Category: AI Security

Understand how Copilot uses permissions and other controls in Microsoft 365, Microsoft Purview, and Microsoft Defender to protect against risks (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand data security implications of Copilot
      --> Understand how Copilot uses permissions and other controls in Microsoft 365, Microsoft Purview, and Microsoft Defender to protect against risks


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most important security concepts for the AB-900 exam is understanding how Microsoft 365 Copilot protects organizational data. Because Copilot can access and summarize information from across Microsoft 365, organizations must ensure that sensitive information remains protected and that users only receive information they are authorized to access.

Microsoft 365 Copilot does not operate independently of an organization’s security framework. Instead, it inherits and respects the security, compliance, governance, and protection controls already configured in Microsoft 365. These controls come primarily from:

  • Microsoft 365 permissions
  • Microsoft Entra ID
  • Microsoft Purview
  • Microsoft Defender
  • SharePoint and OneDrive security
  • Teams security controls

Together, these technologies ensure that Copilot delivers useful responses while minimizing the risk of unauthorized access, data leakage, compliance violations, and insider threats.


The Security Foundation of Copilot

Microsoft 365 Copilot is built on three key principles:

  1. Access only authorized data
  2. Respect existing security controls
  3. Apply compliance and governance policies automatically

Copilot does not create new permissions.

Instead, it uses the permissions already assigned to users and resources throughout Microsoft 365.

This means that if a user cannot access a file directly, they also cannot access that file through Copilot.


Permission Trimming: The Core Security Mechanism

The most important security concept related to Copilot is permission trimming.

Permission trimming ensures that Copilot only retrieves information the user is authorized to access.

When a user submits a prompt:

  1. Microsoft Graph searches organizational data.
  2. Existing permissions are evaluated.
  3. Unauthorized content is excluded.
  4. Only authorized information is sent to the large language model.

For example:

  • HR files are accessible only to HR employees.
  • Finance reports are accessible only to finance personnel.
  • Confidential legal documents remain restricted to legal teams.

If another employee asks Copilot about those documents, the information is not included in the response.


How Microsoft 365 Permissions Protect Data

Microsoft 365 permissions form the first layer of Copilot security.

Permissions are inherited from services such as:

  • SharePoint Online
  • OneDrive for Business
  • Microsoft Teams
  • Exchange Online
  • Microsoft Loop

Examples include:

SharePoint Permissions

Users can only access sites, libraries, folders, and files for which they have permissions.

OneDrive Permissions

Users can access their own files and content explicitly shared with them.

Teams Permissions

Copilot respects team membership and channel access.

Exchange Permissions

Emails and calendar data are only available to authorized users.

Because Copilot uses Microsoft Graph, these permissions are automatically enforced.


Role of Microsoft Entra ID

Microsoft Entra ID provides identity and access management for Microsoft 365.

Copilot relies on Entra ID to verify:

  • User identity
  • Group membership
  • Role assignments
  • Conditional Access policies
  • Authentication status

Entra ID ensures that only authenticated and authorized users can access Microsoft 365 resources.

Examples

A Conditional Access policy may require:

  • Multifactor authentication (MFA)
  • Compliant devices
  • Approved locations

If requirements are not met, users may be blocked from accessing Microsoft 365 resources and Copilot.


How Microsoft Purview Protects Data Used by Copilot

Microsoft Purview provides compliance, governance, and data protection controls.

Because Copilot works with organizational content, Purview protections automatically apply to data used by Copilot.


Sensitivity Labels

Sensitivity labels classify and protect content.

Common labels include:

  • Public
  • General
  • Confidential
  • Highly Confidential

Labels can enforce:

  • Encryption
  • Access restrictions
  • Watermarking
  • Content markings

If a document is protected by a sensitivity label, Copilot respects those protections.


Data Loss Prevention (DLP)

DLP policies help prevent sensitive information from being exposed.

Examples include:

  • Credit card numbers
  • Social Security numbers
  • Healthcare records
  • Financial information

DLP policies can:

  • Detect sensitive data
  • Block sharing
  • Generate alerts
  • Notify administrators

Copilot interactions remain subject to DLP protections.


Data Classification

Microsoft Purview can automatically classify content based on:

  • Sensitive information types
  • Trainable classifiers
  • Custom classifications

This classification helps organizations understand what information exists and where risks may be present.


Retention Policies

Retention policies ensure information is retained or deleted according to organizational requirements.

Copilot only works with content that remains available within Microsoft 365 according to retention settings.


Data Security Posture Management (DSPM) for AI

DSPM for AI helps organizations identify and reduce AI-related risks.

DSPM can:

  • Discover overshared content
  • Identify risky permissions
  • Detect exposure of sensitive data
  • Recommend remediation actions

This is especially important because Copilot may reveal risks that already exist due to improper permissions.


How Microsoft Defender Protects Copilot Environments

Microsoft Defender provides threat detection, prevention, and response capabilities.

Defender helps protect both the data Copilot accesses and the users interacting with Copilot.


Microsoft Defender XDR

Microsoft Defender XDR provides:

  • Cross-domain threat detection
  • Incident correlation
  • Security investigation
  • Automated response

It helps security teams identify attacks that may affect Copilot-accessible data.


Identity Protection

Microsoft Defender and Entra ID can detect:

  • Risky sign-ins
  • Credential theft
  • Impossible travel events
  • Suspicious account activity

Compromised identities can be blocked before attackers access Copilot.


Endpoint Protection

Microsoft Defender for Endpoint protects devices used to access Copilot.

It helps detect:

  • Malware
  • Ransomware
  • Unauthorized access attempts
  • Device compromise

Threat Intelligence

Microsoft Defender uses global threat intelligence to identify:

  • Known malicious actors
  • Emerging threats
  • Attack techniques

This helps reduce the likelihood that attackers gain access to sensitive organizational information.


Oversharing Risks and Copilot

Copilot does not create oversharing problems.

However, it can expose existing oversharing issues more efficiently.

For example:

If a confidential SharePoint folder has accidentally been shared with all employees:

  • Employees may not discover the folder manually.
  • Copilot may locate relevant content and summarize it.

Because of this, organizations should regularly review:

  • File permissions
  • Site permissions
  • Group memberships
  • Sharing settings

DSPM for AI helps identify these risks.


Security Controls Working Together

The protection of Copilot data relies on multiple layers:

Security LayerPurpose
Microsoft Entra IDIdentity verification and access control
Conditional AccessRestrict access based on risk and conditions
Microsoft 365 PermissionsControl resource access
Microsoft GraphApplies permission trimming
Microsoft PurviewGovernance, compliance, and data protection
Microsoft DefenderThreat detection and response
DSPM for AIAI-specific risk identification

These controls work together to create a secure AI environment.


Key Exam Tips

For the AB-900 exam, remember the following:

  • Copilot does not bypass existing permissions.
  • Permission trimming ensures users only see authorized content.
  • Microsoft Graph enforces access controls during data retrieval.
  • Microsoft Entra ID provides identity and access management.
  • Conditional Access can restrict Copilot access based on organizational policies.
  • Microsoft Purview protects data through sensitivity labels, DLP, classification, retention, and DSPM for AI.
  • Microsoft Defender protects identities, endpoints, and organizational resources from threats.
  • Copilot may reveal existing oversharing risks but does not create them.
  • DSPM for AI helps organizations identify and remediate AI-related data exposure risks.

Practice Exam Questions

Question 1

What security mechanism ensures that Copilot only retrieves information a user is authorized to access?

A. Endpoint isolation
B. Data retention
C. Data replication
D. Permission trimming

Answer: D

Explanation: Permission trimming evaluates a user’s permissions and excludes unauthorized content from Copilot responses.


Question 2

A user asks Copilot about a confidential HR document they do not have permission to view. What will happen?

A. Copilot summarizes the document anyway
B. Copilot requests administrator approval automatically
C. The document is excluded from the response due to permission trimming
D. The document is copied into the user’s OneDrive

Answer: C

Explanation: Copilot respects existing permissions and cannot retrieve content users are not authorized to access.


Question 3

Which Microsoft service provides the identity platform that Copilot relies on for authentication and authorization?

A. Microsoft Defender XDR
B. Microsoft Entra ID
C. Microsoft Purview Insider Risk Management
D. Microsoft Intune

Answer: B

Explanation: Microsoft Entra ID manages identities, authentication, authorization, and access controls for Microsoft 365 services.


Question 4

Which Microsoft Purview capability helps prevent sensitive information such as credit card numbers from being improperly shared?

A. Retention policies
B. Conditional Access
C. Privileged Identity Management
D. Data Loss Prevention (DLP)

Answer: D

Explanation: DLP policies detect and protect sensitive information by blocking or monitoring risky sharing activities.


Question 5

What is the primary purpose of sensitivity labels in Microsoft Purview?

A. Manage operating system updates
B. Monitor network performance
C. Classify and protect content based on sensitivity levels
D. Create backup copies of documents

Answer: C

Explanation: Sensitivity labels classify content and can apply protections such as encryption and access restrictions.


Question 6

Which Microsoft Purview solution helps organizations discover overshared content that may present AI-related risks?

A. Data Security Posture Management (DSPM) for AI
B. Microsoft Planner
C. Exchange Online Protection
D. Windows Defender Firewall

Answer: A

Explanation: DSPM for AI identifies sensitive data exposure risks and recommends remediation actions.


Question 7

How does Microsoft Defender help protect environments that use Copilot?

A. By creating user accounts automatically
B. By replacing Microsoft Entra ID permissions
C. By detecting threats, compromised identities, and suspicious activities
D. By bypassing DLP policies

Answer: C

Explanation: Microsoft Defender provides threat detection, investigation, and response capabilities that protect organizational resources.


Question 8

Which statement best describes the relationship between Copilot and oversharing?

A. Copilot automatically fixes overshared content
B. Copilot creates oversharing by default
C. Copilot ignores shared permissions entirely
D. Copilot may reveal existing oversharing issues because it can efficiently locate accessible content

Answer: D

Explanation: Copilot does not create oversharing problems but can make improperly shared content easier to discover.


Question 9

Which security control can require multifactor authentication before a user accesses Microsoft 365 resources and Copilot?

A. SharePoint version history
B. Conditional Access
C. Retention labels
D. Exchange journaling

Answer: B

Explanation: Conditional Access policies can require MFA, compliant devices, or other conditions before granting access.


Question 10

Which statement about Copilot security is correct?

A. Copilot has unrestricted access to all tenant data.
B. Copilot ignores Microsoft Purview protections.
C. Copilot only follows Microsoft Defender policies.
D. Copilot inherits existing Microsoft 365 permissions and compliance controls.

Answer: D

Explanation: Copilot respects permissions, security settings, compliance policies, and governance controls already configured within Microsoft 365.


Go to the AB-900 Exam Prep Hub main page

Understand how Copilot accesses data (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand data security implications of Copilot
      --> Understand how Copilot accesses data


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most important concepts for the AB-900 exam is understanding how Microsoft 365 Copilot accesses and uses organizational data. Many organizations are excited about the productivity benefits of Copilot but also want assurance that sensitive information remains protected.

Microsoft 365 Copilot is designed to work within an organization’s existing Microsoft 365 security, compliance, identity, and permission boundaries. Rather than creating a separate copy of organizational data, Copilot accesses information that users already have permission to access.

Understanding how Copilot retrieves, processes, and presents data is critical for administrators responsible for security, governance, and compliance.


What Is Microsoft 365 Copilot?

Microsoft 365 Copilot is an AI-powered assistant that combines:

  • Large Language Models (LLMs)
  • Microsoft Graph
  • Microsoft 365 applications
  • Organizational data

Copilot helps users:

  • Draft documents
  • Summarize meetings
  • Analyze data
  • Generate presentations
  • Answer questions
  • Perform business tasks more efficiently

The intelligence of Copilot comes from combining AI reasoning with an organization’s business data.


The Three Main Components of Copilot Data Access

Microsoft 365 Copilot relies on three major components:

Large Language Models (LLMs)

LLMs provide:

  • Natural language understanding
  • Reasoning capabilities
  • Content generation
  • Summarization

The LLM interprets the user’s prompt and generates responses.


Microsoft Graph

Microsoft Graph serves as the bridge between Copilot and organizational data.

