across Microsoft 365 apps
  • App-specific usage (Word, Excel, Outlook, Teams)

Adoption insights

  • New vs returning users
  • Frequency of Copilot interactions
  • Organizational adoption trends

License-based visibility

  • Shows usage segmented by licensed users
  • Helps identify unused or underused licenses

Export capabilities

  • Data can be exported for deeper analysis in Power BI or Excel

3. Copilot Analytics (advanced insights)

Copilot Analytics provides deeper behavioral insights beyond basic usage metrics.

What Copilot Analytics helps you understand:

Business impact signals

  • Time saved (estimated productivity gains)
  • Task completion patterns using Copilot
  • Adoption maturity across teams

Engagement depth

  • Simple prompts vs advanced multi-step prompts
  • Frequency of Copilot-assisted document creation
  • Collaboration patterns influenced by Copilot

Department-level insights

  • Usage by business unit (e.g., Finance, HR, Sales)
  • Comparison between teams or regions

Trend analysis

  • Adoption growth over weeks/months
  • Seasonal or campaign-driven usage spikes

4. Key Copilot usage metrics to track

Administrators commonly focus on:

  • Active Copilot users (daily/weekly/monthly)
  • Copilot interactions per user
  • Prompt volume and complexity
  • Most-used Microsoft 365 apps with Copilot
  • Retention of Copilot usage over time

5. Microsoft 365 apps included in reporting

Copilot usage insights are typically broken down across:

  • Microsoft Word – document drafting, summarization
  • Microsoft Excel – data analysis, formula generation
  • Microsoft Outlook – email summarization and drafting
  • Microsoft Teams – meeting recap, chat summarization
  • SharePoint – content summarization and knowledge discovery

6. Administrative use cases for monitoring Copilot

Adoption planning

  • Identify early adopters to act as champions
  • Target training for low-adoption teams

Licensing optimization

  • Reclaim unused licenses
  • Forecast future licensing needs

Governance oversight

  • Ensure Copilot is used within acceptable use policies
  • Monitor for unusual or unexpected usage patterns

Organizational enablement

  • Measure effectiveness of Copilot rollout campaigns
  • Improve user enablement programs based on usage patterns

7. Relationship between admin center and Copilot Analytics

Capability                   | Microsoft 365 Admin Center | Copilot Analytics
Basic usage reporting        | Yes                        | Limited
App-level usage breakdown    | Yes                        | Yes
Behavioral insights          | Limited                    | Yes
Productivity impact insights | No                         | Yes
Trend reporting              | Yes                        | Yes (more advanced)

8. Key exam takeaway

For AB-900, understand that:

  • The Microsoft 365 admin center provides baseline usage and adoption reports.
  • Copilot Analytics provides deeper behavioral and productivity insights.
  • Together, they help administrators measure adoption, value, and readiness at scale.

Practice Exam Questions (10)

1.

An organization wants to view how many users are actively using Copilot in Microsoft Word and Outlook. Where should the administrator go first?

A. Microsoft Entra admin center
B. Microsoft 365 admin center
C. Microsoft Purview compliance portal
D. Microsoft Defender portal

Answer: B
Explanation: The Microsoft 365 admin center provides Copilot usage reports, including app-level adoption data such as Word and Outlook usage.


2.

Which Copilot Analytics capability provides insight into productivity improvements?

A. License assignment tracking
B. Email delivery monitoring
C. Estimated time saved by users
D. Device compliance reporting

Answer: C
Explanation: Copilot Analytics includes business impact metrics such as estimated time saved through AI-assisted work.


3.

What is a key benefit of combining Microsoft 365 admin center reports with Copilot Analytics?

A. It replaces the need for licensing
B. It enables deeper behavioral and adoption insights
C. It blocks unauthorized Copilot usage
D. It automates license purchasing

Answer: B
Explanation: The admin center provides usage data, while Copilot Analytics adds deeper behavioral and productivity insights.


4.

Which metric is MOST commonly used to measure Copilot adoption?

A. Number of inactive devices
B. Active Copilot users over time
C. Number of Teams channels created
D. Email attachment size

Answer: B
Explanation: Active users over time is a core adoption metric for Copilot usage tracking.


5.

An administrator wants to identify departments with the lowest Copilot usage. Which insight is most relevant?

A. Geographic IP logs
B. User mailbox size
C. Department-level usage reporting
D. DNS resolution reports

Answer: C
Explanation: Copilot Analytics can segment usage by department or business unit.


6.

What type of Copilot usage data is typically available in the Microsoft 365 admin center?

A. Advanced prompt sentiment analysis
B. Basic usage and adoption metrics
C. Source code execution logs
D. Endpoint vulnerability scans

Answer: B
Explanation: The admin center provides high-level usage and adoption metrics, not deep behavioral analysis.


7.

Which Copilot usage trend would indicate strong adoption?

A. Declining active users over time
B. Zero usage across all apps
C. Increasing active users across multiple apps
D. Only one department using Copilot

Answer: C
Explanation: Increasing usage across apps indicates growing adoption and engagement.


8.

Which Microsoft 365 apps are typically included in Copilot usage reporting?

A. Word, Excel, Outlook, Teams
B. SQL Server, Power BI Desktop, Visual Studio
C. Windows Explorer, Notepad, Paint
D. Azure VM, Azure Storage, Azure Functions

Answer: A
Explanation: Copilot usage reporting focuses on Microsoft 365 productivity apps.


9.

What is a common administrative action based on Copilot usage reports?

A. Disabling all user accounts
B. Reclaiming unused licenses
C. Deleting Teams channels
D. Blocking internet access

Answer: B
Explanation: Low usage can indicate unused licenses that may be reassigned or reclaimed.


10.

What does Copilot Analytics primarily provide beyond basic reporting?

A. Network firewall configuration
B. Behavioral and productivity insights
C. Hardware inventory tracking
D. Email encryption keys

Answer: B
Explanation: Copilot Analytics provides deeper insights into user behavior and productivity impact.



Monitor and manage Copilot Pay-as-You-Go billing policies (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Perform basic administrative tasks for Copilot
      --> Monitor and manage Copilot Pay-as-You-Go billing policies



Introduction

Microsoft 365 Copilot pay-as-you-go (PAYG) billing policies allow organizations to consume Copilot-related services based on usage rather than only per-user licensing. This model is commonly used for features such as Copilot in SharePoint or other metered AI capabilities where consumption is tracked and billed through an Azure subscription.

Administrators are responsible for configuring, monitoring, and controlling these billing policies to ensure predictable costs, governance, and proper usage.


What is Copilot pay-as-you-go billing?

Pay-as-you-go billing in Microsoft 365 Copilot scenarios enables:

  • Usage-based billing instead of fixed per-user licensing
  • Cost tracking through Azure subscription meters
  • Flexible adoption for specific workloads (for example, SharePoint-based Copilot experiences)
  • Centralized financial control via Azure billing tools

This model is typically associated with Microsoft Copilot experiences that rely on Azure-backed metering.


Key components of PAYG billing policies

1. Azure subscription

All PAYG Copilot usage is billed through an Azure subscription. The subscription:

  • Acts as the billing container
  • Hosts cost management and usage tracking
  • Must be linked to the Microsoft 365 tenant

2. Billing policy configuration

Admins define policies that determine:

  • Which users or groups are enabled for PAYG usage
  • Which Copilot features are billable under PAYG
  • Scope of usage (tenant-wide, group-based, or service-specific)

3. Metered services

Pay-as-you-go applies to specific Copilot capabilities such as:

  • Copilot experiences in SharePoint
  • AI-powered content generation or summarization in supported workloads
  • Feature-specific AI consumption events

Each usage event contributes to measurable consumption units.


How administrators monitor PAYG Copilot usage

Azure Cost Management + Billing

Primary tool used to monitor consumption:

  • Tracks cost per service
  • Shows usage trends
  • Provides budget alerts and forecasting

Microsoft 365 admin center

Used for:

  • Viewing service-level Copilot usage
  • Monitoring adoption and activity reports
  • Understanding organizational usage patterns

Usage analytics dashboards

Administrators can review:

  • Active users consuming PAYG Copilot features
  • Feature-level consumption breakdown
  • Trends over time for optimization

Managing PAYG billing policies

1. Create or configure billing policies

Admins define policies to:

  • Enable PAYG for specific services (e.g., SharePoint Copilot)
  • Assign eligible user groups
  • Control feature access scope

2. Assign policies to users or groups

Instead of enabling all users, organizations often:

  • Assign PAYG access to pilot groups
  • Restrict usage to departments or projects
  • Expand gradually based on adoption

3. Set budgets and alerts

Using Azure Cost Management, administrators can:

  • Set monthly budgets
  • Configure alerts for threshold breaches
  • Prevent unexpected overuse

4. Review and optimize usage

Admins regularly:

  • Identify high-cost usage patterns
  • Adjust policies to reduce unnecessary consumption
  • Disable PAYG access for inactive users or groups

Governance and control considerations

Monitoring PAYG Copilot billing is not only financial—it also includes governance:

  • Ensuring only authorized users can consume metered services
  • Aligning usage with organizational policies
  • Applying Microsoft Entra ID group-based access controls
  • Ensuring compliance with Microsoft Purview policies where applicable

Key differences: PAYG vs per-user Copilot licensing

Model              | Description
Per-user licensing | Fixed monthly cost per licensed user
Pay-as-you-go      | Usage-based billing tied to Azure consumption

PAYG is typically more flexible but requires closer monitoring to avoid unexpected costs.


Summary

Monitoring and managing Copilot pay-as-you-go billing policies involves configuring Azure-based billing structures, assigning usage scopes through policies, and continuously tracking consumption using Azure Cost Management and Microsoft 365 reporting tools. Administrators must balance flexibility with cost control and governance to ensure efficient and compliant use of Copilot services.


Practice Exam Questions (10)

1.

Where is Copilot pay-as-you-go usage primarily billed?

A. Microsoft Teams admin center
B. Azure subscription
C. Windows Update service
D. Microsoft Defender portal

Answer: B
Explanation: PAYG Copilot usage is billed through an Azure subscription linked to the tenant.


2.

What is the main purpose of a Copilot pay-as-you-go billing policy?

A. To disable Copilot features globally
B. To assign static per-user licenses
C. To control and define usage-based billing scope
D. To store Copilot chat history

Answer: C
Explanation: Billing policies define who can use PAYG features and how usage is tracked.


3.

Which tool is primarily used to monitor PAYG Copilot costs?

A. Microsoft Word
B. Azure Cost Management + Billing
C. PowerPoint Designer
D. OneDrive sync client

Answer: B
Explanation: Azure Cost Management provides cost tracking, alerts, and reporting.


4.

What is a common use case for Copilot PAYG billing?

A. Permanent licensing for all employees
B. SharePoint-based Copilot experiences with metered usage
C. Offline document editing
D. Local file encryption

Answer: B
Explanation: PAYG is often used for metered Copilot features like SharePoint integration.


5.

What should an administrator configure to control which users can use PAYG Copilot features?

A. Microsoft Teams channels
B. Azure DevOps pipelines
C. Billing policies and assigned user groups
D. Windows Registry settings

Answer: C
Explanation: Policies and group assignments define access to PAYG usage.


6.

What is a key benefit of PAYG billing compared to per-user licensing?

A. Unlimited free usage
B. No need for Microsoft 365 accounts
C. Flexible, usage-based cost model
D. Automatic removal of security policies

Answer: C
Explanation: PAYG provides flexibility by charging based on actual usage.


7.

Which action helps prevent unexpected PAYG Copilot costs?

A. Disabling Microsoft Outlook
B. Setting Azure budgets and alerts
C. Removing all SharePoint sites
D. Turning off Microsoft Entra ID

Answer: B
Explanation: Budgeting and alerts help control spending.


8.

What type of identity is required for users consuming PAYG Copilot features?

A. Local Windows account only
B. Microsoft Entra ID identity
C. Anonymous guest browsing
D. External VPN identity only

Answer: B
Explanation: Copilot services require authenticated Microsoft Entra ID users.


9.

What should administrators regularly review in PAYG billing management?

A. Email signatures
B. Usage trends and cost reports
C. Device firmware versions
D. Printer configurations

Answer: B
Explanation: Usage and cost trends help optimize billing policies.


10.

Which statement best describes PAYG Copilot billing?

A. Fixed monthly cost per organization
B. Free usage for all Microsoft 365 users
C. One-time purchase for lifetime access
D. Consumption-based billing through Azure

Answer: D
Explanation: PAYG is based on measured usage and billed via Azure.



Understand features and capabilities of SharePoint Advanced Management, including restricted site access (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify and monitor oversharing in SharePoint in Microsoft 365
      --> Understand features and capabilities of SharePoint Advanced Management, including restricted site access



Introduction

As organizations increasingly rely on Microsoft 365, SharePoint Online, Microsoft Teams, and Microsoft 365 Copilot, protecting organizational data has become more important than ever. While collaboration is essential, unrestricted sharing can expose confidential information to unintended users.

To help organizations better govern SharePoint content, Microsoft offers SharePoint Advanced Management (SAM), a collection of advanced governance, reporting, security, and lifecycle management capabilities designed to improve the security of SharePoint and OneDrive environments.

One of its most important features is Restricted Site Access, which allows administrators to temporarily limit access to specific SharePoint sites that may contain highly sensitive or potentially overshared information.

For the AB-900 exam, you should understand the purpose of SharePoint Advanced Management, its major capabilities, and how Restricted Site Access helps reduce data exposure.


What is SharePoint Advanced Management?

SharePoint Advanced Management is a set of administrative capabilities that extends the standard SharePoint Online administration experience.

Its goals include:

  • Improving governance
  • Reducing oversharing
  • Enhancing visibility into permissions
  • Strengthening data protection
  • Supporting Microsoft 365 Copilot readiness
  • Helping organizations adopt Zero Trust security principles

Rather than replacing Microsoft Purview or Microsoft Defender, SharePoint Advanced Management complements these services by focusing specifically on SharePoint and OneDrive administration.


Why SharePoint Advanced Management Is Important

Organizations often have:

  • Thousands of SharePoint sites
  • Millions of documents
  • Numerous external users
  • Complex permission structures
  • Years of accumulated sharing links

As these environments grow, administrators face challenges such as:

  • Overshared files
  • Forgotten external sharing
  • Stale permissions
  • Sensitive documents accessible by too many users
  • Inactive or abandoned sites

SharePoint Advanced Management provides tools to identify and address these issues before they become security incidents.


Key Capabilities of SharePoint Advanced Management

SharePoint Advanced Management includes several capabilities designed to improve governance.

1. Data Access Governance Reporting

Administrators can:

  • Identify overshared sites
  • Review sharing activity
  • Analyze permission configurations
  • Discover external access
  • Locate high-risk collaboration sites

These reports provide visibility into who can access organizational content.


2. Site Lifecycle Management

Organizations frequently create project sites that remain active long after projects end.

SharePoint Advanced Management helps administrators:

  • Identify inactive sites
  • Review site ownership
  • Archive or delete unused sites
  • Reduce unnecessary content exposure

Proper lifecycle management reduces security risks while improving overall governance.


3. Oversharing Insights

Administrators can identify:

  • Sites shared broadly
  • Anonymous sharing links
  • Guest access
  • Sensitive sites with excessive permissions
  • Large-scale permission inheritance issues

These insights are particularly valuable before deploying Microsoft 365 Copilot.


4. Site Ownership Management

SharePoint sites require responsible owners.

Advanced Management helps administrators identify:

  • Sites without owners
  • Inactive owners
  • Ownership inconsistencies

Proper ownership improves accountability and ensures permissions are reviewed regularly.


5. Sharing Governance

Administrators can evaluate:

  • External sharing
  • Anonymous links
  • Organization-wide access
  • Sharing policies
  • Guest permissions

This helps organizations reduce unnecessary collaboration risks.


6. Restricted Site Access

One of the most important SharePoint Advanced Management capabilities is Restricted Site Access.


What is Restricted Site Access?

Restricted Site Access allows administrators to temporarily limit access to a SharePoint site.

When enabled:

  • Most users lose access to the site.
  • Only designated administrators or approved users can access the content.
  • Copilot and Microsoft Search continue to respect the updated permissions because they always honor Microsoft 365 security trimming.

This feature is useful when a site contains highly sensitive information or requires investigation.


Why Use Restricted Site Access?

Organizations may need to immediately reduce access when:

  • Sensitive information has been overshared.
  • A security investigation is underway.
  • Legal or regulatory reviews are occurring.
  • Confidential merger or acquisition documents are stored.
  • Human Resources investigations are active.
  • Executive leadership documents require additional protection.
  • Sensitive intellectual property is being reviewed.

Rather than deleting the site, administrators can quickly restrict access while remediation occurs.


How Restricted Site Access Works

The feature temporarily changes access behavior by allowing only explicitly authorized users to access the site.

Typical workflow:

  1. Administrator identifies a high-risk site.
  2. Restricted Site Access is enabled.
  3. Only approved users retain access.
  4. Administrators investigate permissions.
  5. Oversharing issues are corrected.
  6. Normal access is restored when appropriate.

Benefits of Restricted Site Access

Organizations gain several advantages:

Rapid Risk Reduction

Potential data exposure is reduced immediately.

Supports Investigations

Investigators can examine permissions without widespread user access.

Improves Governance

Administrators gain time to review sharing settings before reopening access.

Protects Sensitive Information

Highly confidential documents remain accessible only to authorized personnel.

Supports Compliance

Temporary restrictions can assist with legal, regulatory, or internal compliance reviews.


Relationship with Microsoft 365 Copilot

Microsoft 365 Copilot respects Microsoft 365 permissions.

If a site becomes restricted:

  • Copilot cannot retrieve information from that site for users who no longer have permission.
  • Microsoft Search also honors the updated permissions.
  • Other Microsoft 365 services continue using the same security model.

Restricted Site Access therefore reduces the likelihood that Copilot will surface sensitive content from that site.


Relationship with Microsoft Purview

SharePoint Advanced Management and Microsoft Purview work together.

Microsoft Purview focuses on:

  • Data classification
  • Sensitivity labels
  • Data Loss Prevention (DLP)
  • Insider Risk Management
  • Data Lifecycle Management
  • Compliance

SharePoint Advanced Management focuses on:

  • Site governance
  • Permissions
  • Oversharing
  • Site administration
  • Access analysis
  • Restricted Site Access

Together they provide comprehensive protection for Microsoft 365 data.


Relationship with Microsoft Defender

Microsoft Defender identifies threats such as:

  • Compromised accounts
  • Suspicious user activity
  • Malware
  • Phishing attacks

If Defender identifies suspicious activity involving a SharePoint site, administrators may choose to enable Restricted Site Access while investigating the incident.


Best Practices

Microsoft recommends the following practices:

  • Regularly review Data Access Governance reports.
  • Minimize broad “Everyone” permissions.
  • Review external sharing frequently.
  • Assign active site owners.
  • Archive inactive sites.
  • Apply sensitivity labels to sensitive content.
  • Use Restricted Site Access only when necessary.
  • Review restricted sites periodically and restore normal access when appropriate.
  • Combine SharePoint Advanced Management with Microsoft Purview and Microsoft Defender for layered protection.
  • Follow the principle of least privilege.

Exam Tips

Remember these key points for the AB-900 exam:

  • SharePoint Advanced Management focuses on governance and security for SharePoint and OneDrive.
  • It helps identify and remediate oversharing.
  • Restricted Site Access temporarily limits access to sensitive SharePoint sites.
  • Copilot always respects SharePoint permissions, including restricted sites.
  • Restricted Site Access is useful during investigations or when sensitive information has been overshared.
  • SharePoint Advanced Management complements Microsoft Purview rather than replacing it.
  • Proper site ownership and lifecycle management reduce long-term security risks.

Practice Exam Questions

Question 1

Which primary problem does SharePoint Advanced Management help organizations address?

A. Windows operating system updates

B. Oversharing and governance of SharePoint content

C. SQL Server performance tuning

D. Microsoft Teams meeting scheduling

Correct Answer: B

Explanation: SharePoint Advanced Management provides governance tools that help identify oversharing, manage permissions, and improve the security of SharePoint and OneDrive environments.


Question 2

What is the purpose of Restricted Site Access?

A. Permanently delete SharePoint sites

B. Encrypt every document within a site

C. Temporarily limit access to a SharePoint site for authorized users only

D. Automatically archive inactive sites

Correct Answer: C

Explanation: Restricted Site Access allows administrators to temporarily restrict access to a site while investigating or protecting sensitive information.


Question 3

Why is SharePoint Advanced Management valuable before deploying Microsoft 365 Copilot?

A. It increases Copilot response speed.

B. It upgrades Microsoft Graph.

C. It removes all external users automatically.

D. It helps identify overshared content that Copilot could otherwise access based on existing permissions.

Correct Answer: D

Explanation: Since Copilot honors existing permissions, reducing oversharing before deployment helps minimize the risk of exposing sensitive information.


Question 4

Which capability is included in SharePoint Advanced Management?

A. Azure virtual machine backup

B. Microsoft Intune device enrollment

C. Data Access Governance reporting

D. Windows Server patch management

Correct Answer: C

Explanation: Data Access Governance reporting is a core capability that helps administrators analyze permissions and identify overshared content.


Question 5

What happens when Restricted Site Access is enabled?

A. Microsoft 365 Copilot ignores the restriction.

B. Only approved users and administrators retain access to the site.

C. All SharePoint sites become read-only.

D. External sharing is permanently disabled across the tenant.

Correct Answer: B

Explanation: Restricted Site Access limits access to authorized users, and Copilot continues to respect those permissions.


Question 6

Which Microsoft service primarily complements SharePoint Advanced Management by classifying and protecting sensitive information?

A. Microsoft Purview

B. Microsoft Paint

C. Windows Defender Firewall

D. Microsoft Project

Correct Answer: A

Explanation: Microsoft Purview provides data classification, labeling, DLP, and compliance capabilities that complement SharePoint governance features.


Question 7

Which scenario is an appropriate use case for Restricted Site Access?

A. Scheduling recurring Teams meetings

B. Updating Microsoft 365 licenses

C. Protecting a SharePoint site containing confidential merger documents during negotiations

D. Increasing SharePoint storage capacity

Correct Answer: C

Explanation: Restricting access to highly confidential content during sensitive business activities helps reduce the risk of accidental exposure.


Question 8

Which governance activity helps reduce long-term security risks in SharePoint?

A. Creating additional anonymous sharing links

B. Allowing all users full control of every site

C. Disabling Microsoft Search

D. Reviewing inactive sites and assigning active site owners

Correct Answer: D

Explanation: Proper site ownership and lifecycle management reduce abandoned sites and improve ongoing governance.


Question 9

How does Microsoft 365 Copilot interact with a site that has Restricted Site Access enabled?

A. Copilot bypasses the restriction for administrators only.

B. Copilot ignores SharePoint permissions.

C. Copilot respects the updated permissions and cannot retrieve content for unauthorized users.

D. Copilot copies restricted files into Microsoft Graph.

Correct Answer: C

Explanation: Copilot always honors Microsoft 365 permissions. If a user cannot access a restricted site, Copilot cannot use its content in responses for that user.


Question 10

Which statement best describes SharePoint Advanced Management?

A. It replaces Microsoft Purview entirely.

B. It is focused on SharePoint and OneDrive governance, permissions, lifecycle management, and oversharing protection.

C. It functions as an antivirus solution.

D. It manages Microsoft Entra ID authentication policies.

Correct Answer: B

Explanation: SharePoint Advanced Management provides advanced governance capabilities for SharePoint and OneDrive, including oversharing detection, site lifecycle management, permission analysis, and Restricted Site Access.



Run a data access governance report in SharePoint (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify and monitor oversharing in SharePoint in Microsoft 365
      --> Run a data access governance report in SharePoint



Introduction

This topic combines SharePoint governance, Microsoft Purview, and Copilot data security. Although the feature continues to evolve, the AB-900 exam focuses on understanding what the report is, when to use it, and what problems it helps administrators solve, rather than memorizing every UI step.


Why Data Access Governance Matters

One of the largest security challenges in Microsoft 365 is oversharing. Over time, organizations accumulate millions of files, thousands of SharePoint sites, and numerous Microsoft Teams workspaces. Permissions often become increasingly complex as users:

  • Share files externally
  • Create anonymous sharing links
  • Grant access to “Everyone”
  • Add guests to Teams
  • Break inheritance on folders
  • Forget to remove temporary permissions

As organizations adopt Microsoft 365 Copilot, overshared content becomes an even greater concern because Copilot can surface information that a user already has permission to access—even if that access was unintentionally granted.

Microsoft provides Data Access Governance (DAG) capabilities in SharePoint to help administrators discover, understand, and remediate excessive access before it becomes a security issue.


What is Data Access Governance?

Data Access Governance is a collection of reporting and analysis capabilities within SharePoint Advanced Management that helps administrators answer questions such as:

  • Which sites are accessible by everyone?
  • Which files are overshared?
  • Which sites have external users?
  • Which sites contain highly sensitive information?
  • Which permissions may expose confidential content?
  • Which sites should be reviewed?

Rather than examining permissions one site at a time, administrators receive organization-wide visibility.


Primary Goals of Data Access Governance

Data Access Governance helps organizations:

  • Discover overshared sites
  • Review permissions
  • Reduce excessive access
  • Identify high-risk collaboration
  • Improve Microsoft 365 security posture
  • Prepare for Microsoft 365 Copilot deployment
  • Reduce accidental data exposure
  • Support compliance initiatives

Why It Is Important for Microsoft 365 Copilot

Microsoft 365 Copilot never ignores permissions.

Instead, it retrieves content using the same security model that governs Microsoft 365.

If a user has permission to open a document manually, Copilot can potentially reference that document when generating responses.

For example:

Suppose Human Resources accidentally grants the entire company read access to salary spreadsheets.

Without Copilot:

  • Most employees may never discover the files.

With Copilot:

A user might ask:

“Summarize employee compensation data.”

Because the files are already accessible, Copilot could retrieve them.

The problem is not Copilot—it is the underlying permissions.

Data Access Governance helps identify these permission problems before they become security risks.


What the Data Access Governance Report Shows

The report provides administrators with visibility into SharePoint permissions and sharing configurations across the tenant.

Common information includes:

  • Site owners
  • Site sensitivity
  • External sharing status
  • Number of members
  • Anonymous links
  • Organization-wide access
  • Guest access
  • Sharing activity
  • Permission inheritance
  • Access patterns
  • High-risk sites
  • Overshared content indicators

Rather than searching manually, administrators can prioritize the highest-risk locations.


Types of Oversharing That Can Be Identified

The report can identify situations such as:

Organization-Wide Access

Sites accessible by:

  • Everyone
  • Everyone except external users
  • Large security groups

These sites often expose more content than intended.


Anonymous Links

Files shared through links that require no authentication.

These links may remain active long after they are needed.


Guest Access

Sites containing:

  • External users
  • Partner accounts
  • Vendor accounts

Administrators can verify whether guest access is still appropriate.


Excessive Sharing

Examples include:

  • Large numbers of shared files
  • Broad sharing permissions
  • Public document libraries
  • Open collaboration spaces

Sensitive Sites

The report can identify sites that contain:

  • Financial information
  • HR records
  • Legal documents
  • Intellectual property
  • Customer information

Combined with Microsoft Purview sensitivity labels, administrators gain better visibility into where important information resides.


Typical Workflow

Administrators generally follow this process:

Step 1

Open SharePoint administration tools.


Step 2

Generate or review a Data Access Governance report.


Step 3

Review identified risks.

Examples:

  • Overshared sites
  • External sharing
  • Everyone permissions
  • Sensitive content

Step 4

Investigate high-risk sites.

Questions include:

  • Does this access need to exist?
  • Are guests still required?
  • Is inheritance broken?
  • Should permissions be reduced?

Step 5

Take corrective action.

Possible actions include:

  • Remove permissions
  • Restrict sharing
  • Apply sensitivity labels
  • Disable anonymous links
  • Reduce guest access
  • Educate site owners

Step 6

Run reports regularly to verify improvements.
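
The triage in Steps 3 to 5 can be sketched in code. The following is an added example, not code from Microsoft or from the original post: it ranks sites from an exported report and maps each finding to the corrective actions listed in Step 5. The column names, label names, inactivity threshold, and sample rows are all assumptions made for illustration and do not reflect the real export schema.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample standing in for an exported report. The column names are
# hypothetical; check them against the file your tenant actually produces.
SAMPLE_REPORT = """\
SiteUrl,SensitivityLabel,EveryoneAccess,AnyoneLinks,GuestUsers,ActiveOwners,DaysInactive
https://contoso.example/sites/hr-payroll,Highly Confidential,yes,0,0,1,3
https://contoso.example/sites/legal-ma,Highly Confidential,no,2,1,2,10
https://contoso.example/sites/marketing,,yes,0,0,1,5
https://contoso.example/sites/vendor-portal,,no,4,12,1,20
https://contoso.example/sites/proj-2019,,no,0,3,0,400
https://contoso.example/sites/training,,no,0,0,1,1
"""

SENSITIVE_LABELS = {"highly confidential", "confidential"}  # assumed label names
INACTIVE_AFTER_DAYS = 180                                   # assumed threshold
PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Finding:
    site: str
    priority: str = "Low"
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def assess(row):
    """Turn one report row into a finding with reasons and suggested actions."""
    sensitive = row["SensitivityLabel"].strip().lower() in SENSITIVE_LABELS
    everyone = row["EveryoneAccess"].strip().lower() == "yes"
    anyone_links = int(row["AnyoneLinks"] or 0)
    guests = int(row["GuestUsers"] or 0)
    owners = int(row["ActiveOwners"] or 0)
    inactive = int(row["DaysInactive"] or 0) >= INACTIVE_AFTER_DAYS

    f = Finding(site=row["SiteUrl"])
    if everyone:
        f.reasons.append("organization-wide access")
        f.actions.append("Remove permissions granted to Everyone-style groups")
    if anyone_links:
        f.reasons.append(f"{anyone_links} anonymous link(s)")
        f.actions.append("Disable anonymous links")
    if guests:
        f.reasons.append(f"{guests} guest user(s)")
        f.actions.append("Confirm guests are still required; reduce guest access")
    if owners == 0:
        f.reasons.append("no active owner")
        f.actions.append("Assign an active site owner")
    if inactive:
        f.reasons.append("inactive site")
        f.actions.append("Archive or delete the site if no longer needed")
    if f.reasons and not row["SensitivityLabel"].strip():
        f.actions.append("Review content and apply a sensitivity label if warranted")

    # Sensitive content combined with broad access is the highest-risk case.
    broad = everyone or anyone_links > 0
    if sensitive and broad:
        f.priority = "High"
    elif f.reasons:
        f.priority = "Medium"
    return f


def triage(report_csv):
    """Return findings ordered by priority, then by number of reasons."""
    findings = [assess(r) for r in csv.DictReader(io.StringIO(report_csv))]
    findings.sort(key=lambda f: (PRIORITY_ORDER[f.priority], -len(f.reasons), f.site))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.priority}] {f.site}: {', '.join(f.reasons) or 'no findings'}")
        for action in f.actions:
            print(f"    - {action}")
```

Running the same triage against each new report (Step 6) shows whether the High and Medium counts are actually falling.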


Relationship with Microsoft Purview

Data Access Governance works alongside Microsoft Purview.

Purview answers questions such as:

  • What sensitive data exists?
  • How is it classified?
  • Which labels are applied?
  • Are DLP policies triggered?

SharePoint Data Access Governance answers:

  • Who can access the data?
  • Is the data overshared?
  • Which sites expose information?
  • Which permissions should be reviewed?

Together they provide both:

  • Content awareness
  • Permission awareness

Relationship with Microsoft 365 Copilot

Data Access Governance helps administrators prepare for Copilot by reducing permission-related risks.

Benefits include:

  • Finding overshared SharePoint sites
  • Identifying unnecessary permissions
  • Reducing broad access
  • Reviewing guest sharing
  • Protecting confidential information
  • Improving search security
  • Supporting Zero Trust principles

Best Practices

Microsoft recommends that organizations:

  • Review sharing reports regularly.
  • Audit external access periodically.
  • Minimize “Everyone” permissions.
  • Remove unused guest accounts.
  • Apply sensitivity labels to important sites.
  • Use Microsoft Purview DLP alongside SharePoint governance.
  • Educate site owners on responsible sharing.
  • Review high-risk collaboration sites before deploying Copilot broadly.
  • Follow the principle of least privilege.
  • Continuously monitor permission changes.

Common Exam Tips

Remember these key points:

  • Data Access Governance focuses on permissions and access, not document content.
  • It helps identify oversharing across SharePoint.
  • It is especially valuable before deploying Microsoft 365 Copilot.
  • Copilot respects existing Microsoft 365 permissions.
  • Oversharing is a permissions problem, not a Copilot problem.
  • Reports help administrators prioritize high-risk sites for remediation.
  • Data Access Governance complements Microsoft Purview rather than replacing it.

Practice Exam Questions

Question 1

Why would an administrator run a Data Access Governance report in SharePoint?

A. To update SharePoint servers

B. To identify overshared sites and permission risks

C. To encrypt all documents automatically

D. To generate Microsoft 365 licenses

Correct Answer: B

Explanation: Data Access Governance helps administrators identify sites with excessive permissions, external sharing, and other access-related risks.


Question 2

Which issue is Data Access Governance primarily designed to identify?

A. SQL database corruption

B. Printer failures

C. Oversharing of SharePoint content

D. Network latency

Correct Answer: C

Explanation: The primary purpose is to detect oversharing and excessive permissions across SharePoint.


Question 3

Why is Data Access Governance especially important before deploying Microsoft 365 Copilot?

A. Copilot automatically changes permissions.

B. Copilot ignores SharePoint security.

C. Copilot copies all SharePoint files.

D. Copilot can reference content users already have permission to access.

Correct Answer: D

Explanation: Copilot honors existing permissions. Overshared content may therefore appear in Copilot responses if users already have legitimate access.


Question 4

Which type of access represents a potential oversharing risk?

A. Anonymous sharing links

B. Azure subscription ownership

C. Exchange mailbox size

D. Microsoft Teams background images

Correct Answer: A

Explanation: Anonymous links allow access without authentication and should be reviewed carefully.


Question 5

What question does Data Access Governance primarily help answer?

A. Which users have excessive access to SharePoint content?

B. Which Windows updates are missing?

C. Which devices need antivirus software?

D. Which Microsoft 365 licenses should be purchased?

Correct Answer: A

Explanation: Data Access Governance focuses on permissions, sharing, and access to SharePoint content.


Question 6

Which Microsoft 365 principle is supported by regularly reviewing Data Access Governance reports?

A. Unlimited collaboration

B. Least privilege

C. Maximum storage allocation

D. Unlimited guest access

Correct Answer: B

Explanation: Regular reviews help ensure users have only the permissions necessary to perform their work.


Question 7

Which type of SharePoint site would likely appear as higher risk in a Data Access Governance report?

A. A private HR site with restricted access

B. A site shared with only one administrator

C. A site containing sensitive files that is accessible to everyone

D. A newly created empty site

Correct Answer: C

Explanation: Sensitive information combined with broad permissions represents a significant oversharing risk.


Question 8

How does Data Access Governance complement Microsoft Purview?

A. Both products only classify documents.

B. Data Access Governance focuses on permissions, while Purview focuses on data protection and governance.

C. They perform identical functions.

D. Purview replaces SharePoint permissions.

Correct Answer: B

Explanation: Purview governs and protects data, while Data Access Governance helps administrators understand who has access to that data.


Question 9

Which action should an administrator consider after identifying an overshared SharePoint site?

A. Delete all documents immediately.

B. Disable Microsoft 365 Copilot.

C. Purchase additional SharePoint storage.

D. Review and reduce unnecessary permissions.

Correct Answer: D

Explanation: The appropriate response is to evaluate existing permissions and remove excessive or unnecessary access while maintaining business needs.


Question 10

Which statement about Microsoft 365 Copilot and Data Access Governance is true?

A. Data Access Governance prevents all Copilot responses.

B. Copilot bypasses SharePoint permissions when generating answers.

C. Data Access Governance helps reduce the risk of Copilot surfacing overshared information by identifying excessive permissions.

D. Copilot encrypts all SharePoint documents before using them.

Correct Answer: C

Explanation: By identifying and remediating overshared permissions, Data Access Governance helps ensure Copilot only surfaces information that users are appropriately authorized to access.



Discover and manage AI activity by using DSPM for AI (Part 2) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Discover and manage AI activity by using DSPM for AI



Introduction

In Part 1, you learned how Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations discover AI activity, identify sensitive data exposure, detect oversharing, and provide visibility into how AI interacts with Microsoft 365 data.

This section (Part 2) focuses on how DSPM for AI helps administrators manage AI-related risks, integrates with other Microsoft security and compliance services, and supports secure AI adoption.


Security Recommendations Generated by DSPM for AI

One of DSPM for AI’s most valuable capabilities is providing actionable security recommendations rather than simply identifying problems.

After analyzing an organization’s AI environment, DSPM highlights areas that should be improved to reduce the likelihood of accidental data exposure or compliance violations.

Examples of recommendations include:

  • Reduce excessive SharePoint permissions.
  • Apply sensitivity labels to unclassified confidential files.
  • Configure Data Loss Prevention (DLP) policies.
  • Limit external sharing.
  • Protect highly confidential document libraries.
  • Enable auditing for AI-related activities.
  • Improve data governance before expanding AI deployments.

These recommendations help administrators prioritize improvements based on potential business impact and security risk.


Risk Prioritization

Not every security finding represents the same level of risk.

DSPM helps prioritize remediation efforts by evaluating factors such as:

  • Amount of sensitive data exposed
  • Number of users with access
  • Business importance of the data
  • Existing protection mechanisms
  • AI usage patterns
  • Permission inheritance
  • Regulatory implications

This enables administrators to address the highest-risk issues first.

For example:

Risk | Priority
Public access to executive financial reports | High
Sensitive HR documents lacking labels | High
Marketing presentations shared internally | Medium
Public training documents | Low

Discovering AI-Related Data Exposure

Organizations often ask:

“If we enable Microsoft 365 Copilot today, what sensitive information could users potentially discover?”

DSPM helps answer this question.

It analyzes:

  • Existing permissions
  • Data classifications
  • Sharing configurations
  • Microsoft Graph relationships
  • Collaboration patterns

This provides insight into which sensitive data could become more discoverable through AI-assisted searches and summaries.

Remember:

Copilot does not bypass security permissions. It only accesses information that the signed-in user is already authorized to access. DSPM helps identify situations where those permissions may already be too broad.


Remediation Recommendations

After identifying risks, DSPM recommends remediation steps.

Common recommendations include:

Reduce Oversharing

Examples include:

  • Remove unnecessary SharePoint permissions.
  • Restrict Microsoft Teams membership.
  • Remove Everyone access.
  • Limit guest sharing.

Improve Data Classification

Examples include:

  • Apply sensitivity labels.
  • Enable automatic labeling.
  • Use trainable classifiers.
  • Configure sensitive information types.

Better classification improves downstream protections across Microsoft Purview.


Strengthen Data Protection Policies

DSPM may recommend:

  • Creating DLP policies
  • Encrypting confidential documents
  • Restricting downloads
  • Blocking external sharing
  • Applying retention labels

Review AI Access

Administrators may decide to:

  • Limit AI rollout to selected departments
  • Review permissions before enabling Copilot broadly
  • Reduce access to legacy repositories
  • Remove stale user accounts

Integration with Microsoft Purview

DSPM for AI does not operate as an isolated product.

Instead, it complements several Microsoft Purview solutions.

Understanding these relationships is important for the AB-900 exam.


Microsoft Purview Information Protection

Information Protection classifies and protects data.

DSPM benefits from these classifications.

For example:

A document labeled:

  • Highly Confidential
  • Internal Only
  • Financial
  • Legal

helps DSPM understand the sensitivity of AI-accessible content.

Without labels, DSPM has less context when evaluating risk.


Microsoft Purview Data Loss Prevention (DLP)

DLP prevents sensitive information from being shared inappropriately.

DSPM identifies potential risks.

DLP helps enforce policies to prevent those risks from becoming incidents.

Example workflow:

  1. DSPM discovers sensitive payroll files.
  2. DLP prevents external sharing.
  3. Organization reduces AI-related exposure.

Microsoft Purview Insider Risk Management

DSPM identifies risky data exposure.

Insider Risk Management identifies risky user behavior.

Together they help answer two different questions:

DSPM asks:

“What sensitive data could AI access?”

Insider Risk asks:

“Is someone attempting to misuse sensitive data?”

These products complement one another.


Microsoft Purview Activity Explorer

Activity Explorer provides visibility into user interactions with sensitive information.

DSPM can use Activity Explorer insights to better understand:

  • Sensitive file access
  • Label usage
  • DLP events
  • Data movement

Administrators gain a clearer understanding of how protected information is being used across Microsoft 365.


Microsoft Purview Compliance Manager

Compliance Manager focuses on regulatory compliance.

DSPM focuses on AI data governance.

Together they help organizations:

  • Reduce compliance risk
  • Improve governance
  • Meet regulatory requirements
  • Protect sensitive information used by AI

Microsoft Defender

Microsoft Defender protects identities, endpoints, applications, and cloud resources.

DSPM complements Defender by focusing specifically on AI-related data risks.

Examples:

Microsoft Defender detects:

  • Malware
  • Credential theft
  • Phishing
  • Device compromise

DSPM identifies:

  • Overshared files
  • AI exposure
  • Sensitive data visibility
  • Permission risks

AI Governance Dashboard

DSPM provides dashboards that help administrators understand their organization’s AI posture.

Typical dashboard information includes:

  • AI adoption trends
  • Sensitive data exposure
  • High-risk repositories
  • Oversharing statistics
  • AI application inventory
  • Policy recommendations
  • Governance posture

Rather than investigating individual files, administrators receive a broad organizational view.


Discovering AI Applications

DSPM helps organizations understand:

  • Which AI tools are in use
  • Which departments use them
  • Adoption trends
  • AI usage over time

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • Supported third-party AI services

This visibility helps organizations establish AI governance policies.


Investigating AI Risks

Administrators typically investigate findings by asking questions such as:

  • Which sensitive files are accessible?
  • Who has access?
  • Why do they have access?
  • Is the data properly labeled?
  • Are permissions appropriate?
  • Is the data externally shared?
  • Should additional protection be applied?

DSPM helps surface this information so administrators can make informed decisions.


Typical Investigation Workflow

A simplified investigation might follow these steps:

Step 1

DSPM identifies an overshared SharePoint site.

Step 2

Administrator reviews permissions.

Step 3

Sensitive files are discovered.

Step 4

Sensitivity labels are applied.

Step 5

Permissions are reduced.

Step 6

DLP policies are enabled.

Step 7

Risk is reduced before broader Copilot deployment.


Best Practices

Organizations implementing Microsoft 365 Copilot should follow several best practices.

Review Permissions Before AI Rollout

Avoid enabling Copilot before understanding existing permissions.


Classify Sensitive Data

Use Microsoft Purview Information Protection to classify important documents.


Apply Least Privilege

Users should only have access to information required for their job.


Reduce Oversharing

Review:

  • SharePoint permissions
  • Teams memberships
  • OneDrive sharing
  • External sharing

Enable DLP

Prevent accidental sharing of confidential information.


Monitor AI Adoption

Understand:

  • Who uses AI
  • Which departments use AI
  • What information AI accesses

Regularly Review Recommendations

DSPM continuously evaluates the environment.

Administrators should regularly review new recommendations as data, permissions, and AI usage evolve.


Licensing Considerations

For the AB-900 exam, you are not expected to memorize licensing details, as licensing can change over time.

However, you should understand these general principles:

  • DSPM for AI is part of the Microsoft Purview family.
  • Advanced governance and AI security capabilities may require appropriate Microsoft licensing.
  • Organizations should verify current licensing requirements before deployment.

Common Exam Scenarios

You may encounter questions like:

Scenario 1

An organization wants to know whether Microsoft 365 Copilot could expose confidential HR documents because of existing permissions.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 2

Administrators want recommendations to reduce AI-related data exposure before deploying Copilot.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 3

Security administrators want visibility into AI adoption across Microsoft 365.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 4

Administrators want to identify overshared SharePoint sites that AI could access.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 5

An organization wants to understand where sensitive information may be exposed through AI.

Relevant technology:

Microsoft Purview DSPM for AI


Common Misconceptions

Misconception 1

DSPM blocks AI prompts.

Incorrect.

DSPM primarily discovers, assesses, and helps reduce AI-related data risks. It is not a prompt-filtering or AI-blocking solution.


Misconception 2

Copilot ignores permissions.

Incorrect.

Copilot always respects the signed-in user’s existing Microsoft 365 permissions.


Misconception 3

DSPM replaces Microsoft Purview DLP.

Incorrect.

DSPM identifies risks, while DLP enforces policies that help prevent inappropriate sharing of sensitive data.


Misconception 4

DSPM replaces Microsoft Defender.

Incorrect.

Defender focuses on threats and attacks, whereas DSPM focuses on AI-related data exposure and governance.


Misconception 5

DSPM automatically fixes security issues.

Incorrect.

DSPM provides visibility, recommendations, and guidance. Administrators remain responsible for implementing changes such as adjusting permissions, applying labels, or configuring policies.


AB-900 Exam Tips

Focus on these key concepts:

  • Microsoft Purview DSPM for AI is an AI governance and visibility solution.
  • It helps organizations discover AI usage, identify sensitive data exposure, and reduce AI-related risks.
  • DSPM does not bypass or modify Microsoft 365 permissions.
  • It works alongside Information Protection, DLP, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • One of its primary goals is to identify oversharing before it becomes a business risk.
  • DSPM provides recommendations, not automatic remediation.
  • It supports organizations throughout the AI adoption lifecycle by helping them continuously improve their security posture.

Chapter Summary

Microsoft Purview DSPM for AI enables organizations to adopt AI confidently by providing visibility into how AI interacts with organizational data. It discovers AI usage, inventories AI applications, identifies oversharing, evaluates sensitive data exposure, and recommends actions to strengthen governance.

Rather than replacing existing Microsoft Purview or Microsoft Defender capabilities, DSPM for AI enhances them by adding AI-specific insights. It integrates with Information Protection, Data Loss Prevention, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender to create a comprehensive approach to AI governance.

For the AB-900 exam, remember that DSPM for AI is fundamentally about discovering, assessing, and managing AI-related data risks. It helps administrators understand where AI could expose sensitive information due to existing permissions and governance gaps, enabling organizations to improve their security posture before and during Microsoft 365 Copilot deployment.


Practice Exam Questions


Question 1

A company plans to deploy Microsoft 365 Copilot across all departments. Before deployment, administrators want to determine whether confidential documents are overly accessible due to existing SharePoint permissions.

Which Microsoft solution should they use?

A. Microsoft Entra Domain Services

B. Microsoft Defender for Endpoint

C. Microsoft Intune

D. Microsoft Purview Data Security Posture Management (DSPM) for AI

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI helps organizations discover overshared content, evaluate AI-related data exposure, and identify permission risks before deploying AI solutions such as Microsoft 365 Copilot.

  • D is correct because DSPM for AI analyzes permissions and identifies AI-related security risks.
  • A is incorrect because Entra Domain Services provides managed domain services rather than AI governance.
  • B is incorrect because Defender for Endpoint protects devices.
  • C is incorrect because Intune manages devices and applications.

Question 2

An administrator wants to understand which departments are actively using Microsoft 365 Copilot and other approved AI applications.

Which capability best addresses this requirement?

A. Microsoft Purview Information Protection

B. Microsoft Purview DSPM for AI

C. Microsoft Defender for Cloud Apps

D. Microsoft Entra Conditional Access

Correct Answer: B

Explanation

DSPM for AI provides visibility into AI adoption, AI application inventory, and usage trends across the organization.

  • B is correct because DSPM for AI discovers AI activity and AI adoption.
  • A classifies and protects data.
  • C monitors cloud applications but is not specifically designed for AI governance.
  • D controls authentication conditions.

Question 3

Which statement best describes how Microsoft 365 Copilot accesses organizational data?

A. It bypasses Microsoft 365 permissions when generating responses.

B. It can access all documents stored in Microsoft 365 regardless of permissions.

C. It only accesses content the signed-in user is already authorized to access.

D. It only accesses files created after Copilot was enabled.

Correct Answer: C

Explanation

Copilot respects existing Microsoft 365 permissions. It never bypasses authorization.

  • C is correct because Copilot only retrieves content the current user can already access.
  • A and B incorrectly imply that Copilot ignores permissions.
  • D is incorrect because file creation date is irrelevant.

Question 4

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Prevent all AI-generated responses

B. Replace Microsoft Defender

C. Automatically encrypt all Microsoft 365 data

D. Discover AI activity and identify AI-related data risks

Correct Answer: D

Explanation

DSPM for AI provides visibility into AI usage and helps identify governance and security risks.

  • D is correct because discovering AI activity and assessing AI-related risks are its primary objectives.
  • A, B, and C describe capabilities DSPM does not provide.

Question 5

An organization discovers that hundreds of employees can access executive financial reports because of inherited SharePoint permissions.

What type of risk has DSPM for AI identified?

A. Malware infection

B. Oversharing

C. Identity synchronization failure

D. Device compliance failure

Correct Answer: B

Explanation

Oversharing occurs when users have broader access to information than intended.

  • B is correct because excessive permissions increase AI-related exposure.
  • A, C, and D are unrelated to data governance.

Question 6

Which Microsoft technology provides much of the contextual relationship information that helps DSPM for AI understand user access to Microsoft 365 content?

A. Microsoft SQL Server

B. Microsoft Defender XDR

C. Microsoft Graph

D. Azure Kubernetes Service

Correct Answer: C

Explanation

Microsoft Graph provides relationships between users, files, emails, Teams, SharePoint, and other Microsoft 365 resources.

  • C is correct because DSPM uses Microsoft Graph signals to understand data access.
  • The remaining options do not provide organizational relationship data.

Question 7

Which Microsoft Purview solution works alongside DSPM for AI by preventing inappropriate sharing of sensitive information?

A. Microsoft Purview Data Loss Prevention (DLP)

B. Microsoft Entra ID Protection

C. Microsoft Intune

D. Windows Autopilot

Correct Answer: A

Explanation

DLP enforces policies that prevent sensitive information from being shared improperly.

  • A is correct because DLP complements DSPM by enforcing protection policies.
  • B, C, and D serve different purposes.

Question 8

An administrator wants recommendations for reducing AI-related security risks before expanding Microsoft 365 Copilot deployment.

What should they use?

A. Microsoft Defender Antivirus

B. Microsoft Purview DSPM for AI

C. Exchange Online Protection

D. Microsoft Entra Connect

Correct Answer: B

Explanation

DSPM for AI evaluates AI-related risks and recommends improvements such as reducing oversharing, improving data classification, and strengthening governance.

  • B is correct because providing security recommendations is one of its core capabilities.
  • The other products address different areas of Microsoft security.

Question 9

Which action would most effectively reduce AI-related data exposure identified by DSPM for AI?

A. Disable Microsoft Teams

B. Increase mailbox quotas

C. Review permissions and apply sensitivity labels to confidential data

D. Upgrade Windows devices

Correct Answer: C

Explanation

Reducing excessive permissions and properly classifying sensitive information significantly reduces AI-related exposure.

  • C is correct because both permission management and data classification are recommended remediation actions.
  • A, B, and D do not directly address AI governance.

Question 10

Which statement best summarizes Microsoft’s approach to AI governance with DSPM for AI?

A. DSPM automatically blocks all AI interactions involving confidential information.

B. DSPM replaces Microsoft Purview Information Protection.

C. DSPM eliminates the need for Microsoft Defender.

D. DSPM provides visibility, identifies risks, and recommends actions that help organizations securely adopt AI.

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI is designed to improve organizational AI security posture by discovering AI usage, identifying risks, and recommending governance improvements.

  • D is correct because it accurately reflects the purpose of DSPM for AI.
  • A is incorrect because DSPM is primarily a discovery and governance solution rather than an AI-blocking mechanism.
  • B is incorrect because Information Protection remains responsible for classifying and protecting data.
  • C is incorrect because Microsoft Defender continues to provide threat protection and complements DSPM for AI rather than being replaced by it.

Key Takeaways for the AB-900 Exam

After studying this topic, you should be able to:

  • Explain the purpose of Microsoft Purview DSPM for AI.
  • Describe how DSPM for AI helps organizations discover and govern AI activity.
  • Understand that Microsoft 365 Copilot always respects existing user permissions.
  • Explain the concept of oversharing and why it is a significant AI-related risk.
  • Describe how Microsoft Graph provides context that enables DSPM for AI to evaluate data access.
  • Identify how DSPM for AI integrates with Microsoft Purview Information Protection, Data Loss Prevention (DLP), Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • Recognize that DSPM for AI provides visibility, risk assessment, and recommendations, but administrators remain responsible for implementing remediation actions.
  • Apply DSPM for AI concepts to common AB-900 scenario-based questions involving Microsoft 365 Copilot deployments and AI governance.

These concepts form an important part of the “Identify data protection and governance risks for Microsoft 365 and Copilot” objective and are frequently tested through scenario-based questions that assess your understanding of secure AI adoption and governance.



Discover and Manage AI activity by using DSPM for AI (Part 1) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Discover and Manage AI activity by using DSPM for AI



Introduction

As organizations increasingly adopt AI-powered tools such as Microsoft 365 Copilot, administrators face a new challenge: understanding how AI accesses, processes, and exposes organizational data. Traditional security tools focus on protecting users, devices, and data, but AI introduces new considerations. AI assistants can summarize documents, answer questions, generate reports, and analyze data from across an organization’s Microsoft 365 environment. If permissions are overly broad or sensitive information is poorly governed, AI can unintentionally surface information to users who already have access but should not necessarily see it in a summarized or easily discoverable form.

To address these challenges, Microsoft introduced Microsoft Purview Data Security Posture Management (DSPM) for AI, a solution designed to help organizations discover AI usage, identify potential security risks, understand data exposure, and strengthen governance before and during AI adoption.

For the AB-900 exam, you are not expected to configure DSPM for AI. Instead, you should understand:

  • What DSPM for AI is
  • Why organizations use it
  • How it discovers AI activity
  • How it helps identify risks
  • How it integrates with Microsoft Purview
  • The types of recommendations it provides

What Is Microsoft Purview DSPM for AI?

Microsoft Purview DSPM for AI is a governance and security solution that provides visibility into how artificial intelligence applications interact with organizational data.

Rather than preventing AI usage, DSPM for AI helps administrators answer important questions such as:

  • Which AI applications are employees using?
  • What sensitive information is being accessed?
  • Are AI tools exposing confidential content?
  • Are permissions overly broad?
  • Are Microsoft 365 Copilot users accessing highly sensitive data?
  • Where should security controls be strengthened?

Think of DSPM for AI as a risk discovery and governance solution specifically designed for AI workloads.


What Does “Data Security Posture Management” Mean?

The term Data Security Posture Management (DSPM) refers to continuously evaluating an organization’s data environment to identify security weaknesses before they become incidents.

DSPM focuses on questions such as:

  • Where is sensitive data stored?
  • Who has access?
  • Is the data properly classified?
  • Are security policies protecting it?
  • Could AI expose it more easily?

When AI is introduced, DSPM expands these questions to include:

  • Which AI tools are interacting with company data?
  • Which users are using AI?
  • What content is AI accessing?
  • Could AI reveal confidential information?
  • Are there oversharing risks?

Rather than reacting after a breach occurs, DSPM promotes proactive risk management.


Why Organizations Need DSPM for AI

Many organizations begin using AI before fully understanding their existing data environment.

Common issues include:

  • Excessive file permissions
  • Sensitive documents shared too broadly
  • Unlabeled confidential data
  • Legacy SharePoint permissions
  • Public Teams channels
  • Old collaboration sites
  • Inactive security policies

Without visibility into these issues, AI may legitimately retrieve information based on existing permissions, even though administrators were unaware those permissions existed.

DSPM for AI helps organizations discover these weaknesses before they become security problems.


Core Capabilities of DSPM for AI

Microsoft Purview DSPM for AI provides several major capabilities.

1. Discover AI Usage

DSPM identifies where AI is being used throughout the organization.

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • AI-enabled Microsoft services
  • Supported third-party AI applications

Administrators gain visibility into:

  • AI adoption
  • AI usage trends
  • Departments using AI
  • Types of AI interactions

This helps organizations understand how quickly AI is being adopted.


2. Discover Sensitive Data Exposure

DSPM evaluates whether AI has access to sensitive organizational data.

Examples include:

  • Financial reports
  • HR records
  • Customer information
  • Legal documents
  • Intellectual property
  • Healthcare information
  • Personally identifiable information (PII)

The solution identifies locations where sensitive information may be accessible through AI.


3. Identify Oversharing Risks

One of the most important concepts for the AB-900 exam is oversharing.

Oversharing occurs when users have legitimate permissions to data that administrators did not intend them to have.

For example:

  • A confidential SharePoint library inherits incorrect permissions.
  • Hundreds of employees can read executive documents.
  • Microsoft 365 Copilot can summarize those documents for anyone with existing access.

The problem is not Copilot.

The problem is the underlying permissions.

DSPM helps identify these situations.
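The inheritance problem described above can be modeled offline. The following is an added example, not code from the original page or from Microsoft Purview; the site tree, group names, label names and the 25-user threshold are constructed assumptions. It resolves each labeled item's effective permissions and reports where the broad grant is actually defined, which is where an administrator would correct it.

```python
"""Added illustration (constructed data): sensitive items with an overly broad effective audience."""
from dataclasses import dataclass, field

# Constructed directory: group name -> member user IDs.
GROUPS = {
    "Finance": {f"fin{i}" for i in range(12)},
    "All Employees": {f"emp{i}" for i in range(400)},
}
BROAD_GROUPS = {"All Employees"}  # assumption: groups treated as org-wide
MAX_AUDIENCE = 25                 # assumption: review threshold for sensitive items
SENSITIVE = {"Confidential", "Highly Confidential"}  # assumption: label names

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    grants: "set | None" = None   # None means permissions are inherited
    label: "str | None" = None    # sensitivity label, if one was applied
    children: list = field(default_factory=list)

    def add(self, name, grants=None, label=None):
        child = Node(name, self, grants, label)
        self.children.append(child)
        return child

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

def effective_grants(node):
    """Return (node where the grant is defined, principals granted access)."""
    while node.grants is None and node.parent is not None:
        node = node.parent
    return node, node.grants or set()

def audience(grants):
    """Expand groups into the set of individual users who can read the item."""
    users = set()
    for principal in grants:
        users |= GROUPS.get(principal, {principal})  # unknown name = single user
    return users

def find_oversharing(root):
    """Flag sensitive items readable by an org-wide group or too many users."""
    findings, stack = [], [root]
    while stack:
        node = stack.pop()
        stack.extend(node.children)
        if node.label not in SENSITIVE:
            continue
        source, grants = effective_grants(node)
        size, broad = len(audience(grants)), sorted(grants & BROAD_GROUPS)
        if broad or size > MAX_AUDIENCE:
            findings.append({"item": node.path(), "audience": size, "broad_groups": broad,
                             "granted_at": source.path(), "inherited": source is not node})
    return sorted(findings, key=lambda f: f["item"])

def build_sample():
    """Constructed site: a legacy site-wide grant that one library never overrode."""
    site = Node("ExecSite", grants={"All Employees"})
    board = site.add("BoardDocs")                       # inherits the site grant
    board.add("Q3-forecast.xlsx", label="Highly Confidential")
    payroll = site.add("Payroll", grants={"Finance"})   # inheritance broken on purpose
    payroll.add("salaries.xlsx", label="Confidential")
    site.add("Newsletter.docx", label="General")
    return site

if __name__ == "__main__":
    for finding in find_oversharing(build_sample()):
        print(finding)
```

Only the forecast file is flagged, and `granted_at` points at the site root rather than the file, matching the point that the fix belongs in the underlying permissions.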


4. Inventory AI Applications

Organizations often have many AI applications in use.

DSPM helps administrators discover:

  • Approved AI tools
  • Newly adopted AI tools
  • Shadow AI applications
  • AI usage across departments

This visibility supports governance decisions.


5. Monitor AI Interactions

DSPM can provide insights into how AI interacts with organizational content.

Examples include:

  • Documents accessed
  • Sensitive data locations
  • AI usage frequency
  • Common AI workflows
  • Business units using AI

Administrators gain a better understanding of AI usage patterns without reading users’ private prompts or monitoring employee productivity.


How DSPM for AI Discovers AI Activity

DSPM analyzes signals across Microsoft 365 services to understand AI usage.

These signals may include:

  • User activity
  • Data access
  • File classifications
  • Permissions
  • Labels
  • Microsoft Graph relationships
  • Microsoft Purview metadata

Rather than simply counting AI prompts, DSPM builds a broader picture of how AI interacts with organizational data.


Microsoft Graph’s Role

One important concept for the AB-900 exam is understanding the relationship between Microsoft Graph and DSPM.

Microsoft Graph acts as the intelligence layer connecting Microsoft 365 services.

DSPM uses Microsoft Graph signals to understand:

  • Which files users can access
  • Collaboration relationships
  • SharePoint permissions
  • Teams memberships
  • OneDrive access
  • Email relationships
  • Microsoft 365 activity

This allows DSPM to identify situations where AI could expose sensitive information because users already possess excessive permissions.


Data Sources Evaluated by DSPM

DSPM evaluates multiple Microsoft 365 services.

Examples include:

SharePoint Online

  • Sensitive document libraries
  • Overshared sites
  • Confidential folders
  • File permissions

OneDrive

  • Shared personal files
  • External sharing
  • Sensitive documents
  • Personal work data

Microsoft Teams

  • Shared files
  • Team memberships
  • Collaboration spaces
  • Shared conversations

Exchange Online

  • Email data
  • Mailbox access
  • Shared mailboxes
  • Sensitive communications

Microsoft 365 Copilot

DSPM evaluates how Copilot interacts with organizational data by examining:

  • Available permissions
  • Data sources
  • Sensitive information exposure
  • Governance controls

Types of Risks DSPM Can Identify

DSPM helps identify a variety of AI-related risks.

Overshared Content

Examples include:

  • Everyone can access HR documents.
  • Finance reports are visible to the entire company.
  • Sensitive SharePoint sites inherit incorrect permissions.

Sensitive Information Exposure

Examples include:

  • Credit card numbers
  • Passport numbers
  • Social Security numbers
  • Customer records
  • Healthcare data
  • Intellectual property

Excessive Permissions

Users frequently accumulate permissions over time.

DSPM identifies situations where users have access to more information than necessary.

This supports the principle of least privilege.


Unclassified Sensitive Data

Organizations often possess sensitive information that has never been classified.

DSPM can identify repositories containing:

  • Unlabeled confidential documents
  • Sensitive spreadsheets
  • Legal contracts
  • Financial reports

This allows administrators to apply Microsoft Purview Information Protection labels.


Shadow AI

Shadow AI refers to employees using AI tools that have not been approved by the organization.

Examples might include:

  • Public AI chat services
  • AI writing assistants
  • AI coding assistants
  • AI document summarizers

DSPM helps organizations understand where unmanaged AI usage exists so appropriate governance decisions can be made.


Key Exam Tips

For the AB-900 exam, remember these important points:

  • DSPM for AI is primarily a visibility and governance solution, not an AI blocking solution.
  • It helps organizations discover, understand, and reduce AI-related risks.
  • It identifies oversharing, sensitive data exposure, and permission issues.
  • DSPM works closely with other Microsoft Purview solutions to improve an organization’s overall AI security posture.
  • Microsoft Graph provides much of the contextual information that enables DSPM to evaluate AI data access and potential risks.
  • The goal is not to restrict productive AI use, but to ensure that AI operates within an organization’s existing security, compliance, and governance framework.