Microsoft Graph connects to resources such as:

  • Emails
  • Calendars
  • Teams chats
  • Teams meetings
  • SharePoint documents
  • OneDrive files
  • Contacts
  • Tasks

Graph provides context that allows Copilot to generate relevant and personalized responses.


Microsoft 365 Data

Copilot accesses information stored within Microsoft 365 services.

Examples include:

  • Exchange Online mailboxes
  • SharePoint sites
  • OneDrive content
  • Teams conversations
  • Meeting transcripts
  • Microsoft Loop content

This organizational content provides the business context used to answer user requests.


How Copilot Processes a User Request

When a user submits a prompt, several steps occur.

Step 1: User Enters a Prompt

Example:

“Summarize the latest project updates from my team.”


Step 2: Copilot Interprets the Request

The LLM analyzes:

  • User intent
  • Context
  • Required information

Step 3: Microsoft Graph Retrieves Relevant Data

Microsoft Graph searches content the user is authorized to access.

Potential sources include:

  • Emails
  • Documents
  • Teams messages
  • Meeting notes

Step 4: Security Permissions Are Checked

Before data is returned:

  • Existing permissions are evaluated
  • Access controls are enforced
  • Security boundaries remain intact

If a user cannot access content directly, Copilot cannot use it in a response.


Step 5: Response Generation

The LLM combines:

  • User prompt
  • Retrieved business data
  • Organizational context

A response is generated and returned to the user.


Copilot Respects Existing Permissions

One of the most important exam concepts is:

Copilot Does Not Grant Additional Access

Copilot only accesses information a user already has permission to access.

For example:

  • If User A can view a SharePoint document, Copilot may use that document.
  • If User B cannot view the document, Copilot cannot expose it.

Copilot does not bypass:

  • SharePoint permissions
  • OneDrive permissions
  • Teams permissions
  • Microsoft 365 security controls

A common Microsoft phrase is:

“Copilot honors existing permissions.”


Role of Microsoft Graph

Microsoft Graph is central to Copilot’s operation.

Microsoft Graph:

  • Connects Microsoft 365 services
  • Provides contextual information
  • Retrieves relevant content
  • Applies user permissions

Without Microsoft Graph, Copilot would not have access to organizational context.

Think of Microsoft Graph as the intelligence layer that helps Copilot locate relevant business information.


Grounding

A key Copilot concept is grounding.

Grounding means enriching AI responses with organizational data retrieved through Microsoft Graph.

Without grounding:

  • Responses are based primarily on general AI knowledge.

With grounding:

  • Responses include organization-specific information.

Example:

A user asks:

“What decisions were made during yesterday’s budget meeting?”

Copilot can retrieve:

  • Meeting transcripts
  • Notes
  • Shared documents

The response is grounded in actual organizational content.


Data Sources Used by Copilot

Common Microsoft 365 data sources include:

Exchange Online

Provides:

  • Emails
  • Calendars
  • Contacts

SharePoint Online

Provides:

  • Team documents
  • Knowledge repositories
  • Project files

OneDrive

Provides:

  • Personal work files
  • User-owned documents

Microsoft Teams

Provides:

  • Chat messages
  • Meeting transcripts
  • Channel conversations
  • Shared files

Microsoft Loop

Provides:

  • Collaborative workspaces
  • Shared project information

Security Boundaries and Data Access

Copilot operates within existing Microsoft 365 security boundaries.

These include:

  • User permissions
  • Group memberships
  • SharePoint access controls
  • Teams membership
  • Sensitivity labels
  • Conditional Access policies

Security controls continue to function exactly as they would without Copilot.


Copilot and Sensitivity Labels

Sensitivity labels remain effective when Copilot accesses content.

If a document is protected with a sensitivity label:

  • Existing protections remain in place.
  • Access restrictions continue to apply.
  • Users without permission cannot access protected information through Copilot.

This helps maintain compliance and data security.


Copilot and Data Loss Prevention (DLP)

Microsoft Purview DLP policies continue to protect data.

DLP can help:

  • Detect sensitive information
  • Restrict inappropriate sharing
  • Prevent data leakage

Copilot operates within these governance controls.


Copilot and Retention Policies

Retention settings remain active for Copilot-accessed content.

If content:

  • Is retained, Copilot may use it if the user has access.
  • Has been deleted according to retention policies, it generally becomes unavailable for Copilot use.

Organizations should understand that Copilot relies on content already stored in Microsoft 365.


Copilot and Identity Management

Microsoft Entra ID plays a critical role in determining what data Copilot can access.

Entra ID provides:

  • Authentication
  • Authorization
  • User identity verification
  • Access control enforcement

Every Copilot interaction is tied to an authenticated user identity.


Why Permission Management Matters

Because Copilot honors existing permissions, organizations should regularly review:

  • Excessive access rights
  • Oversharing
  • Legacy permissions
  • Inactive accounts
  • SharePoint permissions
  • Teams memberships

Poor permission management can expose information through both traditional access methods and Copilot.

Many organizations conduct permission reviews before deploying Microsoft 365 Copilot.


Data Privacy and Copilot

Microsoft states that organizational prompts, responses, and data used by Microsoft 365 Copilot:

  • Stay within the Microsoft 365 service boundary
  • Are protected by existing Microsoft 365 compliance controls
  • Are not used to train foundation models for other customers

This helps organizations maintain privacy and regulatory compliance.


Common Misconceptions

Misconception 1: Copilot Can See Everything

False.

Copilot only accesses data the current user is authorized to access.


Misconception 2: Copilot Creates New Security Risks by Itself

Not exactly.

Copilot exposes existing permission issues more visibly, but it does not bypass security controls.


Misconception 3: Copilot Stores Separate Copies of All Data

False.

Copilot primarily retrieves information from existing Microsoft 365 sources through Microsoft Graph.


Misconception 4: Copilot Ignores Compliance Controls

False.

Copilot respects:

  • Permissions
  • Sensitivity labels
  • DLP policies
  • Retention policies
  • Identity controls

Key Exam Takeaways

For the AB-900 exam, remember the following:

  • Microsoft 365 Copilot combines LLMs, Microsoft Graph, and Microsoft 365 data.
  • Microsoft Graph retrieves organizational information used to ground responses.
  • Copilot only accesses data a user is authorized to access.
  • Copilot honors existing permissions and access controls.
  • Authentication and authorization are enforced through Microsoft Entra ID.
  • SharePoint, OneDrive, Exchange, Teams, and other Microsoft 365 services provide Copilot’s data sources.
  • Sensitivity labels, DLP policies, and retention policies continue to apply.
  • Copilot does not bypass security boundaries.
  • Permission management is critical for successful Copilot deployments.
  • Grounding improves response quality by incorporating organizational data.

Practice Exam Questions

Question 1

What component connects Microsoft 365 Copilot to organizational data stored across Microsoft 365 services?

A. Microsoft Graph
B. Microsoft Defender XDR
C. Microsoft Intune
D. Azure Virtual Network

Answer: A

Explanation: Microsoft Graph retrieves organizational data and provides context that Copilot uses to generate responses.


Question 2

A user asks Copilot to summarize a document stored in SharePoint. What determines whether Copilot can access the document?

A. The user’s existing permissions to the document
B. Whether the document is larger than 100 MB
C. Whether Microsoft Defender is enabled
D. Whether the document was created in Word

Answer: A

Explanation: Copilot honors existing permissions and can only access content the user is already authorized to view.


Question 3

Which Microsoft 365 service is commonly used as a source of files that Copilot can reference?

A. Active Directory Domain Services
B. Hyper-V
C. SharePoint Online
D. DNS Manager

Answer: C

Explanation: SharePoint Online is a major repository for organizational documents and content accessed by Copilot.


Question 4

What is the purpose of grounding in Microsoft 365 Copilot?

A. Encrypting prompts before submission
B. Backing up user data automatically
C. Monitoring administrator activity
D. Enhancing AI responses with organizational data

Answer: D

Explanation: Grounding enriches AI-generated responses with relevant organizational information retrieved through Microsoft Graph.


Question 5

Which statement best describes how Copilot handles security permissions?

A. It grants temporary access to protected documents.
B. It bypasses SharePoint permissions when necessary.
C. It honors existing Microsoft 365 permissions.
D. It automatically makes all team content available.

Answer: C

Explanation: Copilot respects existing permissions and does not provide access to content users cannot already access.


Question 6

Which Microsoft service provides authentication and authorization for Copilot users?

A. Microsoft Entra ID
B. Microsoft Defender for Endpoint
C. Microsoft Purview Data Map
D. Microsoft Fabric

Answer: A

Explanation: Microsoft Entra ID authenticates users and enforces authorization decisions that determine accessible content.


Question 7

A company applies sensitivity labels to confidential documents. How does Copilot interact with those documents?

A. Copilot removes the labels before processing.
B. Copilot ignores label protections.
C. Copilot can share the documents with any employee.
D. Copilot continues to respect the protections enforced by the labels.

Answer: D

Explanation: Sensitivity labels remain effective and continue governing access to protected content.


Question 8

Which Microsoft 365 workload can provide meeting transcripts that Copilot may use when generating responses?

A. Microsoft Teams
B. Microsoft Project Server
C. Windows Server
D. Microsoft Endpoint Configuration Manager

Answer: A

Explanation: Teams meeting transcripts are one of the organizational data sources that Copilot can use when users have access.


Question 9

What happens when a user asks Copilot about information stored in a file they do not have permission to access?

A. Copilot grants temporary access.
B. Copilot can still summarize the file.
C. Copilot cannot access or expose the file’s contents.
D. Copilot sends an approval request automatically.

Answer: C

Explanation: Copilot enforces existing access controls and cannot retrieve information from content the user is not authorized to access.


Question 10

Why do organizations often review permissions before deploying Microsoft 365 Copilot?

A. Copilot requires every file to be reuploaded.
B. Overshared content may become more discoverable through AI-assisted interactions.
C. Copilot disables SharePoint security.
D. Microsoft Graph cannot function without permission reviews.

Answer: B

Explanation: Because Copilot honors existing permissions, organizations often review and reduce oversharing to ensure users only have access to appropriate information.


Go to the AB-900 Exam Prep Hub main page

Understand features and capabilities of Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention (DLP), Microsoft Purview Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Data Security Posture Management (DSPM) for AI, and Microsoft Purview Data Lifecycle Management (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Understand features and capabilities of Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention (DLP), Microsoft Purview Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Data Security Posture Management (DSPM) for AI, and Microsoft Purview Data Lifecycle Management


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As organizations adopt Microsoft 365, Copilot, and AI-powered solutions, protecting sensitive information becomes increasingly important. Microsoft provides a unified compliance and governance platform called Microsoft Purview.

Microsoft Purview helps organizations:

  • Protect sensitive information.
  • Prevent accidental or intentional data loss.
  • Manage records and retention.
  • Detect insider risks.
  • Monitor communications.
  • Strengthen AI data governance.
  • Meet regulatory and compliance requirements.

For the AB-900 exam, you should understand the purpose and capabilities of the major Microsoft Purview solutions rather than detailed implementation steps.


What Is Microsoft Purview?

Microsoft Purview is Microsoft’s unified data governance, compliance, and risk management platform.

Purview enables organizations to:

  • Discover and classify data.
  • Protect sensitive information.
  • Govern information throughout its lifecycle.
  • Reduce insider threats.
  • Monitor AI-related risks.
  • Meet legal and regulatory obligations.

Purview works across:

  • Microsoft 365
  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Teams
  • Microsoft Copilot
  • Power Platform
  • Endpoint devices
  • Third-party cloud services

Microsoft Purview Information Protection

Purpose

Microsoft Purview Information Protection (MIP) helps organizations classify and protect sensitive information.

It enables organizations to:

  • Identify sensitive data.
  • Apply sensitivity labels.
  • Encrypt content.
  • Control sharing permissions.
  • Track and monitor protected content.

Sensitivity Labels

Sensitivity labels classify content based on its importance.

Examples:

  • Public
  • General
  • Confidential
  • Highly Confidential

Labels can be applied to:

  • Emails
  • Word documents
  • Excel files
  • PowerPoint presentations
  • SharePoint sites
  • Teams
  • Microsoft 365 Groups

Protection Actions

Sensitivity labels can:

Encrypt Data

Only authorized users can open content.

Restrict Access

Prevent forwarding, printing, or copying.

Apply Visual Markings

Add:

  • Headers
  • Footers
  • Watermarks

Protect Copilot Data

Copilot respects existing permissions and sensitivity labels.


Benefits

Information Protection helps organizations:

  • Reduce accidental exposure.
  • Meet compliance requirements.
  • Maintain consistent classification.
  • Protect confidential information.

Microsoft Purview Data Loss Prevention (DLP)

Purpose

Data Loss Prevention (DLP) helps prevent sensitive information from being shared improperly.

DLP identifies sensitive information and automatically applies protection actions.


Examples of Sensitive Information

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Healthcare records
  • Financial information

DLP Actions

Policies can:

  • Block email transmission.
  • Prevent file sharing.
  • Warn users before sending data.
  • Generate alerts.
  • Create audit records.

Locations Protected by DLP

DLP policies can protect:

  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Microsoft Teams
  • Endpoint devices

Example

A user attempts to email customer credit card information outside the company.

DLP can:

  1. Detect the information.
  2. Display a warning.
  3. Block the message.

Benefits

DLP helps:

  • Prevent accidental leaks.
  • Support compliance requirements.
  • Educate users with policy tips.
  • Reduce organizational risk.

Microsoft Purview Insider Risk Management

Purpose

Insider Risk Management helps detect risky behavior from internal users.

Risks may be:

  • Accidental
  • Negligent
  • Malicious

Examples of Risky Activities

  • Downloading large amounts of files.
  • Sending confidential information externally.
  • Copying data to USB devices.
  • Unusual file access patterns.
  • Data theft before leaving the company.

Risk Indicators

The solution uses:

  • User activities
  • Behavioral signals
  • Microsoft 365 audit logs

Investigation Capabilities

Administrators can:

  • Review alerts.
  • Analyze activities.
  • Escalate incidents.
  • Document investigations.

Benefits

Insider Risk Management helps:

  • Reduce insider threats.
  • Detect suspicious behavior early.
  • Protect intellectual property.

Microsoft Purview Communication Compliance

Purpose

Communication Compliance helps organizations monitor communications for policy violations.


Content Sources

Communication Compliance can monitor:

  • Microsoft Teams chats
  • Emails
  • Copilot interactions
  • Other communication channels

Violations It Can Detect

Examples include:

  • Harassment
  • Threatening language
  • Offensive content
  • Inappropriate sharing
  • Regulatory violations

Review Process

Flagged communications are:

  1. Detected automatically.
  2. Reviewed by authorized reviewers.
  3. Investigated when necessary.

Benefits

Communication Compliance helps:

  • Promote workplace safety.
  • Meet industry regulations.
  • Reduce legal exposure.
  • Enforce organizational policies.

Microsoft Purview Data Security Posture Management (DSPM) for AI

Purpose

DSPM for AI helps organizations understand and secure how AI systems interact with organizational data.

As AI adoption grows, organizations need visibility into:

  • What data AI tools can access.
  • Which users have access to sensitive information.
  • Potential AI-related risks.

DSPM for AI Capabilities

DSPM for AI helps organizations:

Discover AI Usage

Identify where AI tools are being used.

Assess Data Exposure

Understand whether sensitive data may be exposed.

Monitor Copilot Activity

Gain visibility into AI interactions.

Identify Oversharing Risks

Locate files with excessive permissions.

Strengthen AI Governance

Improve controls around AI usage.


Example

DSPM for AI may discover:

  • A SharePoint site containing confidential files.
  • Excessive permissions on the site.
  • Potential exposure to Copilot responses.

Administrators can then reduce permissions and improve security.


Benefits

DSPM for AI supports:

  • Responsible AI adoption.
  • Reduced oversharing risks.
  • Better governance of AI systems.

Microsoft Purview Data Lifecycle Management

Purpose

Data Lifecycle Management governs information throughout its lifecycle.

It ensures that information is:

  • Retained when required.
  • Deleted when no longer needed.
  • Managed according to regulations.

Retention Policies

Retention policies determine how long content should be kept.

Examples:

Content TypeRetention Period
HR records7 years
Financial documents10 years
General emails3 years

Retention Labels

Labels can assign different retention periods to individual documents.

Example:

  • Contract documents retained for 10 years.
  • Project files retained for 5 years.

Automatic Deletion

When retention periods expire, content can be deleted automatically.

Benefits include:

  • Reduced storage costs.
  • Reduced legal risk.
  • Better compliance.

Records Management

Organizations can designate records that must not be altered or deleted before their retention period ends.


How These Purview Solutions Work Together

SolutionPrimary Goal
Information ProtectionClassify and protect content
DLPPrevent data leakage
Insider Risk ManagementDetect risky user behavior
Communication ComplianceMonitor communications
DSPM for AISecure AI data access
Data Lifecycle ManagementRetain and dispose of data appropriately

Together, these capabilities provide a comprehensive governance framework for Microsoft 365 and Copilot.


Importance for Microsoft 365 Copilot

Copilot respects existing Microsoft 365 permissions and compliance controls.

Purview solutions help ensure:

  • Sensitive content is labeled.
  • Oversharing risks are minimized.
  • AI interactions remain compliant.
  • Records are retained appropriately.
  • Users do not accidentally expose confidential data.

Key Exam Points

Remember these AB-900 concepts:

  • Information Protection uses sensitivity labels to classify and protect content.
  • DLP prevents inappropriate sharing of sensitive data.
  • Insider Risk Management detects risky user behavior.
  • Communication Compliance monitors communications for policy violations.
  • DSPM for AI helps organizations govern AI usage and identify oversharing risks.
  • Data Lifecycle Management controls retention and deletion of information.
  • Microsoft Purview supports Microsoft 365, Copilot, and AI governance.

Practice Exam Questions

Question 1

Which Microsoft Purview solution primarily uses sensitivity labels to classify and protect content?

A. Communication Compliance
B. Data Lifecycle Management
C. Information Protection
D. Insider Risk Management

Correct Answer: C

Explanation: Microsoft Purview Information Protection uses sensitivity labels to classify and secure content.


Question 2

Which Microsoft Purview capability helps prevent users from emailing credit card numbers outside the organization?

A. Insider Risk Management
B. Communication Compliance
C. Data Loss Prevention (DLP)
D. Records Management

Correct Answer: C

Explanation: DLP detects sensitive information and can block or warn users before sharing it.


Question 3

Which solution is designed to identify potentially malicious or risky behavior by internal users?

A. Information Protection
B. Sensitivity Labels
C. Data Lifecycle Management
D. Insider Risk Management

Correct Answer: D

Explanation: Insider Risk Management focuses on identifying risky activities performed by users inside the organization.


Question 4

A company wants to monitor Teams messages for harassment and inappropriate language. Which Microsoft Purview solution should they use?

A. DLP
B. Communication Compliance
C. DSPM for AI
D. Information Protection

Correct Answer: B

Explanation: Communication Compliance analyzes communications for policy violations.


Question 5

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Manage mailbox permissions
B. Secure and govern AI-related data exposure
C. Encrypt documents automatically
D. Replace Conditional Access

Correct Answer: B

Explanation: DSPM for AI provides visibility into AI usage and helps identify oversharing risks.


Question 6

Which Microsoft Purview capability determines how long information should be retained?

A. Insider Risk Management
B. Communication Compliance
C. Data Lifecycle Management
D. Information Protection

Correct Answer: C

Explanation: Data Lifecycle Management uses retention policies and labels to manage content over time.


Question 7

Which action can a sensitivity label perform?

A. Create Teams channels automatically
B. Synchronize users with Active Directory
C. Configure Conditional Access policies
D. Encrypt documents and restrict access

Correct Answer: D

Explanation: Sensitivity labels can apply encryption and restrict how information is used.


Question 8

Which Microsoft Purview solution helps identify oversharing risks that may affect Microsoft Copilot responses?

A. DSPM for AI
B. Communication Compliance
C. Data Lifecycle Management
D. Exchange Online Protection

Correct Answer: A

Explanation: DSPM for AI helps organizations understand how AI systems interact with organizational data and identify excessive permissions.


Question 9

A company must retain financial documents for ten years to meet regulatory requirements. Which capability addresses this need?

A. DLP
B. Insider Risk Management
C. Data Lifecycle Management
D. Communication Compliance

Correct Answer: C

Explanation: Retention policies and labels within Data Lifecycle Management ensure information is preserved for required periods.


Question 10

Which statement best describes the relationship between Microsoft Purview and Microsoft 365 Copilot?

A. Copilot ignores Purview policies.
B. Purview replaces Copilot permissions.
C. Copilot stores all data outside Microsoft 365.
D. Copilot works with existing Purview protections and permissions.

Correct Answer: D

Explanation: Microsoft 365 Copilot honors existing permissions, sensitivity labels, and compliance controls established through Microsoft Purview.


Go to the AB-900 Exam Prep Hub main page

Understand the purpose and benefits of Single Sign-On (SSO) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Understand the purpose and benefits of SSO


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Modern organizations use many applications and services, including Microsoft 365, Teams, SharePoint, Exchange Online, and third-party cloud applications. Without a centralized authentication system, users would need to maintain separate usernames and passwords for every application they use.

Single Sign-On (SSO) simplifies the user experience and improves security by allowing users to authenticate once and then access multiple applications without repeatedly signing in.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, understanding the purpose and benefits of SSO is an important identity and security concept.


What Is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication capability that allows users to sign in one time and gain access to multiple applications and services without entering credentials again for each application.

Instead of managing separate accounts for every service, users rely on a single identity managed through Microsoft Entra ID.

Example

A user signs in once and can then access:

  • Outlook
  • Microsoft Teams
  • SharePoint Online
  • OneDrive
  • Microsoft 365 Copilot
  • Third-party applications integrated with Microsoft Entra

SSO improves both convenience and security.


Why SSO Is Important

Without SSO, users often:

  • Maintain many passwords.
  • Reuse passwords across applications.
  • Forget credentials.
  • Require frequent password resets.

SSO addresses these challenges by providing a centralized authentication experience.


How Single Sign-On Works

The SSO process generally follows these steps:

Step 1: User Signs In

The user authenticates with Microsoft Entra ID.

Step 2: Identity Is Verified

Microsoft Entra confirms the user’s identity.

Step 3: Authentication Token Is Issued

A secure token is generated.

Step 4: Applications Trust the Token

Integrated applications accept the token and grant access without requiring another sign-in.

This process allows users to move seamlessly between applications.


SSO and Microsoft Entra ID

Microsoft Entra ID serves as the identity provider for Microsoft 365.

It provides:

  • Authentication
  • Authorization
  • Identity management
  • Access policies

Because Microsoft 365 services trust Microsoft Entra ID, users can access multiple services after a single sign-in.


Applications That Support SSO

SSO can be used with:

Microsoft 365 Applications

Examples:

  • Outlook
  • Teams
  • SharePoint Online
  • OneDrive
  • Word
  • Excel
  • PowerPoint

Third-Party Applications

Examples:

  • Salesforce
  • ServiceNow
  • Workday
  • Thousands of SaaS applications

Custom Applications

Organizations can integrate internally developed applications with Microsoft Entra.


Benefits of Single Sign-On

Improved User Experience

Users sign in once instead of repeatedly entering passwords.

Benefits include:

  • Less frustration.
  • Faster access to applications.
  • Improved productivity.

Reduced Password Fatigue

Managing many passwords can be difficult.

SSO reduces:

  • Forgotten passwords.
  • Password reuse.
  • User frustration.

Fewer Help Desk Requests

Password resets are one of the most common support issues.

SSO reduces:

  • Password-related tickets.
  • Administrative overhead.
  • Support costs.

Increased Productivity

Employees spend less time signing in and more time working.

Users can move easily between:

  • Teams
  • Outlook
  • SharePoint
  • Copilot

without repeated authentication prompts.


Improved Security

Although SSO simplifies access, security can actually improve because organizations can enforce:

  • Multi-Factor Authentication (MFA)
  • Conditional Access
  • Identity Protection
  • Centralized authentication policies

Centralized Access Management

Administrators can manage identities from one location instead of configuring authentication separately for every application.

Benefits include:

  • Easier administration.
  • Consistent security controls.
  • Faster onboarding and offboarding.

SSO and Multi-Factor Authentication

SSO does not replace MFA.

Instead, they work together.

Example:

  1. User signs in once.
  2. User completes MFA.
  3. Access is granted to multiple applications.

This provides:

  • Convenience
  • Strong security

SSO and Conditional Access

Conditional Access policies can still apply even when SSO is used.

Examples:

  • Require MFA outside the corporate network.
  • Block risky sign-ins.
  • Require compliant devices.

SSO and Conditional Access complement each other.


SSO and Zero Trust

Single Sign-On supports Zero Trust when combined with modern security controls.

Verify Explicitly

Authentication still occurs before access is granted.

Use Least Privileged Access

Permissions are still enforced.

Assume Breach

Additional controls such as MFA and Conditional Access continue to evaluate risk.


SSO Does Not Mean Unlimited Access

A common misconception is that SSO gives users access to everything.

This is incorrect.

SSO:

  • Simplifies authentication.

Authorization still determines:

  • Which applications users can access.
  • What permissions they have.
  • Which resources they can view.

Users only receive access to resources they are authorized to use.


SSO and Microsoft 365 Copilot

Microsoft 365 Copilot relies on Microsoft Entra identities and benefits from SSO.

After users authenticate, they can move between:

  • Outlook
  • Teams
  • SharePoint
  • Word
  • Copilot experiences

without repeatedly entering credentials.

Copilot still respects existing permissions and security controls.


SSO vs Multiple Sign-Ins

Without SSOWith SSO
Multiple passwordsOne identity
Repeated sign-insSingle sign-in
Higher password fatigueBetter user experience
More password reset requestsFewer support calls
Greater password reuse riskImproved security

Best Practices

Enable Multi-Factor Authentication

SSO should be combined with MFA for stronger security.

Use Conditional Access

Evaluate sign-in risk and device compliance.

Follow Least Privilege

Users should only access necessary resources.

Centralize Identity Management

Use Microsoft Entra ID to manage users and applications.

Educate Users

Help users understand the difference between authentication and authorization.


Exam Tips

Remember these AB-900 concepts:

  • SSO stands for Single Sign-On.
  • SSO allows one sign-in to access multiple applications.
  • Microsoft Entra ID provides SSO for Microsoft 365.
  • SSO improves productivity and user experience.
  • SSO reduces password fatigue and help desk requests.
  • SSO does not replace authorization.
  • MFA and Conditional Access continue to function with SSO.
  • SSO supports Zero Trust when combined with additional security controls.
  • Microsoft 365 Copilot benefits from SSO.
  • Users only access resources they are authorized to use.

Practice Exam Questions

Question 1

What is the primary purpose of Single Sign-On (SSO)?

A. Encrypt documents automatically
B. Allow one authentication event to provide access to multiple applications
C. Replace authorization controls
D. Eliminate passwords completely

Correct Answer: B

Explanation: SSO enables users to authenticate once and access multiple applications without repeatedly entering credentials.


Question 2

Which Microsoft service provides Single Sign-On capabilities for Microsoft 365?

A. Microsoft Entra ID
B. Exchange Online
C. Microsoft Defender XDR
D. Microsoft Purview

Correct Answer: A

Explanation: Microsoft Entra ID acts as the identity provider for Microsoft 365 applications.


Question 3

Which problem does SSO help reduce?

A. SharePoint storage limitations
B. Teams meeting duration limits
C. Password fatigue
D. Mailbox quotas

Correct Answer: C

Explanation: Users no longer need to remember numerous passwords for different applications.


Question 4

What typically decreases when organizations implement SSO?

A. File version history
B. Help desk password reset requests
C. Device compliance policies
D. Multi-Factor Authentication

Correct Answer: B

Explanation: Fewer passwords usually lead to fewer password-related support requests.


Question 5

Which security control commonly works together with SSO?

A. Multi-Factor Authentication
B. Shared mailboxes
C. Distribution lists
D. Public folders

Correct Answer: A

Explanation: MFA strengthens security while maintaining the convenience of SSO.


Question 6

Does SSO automatically grant users access to every application?

A. Yes, if they know their password.
B. Yes, after one successful sign-in.
C. No, authorization and permissions still determine access.
D. No, unless Teams is installed.

Correct Answer: C

Explanation: SSO simplifies authentication but does not bypass authorization.


Question 7

Which statement best describes the relationship between SSO and Conditional Access?

A. SSO disables Conditional Access.
B. Conditional Access only works without SSO.
C. SSO replaces Conditional Access.
D. SSO and Conditional Access work together to secure access.

Correct Answer: D

Explanation: Conditional Access policies continue to evaluate users and devices even when SSO is used.


Question 8

Which benefit of SSO improves employee productivity?

A. Automatic mailbox backups
B. Elimination of file permissions
C. Reduced repeated sign-ins
D. Increased SharePoint storage

Correct Answer: C

Explanation: Users spend less time authenticating and more time working.


Question 9

Which Microsoft 365 services can benefit from SSO?

A. Outlook only
B. Teams only
C. SharePoint only
D. Outlook, Teams, SharePoint, and other Microsoft 365 applications

Correct Answer: D

Explanation: SSO supports access across multiple Microsoft 365 services.


Question 10

How does Microsoft 365 Copilot use Single Sign-On?

A. Copilot bypasses Microsoft Entra authentication.
B. Copilot requires separate credentials from Microsoft 365.
C. Copilot benefits from the same sign-in experience used by Microsoft 365 services.
D. Copilot disables Multi-Factor Authentication.

Correct Answer: C

Explanation: Copilot relies on Microsoft Entra identities and participates in the same SSO experience as other Microsoft 365 applications.


Go to the AB-900 Exam Prep Hub main page

Understand conditional access policies (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Understand conditional access policies


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Modern organizations must secure access to Microsoft 365 resources while still allowing users to work from anywhere and on many different devices. Traditional security models that rely only on usernames and passwords are no longer sufficient.

Conditional Access is one of the most important security features in Microsoft Entra. It helps organizations make intelligent access decisions based on various conditions and risk signals.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand what Conditional Access is, how policies work, and the common controls used to protect Microsoft 365 resources.


What Is Conditional Access?

Conditional Access is a feature of Microsoft Entra ID that evaluates signals and applies access controls before allowing users to access resources.

It is often described as:

“If this condition exists, then perform this action.”

Examples:

  • If a user signs in from outside the company network, require Multi-Factor Authentication.
  • If a device is not compliant, block access.
  • If a sign-in is considered high risk, deny access.

Conditional Access supports Microsoft’s Zero Trust security strategy.


Why Conditional Access Is Important

Conditional Access helps organizations:

  • Strengthen identity security.
  • Reduce unauthorized access.
  • Protect sensitive information.
  • Enable secure remote work.
  • Support compliance requirements.
  • Apply adaptive security controls.

Instead of trusting every sign-in automatically, Conditional Access evaluates each access request individually.


How Conditional Access Works

A Conditional Access policy generally contains three components:

1. Assignments (Who and What?)

Defines:

  • Users or groups
  • Applications
  • Conditions

2. Conditions (When?)

Conditions determine when the policy applies.

Examples:

  • Location
  • Device platform
  • Sign-in risk
  • User risk
  • Client applications

3. Access Controls (What Happens?)

Controls determine the action taken.

Examples:

  • Require MFA
  • Require a compliant device
  • Require password change
  • Block access

Common Components of a Conditional Access Policy

Users and Groups

Policies can target:

  • All users
  • Specific users
  • Security groups
  • Administrative accounts

Organizations often apply stricter policies to privileged users.


Cloud Apps and Resources

Policies can protect:

  • Microsoft 365 applications
  • Teams
  • Exchange Online
  • SharePoint Online
  • Custom applications

Different applications can have different requirements.


Conditions Used by Conditional Access

Location

Policies can evaluate where users are signing in from.

Examples:

  • Trusted corporate locations
  • External networks
  • Specific countries or regions

Example:

If sign-in occurs outside the corporate network,
require MFA.

Device Platform

Policies can apply to:

  • Windows
  • macOS
  • iOS
  • Android

Organizations may choose to treat platforms differently.


Device State

Conditional Access can determine whether devices are:

  • Compliant
  • Hybrid joined
  • Managed

Organizations can block unmanaged devices.


Sign-In Risk

Microsoft evaluates sign-ins for suspicious activity.

Examples:

  • Impossible travel
  • Unusual locations
  • Anonymous IP addresses

Higher-risk sign-ins may trigger additional controls.


User Risk

User risk reflects the likelihood that a user’s account has been compromised.

Examples:

  • Leaked credentials
  • Suspicious behavior

Organizations can require password changes or block access for risky users.


Access Controls

After evaluating conditions, Conditional Access applies controls.

Require Multi-Factor Authentication

One of the most common controls.

Example:

Require MFA for all administrator accounts.

Benefits:

  • Stronger identity protection.
  • Reduced credential theft.

Require Device Compliance

Users must use devices that meet organizational standards.

Examples:

  • Encryption enabled
  • Antivirus installed
  • Latest updates applied

This often integrates with Microsoft Intune.


Require Hybrid Microsoft Entra Joined Devices

Ensures access is granted only to approved organizational devices.


Require Password Change

Used when a user account is considered compromised.


Block Access

The most restrictive control.

Examples:

  • Block high-risk users.
  • Block unsupported devices.
  • Block access from certain locations.

Named Locations

Named locations allow administrators to define trusted locations.

Examples:

  • Corporate offices
  • Specific IP address ranges

Trusted locations can reduce unnecessary MFA prompts while maintaining security.


Conditional Access and Multi-Factor Authentication

Conditional Access frequently works together with MFA.

Examples:

Scenario 1

User signs in from home.

Result:

  • Require MFA.

Scenario 2

User signs in from a trusted office.

Result:

  • Allow access without additional prompts.

This creates a balance between security and user convenience.


Conditional Access and Device Compliance

Organizations often require devices to be:

  • Managed by Intune.
  • Encrypted.
  • Updated.
  • Secure.

If devices fail compliance requirements, access may be denied.


Conditional Access and Zero Trust

Conditional Access directly supports all three Zero Trust principles.

Verify Explicitly

Evaluate identity, device, location, and risk.

Use Least Privileged Access

Restrict access when necessary.

Assume Breach

Continuously evaluate security signals.


Conditional Access and Microsoft 365 Copilot

Microsoft 365 Copilot uses the same identity and access controls that protect Microsoft 365.

Conditional Access policies can affect access to:

  • Microsoft Teams
  • SharePoint Online
  • Exchange Online
  • OneDrive
  • Copilot experiences

Copilot does not bypass Conditional Access requirements.


Best Practices

Enable MFA for All Users

MFA is one of the strongest protections available.

Protect Administrator Accounts

Apply stricter controls to privileged users.

Require Compliant Devices

Reduce risks from unmanaged devices.

Use Trusted Locations Carefully

Avoid creating unnecessary exceptions.

Follow the Principle of Least Privilege

Grant only necessary access.


Benefits of Conditional Access

Organizations gain:

Adaptive Security

Policies adjust based on risk and conditions.

Improved User Experience

Security requirements appear only when necessary.

Stronger Identity Protection

Compromised accounts are easier to detect and control.

Support for Remote Work

Users can work securely from anywhere.

Zero Trust Alignment

Every access request is evaluated individually.


Exam Tips

Remember these key AB-900 concepts:

  • Conditional Access is part of Microsoft Entra.
  • Policies use an if-then approach.
  • Conditions include location, device state, sign-in risk, and user risk.
  • Access controls include requiring MFA, requiring compliant devices, and blocking access.
  • Conditional Access works closely with Intune and Microsoft Entra ID.
  • Named locations define trusted networks.
  • Conditional Access supports Zero Trust principles.
  • Microsoft 365 Copilot respects Conditional Access policies.
  • Administrator accounts typically receive stricter protections.
  • Conditional Access improves both security and usability.

Practice Exam Questions

Question 1

What is the primary purpose of Conditional Access?

A. Increase mailbox quotas
B. Automatically create Teams channels
C. Apply access decisions based on conditions and risk signals
D. Replace Microsoft Defender

Correct Answer: C

Explanation: Conditional Access evaluates various signals and determines whether access should be allowed, restricted, or blocked.


Question 2

Conditional Access is a feature of which Microsoft service?

A. Microsoft Entra ID
B. Exchange Online
C. Microsoft Purview
D. SharePoint Online

Correct Answer: A

Explanation: Conditional Access is provided through Microsoft Entra ID and is used to secure access to resources.


Question 3

Which statement best describes how Conditional Access works?

A. Use an “if condition, then action” model.
B. Always allow access.
C. Disable all external connections.
D. Eliminate authentication requirements.

Correct Answer: A

Explanation: Conditional Access evaluates conditions and applies controls accordingly.


Question 4

Which condition can be evaluated by Conditional Access?

A. Printer model
B. Monitor size
C. Mouse type
D. Sign-in risk

Correct Answer: D

Explanation: Sign-in risk is one of the security signals used when evaluating access requests.


Question 5

Which access control commonly works with Conditional Access to strengthen security?

A. Shared mailboxes
B. Multi-Factor Authentication
C. Distribution lists
D. Document versioning

Correct Answer: B

Explanation: MFA is frequently required through Conditional Access policies.


Question 6

What is the purpose of named locations?

A. Define trusted networks and IP ranges
B. Store SharePoint documents
C. Create Teams channels
D. Manage email retention

Correct Answer: A

Explanation: Named locations identify trusted locations that can influence policy behavior.


Question 7

Which Microsoft solution often works with Conditional Access to evaluate device compliance?

A. Microsoft Lists
B. Microsoft Planner
C. Microsoft Intune
D. Microsoft Forms

Correct Answer: C

Explanation: Intune provides device management and compliance information used by Conditional Access.


Question 8

Which action represents the most restrictive access control?

A. Require MFA
B. Require password change
C. Require compliant device
D. Block access

Correct Answer: D

Explanation: Blocking access completely prevents users from reaching resources.


Question 9

Which Zero Trust principle is most directly supported by Conditional Access?

A. Verify Explicitly
B. Trust Internal Networks
C. Open Access First
D. Eliminate Authentication

Correct Answer: A

Explanation: Conditional Access evaluates multiple signals before granting access, which aligns with Verify Explicitly.


Question 10

How does Microsoft 365 Copilot interact with Conditional Access policies?

A. Copilot bypasses policies.
B. Copilot disables MFA requirements.
C. Copilot ignores device compliance rules.
D. Copilot follows the same Conditional Access requirements as Microsoft 365 resources.

Correct Answer: D

Explanation: Copilot inherits existing identity and access controls and does not bypass security policies.


Go to the AB-900 Exam Prep Hub main page

Understand features and capabilities of Microsoft Entra (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Understand features and capabilities of Microsoft Entra


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Identity is the foundation of security in Microsoft 365. Before users can access email, Teams, SharePoint, Microsoft 365 Copilot, or other services, their identities must be verified and managed securely.

Microsoft Entra is Microsoft’s family of identity and access solutions that helps organizations secure users, applications, devices, and external identities. Microsoft Entra provides authentication, authorization, identity governance, and access management capabilities that support modern security strategies such as Zero Trust.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, understanding the major capabilities of Microsoft Entra is essential.


What Is Microsoft Entra?

Microsoft Entra is Microsoft’s identity and access product family.

It helps organizations:

  • Manage identities.
  • Authenticate users.
  • Control access to resources.
  • Protect against identity-based attacks.
  • Support Zero Trust security.

Microsoft Entra enables secure access to:

  • Microsoft 365
  • Microsoft Teams
  • SharePoint Online
  • Exchange Online
  • Third-party applications
  • Custom applications

Microsoft Entra ID

The core component of Microsoft Entra is Microsoft Entra ID (formerly Azure Active Directory).

Microsoft Entra ID is a cloud-based identity and access management service that provides:

  • User accounts
  • Group management
  • Authentication services
  • Authorization capabilities
  • Single Sign-On (SSO)
  • Multi-Factor Authentication (MFA)

Microsoft 365 relies on Microsoft Entra ID to manage identities.


Identity and Access Management (IAM)

Identity and Access Management (IAM) ensures that:

  • The correct users are identified.
  • Appropriate access is granted.
  • Access can be controlled and monitored.

IAM helps organizations maintain security while enabling productivity.


Authentication

Authentication verifies identity.

It answers:

Who are you?

Microsoft Entra supports multiple authentication methods, including:

  • Passwords
  • Microsoft Authenticator
  • SMS verification
  • Voice calls
  • FIDO2 security keys
  • Windows Hello for Business

Authentication occurs before authorization.


Authorization

Authorization determines what authenticated users are allowed to access.

It answers:

What are you allowed to do?

Examples include:

  • Accessing SharePoint sites.
  • Reading Exchange mailboxes.
  • Managing Teams settings.

Authorization is commonly controlled through:

  • Roles
  • Permissions
  • Policies

Single Sign-On (SSO)

Single Sign-On allows users to sign in once and access multiple applications without re-entering credentials.

Benefits include:

  • Improved user experience.
  • Reduced password fatigue.
  • Fewer password reset requests.
  • Increased productivity.

Users can access Microsoft 365 applications with one identity.


Multi-Factor Authentication (MFA)

Multi-Factor Authentication requires more than one authentication factor.

Examples:

  1. Password
  2. Microsoft Authenticator approval

Benefits include:

  • Stronger security.
  • Reduced credential theft risk.
  • Better protection against phishing attacks.

MFA is one of Microsoft’s most important security recommendations.


Conditional Access

Conditional Access uses signals to determine whether access should be allowed.

Signals may include:

  • User identity
  • Device status
  • Location
  • Application being accessed
  • Risk level

Examples:

  • Require MFA outside the corporate network.
  • Block high-risk sign-ins.
  • Require compliant devices.

Conditional Access supports the Zero Trust principle of Verify Explicitly.


Role-Based Access Control (RBAC)

Microsoft Entra uses Role-Based Access Control to assign administrative privileges.

Examples of built-in roles include:

  • Global Administrator
  • User Administrator
  • Security Administrator
  • Exchange Administrator

RBAC follows the principle of least privilege by granting only the permissions required.


Groups

Groups simplify administration by allowing permissions and licenses to be assigned to multiple users simultaneously.

Types of groups include:

Security Groups

Used to assign permissions and policies.

Microsoft 365 Groups

Provide collaboration resources such as:

  • Outlook mailbox
  • Teams workspace
  • SharePoint site

Groups help reduce administrative effort.


Self-Service Capabilities

Microsoft Entra supports self-service features such as:

Self-Service Password Reset (SSPR)

Users can reset forgotten passwords without administrator assistance.

Benefits:

  • Reduced help desk workload.
  • Faster account recovery.

Self-Service Group Management

Users can manage group membership when permitted.


Device Identity and Management Integration

Microsoft Entra can recognize devices and work with Microsoft Intune.

This allows organizations to:

  • Register devices.
  • Evaluate compliance.
  • Control access based on device health.

Examples:

  • Require managed devices.
  • Block noncompliant devices.

External Identities

Organizations often collaborate with external users.

Microsoft Entra supports:

  • Guest users
  • Business partners
  • Contractors

External identities allow secure collaboration while maintaining administrative control.


Identity Protection

Microsoft Entra helps detect identity-related threats such as:

  • Credential theft
  • Suspicious sign-ins
  • Impossible travel scenarios
  • Password spray attacks

Identity protection helps organizations respond to risks quickly.


Identity Governance

Identity governance helps organizations manage:

  • Access reviews
  • Lifecycle management
  • Least privilege practices

Governance helps ensure users retain only the access they need.


Passwordless Authentication

Microsoft Entra supports passwordless sign-in methods including:

  • Microsoft Authenticator
  • Windows Hello for Business
  • FIDO2 security keys

Benefits include:

  • Improved user experience.
  • Reduced phishing risks.
  • Stronger security.

Microsoft Entra and Zero Trust

Microsoft Entra supports all three Zero Trust principles.

Verify Explicitly

Evaluate identity and access conditions.

Use Least Privileged Access

Grant only necessary permissions.

Assume Breach

Continuously monitor identity risks.


Microsoft Entra and Microsoft 365 Copilot

Microsoft 365 Copilot relies on Microsoft Entra identities.

Entra controls:

  • User authentication.
  • Authorization.
  • Access policies.
  • Group memberships.
  • Security controls.

Copilot inherits existing permissions and does not grant access to content users are not already authorized to view.


Benefits of Microsoft Entra

Organizations benefit from:

Centralized Identity Management

Manage users from a single platform.

Improved Security

Protect against identity attacks.

Better User Experience

Single Sign-On reduces friction.

Reduced Administrative Effort

Groups and self-service capabilities simplify management.

Support for Zero Trust

Access decisions are based on multiple signals.


Best Practices

Enable Multi-Factor Authentication

Protect identities against compromise.

Use Least Privilege

Assign only required permissions.

Implement Conditional Access

Strengthen access decisions.

Use Self-Service Password Reset

Reduce support costs.

Review Administrative Roles Regularly

Limit excessive privileges.


Exam Tips

Remember these key AB-900 concepts:

  • Microsoft Entra is Microsoft’s identity and access family.
  • Microsoft Entra ID was formerly Azure Active Directory.
  • Authentication verifies identity.
  • Authorization determines access.
  • Single Sign-On provides one login for multiple applications.
  • Multi-Factor Authentication improves security.
  • Conditional Access evaluates multiple signals.
  • RBAC controls administrative privileges.
  • Self-Service Password Reset reduces help desk workload.
  • Microsoft 365 Copilot relies on Microsoft Entra identities and permissions.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Entra?

A. Replace Microsoft Teams meetings
B. Manage identity and access to resources
C. Increase SharePoint storage capacity
D. Provide email hosting

Correct Answer: B

Explanation: Microsoft Entra provides identity and access management capabilities for users, applications, and devices.


Question 2

What was Microsoft Entra ID previously called?

A. Microsoft Intune
B. Azure Active Directory
C. Exchange Online
D. Microsoft Purview

Correct Answer: B

Explanation: Microsoft Entra ID is the new name for Azure Active Directory.


Question 3

Which capability allows users to sign in once and access multiple applications?

A. Multi-Factor Authentication
B. Conditional Access
C. Single Sign-On
D. Identity Governance

Correct Answer: C

Explanation: Single Sign-On improves user experience by reducing repeated sign-ins.


Question 4

Which Microsoft Entra feature allows users to reset forgotten passwords without administrator assistance?

A. Self-Service Password Reset
B. Privileged Identity Management
C. Role-Based Access Control
D. Conditional Access

Correct Answer: A

Explanation: Self-Service Password Reset reduces support requests and speeds account recovery.


Question 5

Which capability uses factors such as location and device compliance when making access decisions?

A. Dynamic Distribution Groups
B. Microsoft Lists
C. Conditional Access
D. Shared Mailboxes

Correct Answer: C

Explanation: Conditional Access evaluates various signals before granting access.


Question 6

What does authentication determine?

A. What permissions users have
B. Who the user is
C. Which Teams channel is created
D. Which files are deleted

Correct Answer: B

Explanation: Authentication verifies a user’s identity.


Question 7

Which principle is supported by Role-Based Access Control (RBAC)?

A. Maximum privilege
B. Open access
C. Unlimited permissions
D. Least privilege

Correct Answer: D

Explanation: RBAC grants only the permissions necessary to perform assigned tasks.


Question 8

Which authentication method strengthens security by requiring multiple verification factors?

A. Single Sign-On
B. Multi-Factor Authentication
C. Shared mailbox access
D. Version history

Correct Answer: B

Explanation: MFA provides stronger identity protection than passwords alone.


Question 9

What type of group provides collaboration resources such as Teams, Outlook mailboxes, and SharePoint sites?

A. Security group
B. Distribution list
C. Microsoft 365 group
D. Mail contact

Correct Answer: C

Explanation: Microsoft 365 groups provide shared collaboration resources.


Question 10

How does Microsoft 365 Copilot use Microsoft Entra?

A. It bypasses user permissions.
B. It replaces authentication requirements.
C. It creates anonymous access.
D. It relies on Entra identities and existing permissions.

Correct Answer: D

Explanation: Copilot respects existing identities, permissions, and security controls managed by Microsoft Entra.


Go to the AB-900 Exam Prep Hub main page

Understand features and capabilities of Microsoft Defender XDR (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Understand the Microsoft 365 security principles
      --> Understand features and capabilities of Microsoft Defender XDR


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Organizations today face attacks that target multiple areas simultaneously, including identities, email, endpoints, cloud applications, and collaboration platforms. Security teams need a unified way to detect, investigate, and respond to these threats.

Microsoft Defender XDR (Extended Detection and Response) is Microsoft’s integrated security platform that correlates signals across multiple security services to provide comprehensive threat protection.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand the purpose, components, and key capabilities of Microsoft Defender XDR.


What Is Microsoft Defender XDR?

Microsoft Defender XDR is a security platform that:

  • Collects signals from multiple Microsoft security solutions.
  • Correlates related events.
  • Detects attacks across domains.
  • Automates investigations.
  • Supports incident response.

The “XDR” in Defender XDR stands for:

Extended Detection and Response

Unlike isolated security tools, Defender XDR provides a unified view of attacks across the organization.


Why Defender XDR Is Important

Traditional security tools often work independently.

For example:

  • Email security detects phishing.
  • Endpoint security detects malware.
  • Identity security detects suspicious sign-ins.

Without correlation, security teams may miss the fact that these events are part of the same attack.

Defender XDR connects these signals and presents them as a single incident.


Components of Microsoft Defender XDR

Defender XDR integrates several Microsoft Defender products.

Microsoft Defender for Office 365

Protects:

  • Exchange Online
  • Outlook
  • Microsoft Teams
  • SharePoint Online
  • OneDrive

Focus areas:

  • Phishing protection
  • Safe Links
  • Safe Attachments
  • Business email compromise protection

Microsoft Defender for Endpoint

Protects:

  • Windows devices
  • macOS devices
  • Mobile devices

Capabilities include:

  • Endpoint detection
  • Vulnerability management
  • Device monitoring
  • Automated remediation

Microsoft Defender for Identity

Protects user identities by monitoring:

  • Authentication activity
  • Suspicious sign-ins
  • Credential attacks
  • Lateral movement attempts

Microsoft Defender for Cloud Apps

Provides visibility into:

  • SaaS applications
  • Cloud usage
  • Shadow IT
  • Risky behavior

Unified Incident Management

One of Defender XDR’s most important capabilities is incident correlation.

Example

A phishing email causes:

  1. Credential theft.
  2. Suspicious sign-in activity.
  3. Malware installation.

Instead of producing three unrelated alerts, Defender XDR groups them into a single incident.

Benefits include:

  • Faster investigations.
  • Better understanding of attacks.
  • Reduced alert fatigue.

Alerts vs. Incidents

Alert

A single security event.

Examples:

  • Malware detected.
  • Suspicious email.
  • Risky sign-in.

Incident

A collection of related alerts representing an attack.

Security analysts typically investigate incidents rather than individual alerts.


Cross-Domain Visibility

Defender XDR provides visibility across:

DomainExamples
IdentitiesUser accounts and sign-ins
EndpointsComputers and devices
EmailExchange and Outlook
CollaborationTeams and SharePoint
ApplicationsCloud apps and services

This broad visibility helps identify complex attacks.


Automated Investigation and Response (AIR)

Defender XDR can automatically:

  1. Detect suspicious activity.
  2. Investigate evidence.
  3. Recommend actions.
  4. Perform remediation.

Examples include:

  • Isolating compromised devices.
  • Blocking malicious files.
  • Removing phishing emails.

Automation reduces the workload on security teams.


Attack Story and Incident Timeline

Defender XDR presents attacks visually through timelines.

Administrators can see:

  • When the attack started.
  • Which users were affected.
  • Which devices were involved.
  • How the attack progressed.

This helps security teams understand attack paths quickly.


Threat Intelligence

Microsoft Defender XDR uses Microsoft’s global threat intelligence network.

Microsoft analyzes trillions of signals from:

  • Microsoft 365
  • Azure
  • Windows
  • Identity systems
  • Cloud services

Threat intelligence helps identify:

  • Emerging threats
  • Known malicious actors
  • Attack patterns
  • Indicators of compromise

Threat Hunting

Security analysts can proactively search for threats using advanced hunting capabilities.

Threat hunting allows teams to:

  • Search large datasets.
  • Investigate suspicious activity.
  • Discover hidden threats.
  • Validate security concerns.

Rather than waiting for alerts, analysts actively look for attacks.


Automated Attack Disruption

Defender XDR can automatically interrupt attacks in progress.

Examples include:

  • Disabling compromised accounts.
  • Isolating devices.
  • Preventing lateral movement.

This capability helps reduce the impact of attacks before they spread.


Security Recommendations

Defender XDR provides recommendations that help organizations improve security posture.

Examples:

  • Enable Multi-Factor Authentication.
  • Reduce unnecessary permissions.
  • Update vulnerable devices.
  • Strengthen configurations.

These recommendations support Zero Trust principles.


Defender XDR and Zero Trust

Defender XDR supports all three Zero Trust principles.

Verify Explicitly

Analyze identities and sign-in behavior.

Use Least Privileged Access

Reduce attacker opportunities.

Assume Breach

Continuously monitor for suspicious activity.


Defender XDR and Microsoft 365 Copilot

Microsoft 365 Copilot benefits from the existing security protections provided by Defender XDR.

Defender XDR helps secure:

  • Emails
  • Teams conversations
  • SharePoint files
  • User identities
  • Devices

Copilot itself does not bypass security controls and continues to respect existing permissions.


Benefits of Microsoft Defender XDR

Organizations gain:

Unified Security Visibility

Multiple security signals appear in one platform.

Faster Detection

Threats are identified earlier.

Reduced Alert Fatigue

Related alerts are grouped into incidents.

Automated Response

Remediation can occur automatically.

Improved Security Operations

Security teams spend less time correlating events manually.


Best Practices

Enable Multi-Factor Authentication

Protect identities.

Review Incidents Regularly

Prioritize investigations.

Use Automated Investigation

Reduce manual effort.

Follow Security Recommendations

Improve overall posture.

Implement Zero Trust

Assume attacks can occur and prepare accordingly.


Exam Tips

Remember these AB-900 concepts:

  • XDR stands for Extended Detection and Response.
  • Defender XDR combines signals across multiple domains.
  • Alerts represent individual events.
  • Incidents group related alerts together.
  • Defender XDR integrates several Defender products.
  • Automated Investigation and Response (AIR) reduces manual work.
  • Threat intelligence helps identify emerging attacks.
  • Advanced hunting enables proactive investigations.
  • Automated attack disruption can stop attacks in progress.
  • Defender XDR supports Microsoft’s Zero Trust strategy.

Practice Exam Questions

Question 1

What does the “XDR” in Microsoft Defender XDR stand for?

A. Expanded Directory Routing
B. External Device Recovery
C. Exchange Data Replication
D. Extended Detection and Response

Correct Answer: D

Explanation: XDR stands for Extended Detection and Response and provides integrated threat protection across multiple domains.


Question 2

What is the primary purpose of Microsoft Defender XDR?

A. Increase mailbox sizes
B. Provide unified detection and response across security domains
C. Replace Microsoft Teams
D. Create SharePoint sites

Correct Answer: B

Explanation: Defender XDR correlates signals from multiple services to improve threat detection and response.


Question 3

Which Microsoft Defender product focuses on email and collaboration protection?

A. Defender for Endpoint
B. Defender for Identity
C. Defender for Office 365
D. Defender for Cloud Apps

Correct Answer: C

Explanation: Defender for Office 365 protects Exchange Online, Outlook, Teams, and related collaboration services.


Question 4

What is an incident in Microsoft Defender XDR?

A. A single sign-in attempt
B. A licensing error
C. A mailbox migration task
D. A collection of related security alerts

Correct Answer: D

Explanation: Incidents combine multiple related alerts into a single investigation.


Question 5

Which Defender component primarily protects devices?

A. Defender for Cloud Apps
B. Defender for Endpoint
C. Defender for Identity
D. Defender for Office 365

Correct Answer: B

Explanation: Defender for Endpoint provides security for computers and devices.


Question 6

What is the benefit of Automated Investigation and Response (AIR)?

A. Eliminates user accounts
B. Removes all security policies
C. Automates threat analysis and remediation
D. Replaces authentication

Correct Answer: C

Explanation: AIR helps detect, investigate, and respond to threats automatically.


Question 7

Which capability allows analysts to proactively search for hidden threats?

A. Safe Links
B. Threat hunting
C. Shared mailboxes
D. Distribution groups

Correct Answer: B

Explanation: Threat hunting enables analysts to investigate suspicious activity beyond standard alerts.


Question 8

Which Defender component focuses on identity-based attacks?

A. Defender for Identity
B. Defender for Endpoint
C. Defender for Office 365
D. Defender for Cloud Apps

Correct Answer: A

Explanation: Defender for Identity monitors authentication activity and suspicious account behavior.


Question 9

How does Defender XDR help reduce alert fatigue?

A. By deleting alerts automatically
B. By disabling auditing
C. By grouping related alerts into incidents
D. By preventing administrators from viewing alerts

Correct Answer: C

Explanation: Incident correlation allows analysts to investigate attacks more efficiently.


Question 10

Which Microsoft security principle is supported by Defender XDR’s continuous monitoring?

A. Trust Internal Networks
B. Assume Breach
C. Open Collaboration First
D. Disable Authentication

Correct Answer: B

Explanation: Continuous monitoring aligns with the Zero Trust principle of assuming that breaches can occur and detecting them quickly.


Go to the AB-900 Exam Prep Hub main page

Understand threat protection and intelligence (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Understand the Microsoft 365 security principles
      --> Understand threat protection and intelligence


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Cyber threats continue to evolve in complexity and frequency. Organizations using Microsoft 365 must protect users, devices, identities, applications, and data from attacks such as phishing, malware, ransomware, and business email compromise.

Threat protection and threat intelligence are key components of Microsoft 365 security. They help organizations:

  • Detect threats.
  • Prevent attacks.
  • Investigate suspicious activity.
  • Respond to incidents.
  • Learn from global threat intelligence.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, understanding these concepts is essential because Microsoft 365 security capabilities are designed around proactive threat defense.


What Is Threat Protection?

Threat protection refers to the technologies and processes used to:

  • Prevent attacks.
  • Detect malicious activity.
  • Respond to incidents.
  • Minimize the impact of security events.

Threat protection helps secure:

  • User identities
  • Email systems
  • Devices
  • Applications
  • Data

Common Cyber Threats

Organizations face many types of attacks.

Phishing

Attackers send deceptive emails designed to trick users into:

  • Revealing passwords
  • Clicking malicious links
  • Downloading malware

Phishing is one of the most common attack methods.


Malware

Malicious software can:

  • Damage systems
  • Steal information
  • Monitor activity
  • Spread to other devices

Examples include:

  • Viruses
  • Worms
  • Trojans

Ransomware

Ransomware encrypts files and demands payment for their recovery.

Consequences include:

  • Data loss
  • Business interruption
  • Financial damage

Business Email Compromise (BEC)

Attackers impersonate executives or trusted contacts to convince employees to:

  • Transfer money
  • Reveal information
  • Approve fraudulent transactions

Credential Theft

Attackers attempt to steal usernames and passwords through:

  • Phishing
  • Password spraying
  • Brute-force attacks

What Is Threat Intelligence?

Threat intelligence is information gathered about cyber threats and attacker behavior.

Threat intelligence helps organizations:

  • Understand current attack trends.
  • Identify malicious actors.
  • Detect suspicious activity.
  • Improve security defenses.

Microsoft collects signals from billions of sources worldwide to build its threat intelligence capabilities.


Microsoft Security Signals

Microsoft analyzes signals from:

  • Microsoft 365
  • Azure
  • Windows devices
  • Email traffic
  • Authentication events
  • Cloud applications

These signals help identify emerging threats and provide organizations with actionable insights.


Microsoft Defender

Microsoft Defender is Microsoft’s threat protection platform.

It provides security across:

  • Email
  • Endpoints
  • Identities
  • Applications
  • Cloud workloads

Microsoft Defender helps organizations:

  • Prevent attacks.
  • Detect threats.
  • Investigate incidents.
  • Automate responses.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 protects:

  • Exchange Online
  • Outlook
  • Microsoft Teams
  • SharePoint Online
  • OneDrive

Its primary focus is protecting users from email-based attacks.


Safe Links

Safe Links examines URLs in messages and documents.

Benefits:

  • Blocks malicious websites.
  • Protects against phishing attacks.
  • Evaluates links when users click them.

Safe Attachments

Safe Attachments analyzes files before users open them.

Suspicious files are:

  • Isolated
  • Scanned
  • Blocked if malicious

This helps prevent malware infections.


Anti-Phishing Protection

Anti-phishing policies help identify:

  • Spoofed senders
  • Impersonation attempts
  • Suspicious domains

These protections reduce credential theft risks.


Microsoft Defender for Endpoint

Microsoft Defender for Endpoint protects devices such as:

  • Windows computers
  • macOS devices
  • Mobile devices

Capabilities include:

  • Threat detection
  • Vulnerability management
  • Device monitoring
  • Automated investigation

Microsoft Defender for Identity

Defender for Identity monitors identity-related threats.

Examples include:

  • Password attacks
  • Suspicious sign-ins
  • Lateral movement attempts

It helps protect user identities and privileged accounts.


Microsoft Defender for Cloud Apps

Defender for Cloud Apps helps organizations:

  • Monitor cloud applications.
  • Detect risky behavior.
  • Discover shadow IT.
  • Protect sensitive information.

Automated Investigation and Response (AIR)

Microsoft security solutions can automatically:

  1. Detect suspicious activity.
  2. Investigate the event.
  3. Recommend or perform remediation actions.

Automation reduces response times and improves efficiency.


Threat Detection and Alerts

Security systems continuously monitor activity.

Alerts may be generated for:

  • Unusual sign-ins
  • Malware detections
  • Excessive file downloads
  • Phishing attempts

Administrators can investigate alerts and determine appropriate actions.


Security Incidents

Multiple related alerts may be grouped into an incident.

An incident provides:

  • A timeline of events.
  • Affected users.
  • Devices involved.
  • Recommended remediation steps.

Grouping alerts simplifies investigations.


Threat Hunting

Threat hunting is the proactive search for hidden threats within an environment.

Rather than waiting for alerts, analysts actively look for:

  • Suspicious activity
  • Abnormal behavior
  • Potential compromise indicators

Threat Protection and Zero Trust

Threat protection supports all Zero Trust principles.

Verify Explicitly

Analyze identity and access signals.

Use Least Privileged Access

Limit attacker capabilities.

Assume Breach

Continuously monitor and investigate suspicious activity.


Threat Protection and Microsoft 365 Copilot

Microsoft 365 Copilot inherits Microsoft 365 security protections.

Copilot itself does not:

  • Bypass security controls.
  • Override permissions.
  • Expose unauthorized content.

Threat protection mechanisms continue to protect:

  • Emails
  • Files
  • Teams conversations
  • SharePoint content

Benefits of Threat Intelligence

Threat intelligence helps organizations:

Detect Attacks Earlier

Identify malicious activity before damage occurs.

Improve Security Decisions

Use real-world intelligence to strengthen defenses.

Respond Faster

Automated investigation reduces response times.

Reduce Risk

Continuous monitoring improves overall security posture.


Best Practices

Enable Multi-Factor Authentication

Protect accounts from credential theft.

Use Microsoft Defender Solutions

Implement layered protection.

Educate Users About Phishing

Human awareness remains important.

Review Security Alerts Regularly

Investigate suspicious activity promptly.

Keep Systems Updated

Reduce vulnerabilities attackers can exploit.


Exam Tips

Remember these key AB-900 concepts:

  • Threat protection prevents, detects, and responds to attacks.
  • Threat intelligence provides information about emerging threats.
  • Phishing attacks target users through deceptive communications.
  • Ransomware encrypts files and demands payment.
  • Microsoft Defender provides integrated threat protection.
  • Safe Links protects against malicious URLs.
  • Safe Attachments protects against harmful files.
  • Alerts identify suspicious activity.
  • Multiple alerts may be grouped into incidents.
  • Threat protection supports Microsoft’s Zero Trust strategy.

Practice Exam Questions

Question 1

What is the primary purpose of threat protection?

A. Increase mailbox storage quotas
B. Prevent, detect, and respond to cyber threats
C. Create SharePoint sites automatically
D. Manage software licenses

Correct Answer: B

Explanation: Threat protection helps organizations identify and respond to attacks while minimizing their impact.


Question 2

Which attack attempts to trick users into revealing credentials or clicking malicious links?

A. Phishing
B. Compression attacks
C. Data deduplication
D. Versioning

Correct Answer: A

Explanation: Phishing uses deceptive communications to steal information or deliver malware.


Question 3

What is ransomware designed to do?

A. Improve email performance
B. Increase authentication speed
C. Encrypt files and demand payment
D. Create backup copies automatically

Correct Answer: C

Explanation: Ransomware locks data and attempts to extort victims for recovery access.


Question 4

What is threat intelligence?

A. A type of file storage
B. A SharePoint permission model
C. A Teams collaboration feature
D. Information about threats and attacker behavior

Correct Answer: D

Explanation: Threat intelligence helps organizations understand current threats and improve defenses.


Question 5

Which Microsoft security solution provides broad threat protection across identities, devices, and applications?

A. Microsoft Defender
B. Microsoft Lists
C. Microsoft Forms
D. Microsoft Planner

Correct Answer: A

Explanation: Microsoft Defender is Microsoft’s integrated security platform.


Question 6

Which Microsoft Defender for Office 365 feature evaluates URLs when users click them?

A. Safe Attachments
B. Conditional Access
C. Safe Links
D. Windows Hello

Correct Answer: C

Explanation: Safe Links checks URLs to protect users from malicious websites.


Question 7

Which feature analyzes files before users open them?

A. Safe Attachments
B. RBAC
C. External Access
D. Dynamic Groups

Correct Answer: A

Explanation: Safe Attachments helps prevent malware infections by scanning files before delivery.


Question 8

What can happen when several related security alerts are detected?

A. They are deleted automatically.
B. They are combined into a security incident.
C. They are converted into Teams messages only.
D. They are ignored after 24 hours.

Correct Answer: B

Explanation: Grouping alerts into incidents provides a broader view of attacks.


Question 9

What is the purpose of threat hunting?

A. Increasing mailbox sizes
B. Managing distribution lists
C. Proactively searching for hidden threats
D. Assigning user licenses

Correct Answer: C

Explanation: Threat hunting involves actively investigating environments for suspicious activity.


Question 10

Which Microsoft Defender for Office 365 capability helps identify impersonation and spoofing attempts?

A. Safe Attachments
B. Device Compliance Policies
C. SharePoint Permissions
D. Anti-Phishing Protection

Correct Answer: D

Explanation: Anti-phishing policies help detect impersonation attacks and suspicious senders.


Go to the AB-900 Exam Prep Hub main page

Understand authentication methods (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Understand the Microsoft 365 security principles
      --> Understand authentication methods


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Authentication is one of the foundational security concepts in Microsoft 365. Before users can access email, files, Teams conversations, or Microsoft 365 Copilot experiences, the system must first verify their identity.

Authentication answers the question:

“Who are you?”

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, it is important to understand the various authentication methods available in Microsoft 365 and how they help secure organizational resources.


What Is Authentication?

Authentication is the process of verifying a user’s identity before granting access to Microsoft 365 resources.

When users sign in, Microsoft Entra ID (formerly Azure Active Directory) validates their credentials and determines whether they are who they claim to be.

Authentication occurs before authorization.

Example

  1. User enters credentials.
  2. Microsoft verifies identity.
  3. Authorization determines what resources the user can access.

Authentication vs. Authorization

Although closely related, these are different concepts.

AuthenticationAuthorization
Verifies identityDetermines access rights
Answers “Who are you?”Answers “What can you do?”
Occurs firstOccurs second
Uses credentials and identity factorsUses permissions and policies

Why Authentication Is Important

Authentication helps organizations:

  • Prevent unauthorized access.
  • Protect sensitive data.
  • Reduce credential theft risks.
  • Support Zero Trust security.
  • Enable secure remote work.

Without authentication, Microsoft 365 resources would be exposed to anyone.


Authentication Factors

Authentication methods are based on one or more factors.

Something You Know

Examples:

  • Passwords
  • PINs
  • Security questions

Something You Have

Examples:

  • Smartphone
  • Hardware token
  • Security key

Something You Are

Examples:

  • Fingerprint
  • Facial recognition
  • Biometrics

Using multiple factors increases security.


Single-Factor Authentication (SFA)

Single-factor authentication requires only one credential.

Typically:

Username + Password

Advantages:

  • Simple
  • Familiar

Disadvantages:

  • Vulnerable to phishing attacks.
  • Password theft can lead to account compromise.

Because passwords alone are risky, organizations increasingly use stronger authentication methods.


Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) requires two or more authentication factors.

Example:

  1. User enters a password.
  2. User approves a request in Microsoft Authenticator.

Benefits include:

  • Stronger protection against compromised passwords.
  • Reduced account takeover risk.
  • Improved compliance.

Microsoft strongly recommends MFA for all users.


Common MFA Methods in Microsoft 365

Microsoft 365 supports several MFA options.


Microsoft Authenticator App

Users receive:

  • Push notifications
  • Number matching prompts
  • Verification approvals

Advantages:

  • Secure
  • Convenient
  • Widely recommended by Microsoft

Text Message (SMS)

Users receive a verification code by text.

Advantages:

  • Easy to use.

Limitations:

  • Less secure than app-based authentication.
  • Vulnerable to SIM-swapping attacks.

Voice Calls

Users receive an automated phone call with verification instructions.

This method is supported but is generally less secure than app-based options.


Hardware Security Keys

Physical devices such as FIDO2 security keys provide strong authentication.

Benefits:

  • Resistant to phishing attacks.
  • Passwordless capability.
  • Strong protection for privileged accounts.

Passwordless Authentication

Passwordless authentication eliminates traditional passwords.

Instead, users authenticate through:

  • Microsoft Authenticator
  • FIDO2 security keys
  • Windows Hello for Business

Benefits include:

  • Reduced phishing risk.
  • Improved user experience.
  • Fewer password-related support requests.

Passwordless authentication is a key part of Microsoft’s security strategy.


Windows Hello for Business

Windows Hello for Business uses:

  • Facial recognition
  • Fingerprint recognition
  • PINs

Because biometric information remains on the device, this method provides strong security and convenience.


FIDO2 Security Keys

FIDO2 keys are physical authentication devices.

Examples include:

  • USB keys
  • NFC keys

Benefits:

  • Passwordless sign-in.
  • Protection against phishing.
  • Strong authentication for administrators.

Certificate-Based Authentication

Certificate-based authentication uses digital certificates to verify identity.

Organizations commonly use this method for:

  • Highly secure environments
  • Smart cards
  • Specialized devices

Legacy Authentication

Legacy authentication uses older protocols that often rely only on usernames and passwords.

Examples include:

  • POP3
  • IMAP
  • SMTP AUTH (certain scenarios)

These methods do not support modern security controls like MFA.

Because of their security risks, organizations are encouraged to disable legacy authentication whenever possible.


Adaptive Authentication and Conditional Access

Microsoft Entra Conditional Access can require additional authentication based on risk factors.

Examples:

  • Require MFA outside the corporate network.
  • Block risky sign-ins.
  • Require compliant devices.

This supports the Zero Trust principle of Verify Explicitly.


Password Policies

Strong passwords remain important.

Best practices include:

  • Long passwords or passphrases.
  • Avoiding reused passwords.
  • Avoiding predictable information.
  • Enabling MFA.

Microsoft recommends focusing on password quality rather than forcing frequent password changes.


Authentication in Zero Trust

Authentication supports Zero Trust by:

Verifying Identity Continuously

Access requests are evaluated using multiple signals.

Reducing Credential Risks

MFA strengthens security.

Supporting Least Privilege

Only verified users receive access.


Authentication and Microsoft 365 Copilot

Microsoft 365 Copilot relies on existing Microsoft 365 identities.

Users must authenticate before accessing:

  • Outlook
  • Teams
  • SharePoint
  • Word
  • Copilot experiences

Copilot itself does not bypass authentication requirements.


Best Practices

Enable Multi-Factor Authentication

MFA is one of the most effective security controls.

Adopt Passwordless Authentication

Reduce reliance on passwords.

Use Microsoft Authenticator

Prefer app-based verification over SMS.

Disable Legacy Authentication

Reduce exposure to credential attacks.

Protect Administrator Accounts

Use stronger authentication methods for privileged users.


Exam Tips

Remember these key AB-900 concepts:

  • Authentication verifies identity.
  • Authentication occurs before authorization.
  • Single-factor authentication usually relies on passwords.
  • MFA uses multiple authentication factors.
  • Microsoft Authenticator is a recommended MFA method.
  • Passwordless authentication improves security.
  • Windows Hello for Business supports biometric authentication.
  • FIDO2 security keys provide phishing-resistant authentication.
  • Legacy authentication is less secure because it often does not support MFA.
  • Conditional Access can require additional authentication based on risk.

Practice Exam Questions

Question 1

What question does authentication answer?

A. Who is the user?
B. How much storage is available?
C. What resources can the user access?
D. Which files should be encrypted?

Correct Answer: A

Explanation: Authentication verifies identity and determines whether the user is who they claim to be.


Question 2

Which process occurs before authorization?

A. Authentication
B. Auditing
C. Encryption
D. Data classification

Correct Answer: A

Explanation: Users must first prove their identity before permissions are evaluated.


Question 3

Which example represents multi-factor authentication?

A. Username only
B. Password only
C. PIN only
D. Password and Microsoft Authenticator approval

Correct Answer: D

Explanation: MFA requires multiple authentication factors rather than relying on a single credential.


Question 4

Which authentication factor category includes a fingerprint?

A. Something you know
B. Something you have
C. Something you own
D. Something you are

Correct Answer: D

Explanation: Biometrics are considered “something you are.”


Question 5

Which Microsoft solution provides app-based MFA approvals?

A. Microsoft Authenticator
B. Exchange Online
C. SharePoint Online
D. Microsoft Purview

Correct Answer: A

Explanation: Microsoft Authenticator supports push notifications and secure MFA verification.


Question 6

What is a major advantage of passwordless authentication?

A. Increased mailbox size
B. Reduced phishing risks
C. Automatic role assignments
D. Elimination of permissions

Correct Answer: B

Explanation: Removing passwords helps reduce common attack methods such as phishing.


Question 7

Which authentication method uses facial recognition or fingerprints?

A. FIDO2
B. SMS verification
C. Voice call authentication
D. Windows Hello for Business

Correct Answer: D

Explanation: Windows Hello for Business supports biometric authentication and PIN-based sign-in.


Question 8

Why are legacy authentication protocols considered less secure?

A. They consume more storage.
B. They disable file sharing.
C. They often do not support modern protections such as MFA.
D. They prevent Teams meetings.

Correct Answer: C

Explanation: Legacy authentication protocols typically rely only on usernames and passwords.


Question 9

Which technology can require additional authentication based on risk conditions?

A. Conditional Access
B. Distribution groups
C. Shared mailboxes
D. Version history

Correct Answer: A

Explanation: Conditional Access evaluates signals and can require MFA or block access.


Question 10

Which authentication method provides phishing-resistant, passwordless sign-in through a physical device?

A. SMS codes
B. Security questions
C. Voice calls
D. FIDO2 security keys

Correct Answer: D

Explanation: FIDO2 keys provide strong passwordless authentication and resist phishing attacks.


Go to the AB-900 Exam Prep Hub main page

Understand Authorization (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Understand the Microsoft 365 security principles
      --> Understand Authorization


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

In Microsoft 365 security, protecting resources involves two closely related concepts:

  • Authentication
  • Authorization

Although these terms are often confused, they serve different purposes.

  • Authentication answers the question: “Who are you?”
  • Authorization answers the question: “What are you allowed to do?”

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, understanding authorization is important because Microsoft 365 relies heavily on permissions, roles, and policies to determine what users can access.


What Is Authorization?

Authorization is the process of determining whether an authenticated user has permission to access a resource or perform an action.

Examples of resources include:

  • Email messages
  • SharePoint sites
  • Teams channels
  • Files and folders
  • Applications
  • Administrative settings

Authorization occurs after authentication.


Authentication vs. Authorization

These concepts work together but perform different functions.

AuthenticationAuthorization
Verifies identityDetermines access rights
Answers “Who are you?”Answers “What can you do?”
Usually requires credentialsUses permissions and policies
Happens firstHappens second

Example

  1. A user signs in with their Microsoft 365 account.
  2. Microsoft verifies their identity (authentication).
  3. Microsoft checks whether they are allowed to access a file (authorization).

Real-World Example

Imagine entering an office building.

Authentication

Showing your employee badge proves who you are.

Authorization

Your badge determines:

  • Which floors you may enter.
  • Which rooms you can access.
  • Whether you can enter the server room.

Not every employee receives the same level of access.


Why Authorization Is Important

Authorization helps organizations:

  • Protect sensitive information.
  • Limit insider threats.
  • Enforce security policies.
  • Support compliance requirements.
  • Implement the Zero Trust model.

Without authorization controls, every authenticated user would have unrestricted access to organizational data.


Authorization in Microsoft 365

Microsoft 365 uses authorization to control access to:

SharePoint

  • Sites
  • Libraries
  • Files
  • Folders

Microsoft Teams

  • Teams
  • Channels
  • Meetings

Exchange Online

  • Mailboxes
  • Distribution groups
  • Shared mailboxes

Copilot Experiences

  • Documents
  • Emails
  • Teams conversations
  • Knowledge sources

Permissions

Permissions are the primary mechanism used to implement authorization.

Permissions define what actions users can perform.

Examples include:

  • Read
  • Edit
  • Create
  • Delete
  • Full Control

Different users may receive different permissions for the same resource.


Role-Based Access Control (RBAC)

Microsoft 365 uses Role-Based Access Control (RBAC) to assign permissions according to job responsibilities.

Instead of assigning permissions individually to every user, permissions are grouped into roles.

Examples include:

RolePurpose
Global AdministratorManage the entire Microsoft 365 tenant
User AdministratorManage user accounts
SharePoint AdministratorManage SharePoint Online
Teams AdministratorManage Microsoft Teams
Exchange AdministratorManage Exchange Online

RBAC simplifies administration and supports the principle of least privilege.


Least Privilege and Authorization

Authorization supports the Zero Trust principle of Least Privileged Access.

Users should receive only the permissions necessary to perform their work.

Example:

  • HR employees can access HR documents.
  • Finance employees can access financial reports.
  • Marketing employees cannot view payroll files.

Restricting access reduces the impact of compromised accounts.


Group-Based Authorization

Permissions are often assigned through groups rather than individual users.

Examples:

  • Microsoft 365 Groups
  • Security Groups
  • SharePoint Groups

Benefits include:

  • Easier administration
  • Consistent access
  • Reduced errors
  • Simplified onboarding

When a user joins a group, they inherit the group’s permissions.


SharePoint Authorization

SharePoint permissions determine who can:

  • View documents
  • Edit content
  • Upload files
  • Manage sites

Common permission levels include:

Permission LevelCapabilities
ReadView content
EditModify content
Full ControlManage settings and permissions

A user without permission cannot access the content even if they know the file location.


Teams Authorization

Microsoft Teams uses authorization to determine:

  • Team membership
  • Channel access
  • Meeting permissions
  • App availability

For example:

  • Members of a team can participate in discussions.
  • Users outside the team cannot access conversations.
  • Private channels restrict access to selected members.

Exchange Online Authorization

Authorization determines access to:

  • Mailboxes
  • Shared mailboxes
  • Calendars
  • Distribution groups

Example:

An executive assistant may be granted permission to manage another user’s mailbox.


Conditional Access and Authorization

Conditional Access can add requirements before access is granted.

Examples include:

  • Requiring Multi-Factor Authentication (MFA)
  • Blocking risky sign-ins
  • Restricting access from unmanaged devices

Conditional Access combines identity signals with authorization decisions.


Administrative Roles

Administrative roles provide authorization for management tasks.

Examples:

Global Administrator

Can manage nearly every Microsoft 365 service.

Teams Administrator

Can manage Teams settings but not Exchange settings.

SharePoint Administrator

Can manage SharePoint but not user licensing.

This separation helps implement least privilege.


Authorization and Microsoft 365 Copilot

Microsoft 365 Copilot relies entirely on existing authorization controls.

Copilot:

  • Does not bypass permissions.
  • Cannot expose restricted information.
  • Only retrieves content users are already authorized to access.

Example

Suppose:

  • Alice has access to Finance documents.
  • Bob does not.

If Bob asks Copilot for salary reports, Copilot cannot retrieve them because Bob lacks authorization.


Authorization in Zero Trust

Authorization supports all three Zero Trust principles:

Verify Explicitly

Access decisions consider identity and context.

Use Least Privileged Access

Users receive only necessary permissions.

Assume Breach

Limiting permissions reduces the impact of attacks.


Best Practices

Assign Roles Carefully

Avoid excessive privileges.

Use Groups Instead of Individual Permissions

Simplify management.

Follow Least Privilege

Grant only required access.

Review Permissions Regularly

Remove outdated permissions.

Use MFA and Conditional Access

Strengthen authorization decisions.


Exam Tips

Remember these key AB-900 concepts:

  • Authentication verifies identity.
  • Authorization determines access rights.
  • Authorization occurs after authentication.
  • Permissions define what users can do.
  • RBAC assigns permissions through roles.
  • Least privilege limits unnecessary access.
  • Groups simplify permission management.
  • Conditional Access can influence authorization decisions.
  • Microsoft 365 Copilot respects existing permissions.
  • Users cannot access resources without authorization.

Practice Exam Questions

Question 1

Which question does authorization answer?

A. Where is the data stored?
B. Which password should be used?
C. What resources is the user allowed to access?
D. Is the device encrypted?

Correct Answer: C

Explanation: Authorization determines what actions an authenticated user is permitted to perform.


Question 2

Which process occurs first in Microsoft 365?

A. Authorization
B. Authentication
C. Auditing
D. Encryption

Correct Answer: B

Explanation: Users must first prove their identity before access rights can be evaluated.


Question 3

What is the primary purpose of Role-Based Access Control (RBAC)?

A. Encrypt files automatically
B. Create mailboxes
C. Assign permissions according to job responsibilities
D. Replace authentication

Correct Answer: C

Explanation: RBAC groups permissions into roles that align with organizational responsibilities.


Question 4

Which Microsoft 365 principle is directly supported by limiting permissions to only what users need?

A. External collaboration
B. Shared responsibility
C. Multi-tenancy
D. Least privilege

Correct Answer: D

Explanation: Least privilege minimizes unnecessary access and reduces security risks.


Question 5

A user signs in successfully but cannot open a SharePoint file. What is the most likely reason?

A. Authentication failed.
B. The user lacks authorization to the file.
C. The file was encrypted.
D. The device lacks internet access.

Correct Answer: B

Explanation: Successful authentication does not guarantee permission to access resources.


Question 6

Which mechanism is commonly used to simplify authorization management?

A. Distribution lists
B. Version history
C. Group-based permissions
D. Mail flow rules

Correct Answer: C

Explanation: Assigning permissions to groups is easier and more consistent than assigning permissions individually.


Question 7

Which Microsoft 365 administrative role can manage SharePoint Online but does not automatically manage Teams or Exchange?

A. Global Administrator
B. SharePoint Administrator
C. User Administrator
D. Billing Administrator

Correct Answer: B

Explanation: SharePoint Administrators are responsible specifically for SharePoint services.


Question 8

How does Microsoft 365 Copilot use authorization?

A. It ignores permissions to improve productivity.
B. It temporarily grants access to hidden documents.
C. It bypasses SharePoint security.
D. It only retrieves information users are already authorized to access.

Correct Answer: D

Explanation: Copilot honors existing Microsoft 365 permissions and security boundaries.


Question 9

Which statement best describes authentication and authorization?

A. They are the same process.
B. Authorization occurs before authentication.
C. Authentication verifies identity, and authorization determines access.
D. Authentication controls permissions.

Correct Answer: C

Explanation: Authentication confirms who the user is, while authorization determines what they may access.


Question 10

Which Microsoft capability can require additional conditions, such as MFA, before granting access?

A. Distribution groups
B. Conditional Access
C. Version history
D. Shared mailboxes

Correct Answer: B

Explanation: Conditional Access evaluates signals and can impose additional requirements before authorization is granted.


Go to the AB-900 Exam Prep Hub main page