Category: security

Run a data access governance report in SharePoint (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify and monitor oversharing in SharePoint in Microsoft 365
      --> Run a data access governance report in SharePoint


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

This topic matters for the AB-900 exam because it combines SharePoint governance, Microsoft Purview, and Copilot data security. Although the feature continues to evolve, the exam focuses on understanding what the report is, when to use it, and what problems it helps administrators solve, rather than memorizing every UI step.


Why Data Access Governance Matters

One of the largest security challenges in Microsoft 365 is oversharing. Over time, organizations accumulate millions of files, thousands of SharePoint sites, and numerous Microsoft Teams workspaces. Permissions often become increasingly complex as users:

  • Share files externally
  • Create anonymous sharing links
  • Grant access to “Everyone”
  • Add guests to Teams
  • Break inheritance on folders
  • Forget to remove temporary permissions

As organizations adopt Microsoft 365 Copilot, overshared content becomes an even greater concern because Copilot can surface information that a user already has permission to access—even if that access was unintentionally granted.

Microsoft provides Data Access Governance (DAG) capabilities in SharePoint to help administrators discover, understand, and remediate excessive access before it becomes a security issue.


What is Data Access Governance?

Data Access Governance is a collection of reporting and analysis capabilities within SharePoint Advanced Management that helps administrators answer questions such as:

  • Which sites are accessible by everyone?
  • Which files are overshared?
  • Which sites have external users?
  • Which sites contain highly sensitive information?
  • Which permissions may expose confidential content?
  • Which sites should be reviewed?

Rather than examining permissions one site at a time, administrators receive organization-wide visibility.


Primary Goals of Data Access Governance

Data Access Governance helps organizations:

  • Discover overshared sites
  • Review permissions
  • Reduce excessive access
  • Identify high-risk collaboration
  • Improve Microsoft 365 security posture
  • Prepare for Microsoft 365 Copilot deployment
  • Reduce accidental data exposure
  • Support compliance initiatives

Why It Is Important for Microsoft 365 Copilot

Microsoft 365 Copilot never ignores permissions.

Instead, it retrieves content using the same security model that governs Microsoft 365.

If a user has permission to open a document manually, Copilot can potentially reference that document when generating responses.

For example:

Suppose Human Resources accidentally grants the entire company read access to salary spreadsheets.

Without Copilot:

  • Most employees may never discover the files.

With Copilot:

A user might ask:

“Summarize employee compensation data.”

Because the files are already accessible, Copilot could retrieve them.

The problem is not Copilot—it is the underlying permissions.

Data Access Governance helps identify these permission problems before they become security risks.


What the Data Access Governance Report Shows

The report provides administrators with visibility into SharePoint permissions and sharing configurations across the tenant.

Common information includes:

  • Site owners
  • Site sensitivity
  • External sharing status
  • Number of members
  • Anonymous links
  • Organization-wide access
  • Guest access
  • Sharing activity
  • Permission inheritance
  • Access patterns
  • High-risk sites
  • Overshared content indicators

Rather than searching manually, administrators can prioritize the highest-risk locations.


Types of Oversharing That Can Be Identified

The report can identify situations such as:

Organization-wide access

Sites accessible by:

  • Everyone
  • Everyone except external users
  • Large security groups

These sites often expose more content than intended.


Anonymous Links

Files shared through links that require no authentication.

These links may remain active long after they are needed.


Guest Access

Sites containing:

  • External users
  • Partner accounts
  • Vendor accounts

Administrators can verify whether guest access is still appropriate.


Excessive Sharing

Examples include:

  • Large numbers of shared files
  • Broad sharing permissions
  • Public document libraries
  • Open collaboration spaces

Sensitive Sites

The report can identify sites that contain:

  • Financial information
  • HR records
  • Legal documents
  • Intellectual property
  • Customer information

Combined with Microsoft Purview sensitivity labels, administrators gain better visibility into where important information resides.


Typical Workflow

Administrators generally follow this process:

Step 1

Open SharePoint administration tools.


Step 2

Generate or review a Data Access Governance report.


Step 3

Review identified risks.

Examples:

  • Overshared sites
  • External sharing
  • Everyone permissions
  • Sensitive content

Step 4

Investigate high-risk sites.

Questions include:

  • Does this access need to exist?
  • Are guests still required?
  • Is inheritance broken?
  • Should permissions be reduced?

Step 5

Take corrective action.

Possible actions include:

  • Remove permissions
  • Restrict sharing
  • Apply sensitivity labels
  • Disable anonymous links
  • Reduce guest access
  • Educate site owners

Step 6

Run reports regularly to verify improvements.


Relationship with Microsoft Purview

Data Access Governance works alongside Microsoft Purview.

Purview answers questions such as:

  • What sensitive data exists?
  • How is it classified?
  • Which labels are applied?
  • Are DLP policies triggered?

SharePoint Data Access Governance answers:

  • Who can access the data?
  • Is the data overshared?
  • Which sites expose information?
  • Which permissions should be reviewed?

Together they provide both:

  • Content awareness
  • Permission awareness

Relationship with Microsoft 365 Copilot

Data Access Governance helps administrators prepare for Copilot by reducing permission-related risks.

Benefits include:

  • Finding overshared SharePoint sites
  • Identifying unnecessary permissions
  • Reducing broad access
  • Reviewing guest sharing
  • Protecting confidential information
  • Improving search security
  • Supporting Zero Trust principles

Best Practices

Microsoft recommends that organizations:

  • Review sharing reports regularly.
  • Audit external access periodically.
  • Minimize “Everyone” permissions.
  • Remove unused guest accounts.
  • Apply sensitivity labels to important sites.
  • Use Microsoft Purview DLP alongside SharePoint governance.
  • Educate site owners on responsible sharing.
  • Review high-risk collaboration sites before deploying Copilot broadly.
  • Follow the principle of least privilege.
  • Continuously monitor permission changes.

Common Exam Tips

Remember these key points:

  • Data Access Governance focuses on permissions and access, not document content.
  • It helps identify oversharing across SharePoint.
  • It is especially valuable before deploying Microsoft 365 Copilot.
  • Copilot respects existing Microsoft 365 permissions.
  • Oversharing is a permissions problem, not a Copilot problem.
  • Reports help administrators prioritize high-risk sites for remediation.
  • Data Access Governance complements Microsoft Purview rather than replacing it.

Practice Exam Questions

Question 1

Why would an administrator run a Data Access Governance report in SharePoint?

A. To update SharePoint servers

B. To identify overshared sites and permission risks

C. To encrypt all documents automatically

D. To generate Microsoft 365 licenses

Correct Answer: B

Explanation: Data Access Governance helps administrators identify sites with excessive permissions, external sharing, and other access-related risks.


Question 2

Which issue is Data Access Governance primarily designed to identify?

A. SQL database corruption

B. Printer failures

C. Oversharing of SharePoint content

D. Network latency

Correct Answer: C

Explanation: The primary purpose is to detect oversharing and excessive permissions across SharePoint.


Question 3

Why is Data Access Governance especially important before deploying Microsoft 365 Copilot?

A. Copilot automatically changes permissions.

B. Copilot ignores SharePoint security.

C. Copilot copies all SharePoint files.

D. Copilot can reference content users already have permission to access.

Correct Answer: D

Explanation: Copilot honors existing permissions. Overshared content may therefore appear in Copilot responses if users already have legitimate access.


Question 4

Which type of access represents a potential oversharing risk?

A. Anonymous sharing links

B. Azure subscription ownership

C. Exchange mailbox size

D. Microsoft Teams background images

Correct Answer: A

Explanation: Anonymous links allow access without authentication and should be reviewed carefully.


Question 5

What question does Data Access Governance primarily help answer?

A. Which users have excessive access to SharePoint content?

B. Which Windows updates are missing?

C. Which devices need antivirus software?

D. Which Microsoft 365 licenses should be purchased?

Correct Answer: A

Explanation: Data Access Governance focuses on permissions, sharing, and access to SharePoint content.


Question 6

Which Microsoft 365 principle is supported by regularly reviewing Data Access Governance reports?

A. Unlimited collaboration

B. Least privilege

C. Maximum storage allocation

D. Unlimited guest access

Correct Answer: B

Explanation: Regular reviews help ensure users have only the permissions necessary to perform their work.


Question 7

Which type of SharePoint site would likely appear as higher risk in a Data Access Governance report?

A. A private HR site with restricted access

B. A site shared with only one administrator

C. A site containing sensitive files that is accessible to everyone

D. A newly created empty site

Correct Answer: C

Explanation: Sensitive information combined with broad permissions represents a significant oversharing risk.


Question 8

How does Data Access Governance complement Microsoft Purview?

A. Both products only classify documents.

B. Data Access Governance focuses on permissions, while Purview focuses on data protection and governance.

C. They perform identical functions.

D. Purview replaces SharePoint permissions.

Correct Answer: B

Explanation: Purview governs and protects data, while Data Access Governance helps administrators understand who has access to that data.


Question 9

Which action should an administrator consider after identifying an overshared SharePoint site?

A. Delete all documents immediately.

B. Disable Microsoft 365 Copilot.

C. Purchase additional SharePoint storage.

D. Review and reduce unnecessary permissions.

Correct Answer: D

Explanation: The appropriate response is to evaluate existing permissions and remove excessive or unnecessary access while maintaining business needs.


Question 10

Which statement about Microsoft 365 Copilot and Data Access Governance is true?

A. Data Access Governance prevents all Copilot responses.

B. Copilot bypasses SharePoint permissions when generating answers.

C. Data Access Governance helps reduce the risk of Copilot surfacing overshared information by identifying excessive permissions.

D. Copilot encrypts all SharePoint documents before using them.

Correct Answer: C

Explanation: By identifying and remediating overshared permissions, Data Access Governance helps ensure Copilot only surfaces information that users are appropriately authorized to access.



Discover and manage AI activity by using DSPM for AI (Part 2) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Discover and manage AI activity by using DSPM for AI



Introduction

In Part 1, you learned how Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations discover AI activity, identify sensitive data exposure, detect oversharing, and provide visibility into how AI interacts with Microsoft 365 data.

This section (Part 2) focuses on how DSPM for AI helps administrators manage AI-related risks, integrates with other Microsoft security and compliance services, and supports secure AI adoption.


Security Recommendations Generated by DSPM for AI

One of DSPM for AI’s most valuable capabilities is providing actionable security recommendations rather than simply identifying problems.

After analyzing an organization’s AI environment, DSPM highlights areas that should be improved to reduce the likelihood of accidental data exposure or compliance violations.

Examples of recommendations include:

  • Reduce excessive SharePoint permissions.
  • Apply sensitivity labels to unclassified confidential files.
  • Configure Data Loss Prevention (DLP) policies.
  • Limit external sharing.
  • Protect highly confidential document libraries.
  • Enable auditing for AI-related activities.
  • Improve data governance before expanding AI deployments.

These recommendations help administrators prioritize improvements based on potential business impact and security risk.


Risk Prioritization

Not every security finding represents the same level of risk.

DSPM helps prioritize remediation efforts by evaluating factors such as:

  • Amount of sensitive data exposed
  • Number of users with access
  • Business importance of the data
  • Existing protection mechanisms
  • AI usage patterns
  • Permission inheritance
  • Regulatory implications

This enables administrators to address the highest-risk issues first.

For example:

Risk | Priority
Public access to executive financial reports | High
Sensitive HR documents lacking labels | High
Marketing presentations shared internally | Medium
Public training documents | Low

Discovering AI-Related Data Exposure

Organizations often ask:

“If we enable Microsoft 365 Copilot today, what sensitive information could users potentially discover?”

DSPM helps answer this question.

It analyzes:

  • Existing permissions
  • Data classifications
  • Sharing configurations
  • Microsoft Graph relationships
  • Collaboration patterns

This provides insight into which sensitive data could become more discoverable through AI-assisted searches and summaries.

Remember:

Copilot does not bypass security permissions. It only accesses information that the signed-in user is already authorized to access. DSPM helps identify situations where those permissions may already be too broad.


Remediation Recommendations

After identifying risks, DSPM recommends remediation steps.

Common recommendations include:

Reduce Oversharing

Examples include:

  • Remove unnecessary SharePoint permissions.
  • Restrict Microsoft Teams membership.
  • Remove Everyone access.
  • Limit guest sharing.

Improve Data Classification

Examples include:

  • Apply sensitivity labels.
  • Enable automatic labeling.
  • Use trainable classifiers.
  • Configure sensitive information types.

Better classification improves downstream protections across Microsoft Purview.


Strengthen Data Protection Policies

DSPM may recommend:

  • Creating DLP policies
  • Encrypting confidential documents
  • Restricting downloads
  • Blocking external sharing
  • Applying retention labels

Review AI Access

Administrators may decide to:

  • Limit AI rollout to selected departments
  • Review permissions before enabling Copilot broadly
  • Reduce access to legacy repositories
  • Remove stale user accounts

Integration with Microsoft Purview

DSPM for AI does not operate as an isolated product.

Instead, it complements several Microsoft Purview solutions.

Understanding these relationships is important for the AB-900 exam.


Microsoft Purview Information Protection

Information Protection classifies and protects data.

DSPM benefits from these classifications.

For example:

A document labeled:

  • Highly Confidential
  • Internal Only
  • Financial
  • Legal

helps DSPM understand the sensitivity of AI-accessible content.

Without labels, DSPM has less context when evaluating risk.


Microsoft Purview Data Loss Prevention (DLP)

DLP prevents sensitive information from being shared inappropriately.

DSPM identifies potential risks.

DLP helps enforce policies to prevent those risks from becoming incidents.

Example workflow:

  1. DSPM discovers sensitive payroll files.
  2. DLP prevents external sharing.
  3. Organization reduces AI-related exposure.

Microsoft Purview Insider Risk Management

DSPM identifies risky data exposure.

Insider Risk Management identifies risky user behavior.

Together they help answer two different questions:

DSPM asks:

“What sensitive data could AI access?”

Insider Risk asks:

“Is someone attempting to misuse sensitive data?”

These products complement one another.


Microsoft Purview Activity Explorer

Activity Explorer provides visibility into user interactions with sensitive information.

DSPM can use Activity Explorer insights to better understand:

  • Sensitive file access
  • Label usage
  • DLP events
  • Data movement

Administrators gain a clearer understanding of how protected information is being used across Microsoft 365.


Microsoft Purview Compliance Manager

Compliance Manager focuses on regulatory compliance.

DSPM focuses on AI data governance.

Together they help organizations:

  • Reduce compliance risk
  • Improve governance
  • Meet regulatory requirements
  • Protect sensitive information used by AI

Microsoft Defender

Microsoft Defender protects identities, endpoints, applications, and cloud resources.

DSPM complements Defender by focusing specifically on AI-related data risks.

Examples:

Microsoft Defender detects:

  • Malware
  • Credential theft
  • Phishing
  • Device compromise

DSPM identifies:

  • Overshared files
  • AI exposure
  • Sensitive data visibility
  • Permission risks

AI Governance Dashboard

DSPM provides dashboards that help administrators understand their organization’s AI posture.

Typical dashboard information includes:

  • AI adoption trends
  • Sensitive data exposure
  • High-risk repositories
  • Oversharing statistics
  • AI application inventory
  • Policy recommendations
  • Governance posture

Rather than investigating individual files, administrators receive a broad organizational view.


Discovering AI Applications

DSPM helps organizations understand:

  • Which AI tools are in use
  • Which departments use them
  • Adoption trends
  • AI usage over time

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • Supported third-party AI services

This visibility helps organizations establish AI governance policies.


Investigating AI Risks

Administrators typically investigate findings by asking questions such as:

  • Which sensitive files are accessible?
  • Who has access?
  • Why do they have access?
  • Is the data properly labeled?
  • Are permissions appropriate?
  • Is the data externally shared?
  • Should additional protection be applied?

DSPM helps surface this information so administrators can make informed decisions.


Typical Investigation Workflow

A simplified investigation might follow these steps:

Step 1

DSPM identifies an overshared SharePoint site.

Step 2

Administrator reviews permissions.

Step 3

Sensitive files are discovered.

Step 4

Sensitivity labels are applied.

Step 5

Permissions are reduced.

Step 6

DLP policies are enabled.

Step 7

Risk is reduced before broader Copilot deployment.


Best Practices

Organizations implementing Microsoft 365 Copilot should follow several best practices.

Review Permissions Before AI Rollout

Avoid enabling Copilot before understanding existing permissions.


Classify Sensitive Data

Use Microsoft Purview Information Protection to classify important documents.


Apply Least Privilege

Users should only have access to information required for their job.


Reduce Oversharing

Review:

  • SharePoint permissions
  • Teams memberships
  • OneDrive sharing
  • External sharing

Enable DLP

Prevent accidental sharing of confidential information.


Monitor AI Adoption

Understand:

  • Who uses AI
  • Which departments use AI
  • What information AI accesses

Regularly Review Recommendations

DSPM continuously evaluates the environment.

Administrators should regularly review new recommendations as data, permissions, and AI usage evolve.


Licensing Considerations

For the AB-900 exam, you are not expected to memorize licensing details, as licensing can change over time.

However, you should understand these general principles:

  • DSPM for AI is part of the Microsoft Purview family.
  • Advanced governance and AI security capabilities may require appropriate Microsoft licensing.
  • Organizations should verify current licensing requirements before deployment.

Common Exam Scenarios

You may encounter questions like:

Scenario 1

An organization wants to know whether Microsoft 365 Copilot could expose confidential HR documents because of existing permissions.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 2

Administrators want recommendations to reduce AI-related data exposure before deploying Copilot.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 3

Security administrators want visibility into AI adoption across Microsoft 365.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 4

Administrators want to identify overshared SharePoint sites that AI could access.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 5

An organization wants to understand where sensitive information may be exposed through AI.

Relevant technology:

Microsoft Purview DSPM for AI


Common Misconceptions

Misconception 1

DSPM blocks AI prompts.

Incorrect.

DSPM primarily discovers, assesses, and helps reduce AI-related data risks. It is not a prompt-filtering or AI-blocking solution.


Misconception 2

Copilot ignores permissions.

Incorrect.

Copilot always respects the signed-in user’s existing Microsoft 365 permissions.


Misconception 3

DSPM replaces Microsoft Purview DLP.

Incorrect.

DSPM identifies risks, while DLP enforces policies that help prevent inappropriate sharing of sensitive data.


Misconception 4

DSPM replaces Microsoft Defender.

Incorrect.

Defender focuses on threats and attacks, whereas DSPM focuses on AI-related data exposure and governance.


Misconception 5

DSPM automatically fixes security issues.

Incorrect.

DSPM provides visibility, recommendations, and guidance. Administrators remain responsible for implementing changes such as adjusting permissions, applying labels, or configuring policies.


AB-900 Exam Tips

Focus on these key concepts:

  • Microsoft Purview DSPM for AI is an AI governance and visibility solution.
  • It helps organizations discover AI usage, identify sensitive data exposure, and reduce AI-related risks.
  • DSPM does not bypass or modify Microsoft 365 permissions.
  • It works alongside Information Protection, DLP, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • One of its primary goals is to identify oversharing before it becomes a business risk.
  • DSPM provides recommendations, not automatic remediation.
  • It supports organizations throughout the AI adoption lifecycle by helping them continuously improve their security posture.

Chapter Summary

Microsoft Purview DSPM for AI enables organizations to adopt AI confidently by providing visibility into how AI interacts with organizational data. It discovers AI usage, inventories AI applications, identifies oversharing, evaluates sensitive data exposure, and recommends actions to strengthen governance.

Rather than replacing existing Microsoft Purview or Microsoft Defender capabilities, DSPM for AI enhances them by adding AI-specific insights. It integrates with Information Protection, Data Loss Prevention, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender to create a comprehensive approach to AI governance.

For the AB-900 exam, remember that DSPM for AI is fundamentally about discovering, assessing, and managing AI-related data risks. It helps administrators understand where AI could expose sensitive information due to existing permissions and governance gaps, enabling organizations to improve their security posture before and during Microsoft 365 Copilot deployment.


Practice Exam Questions


Question 1

A company plans to deploy Microsoft 365 Copilot across all departments. Before deployment, administrators want to determine whether confidential documents are overly accessible due to existing SharePoint permissions.

Which Microsoft solution should they use?

A. Microsoft Entra Domain Services

B. Microsoft Defender for Endpoint

C. Microsoft Intune

D. Microsoft Purview Data Security Posture Management (DSPM) for AI

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI helps organizations discover overshared content, evaluate AI-related data exposure, and identify permission risks before deploying AI solutions such as Microsoft 365 Copilot.

  • D is correct because DSPM for AI analyzes permissions and identifies AI-related security risks.
  • A is incorrect because Entra Domain Services provides managed domain services rather than AI governance.
  • B is incorrect because Defender for Endpoint protects devices.
  • C is incorrect because Intune manages devices and applications.

Question 2

An administrator wants to understand which departments are actively using Microsoft 365 Copilot and other approved AI applications.

Which capability best addresses this requirement?

A. Microsoft Purview Information Protection

B. Microsoft Purview DSPM for AI

C. Microsoft Defender for Cloud Apps

D. Microsoft Entra Conditional Access

Correct Answer: B

Explanation

DSPM for AI provides visibility into AI adoption, AI application inventory, and usage trends across the organization.

  • B is correct because DSPM for AI discovers AI activity and AI adoption.
  • A classifies and protects data.
  • C monitors cloud applications but is not specifically designed for AI governance.
  • D controls authentication conditions.

Question 3

Which statement best describes how Microsoft 365 Copilot accesses organizational data?

A. It bypasses Microsoft 365 permissions when generating responses.

B. It can access all documents stored in Microsoft 365 regardless of permissions.

C. It only accesses content the signed-in user is already authorized to access.

D. It only accesses files created after Copilot was enabled.

Correct Answer: C

Explanation

Copilot respects existing Microsoft 365 permissions. It never bypasses authorization.

  • C is correct because Copilot only retrieves content the current user can already access.
  • A and B incorrectly imply that Copilot ignores permissions.
  • D is incorrect because file creation date is irrelevant.

Question 4

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Prevent all AI-generated responses

B. Replace Microsoft Defender

C. Automatically encrypt all Microsoft 365 data

D. Discover AI activity and identify AI-related data risks

Correct Answer: D

Explanation

DSPM for AI provides visibility into AI usage and helps identify governance and security risks.

  • D is correct because discovering AI activity and assessing AI-related risks are its primary objectives.
  • A, B, and C describe capabilities DSPM does not provide.

Question 5

An organization discovers that hundreds of employees can access executive financial reports because of inherited SharePoint permissions.

What type of risk has DSPM for AI identified?

A. Malware infection

B. Oversharing

C. Identity synchronization failure

D. Device compliance failure

Correct Answer: B

Explanation

Oversharing occurs when users have broader access to information than intended.

  • B is correct because excessive permissions increase AI-related exposure.
  • A, C, and D are unrelated to data governance.

Question 6

Which Microsoft technology provides much of the contextual relationship information that helps DSPM for AI understand user access to Microsoft 365 content?

A. Microsoft SQL Server

B. Microsoft Defender XDR

C. Microsoft Graph

D. Azure Kubernetes Service

Correct Answer: C

Explanation

Microsoft Graph provides relationships between users, files, emails, Teams, SharePoint, and other Microsoft 365 resources.

  • C is correct because DSPM uses Microsoft Graph signals to understand data access.
  • The remaining options do not provide organizational relationship data.

Question 7

Which Microsoft Purview solution works alongside DSPM for AI by preventing inappropriate sharing of sensitive information?

A. Microsoft Purview Data Loss Prevention (DLP)

B. Microsoft Entra ID Protection

C. Microsoft Intune

D. Windows Autopilot

Correct Answer: A

Explanation

DLP enforces policies that prevent sensitive information from being shared improperly.

  • A is correct because DLP complements DSPM by enforcing protection policies.
  • B, C, and D serve different purposes.

Question 8

An administrator wants recommendations for reducing AI-related security risks before expanding Microsoft 365 Copilot deployment.

What should they use?

A. Microsoft Defender Antivirus

B. Microsoft Purview DSPM for AI

C. Exchange Online Protection

D. Microsoft Entra Connect

Correct Answer: B

Explanation

DSPM for AI evaluates AI-related risks and recommends improvements such as reducing oversharing, improving data classification, and strengthening governance.

  • B is correct because providing security recommendations is one of its core capabilities.
  • The other products address different areas of Microsoft security.

Question 9

Which action would most effectively reduce AI-related data exposure identified by DSPM for AI?

A. Disable Microsoft Teams

B. Increase mailbox quotas

C. Review permissions and apply sensitivity labels to confidential data

D. Upgrade Windows devices

Correct Answer: C

Explanation

Reducing excessive permissions and properly classifying sensitive information significantly reduces AI-related exposure.

  • C is correct because both permission management and data classification are recommended remediation actions.
  • A, B, and D do not directly address AI governance.

Question 10

Which statement best summarizes Microsoft’s approach to AI governance with DSPM for AI?

A. DSPM automatically blocks all AI interactions involving confidential information.

B. DSPM replaces Microsoft Purview Information Protection.

C. DSPM eliminates the need for Microsoft Defender.

D. DSPM provides visibility, identifies risks, and recommends actions that help organizations securely adopt AI.

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI is designed to improve organizational AI security posture by discovering AI usage, identifying risks, and recommending governance improvements.

  • D is correct because it accurately reflects the purpose of DSPM for AI.
  • A is incorrect because DSPM is primarily a discovery and governance solution rather than an AI-blocking mechanism.
  • B is incorrect because Information Protection remains responsible for classifying and protecting data.
  • C is incorrect because Microsoft Defender continues to provide threat protection and complements DSPM for AI rather than being replaced by it.

Key Takeaways for the AB-900 Exam

After studying this topic, you should be able to:

  • Explain the purpose of Microsoft Purview DSPM for AI.
  • Describe how DSPM for AI helps organizations discover and govern AI activity.
  • Understand that Microsoft 365 Copilot always respects existing user permissions.
  • Explain the concept of oversharing and why it is a significant AI-related risk.
  • Describe how Microsoft Graph provides context that enables DSPM for AI to evaluate data access.
  • Identify how DSPM for AI integrates with Microsoft Purview Information Protection, Data Loss Prevention (DLP), Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • Recognize that DSPM for AI provides visibility, risk assessment, and recommendations, but administrators remain responsible for implementing remediation actions.
  • Apply DSPM for AI concepts to common AB-900 scenario-based questions involving Microsoft 365 Copilot deployments and AI governance.

These concepts form an important part of the “Identify data protection and governance risks for Microsoft 365 and Copilot” objective and are frequently tested through scenario-based questions that assess your understanding of secure AI adoption and governance.



Identify user activities reported by Microsoft Purview Activity Explorer (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Identify user activities reported by Microsoft Purview Activity Explorer



Introduction

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand how Microsoft Purview Activity Explorer helps administrators investigate user activities involving sensitive information. Activity Explorer provides visibility into how sensitive data is accessed, shared, modified, labeled, or protected across Microsoft 365 services. It is an important investigative tool for identifying potential data protection and governance risks.


What Is Microsoft Purview Activity Explorer?

Microsoft Purview Activity Explorer is an investigation tool that displays activities involving sensitive information and Microsoft Purview protection technologies across Microsoft 365.

Rather than preventing actions, Activity Explorer helps administrators answer questions such as:

  • Who accessed sensitive information?
  • Which files contained sensitive data?
  • Was a sensitivity label applied or removed?
  • Did a Data Loss Prevention (DLP) policy trigger?
  • Was confidential information shared externally?
  • When did a particular activity occur?

Activity Explorer provides a searchable history of events so administrators can investigate potential compliance and security incidents.


Purpose of Activity Explorer

The primary purpose of Activity Explorer is to provide visibility into how organizational data is being used and protected.

It helps organizations:

  • Investigate compliance incidents
  • Monitor sensitive information usage
  • Validate Microsoft Purview policy effectiveness
  • Support audits
  • Identify risky user behavior
  • Understand how sensitive data moves throughout Microsoft 365

How Activity Explorer Fits into Microsoft Purview

Activity Explorer works alongside several Microsoft Purview solutions.

| Microsoft Purview Solution | Purpose |
| --- | --- |
| Information Protection | Applies sensitivity labels |
| Data Loss Prevention (DLP) | Prevents inappropriate sharing of sensitive data |
| Data Classification | Identifies sensitive information |
| Insider Risk Management | Investigates risky user behavior |
| Activity Explorer | Displays activities involving protected or sensitive content |

Think of Activity Explorer as the investigation dashboard that brings many of these activities together.


User Activities Reported by Activity Explorer

Activity Explorer records many different activities related to sensitive information.

1. Sensitivity Label Activities

Administrators can identify when users:

  • Apply sensitivity labels
  • Remove sensitivity labels
  • Change sensitivity labels
  • Automatically receive labels
  • Manually classify documents

Example:

A user changes a document from Confidential to Public.

Activity Explorer records:

  • User
  • File
  • Previous label
  • New label
  • Time of change

2. Data Loss Prevention (DLP) Activities

Activity Explorer reports when DLP policies detect sensitive information.

Examples include:

  • Email blocked
  • File upload blocked
  • USB copy blocked
  • External sharing blocked
  • Policy warning shown
  • Policy override used

Example:

A user attempts to email customer credit card numbers.

The DLP policy detects the data and Activity Explorer records the event.


3. Sensitive Information Detection

Activity Explorer records when Microsoft identifies sensitive information types such as:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Driver’s license numbers
  • Bank account numbers
  • Tax identification numbers
  • Healthcare identifiers

The tool helps administrators understand where sensitive information exists.


4. File Activities

Activity Explorer can display events involving files that contain sensitive information.

Examples include:

  • File created
  • File modified
  • File deleted
  • File copied
  • File downloaded
  • File shared
  • File moved

5. Sharing Activities

Administrators can investigate file-sharing behavior.

Examples:

  • Internal sharing
  • External sharing
  • Anonymous sharing links
  • Sharing permission changes
  • Sharing sensitive documents

These activities help identify potential data exposure risks.


6. Email Activities

Activity Explorer can report events involving protected email messages.

Examples include:

  • Email containing sensitive information
  • Protected email
  • Label changes
  • DLP policy matches

7. Teams Activities

Activity Explorer includes activities related to Microsoft Teams when supported by Microsoft Purview policies.

Examples include:

  • Sensitive information shared in Teams chats
  • Files shared in Teams
  • DLP policy matches
  • Protected documents shared

8. SharePoint and OneDrive Activities

Common activities include:

  • Sensitive file uploads
  • Downloads
  • External sharing
  • Label application
  • DLP events
  • File modifications

Information Displayed for Each Activity

Each event typically includes:

  • Date and time
  • User
  • Workload (Exchange, Teams, SharePoint, OneDrive)
  • Activity type
  • Policy involved
  • Sensitive information detected
  • Sensitivity label
  • File name
  • Location
  • Severity (when applicable)

This information helps investigators quickly understand what occurred.


Filtering Activity Explorer

Administrators can filter results by:

  • User
  • Date range
  • Workload
  • Activity type
  • Policy
  • Sensitive information type
  • Sensitivity label
  • Location
  • Service
  • File name

Filtering makes investigations faster and more targeted.


Common Investigation Scenarios

Scenario 1: External File Sharing

Question:

Has confidential information been shared outside the organization?

Activity Explorer allows investigators to:

  • Find externally shared files
  • Identify the user
  • Determine whether a DLP policy triggered
  • Review sensitivity labels

Scenario 2: Sensitive Information Discovery

Question:

Where are customer Social Security numbers stored?

Activity Explorer can identify:

  • Files
  • Users
  • Locations
  • Labels
  • Detection events

Scenario 3: Label Investigation

Question:

Who removed the Confidential label from a document?

Activity Explorer shows:

  • User
  • Time
  • Original label
  • New label
  • File involved

Scenario 4: DLP Policy Review

Question:

Which users triggered the most DLP alerts this week?

Administrators can filter DLP events by:

  • User
  • Policy
  • Date
  • Severity
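
The scenarios above reduce to filters and simple aggregations over event records. The following added example (not from the original post, and not Microsoft's tooling) runs three of them over constructed sample events; the field names and activity names are assumptions modeled on the columns listed under "Information Displayed for Each Activity", not the schema of a real Activity Explorer export.

```python
from collections import Counter
from datetime import datetime, timedelta

# Sensitivity labels from least to most sensitive; None means "no label".
LABEL_RANK = {None: -1, "Public": 0, "General": 1,
              "Confidential": 2, "Highly Confidential": 3}

def rank(label):
    """Numeric sensitivity of a label; unknown labels count as unlabeled."""
    return LABEL_RANK.get(label, -1)

def ev(time, user, workload, activity, file, **extra):
    """Build one constructed event record (hypothetical field names)."""
    return {"time": time, "user": user, "workload": workload,
            "activity": activity, "file": file, **extra}

# Constructed sample data, not real tenant output.
EVENTS = [
    ev("2025-03-03T09:12:00", "alice@example.com", "SharePoint", "LabelChanged",
       "q1-forecast.xlsx", old_label="Confidential", new_label="Public"),
    ev("2025-03-03T10:40:00", "bob@example.com", "Exchange", "DLPRuleMatch",
       "customers.csv", policy="Credit card data"),
    ev("2025-03-04T14:05:00", "bob@example.com", "Teams", "DLPRuleMatch",
       "customers.csv", policy="Credit card data"),
    ev("2025-03-05T08:30:00", "carol@example.com", "OneDrive", "FileShared",
       "design.docx", label="Confidential", external=True),
    ev("2025-03-05T11:00:00", "alice@example.com", "SharePoint", "DLPRuleMatch",
       "payroll.xlsx", policy="SSN data"),
    ev("2025-03-06T16:20:00", "dave@example.com", "SharePoint", "LabelRemoved",
       "contract.docx", old_label="Highly Confidential", new_label=None),
    ev("2025-03-06T17:00:00", "carol@example.com", "OneDrive", "FileShared",
       "lunch-menu.docx", label="General", external=True),
    ev("2025-03-07T09:00:00", "erin@example.com", "SharePoint", "LabelChanged",
       "roadmap.pptx", old_label="General", new_label="Confidential"),
    ev("2025-03-07T13:15:00", "bob@example.com", "Exchange", "DLPRuleMatch",
       "invoice.pdf", policy="Credit card data"),
    ev("2025-02-20T10:00:00", "bob@example.com", "Exchange", "DLPRuleMatch",
       "old.csv", policy="Credit card data"),  # outside the week under review
]

def filter_events(events, start=None, end=None, **fields):
    """Keep events that match every given field and fall within [start, end)."""
    kept = []
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if start is not None and ts < start:
            continue
        if end is not None and ts >= end:
            continue
        if all(e.get(key) == value for key, value in fields.items()):
            kept.append(e)
    return kept

def label_downgrades(events):
    """Scenario 3: label changes or removals that lowered a file's sensitivity."""
    hits = []
    for e in events:
        if e["activity"] not in ("LabelChanged", "LabelRemoved"):
            continue
        if rank(e.get("new_label")) < rank(e.get("old_label")):
            hits.append((e["time"], e["user"], e["file"],
                         e.get("old_label"), e.get("new_label")))
    return hits

def top_dlp_users(events, week_start):
    """Scenario 4: DLP matches per user for the 7 days starting at week_start."""
    start = datetime.fromisoformat(week_start)
    week = filter_events(events, start, start + timedelta(days=7),
                         activity="DLPRuleMatch")
    return Counter(e["user"] for e in week).most_common()

def external_sensitive_shares(events, min_label="Confidential"):
    """Scenario 1: external shares of files labeled min_label or higher."""
    shared = filter_events(events, activity="FileShared", external=True)
    return [e for e in shared if rank(e.get("label")) >= rank(min_label)]

if __name__ == "__main__":
    for row in label_downgrades(EVENTS):
        print("downgrade:", row)
    for user, count in top_dlp_users(EVENTS, "2025-03-03"):
        print("dlp matches:", user, count)
    for e in external_sensitive_shares(EVENTS):
        print("external share:", e["user"], e["file"], e["label"])
```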

Relationship to Microsoft 365 Copilot

As organizations deploy Microsoft 365 Copilot, understanding how sensitive information is used becomes increasingly important.

Activity Explorer helps administrators:

  • Verify that sensitivity labels are being applied
  • Review DLP policy activity
  • Monitor how protected information is handled
  • Investigate suspicious sharing activities
  • Support governance for content that Copilot may reference based on users’ existing permissions

Although Activity Explorer does not monitor Copilot prompts or responses directly, it helps administrators understand the underlying data protection activities associated with Microsoft 365 content.


Difference Between Activity Explorer and Audit Logs

These tools are related but serve different purposes.

| Activity Explorer | Microsoft Purview Audit |
| --- | --- |
| Focuses on sensitive information activities | Records broad user and administrator activities |
| Highlights DLP and sensitivity label events | Records nearly all Microsoft 365 events |
| Designed for data protection investigations | Designed for security, compliance, and auditing |
| Optimized for Microsoft Purview investigations | Optimized for overall audit history |

Best Practices

Organizations should:

  • Regularly review Activity Explorer.
  • Investigate repeated DLP policy matches.
  • Monitor external sharing of sensitive files.
  • Review sensitivity label changes.
  • Use filters to focus investigations.
  • Integrate findings with Insider Risk Management when appropriate.
  • Periodically validate that Purview policies are functioning as expected.

AB-900 Exam Tips

Remember these key points for the exam:

  • Activity Explorer is an investigation tool.
  • It reports activities involving sensitive information and Microsoft Purview protections.
  • It displays DLP events, sensitivity label activities, sharing events, and sensitive information detections.
  • It helps administrators investigate compliance and governance risks.
  • Activity Explorer complements Audit logs but focuses specifically on data protection activities.
  • Administrators can filter activities by user, workload, policy, label, activity type, and date.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Activity Explorer?

A. Create Microsoft 365 user accounts

B. Display activities involving sensitive information and Microsoft Purview protections

C. Configure Conditional Access policies

D. Reset user passwords

Correct Answer: B

Explanation: Activity Explorer helps administrators investigate activities involving sensitive information, DLP events, sensitivity labels, and other Microsoft Purview protection technologies.


Question 2

Which activity would most likely appear in Activity Explorer?

A. BIOS firmware updates

B. Windows device driver installation

C. A user applies a Confidential sensitivity label to a document

D. Printer toner replacement

Correct Answer: C

Explanation: Applying or changing sensitivity labels is one of the primary activities tracked by Activity Explorer.


Question 3

Which Microsoft Purview feature commonly generates events that are visible in Activity Explorer?

A. Microsoft Intune

B. Windows Update

C. Active Directory Sites and Services

D. Data Loss Prevention (DLP)

Correct Answer: D

Explanation: Activity Explorer records DLP policy matches, alerts, overrides, and other related events.


Question 4

An administrator wants to determine who shared a sensitive document externally. Which Microsoft Purview tool should they use?

A. Activity Explorer

B. Windows Event Viewer

C. Device Manager

D. Microsoft Paint

Correct Answer: A

Explanation: Activity Explorer displays sharing activities involving sensitive information, including external sharing events.


Question 5

Which information can administrators use to filter Activity Explorer results?

A. CPU temperature

B. Printer model

C. User name, activity type, and date range

D. Network cable type

Correct Answer: C

Explanation: Activity Explorer supports filtering by user, workload, activity type, policy, label, location, and date range.


Question 6

Which statement best describes Activity Explorer?

A. It permanently blocks sensitive file sharing.

B. It investigates activities involving protected or sensitive information.

C. It replaces Microsoft Defender Antivirus.

D. It encrypts every Microsoft 365 file automatically.

Correct Answer: B

Explanation: Activity Explorer is designed for investigation and reporting rather than prevention.


Question 7

Which Microsoft 365 workloads can contribute activities to Activity Explorer?

A. Only Microsoft Excel

B. Only Microsoft Teams

C. Only Exchange Online

D. Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams

Correct Answer: D

Explanation: Activity Explorer collects supported events from multiple Microsoft 365 workloads to provide a comprehensive view of sensitive data activities.


Question 8

What can an administrator determine by reviewing Activity Explorer?

A. Which BIOS version users are running

B. Which sensitive information types were detected in organizational content

C. The amount of available disk space on each device

D. Which printer is the default printer

Correct Answer: B

Explanation: Activity Explorer displays detections of sensitive information types such as credit card numbers, Social Security numbers, and other classified data.


Question 9

How does Activity Explorer differ from Microsoft Purview Audit?

A. Activity Explorer focuses on sensitive information and data protection activities, while Audit records a broader range of Microsoft 365 events.

B. Activity Explorer stores passwords.

C. Audit only records Teams activities.

D. Both tools provide identical information.

Correct Answer: A

Explanation: Activity Explorer specializes in Microsoft Purview-related activities, while Audit provides broader auditing across Microsoft 365.


Question 10

Why is Microsoft Purview Activity Explorer valuable in organizations using Microsoft 365 Copilot?

A. It records every Copilot prompt entered by users.

B. It replaces Copilot security permissions.

C. It helps administrators monitor the protection and handling of sensitive Microsoft 365 content that Copilot may access based on existing permissions.

D. It automatically blocks all Copilot responses.

Correct Answer: C

Explanation: Activity Explorer helps administrators understand how sensitive content is protected and used within Microsoft 365, supporting governance for data that Copilot can access according to user permissions.



Identify policy violations generated by Communication Compliance (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Identify policy violations generated by Communication Compliance



Introduction

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand how Microsoft Purview Communication Compliance helps organizations detect, investigate, and respond to inappropriate communications that may violate corporate policies, legal requirements, or regulatory standards. You should also understand how administrators review policy matches, investigate alerts, and take appropriate remediation actions.


What is Microsoft Purview Communication Compliance?

Microsoft Purview Communication Compliance is a Microsoft Purview solution that helps organizations detect and investigate inappropriate or risky communications across Microsoft 365 services.

Rather than preventing users from communicating, Communication Compliance monitors communications and alerts authorized reviewers when messages match organizational policies.

It helps organizations detect communications involving:

  • Harassment
  • Discrimination
  • Offensive language
  • Threats
  • Confidential information sharing
  • Regulatory violations
  • Inappropriate behavior
  • Insider risks

Communication Compliance is designed to reduce legal, compliance, and reputational risks while helping organizations meet industry regulations.


Why Communication Compliance Is Important

Organizations communicate constantly using:

  • Microsoft Teams chats
  • Teams channel messages
  • Outlook emails
  • Viva Engage (Yammer)
  • Third-party communication platforms (through supported connectors)

Without monitoring, inappropriate communications may:

  • Create hostile work environments
  • Lead to lawsuits
  • Violate government regulations
  • Expose confidential information
  • Damage an organization’s reputation

Communication Compliance provides visibility into these risks.


What Are Policy Violations?

A policy violation occurs when a communication matches conditions defined within a Communication Compliance policy.

Examples include:

  • Use of offensive language
  • Bullying or harassment
  • Sharing confidential customer information
  • Threatening another employee
  • Insider trading discussions
  • Regulatory compliance violations
  • Sharing protected intellectual property

A policy violation does not automatically mean misconduct occurred.

Instead, it means the communication requires human review.


How Communication Compliance Works

The workflow follows several stages.

Step 1: Create a Policy

Administrators create policies that define:

  • Users or groups to monitor
  • Communication locations
  • Types of violations
  • Detection conditions
  • Review workflow

Step 2: Monitor Communications

Communication Compliance continuously analyzes supported communications.

Examples include:

  • Teams messages
  • Emails
  • Viva Engage posts

Content is evaluated against policy conditions.


Step 3: Generate Alerts

If content matches a policy:

  • An alert is generated.
  • The alert appears in the Communication Compliance dashboard.
  • Reviewers receive a notification.

Step 4: Human Review

Authorized reviewers investigate:

  • Original message
  • Conversation context
  • Users involved
  • Severity
  • Previous incidents

Reviewers determine whether the communication truly violated policy.


Step 5: Resolution

Reviewers choose an appropriate action, such as:

  • Resolve as compliant
  • Confirm violation
  • Escalate investigation
  • Notify HR
  • Notify legal
  • Train employee
  • Document findings

Common Types of Policy Violations

Harassment

Detects communications containing:

  • Insults
  • Bullying
  • Abusive language
  • Threats

Example:

“You’re completely useless and should quit.”


Discrimination

Detects language involving:

  • Race
  • Gender
  • Religion
  • Disability
  • Age
  • Protected characteristics

Offensive Language

Identifies:

  • Profanity
  • Hate speech
  • Offensive expressions

Sensitive Information Sharing

Detects messages containing:

  • Credit card numbers
  • Social Security numbers
  • Customer information
  • Financial records
  • Medical information

Regulatory Compliance Violations

Organizations in regulated industries monitor communications involving:

  • Insider trading
  • Market manipulation
  • Financial misconduct
  • Unauthorized disclosures

Confidential Information

Detects unauthorized sharing of:

  • Trade secrets
  • Product designs
  • Internal reports
  • Source code
  • Financial forecasts

Policy Alerts

A Communication Compliance alert contains information such as:

  • Policy name
  • Date and time
  • Severity
  • User involved
  • Communication type
  • Matched rule
  • Review status

Alerts help reviewers prioritize investigations.


Alert Severity

Organizations often classify alerts as:

Low

Minor language concerns.

Example:

A mildly inappropriate joke.


Medium

Behavior that may violate company policy.

Example:

Repeated offensive language.


High

Serious compliance concern.

Example:

Threats of violence or disclosure of confidential data.


Reviewing Policy Violations

Authorized reviewers access the Communication Compliance portal.

During review they can examine:

  • Conversation history
  • Message participants
  • Attachments
  • Policy triggered
  • Matching keywords
  • Previous incidents
  • Related alerts

Context is important because individual messages may appear harmless without surrounding conversation.


Investigation Workflow

A typical investigation includes:

  1. Open the alert.
  2. Review message details.
  3. Examine conversation context.
  4. Determine whether the policy was actually violated.
  5. Assign a review outcome.
  6. Document findings.
  7. Close or escalate the case.

Possible Review Outcomes

Reviewers may classify alerts as:

  • No violation
  • Violation confirmed
  • Needs escalation
  • False positive
  • Resolved

These outcomes help improve future policy effectiveness.


False Positives

Not every alert represents an actual violation.

Examples include:

  • Educational discussions
  • Medical terminology
  • Technical documentation
  • Quoted material
  • Sarcasm
  • Context misunderstood by automated analysis

Human review remains essential.


Improving Detection Accuracy

Organizations can improve policy effectiveness by:

  • Updating keyword dictionaries
  • Using machine learning classifiers
  • Adjusting policy thresholds
  • Creating separate policies for departments
  • Reviewing false positives
  • Refining monitored user groups

Who Reviews Violations?

Communication Compliance uses role-based access control.

Typical reviewers include:

  • Compliance administrators
  • Compliance officers
  • Human Resources
  • Legal teams
  • Risk investigators

Only authorized personnel can review sensitive communications.


Privacy Considerations

Communication Compliance is designed with privacy controls.

Organizations can:

  • Limit reviewer access
  • Use pseudonymization (where supported)
  • Restrict investigations
  • Audit reviewer actions
  • Follow regional privacy laws

Integration with Other Microsoft Security Solutions

Communication Compliance works alongside several Microsoft security solutions.

Microsoft Purview Insider Risk Management

Communication Compliance findings may support insider risk investigations involving suspicious employee behavior.


Microsoft Purview Data Loss Prevention (DLP)

DLP prevents unauthorized sharing of sensitive information, while Communication Compliance reviews the content and context of communications.


Microsoft Purview Information Protection

Sensitivity labels applied to documents help reviewers understand the sensitivity of shared information.


Microsoft Defender

Security incidents and user risk signals can complement Communication Compliance investigations.


Communication Compliance and Microsoft 365 Copilot

As organizations adopt Microsoft 365 Copilot, Communication Compliance remains important because users increasingly collaborate through Teams, Outlook, and other Microsoft 365 services that Copilot can reference based on existing permissions.

If inappropriate communications occur, Communication Compliance can:

  • Detect policy violations
  • Assist investigations
  • Support regulatory compliance
  • Help protect organizational reputation
  • Complement broader Microsoft Purview governance capabilities

Best Practices

For the AB-900 exam, remember these best practices:

  • Monitor communications using clearly defined policies.
  • Review alerts promptly.
  • Always investigate message context before making decisions.
  • Use authorized reviewers only.
  • Tune policies to reduce false positives.
  • Protect employee privacy while maintaining compliance.
  • Integrate Communication Compliance with broader Microsoft Purview governance.

AB-900 Exam Tips

Remember these key points:

  • Communication Compliance monitors communications—it does not block them.
  • Policy violations generate alerts, not automatic disciplinary actions.
  • Human reviewers determine whether a true violation occurred.
  • Context matters when reviewing communications.
  • Communication Compliance supports compliance, legal, HR, and risk management teams.
  • Alerts can detect harassment, discrimination, offensive language, regulatory violations, and sensitive information sharing.
  • Communication Compliance works together with Insider Risk Management, DLP, Information Protection, and Microsoft Defender.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Communication Compliance?

A. Encrypt all Microsoft Teams messages

B. Detect and investigate communications that may violate organizational policies

C. Prevent users from sending emails

D. Back up Microsoft 365 communications

Correct Answer: B

Explanation: Communication Compliance monitors supported communications and generates alerts when messages match configured compliance policies.


Question 2

A Communication Compliance alert indicates that a Teams message matched a harassment policy. What should happen next?

A. The user account is automatically disabled.

B. The message is permanently deleted.

C. An authorized reviewer investigates the communication.

D. The policy is automatically removed.

Correct Answer: C

Explanation: Communication Compliance generates alerts for human review rather than taking automatic disciplinary actions.


Question 3

Which type of communication can Microsoft Purview Communication Compliance monitor?

A. BIOS startup messages

B. Local Windows Event Logs

C. Microsoft Teams chats

D. Printer configuration files

Correct Answer: C

Explanation: Teams chats are one of the primary communication sources monitored by Communication Compliance.


Question 4

Why is conversation context important when reviewing alerts?

A. It determines network bandwidth.

B. It identifies device drivers.

C. It encrypts communications.

D. It helps reviewers determine whether a message truly violates policy.

Correct Answer: D

Explanation: Individual messages may appear inappropriate when viewed alone but may be acceptable within the full conversation.


Question 5

Which activity is an example of a Communication Compliance policy violation?

A. Updating Windows patches

B. Sharing vacation schedules

C. Sending offensive or harassing messages to coworkers

D. Resetting a forgotten password

Correct Answer: C

Explanation: Offensive or harassing communications are common scenarios monitored by Communication Compliance.


Question 6

Who should review Communication Compliance alerts?

A. Any employee

B. Only authorized compliance reviewers

C. External customers

D. Guest users

Correct Answer: B

Explanation: Access to Communication Compliance investigations is limited through role-based access control.


Question 7

What is a false positive in Communication Compliance?

A. A communication incorrectly identified as violating policy

B. A deleted user account

C. An expired Microsoft 365 license

D. A successful malware scan

Correct Answer: A

Explanation: False positives occur when automated detection flags communications that are ultimately determined not to violate policy.


Question 8

Which Microsoft Purview solution focuses primarily on preventing sensitive information from leaving the organization?

A. Communication Compliance

B. Insider Risk Management

C. Data Loss Prevention (DLP)

D. Compliance Manager

Correct Answer: C

Explanation: DLP is designed to detect and prevent unauthorized sharing of sensitive information, while Communication Compliance focuses on reviewing communications.


Question 9

What does a Communication Compliance alert indicate?

A. A confirmed policy violation requiring disciplinary action

B. A communication matched a configured policy and should be reviewed

C. The user’s account has been compromised

D. Microsoft 365 licensing has expired

Correct Answer: B

Explanation: Alerts indicate potential policy matches that require investigation; they are not proof of wrongdoing.


Question 10

Which statement best describes Microsoft Purview Communication Compliance?

A. It replaces antivirus software.

B. It automatically blocks every risky message.

C. It permanently archives all Microsoft 365 files.

D. It helps organizations identify, investigate, and respond to inappropriate communications.

Correct Answer: D

Explanation: Communication Compliance helps organizations manage communication-related compliance risks through monitoring, alerting, investigation, and response.



Identify and respond to alerts generated by Microsoft Purview Data Loss Prevention (DLP) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Identify and respond to alerts generated by Microsoft Purview Data Loss Prevention (DLP)



Introduction

Microsoft Purview Data Loss Prevention (DLP) helps organizations prevent the accidental or intentional exposure of sensitive information. DLP continuously monitors user activities across Microsoft 365 services and generates alerts when users violate data protection policies.

For the AB-900 exam, you should understand:

  • What Microsoft Purview DLP alerts are
  • When DLP alerts are generated
  • How administrators review alerts
  • Alert severity and prioritization
  • Investigation workflows
  • How to respond to DLP alerts
  • Integration with other Microsoft Purview and Microsoft Defender solutions
  • Best practices for managing alerts

What Is Microsoft Purview Data Loss Prevention (DLP)?

Microsoft Purview Data Loss Prevention (DLP) is a Microsoft Purview solution that helps organizations identify, monitor, and protect sensitive information from unauthorized sharing or exposure.

DLP policies monitor data stored in Microsoft 365 services such as:

  • Microsoft Exchange Online
  • Microsoft SharePoint Online
  • Microsoft OneDrive for Business
  • Microsoft Teams
  • Microsoft Defender for Cloud Apps
  • Endpoint devices (with Endpoint DLP)
  • Power BI (supported scenarios)

When a user performs an action that violates a DLP policy, the system can generate an alert.


What Is a DLP Alert?

A DLP alert is a notification generated when a DLP policy detects activity that violates organizational data protection rules.

Alerts help administrators:

  • Detect risky user behavior
  • Investigate policy violations
  • Respond to incidents quickly
  • Reduce data leakage
  • Demonstrate compliance

Alerts are one of the primary tools compliance administrators use to monitor organizational data protection.


When Are DLP Alerts Generated?

Alerts are generated when users perform actions that violate configured DLP policies.

Examples include:

  • Emailing confidential documents externally
  • Uploading sensitive files to unauthorized cloud storage
  • Copying protected files to USB devices
  • Printing highly confidential documents
  • Sharing files publicly
  • Downloading sensitive files from SharePoint
  • Copying confidential information into unmanaged applications

Not every policy generates an alert. Alert generation depends on the configured policy actions.


How DLP Detects Sensitive Information

Before generating alerts, DLP identifies sensitive content using several methods.

Sensitive Information Types (SITs)

Built-in detectors identify information such as:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Driver’s license numbers
  • Bank account numbers
  • Tax identification numbers
  • Healthcare identifiers

Sensitivity Labels

Microsoft Purview Information Protection labels can identify content as:

  • Public
  • General
  • Confidential
  • Highly Confidential

Policies can generate alerts whenever protected documents are shared improperly.


Trainable Classifiers

Machine learning can recognize documents such as:

  • Resumes
  • Contracts
  • Source code
  • Financial reports
  • Legal documents

Exact Data Match (EDM)

Organizations can detect exact records such as:

  • Customer databases
  • Employee IDs
  • Payroll records

Components of a DLP Alert

Each alert contains detailed information to help administrators investigate the incident.

Typical alert details include:

  • User involved
  • Date and time
  • Policy name
  • Rule triggered
  • Sensitive information detected
  • File name
  • File location
  • Service involved
  • Severity level
  • User activity
  • Recommended actions

Alert Severity

DLP alerts are assigned severity levels to help prioritize investigations.

Typical levels include:

Low

Examples:

  • Minor policy violations
  • First-time incidents
  • Low-risk data exposure

Medium

Examples:

  • Multiple policy violations
  • Larger quantities of sensitive information
  • Repeated risky behavior

High

Examples:

  • Large-scale data exfiltration
  • Highly confidential information
  • Repeated attempts to bypass policies
  • Executive or privileged account violations

Administrators generally investigate High severity alerts first.


Reviewing DLP Alerts

Administrators review alerts in the Microsoft Purview portal.

The alert dashboard allows administrators to:

  • View all active alerts
  • Filter alerts
  • Search alerts
  • Sort by severity
  • Review alert details
  • Assign alerts
  • Track investigation status

Information Available During Investigation

Selecting an alert provides additional information.

Examples include:

User Information

  • Username
  • Department
  • Device
  • Location

Activity Timeline

Investigators can review:

  • File creation
  • Downloads
  • Sharing
  • Email activity
  • Printing
  • USB transfers

Policy Information

The alert identifies:

  • Which DLP policy triggered
  • Which rule matched
  • Sensitive information detected
  • Confidence level

File Details

Investigators may see:

  • File name
  • Location
  • File owner
  • Label applied
  • Number of sensitive items detected

Responding to DLP Alerts

After reviewing an alert, administrators choose an appropriate response.

Possible actions include:

Close the Alert

Close the alert if the activity is determined to be legitimate or a false positive.


Investigate Further

Review:

  • User behavior
  • Related alerts
  • Audit logs
  • Endpoint activities

Escalate

Escalate high-risk alerts to:

  • Security teams
  • Compliance officers
  • Legal departments
  • Human Resources

Adjust Policies

If alerts indicate:

  • Too many false positives
  • Policy gaps
  • Incorrect thresholds

Administrators can modify DLP policies accordingly.


Educate Users

Many violations are accidental.

Organizations often:

  • Notify users
  • Provide training
  • Improve awareness

User Notifications (Policy Tips)

Instead of immediately blocking users, DLP can display Policy Tips.

Policy Tips inform users that:

  • Sensitive information was detected
  • Their action violates policy
  • They should modify their behavior

Examples include:

  • “This email contains confidential information.”
  • “Sharing this document externally violates company policy.”

Policy Tips reduce accidental violations.


Alert Lifecycle

A typical DLP alert progresses through several stages.

  1. Sensitive data is detected.
  2. DLP policy evaluates the activity.
  3. Alert is generated.
  4. Administrator reviews the alert.
  5. Investigation begins.
  6. Response action is taken.
  7. Alert is closed.

Integration with Microsoft Purview Solutions

DLP works closely with other Microsoft Purview capabilities.

Microsoft Purview Information Protection

Sensitivity labels provide additional context for DLP decisions.

Example:

A “Highly Confidential” document shared externally generates a higher-priority alert.


Microsoft Purview Insider Risk Management

Repeated DLP violations can contribute to insider risk investigations.

Example:

An employee repeatedly emailing confidential documents externally may trigger both DLP and Insider Risk Management alerts.


Microsoft Purview Audit

Audit logs provide additional evidence.

Investigators can review:

  • File access
  • Sharing history
  • Administrative changes
  • User activities

Microsoft Purview Compliance Manager

Compliance Manager helps organizations improve their compliance posture by recommending controls that reduce DLP-related risks.


Integration with Microsoft Defender

DLP integrates with Microsoft Defender solutions.

Examples include:

  • Endpoint DLP
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud Apps

These integrations provide additional context, including:

  • Device information
  • Endpoint activities
  • Application usage
  • USB activity
  • Browser uploads

Common DLP Alert Scenarios

Scenario 1

A user emails a spreadsheet containing hundreds of customer credit card numbers to a personal Gmail account.

Result:

A High severity DLP alert is generated.


Scenario 2

An employee uploads payroll records to an unauthorized cloud storage provider.

Result:

A DLP alert identifies unauthorized data movement.


Scenario 3

A contractor copies confidential engineering documents onto a USB drive.

Result:

Endpoint DLP generates an alert.


Scenario 4

A user attempts to publicly share a SharePoint folder containing confidential HR records.

Result:

The sharing attempt triggers a DLP alert.


Best Practices

Organizations should:

  • Create well-designed DLP policies
  • Use sensitivity labels
  • Enable Policy Tips
  • Review alerts regularly
  • Prioritize High severity alerts
  • Investigate repeated violations
  • Reduce false positives through policy tuning
  • Integrate DLP with Insider Risk Management
  • Monitor trends over time
  • Train users on proper data handling

Exam Tips

For the AB-900 exam, remember the following:

  • DLP alerts are generated when users violate DLP policies.
  • Alerts help administrators detect potential data leakage.
  • Alerts contain details about users, files, policies, and detected sensitive information.
  • Severity levels help prioritize investigations.
  • Administrators can investigate, escalate, close, or remediate alerts.
  • DLP integrates with Microsoft Purview Information Protection, Insider Risk Management, Audit, Compliance Manager, and Microsoft Defender.
  • Policy Tips help reduce accidental policy violations.
  • Endpoint DLP extends protection to Windows devices.

10 Practice Exam Questions

Question 1

A user attempts to email a document containing multiple credit card numbers to an external recipient. A Microsoft Purview DLP policy blocks the email.

What additional action can the policy perform?

A. Remove the user’s Microsoft 365 license

B. Disable the user’s account

C. Delete the user’s mailbox

D. Automatically create a DLP alert for administrators

Correct Answer: D

Explanation: DLP policies can generate alerts whenever sensitive information triggers configured policy rules, allowing administrators to investigate the incident.


Question 2

Which information is typically included in a Microsoft Purview DLP alert?

A. The organization’s annual revenue

B. The user involved, policy triggered, sensitive information detected, and activity details

C. The user’s payroll information

D. The organization’s Active Directory schema

Correct Answer: B

Explanation: DLP alerts include detailed information such as the user, file, policy, rule, sensitive information detected, and the action that triggered the alert.


Question 3

An administrator wants to focus first on the most critical potential data leakage incidents.

Which alert characteristic should they prioritize?

A. Oldest alert

B. Alphabetical order

C. Alert severity

D. File size

Correct Answer: C

Explanation: Alert severity (Low, Medium, High) helps administrators prioritize investigations based on potential business impact.


Question 4

What is the primary purpose of Policy Tips in Microsoft Purview DLP?

A. Replace DLP policies

B. Notify users that their actions may violate data protection policies

C. Automatically encrypt all files

D. Prevent administrators from reviewing alerts

Correct Answer: B

Explanation: Policy Tips educate users in real time about potential policy violations, reducing accidental exposure of sensitive information.


Question 5

Which Microsoft Purview solution commonly works with DLP by applying sensitivity labels to documents?

A. Microsoft Purview Information Protection

B. Microsoft Intune

C. Microsoft Planner

D. Microsoft Bookings

Correct Answer: A

Explanation: Information Protection applies sensitivity labels that DLP can use when evaluating and protecting sensitive content.


Question 6

What is an appropriate response after reviewing a DLP alert that is determined to be a false positive?

A. Delete the user’s Microsoft account

B. Close the alert and, if necessary, refine the DLP policy

C. Block all external email permanently

D. Remove all DLP policies

Correct Answer: B

Explanation: Administrators should close false-positive alerts and may adjust policy conditions to reduce unnecessary alerts.


Question 7

Which scenario is most likely to generate a High severity DLP alert?

A. A user changes their Teams profile picture

B. A user updates a calendar meeting

C. A user downloads a public marketing brochure

D. A user sends a file containing hundreds of customer Social Security numbers to a personal email account

Correct Answer: D

Explanation: Attempting to send large amounts of highly sensitive personal information externally is a common High severity DLP event.


Question 8

Which Microsoft solution provides additional endpoint information, such as USB activity, that can complement DLP investigations?

A. Microsoft Defender for Endpoint

B. Microsoft Word

C. Microsoft Visio

D. Microsoft Lists

Correct Answer: A

Explanation: Microsoft Defender for Endpoint provides endpoint telemetry that enhances DLP investigations, especially for Endpoint DLP scenarios.


Question 9

What is the first event that typically occurs in the DLP alert lifecycle?

A. An administrator closes the alert

B. A DLP policy detects sensitive information during a monitored user activity

C. Human Resources opens an investigation

D. The user account is suspended

Correct Answer: B

Explanation: The process begins when DLP identifies sensitive information and evaluates the activity against configured policies. If a violation is detected, an alert can be generated.


Question 10

Why would an organization integrate Microsoft Purview Insider Risk Management with DLP?

A. To replace all DLP policies

B. To reduce Microsoft 365 licensing costs

C. To correlate repeated DLP violations with broader patterns of risky user behavior

D. To manage Windows software updates

Correct Answer: C

Explanation: Insider Risk Management can use repeated DLP incidents as signals when identifying users who may present elevated insider risks, helping investigators understand behavior patterns rather than isolated events.



Identify risks by using Microsoft Purview Insider Risk Management (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Identify risks by using Microsoft Purview Insider Risk Management



Introduction

Microsoft Purview Insider Risk Management (IRM) helps organizations detect, investigate, and respond to insider risks before they result in significant business damage. Unlike external cyberattacks, insider risks originate from individuals who already have authorized access to organizational resources. These individuals may intentionally misuse data or unintentionally expose sensitive information through careless actions.

For the AB-900 exam, you should understand:

  • What Insider Risk Management is
  • The types of risks it helps identify
  • The components used to detect insider risks
  • How risk indicators and policies work
  • How investigations are performed
  • How Insider Risk Management integrates with other Microsoft 365 security solutions
  • Common use cases

What Is Microsoft Purview Insider Risk Management?

Microsoft Purview Insider Risk Management is a Microsoft Purview solution that uses machine learning, analytics, user activity signals, and built-in privacy protections to identify potentially risky user behavior.

Its purpose is not to assume users are malicious. Instead, it identifies behaviors that could indicate:

  • Data theft
  • Intellectual property loss
  • Security violations
  • Compliance violations
  • Accidental data exposure
  • Policy violations

The solution helps security, compliance, HR, and legal teams investigate suspicious activities while respecting employee privacy.


What Is an Insider Risk?

An insider risk is any situation where someone with legitimate access to organizational systems creates risk for the organization.

Examples include:

  • An employee downloading thousands of confidential files before resigning
  • A contractor copying customer information to a USB drive
  • A user emailing sensitive documents to a personal email account
  • An employee sharing confidential information through unauthorized cloud storage
  • A user repeatedly accessing data unrelated to their job responsibilities

Not every insider risk is malicious.

Many incidents are accidental.

Examples include:

  • Sending confidential files to the wrong recipient
  • Uploading sensitive documents to public cloud storage
  • Accidentally sharing confidential Teams files

Types of Insider Risks

Microsoft categorizes insider risks into several common scenarios.

Data Theft

Occurs when users attempt to remove valuable organizational information.

Examples include:

  • Downloading confidential files
  • Copying files to USB devices
  • Printing sensitive documents
  • Emailing proprietary information externally

Data Leakage

Sensitive information leaves the organization unintentionally.

Examples include:

  • Uploading files to personal cloud storage
  • Sending confidential documents externally
  • Sharing protected files publicly

Security Policy Violations

Users violate established organizational security rules.

Examples include:

  • Disabling security controls
  • Using unauthorized applications
  • Circumventing compliance policies

Compliance Violations

Employees violate legal or regulatory requirements.

Examples include:

  • Sharing regulated financial records
  • Mishandling healthcare information
  • Improperly accessing customer records

Departing Employee Risks

A common scenario involves employees preparing to leave the organization.

Potential indicators include:

  • Large file downloads
  • Increased file copying
  • Unusual external sharing
  • Mass printing
  • Accessing previously unused repositories

How Insider Risk Management Works

Insider Risk Management follows a multi-stage process.

Step 1: Collect Activity Signals

Microsoft collects activity information from supported Microsoft 365 services.

Examples include:

  • SharePoint Online
  • OneDrive
  • Exchange Online
  • Microsoft Teams
  • Microsoft Defender
  • Microsoft Entra ID
  • Endpoint activity
  • Microsoft Defender for Endpoint

Step 2: Analyze User Activity

Machine learning compares current activity against:

  • Normal behavior
  • Organizational policies
  • Risk indicators
  • User context

This reduces false positives.


Step 3: Generate Risk Alerts

If suspicious behavior exceeds configured thresholds:

  • An alert is created.
  • The alert receives a severity level.
  • Investigators can review supporting evidence.

Step 4: Investigate

Compliance administrators review:

  • Timeline of events
  • User activities
  • File operations
  • Email actions
  • Device activities
  • Related alerts

Step 5: Respond

Possible actions include:

  • Escalating investigations
  • Assigning cases
  • Collecting evidence
  • Alerting management
  • Applying additional protections
  • Closing false positives

Risk Indicators

Risk indicators are behaviors that contribute to a user’s overall risk score.

Examples include:

File Activities

  • Downloading files
  • Deleting files
  • Printing documents
  • Copying files
  • Uploading files

Email Activities

  • Sending attachments externally
  • Forwarding confidential emails
  • Mass emailing sensitive information

Device Activities

  • USB device usage
  • File transfers
  • Printing
  • Local file copying

Collaboration Activities

  • Sharing Teams files externally
  • Creating anonymous sharing links
  • Public document sharing

User Behavior

Examples include:

  • Working unusual hours
  • Accessing unusual locations
  • Accessing excessive numbers of files
  • Sudden changes in behavior

Insider Risk Policies

Policies determine:

  • Which users are monitored
  • What behaviors are evaluated
  • Alert thresholds
  • Investigation rules

Policies are based on templates.

Common templates include:

  • Data leaks
  • Data theft
  • Security policy violations
  • Departing employees
  • Risky browser usage
  • Priority user monitoring

Policies allow organizations to customize detection based on their business needs.


Risk Scores

Each user activity contributes to a risk score.

Higher scores indicate more concerning activity.

Factors influencing scores include:

  • Number of risky actions
  • Severity of activities
  • Frequency
  • Historical behavior
  • Machine learning analysis

Risk scores help investigators prioritize the most serious incidents.
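
The following added example (a toy model written for this guide's explanation, not Microsoft's scoring algorithm and not code from the original post) walks through the stages described above: build a baseline from historical activity, score today's activity by how far it exceeds that baseline, and raise a severity-ranked alert when a threshold is crossed. The indicator weights, label multipliers, severity bands and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Contribution of one unit of excess activity per indicator (assumed values).
WEIGHTS = {"download": 1.0, "usb_copy": 3.0, "external_share": 4.0, "print": 0.5}
# Multiplier for the sensitivity label of the files involved (assumed values).
LABEL_FACTOR = {"Public": 0.0, "General": 0.5,
                "Confidential": 1.0, "Highly Confidential": 2.0}
# Score floors for each severity; the lowest floor is the alert threshold (assumed).
SEVERITY_BANDS = [(75, "High"), (50, "Medium"), (25, "Low")]


def daily_baseline(history, window_days):
    """Historical behavior: average daily count per (user, indicator)."""
    totals = defaultdict(float)
    for event in history:
        totals[(event["user"], event["indicator"])] += event["count"]
    return {key: total / window_days for key, total in totals.items()}


def risk_score(user, todays_events, baseline):
    """Score only the activity that exceeds the user's own normal level.

    Assumes today's events are already aggregated to one row per user
    and indicator. The result is capped at 100.
    """
    score = 0.0
    for event in todays_events:
        if event["user"] != user:
            continue
        usual = baseline.get((user, event["indicator"]), 0.0)
        excess = max(0.0, event["count"] - usual)
        score += WEIGHTS[event["indicator"]] * LABEL_FACTOR[event["label"]] * excess
    return min(100, round(score))


def evaluate(todays_events, baseline):
    """Return alerts for users over the threshold, highest score first."""
    alerts = []
    for user in sorted({e["user"] for e in todays_events}):
        score = risk_score(user, todays_events, baseline)
        severity = next((name for floor, name in SEVERITY_BANDS if score >= floor), None)
        if severity:
            alerts.append({"user": user, "score": score, "severity": severity})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample data: five days of history, then one day to evaluate.
HISTORY = [
    {"user": user, "indicator": "download", "count": count, "day": day}
    for day in range(1, 6)
    for user, count in (("user_a", 10), ("user_b", 5))
]
TODAY = [
    # Slightly above normal: scores low, no alert.
    {"user": "user_a", "indicator": "download", "count": 12, "label": "Confidential"},
    # Far above normal, highly sensitive files, plus new USB activity.
    {"user": "user_b", "indicator": "download", "count": 40, "label": "Highly Confidential"},
    {"user": "user_b", "indicator": "usb_copy", "count": 6, "label": "Confidential"},
    # High volume, but public content carries no weight.
    {"user": "user_c", "indicator": "download", "count": 30, "label": "Public"},
]

if __name__ == "__main__":
    for alert in evaluate(TODAY, daily_baseline(HISTORY, window_days=5)):
        print(alert)
```

Only user_b produces an alert: the volume alone does not decide it, since user_c's larger-than-normal download of public files scores zero.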


Alerts

When policy thresholds are exceeded, alerts are created.

Alerts typically include:

  • User involved
  • Policy triggered
  • Activity timeline
  • Risk level
  • Supporting evidence
  • Recommended investigation steps

Alert severity may include:

  • Low
  • Medium
  • High

Cases

Investigators can promote alerts into investigation cases.

Cases centralize:

  • Evidence
  • User activity
  • Timeline
  • Notes
  • Investigation status
  • Assigned investigators

This allows multiple reviewers to collaborate.


Privacy by Design

Microsoft designed Insider Risk Management with employee privacy in mind.

Privacy protections include:

  • Role-based access control
  • User pseudonymization (where supported)
  • Audit logging
  • Configurable privacy settings
  • Limited investigator access

Organizations control who can view personally identifiable information.


Integration with Microsoft 365 Services

Insider Risk Management integrates with many Microsoft security solutions.

Microsoft Purview Data Loss Prevention (DLP)

Provides sensitivity information about protected files.

Example:

A user emailing a document containing credit card numbers may trigger both DLP and Insider Risk Management.


Microsoft Purview Information Protection

Sensitivity labels provide additional context.

Example:

Downloading dozens of “Highly Confidential” documents creates greater risk than downloading public documents.


Microsoft Defender

Endpoint signals include:

  • USB usage
  • File copying
  • Application activity
  • Device events

These signals improve risk detection.


Microsoft Entra ID

Identity information provides context, including:

  • User identity
  • Sign-in behavior
  • Account changes
  • Risk signals

Microsoft 365 Audit Logs

User activities across Microsoft 365 workloads provide evidence for investigations.


AI and Machine Learning

Machine learning helps reduce false positives by:

  • Understanding normal behavior
  • Detecting unusual activity
  • Correlating multiple signals
  • Prioritizing serious incidents

This allows investigators to focus on the highest-risk alerts.


Common Use Cases

Protecting Intellectual Property

Identify employees copying engineering documents before leaving the company.


Detecting Insider Data Theft

Identify users downloading large numbers of confidential files.


Monitoring High-Risk Users

Monitor executives or privileged administrators who have access to sensitive information.


Investigating Data Leaks

Determine how confidential information left the organization.


Supporting HR Investigations

Provide evidence when investigating employee misconduct.


Benefits of Insider Risk Management

Organizations benefit by:

  • Detecting insider threats early
  • Protecting confidential information
  • Reducing compliance violations
  • Improving investigations
  • Prioritizing high-risk incidents
  • Using AI to reduce false positives
  • Integrating with Microsoft Purview and Microsoft Defender
  • Supporting regulatory compliance
  • Protecting intellectual property
  • Providing centralized case management

Exam Tips

For the AB-900 exam, remember these key points:

  • Insider Risk Management focuses on user behavior, not external attackers.
  • It detects both malicious and accidental risky activities.
  • Policies determine what activities are monitored.
  • Machine learning helps reduce false positives.
  • Alerts can be promoted into investigation cases.
  • Insider Risk Management integrates with DLP, Information Protection, Microsoft Defender, Microsoft Entra ID, and Microsoft 365 audit logs.
  • Risk scores help prioritize investigations.
  • Privacy protections are built into the solution.

10 Practice Exam Questions

Question 1

An employee uploads several confidential engineering documents to a personal cloud storage account shortly before resigning.

Which Microsoft Purview solution is specifically designed to investigate this type of behavior?

A. Microsoft Purview eDiscovery

B. Microsoft Purview Insider Risk Management

C. Microsoft Defender for Cloud Apps

D. Microsoft Intune

Correct Answer: B

Explanation: Insider Risk Management is specifically designed to identify potentially risky insider behavior such as data theft, data leakage, and activities performed by departing employees.


Question 2

Which activity is most likely to increase a user’s insider risk score?

A. Viewing the company homepage

B. Logging into Microsoft Teams during normal working hours

C. Downloading hundreds of confidential files before leaving the company

D. Changing a desktop wallpaper

Correct Answer: C

Explanation: Large-scale downloads of sensitive information—especially by departing employees—are common indicators of insider risk.


Question 3

What is the primary purpose of Insider Risk Management policies?

A. Encrypt all Microsoft 365 data

B. Replace antivirus software

C. Control Microsoft licensing

D. Define which users, activities, and risk indicators should be monitored

Correct Answer: D

Explanation: Policies specify monitored users, monitored activities, thresholds, and investigation settings.


Question 4

Which Microsoft technology helps Insider Risk Management reduce false positives?

A. Static firewall rules

B. Manual investigations only

C. Machine learning and behavioral analytics

D. Network packet inspection

Correct Answer: C

Explanation: Machine learning evaluates user behavior patterns and distinguishes normal activity from potentially risky behavior.


Question 5

What happens after Insider Risk Management determines that user activity exceeds a configured policy threshold?

A. The user account is automatically deleted.

B. The organization’s Microsoft 365 subscription is suspended.

C. All user devices are immediately wiped.

D. An insider risk alert is generated for investigation.

Correct Answer: D

Explanation: Alerts are created when monitored activities exceed policy thresholds and can later be investigated or promoted into cases.


Question 6

Which Microsoft solution provides endpoint signals such as USB usage and local file copying to Insider Risk Management?

A. Microsoft Defender for Endpoint

B. Microsoft Outlook

C. Microsoft Planner

D. Microsoft Bookings

Correct Answer: A

Explanation: Microsoft Defender for Endpoint supplies valuable endpoint telemetry that strengthens insider risk detection.


Question 7

Which statement best describes Microsoft’s approach to employee privacy within Insider Risk Management?

A. Every administrator automatically sees all employee information.

B. Employee privacy protections such as role-based access and pseudonymization are built into the solution.

C. All investigations are anonymous and cannot identify users.

D. Privacy settings cannot be customized.

Correct Answer: B

Explanation: Insider Risk Management incorporates privacy-by-design principles, including role-based access, pseudonymization where supported, and configurable privacy controls.


Question 8

Which scenario is an example of an accidental insider risk?

A. A hacker exploits an internet-facing server.

B. An attacker launches a ransomware attack.

C. An employee mistakenly emails confidential information to the wrong external recipient.

D. A distributed denial-of-service (DDoS) attack targets a website.

Correct Answer: C

Explanation: Insider risks include accidental actions, such as unintentionally sharing sensitive information with unauthorized recipients.


Question 9

What information helps investigators prioritize which alerts should be reviewed first?

A. The user’s mailbox size

B. Microsoft licensing level

C. The user’s department name

D. The insider risk score and alert severity

Correct Answer: D

Explanation: Risk scores and alert severity help investigators focus on the most significant potential threats first.


Question 10

Which Microsoft Purview capability most directly complements Insider Risk Management by identifying and protecting sensitive content through labeling?

A. Microsoft Purview Information Protection

B. Microsoft Exchange Online Protection

C. Microsoft Intune

D. Windows Firewall

Correct Answer: A

Explanation: Microsoft Purview Information Protection classifies and labels sensitive information. Those labels provide valuable context that Insider Risk Management can use when assessing the risk associated with user activities.



Understand data classification in Microsoft Purview (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Understand data classification in Microsoft Purview



Introduction

Data is one of an organization’s most valuable assets. However, not all data carries the same level of sensitivity or business value. Some information can be shared publicly, while other information must be protected because it contains financial records, intellectual property, customer data, healthcare information, or confidential business plans.

Microsoft Purview Data Classification helps organizations identify, categorize, and protect sensitive information throughout Microsoft 365. Data classification is a foundational capability that enables organizations to understand their data landscape, apply appropriate protections, meet compliance requirements, and securely adopt AI technologies such as Microsoft 365 Copilot.

For the AB-900 exam, it is important to understand how Microsoft Purview classifies data, the tools involved, and how classification supports security, compliance, governance, and AI readiness.


What Is Data Classification?

Data classification is the process of identifying and categorizing information based on its:

  • Sensitivity
  • Confidentiality
  • Regulatory requirements
  • Business value
  • Risk level

Classification allows organizations to answer questions such as:

  • Which files contain sensitive information?
  • Where is confidential data stored?
  • Who can access regulated data?
  • Which content should be protected or retained?
  • What data can Copilot safely access?

Microsoft Purview automates much of this process through built-in detection technologies.


Why Data Classification Is Important

Without data classification, organizations often struggle to:

  • Identify sensitive information
  • Apply consistent protections
  • Meet compliance requirements
  • Prevent data loss
  • Govern AI access to information

Benefits of data classification include:

  • Improved data visibility
  • Better security controls
  • Regulatory compliance
  • Reduced risk of data breaches
  • More effective data governance
  • Safer use of Microsoft 365 Copilot

Microsoft Purview Data Classification Components

Microsoft Purview uses several components to classify information.

Sensitive Information Types (SITs)

Sensitive Information Types are predefined patterns used to identify sensitive data.

Examples include:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Driver’s license numbers
  • Bank account numbers
  • Tax identification numbers

Microsoft provides hundreds of built-in SITs covering numerous countries and regions.

Example

A document containing a U.S. Social Security Number may automatically be detected and classified as sensitive content.


Trainable Classifiers

Trainable classifiers use machine learning to identify content based on context rather than exact patterns.

Examples include:

  • Resumes
  • Source code
  • Contracts
  • Financial documents
  • Healthcare records
  • Intellectual property

Unlike SITs, trainable classifiers examine the meaning and context of content.

Example

A contract may be identified even if it does not contain a specific keyword or sensitive number.


Content Explorer

Content Explorer allows administrators to:

  • View classified content
  • See where sensitive data exists
  • Investigate data locations
  • Analyze classification results

This tool helps organizations understand their data environment.


Activity Explorer

Activity Explorer provides visibility into:

  • Labeling activities
  • Classification actions
  • DLP events
  • User interactions with sensitive data

Administrators can investigate how classified information is being used.


Types of Data Classification

Organizations typically classify data into categories such as:

Classification | Description
Public | Information intended for everyone
General | Everyday business information
Internal | Information for employees only
Confidential | Sensitive business information
Highly Confidential | Critical or restricted information

Organizations can customize classifications based on their requirements.


Classification and Sensitivity Labels

Data classification often works together with Sensitivity Labels.

Classification identifies the data.

Sensitivity labels protect the data.

Example

Microsoft Purview detects:

  • Credit card information
  • Customer account numbers

A sensitivity label is then automatically applied:

  • Confidential
  • Highly Confidential

The label can then:

  • Encrypt the file
  • Restrict access
  • Apply watermarks
  • Block unauthorized sharing

Automatic Data Classification

Microsoft Purview can automatically classify information using:

Pattern Matching

Detects predefined sensitive information.

Examples:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers

Machine Learning

Uses trainable classifiers to recognize content types.

Examples:

  • Contracts
  • Legal documents
  • Source code

Keyword Detection

Identifies content based on specific words or phrases.

Examples:

  • Confidential
  • Internal Use Only
  • Proprietary Information

Data Classification and Microsoft 365 Copilot

Data classification is particularly important for Copilot deployments.

Organizations often ask:

What information can Copilot access?

Copilot respects:

  • User permissions
  • Sensitivity labels
  • Compliance controls

Proper data classification helps organizations:

  • Understand their data
  • Identify overshared content
  • Protect confidential information
  • Reduce AI-related risks

Classification improves confidence when deploying AI solutions.


Data Classification and Compliance

Many regulations require organizations to identify and protect sensitive information.

Examples include:

  • GDPR
  • HIPAA
  • PCI DSS
  • SOX
  • Various privacy laws

Microsoft Purview classification helps organizations:

  • Locate regulated data
  • Apply protections
  • Support audits
  • Demonstrate compliance

Data Classification and Data Loss Prevention (DLP)

Data classification works closely with DLP policies.

Process

  1. Purview identifies sensitive content.
  2. Content is classified.
  3. DLP policies evaluate the classification.
  4. Protective actions occur.

Examples:

  • Block file sharing
  • Restrict email transmission
  • Alert administrators
  • Notify users

Without classification, DLP cannot effectively identify sensitive content.
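The four-step process above, together with the pattern matching and keyword detection described under Automatic Data Classification, can be sketched in a few functions. This is an added example, not Microsoft Purview code or code from the original post: the regular expressions, supporting keywords, proximity window, label policy, and action names are all assumptions chosen for illustration, and the sample documents are constructed.

```python
import re
from dataclasses import dataclass

# Illustrative stand-ins for two Sensitive Information Types (SITs). The
# patterns, keywords, window and label policy are assumptions made for this
# example; they are not Microsoft Purview's built-in definitions.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SUPPORTING = {
    "credit_card": ("credit card", "card number", "visa", "mastercard"),
    "us_ssn": ("ssn", "social security"),
}
# Keyword detection with the phrases the section lists, mapped to labels.
KEYWORD_LABELS = (
    ("proprietary information", "Confidential"),
    ("confidential", "Confidential"),
    ("internal use only", "Internal"),
)
LABEL_RANK = ["Public", "General", "Internal", "Confidential", "Highly Confidential"]

# Constructed sample documents (not real data).
SAMPLES = {
    "invoice.txt": "Customer paid by credit card 4111 1111 1111 1111 on 3 May.",
    "tracking.txt": "Shipment reference 4111 1111 1111 1112 left the warehouse.",
    "onboarding.txt": "Ref 123-45-6789 attached for the new starter.",
    "memo.txt": "INTERNAL USE ONLY: cafeteria hours change next week.",
    "lunch.txt": "Team lunch is at noon on Friday.",
}


@dataclass(frozen=True)
class Finding:
    sit: str         # which pattern matched
    confidence: str  # "high" if a supporting keyword is nearby, else "low"


def luhn_ok(digits: str) -> bool:
    """Checksum that rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _confidence(text: str, start: int, end: int, sit: str, window: int) -> str:
    nearby = text[max(0, start - window):end + window].lower()
    return "high" if any(k in nearby for k in SUPPORTING[sit]) else "low"


def find_sensitive(text: str, window: int = 60) -> list[Finding]:
    """Step 1: pattern matching, with a checksum and keyword proximity."""
    found = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            conf = _confidence(text, m.start(), m.end(), "credit_card", window)
            found.append(Finding("credit_card", conf))
    for m in SSN_RE.finditer(text):
        conf = _confidence(text, m.start(), m.end(), "us_ssn", window)
        found.append(Finding("us_ssn", conf))
    return found


def classify(text: str) -> str:
    """Step 2: turn detections into a label (assumed policy)."""
    findings = find_sensitive(text)
    label = "General"
    if any(f.confidence == "high" for f in findings):
        label = "Highly Confidential"
    elif findings:
        label = "Confidential"
    lowered = text.lower()
    for phrase, kw_label in KEYWORD_LABELS:
        if phrase in lowered and LABEL_RANK.index(kw_label) > LABEL_RANK.index(label):
            label = kw_label
    return label


def dlp_actions(label: str, external_recipient: bool) -> list[str]:
    """Steps 3-4: a DLP-style rule evaluates the classification and acts."""
    if not external_recipient:
        return []
    if label == "Highly Confidential":
        return ["block_sharing", "alert_administrators", "notify_user"]
    if label == "Confidential":
        return ["notify_user"]
    return []


def evaluate_all(external_recipient: bool = True) -> dict:
    """Run every constructed sample through classification and the DLP rule."""
    results = {}
    for name, text in SAMPLES.items():
        label = classify(text)
        results[name] = (label, dlp_actions(label, external_recipient))
    return results


if __name__ == "__main__":
    for name, (label, actions) in evaluate_all().items():
        print(f"{name:15} {label:20} {actions}")
```

The tracking reference has the shape of a card number but fails the checksum, so it is never classified and the DLP rule has nothing to act on, which is the dependency the last sentence of the section describes.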


Data Classification and Insider Risk Management

Classified data helps Insider Risk Management identify risky activities involving:

  • Financial records
  • Intellectual property
  • Customer information
  • Confidential business data

This improves risk detection and investigation capabilities.


Common Data Classification Use Cases

Financial Information Protection

Detect:

  • Credit card numbers
  • Banking information
  • Tax records

Apply protection automatically.


Human Resources Data

Identify:

  • Employee records
  • Salary information
  • Performance reviews

Restrict access to authorized personnel.


Healthcare Information

Classify:

  • Patient records
  • Medical identifiers

Support HIPAA compliance.


Legal Documents

Detect:

  • Contracts
  • Legal agreements

Apply confidentiality protections.


Intellectual Property Protection

Identify:

  • Product designs
  • Research data
  • Source code

Prevent unauthorized sharing.


Key Exam Concepts

For the AB-900 exam, remember:

  • Data classification identifies and categorizes information.
  • Sensitive Information Types detect specific data patterns.
  • Trainable classifiers use machine learning and context.
  • Classification supports sensitivity labels and DLP.
  • Content Explorer helps locate classified content.
  • Activity Explorer helps investigate classification activity.
  • Classification is essential for compliance and governance.
  • Microsoft 365 Copilot benefits from proper data classification.
  • Classification enables automated protection policies.
  • Data classification improves organizational visibility into sensitive information.

Practice Exam Questions

Question 1

What is the primary purpose of data classification in Microsoft Purview?

A. To improve internet connectivity
B. To categorize information based on sensitivity and business value
C. To manage Windows updates
D. To configure virtual machines

Answer: B

Explanation: Data classification identifies and categorizes information so organizations can apply appropriate protections and governance controls.


Question 2

Which Microsoft Purview feature identifies information such as Social Security numbers and credit card numbers?

A. Activity Explorer
B. Sensitive Information Types
C. Compliance Manager
D. Insider Risk Management

Answer: B

Explanation: Sensitive Information Types (SITs) are designed to detect structured sensitive data using predefined patterns.


Question 3

Which technology enables Microsoft Purview to recognize contracts and resumes based on context?

A. Firewall policies
B. Sensitivity labels
C. Trainable classifiers
D. Conditional Access

Answer: C

Explanation: Trainable classifiers use machine learning and contextual analysis to identify content types.


Question 4

An administrator wants to see where sensitive information exists across Microsoft 365. Which tool should they use?

A. Microsoft Defender Portal
B. Teams Admin Center
C. Content Explorer
D. Exchange Admin Center

Answer: C

Explanation: Content Explorer provides visibility into classified content and its locations.


Question 5

What is the relationship between data classification and sensitivity labels?

A. They are unrelated technologies
B. Sensitivity labels identify data while classification encrypts it
C. Classification identifies data and labels protect it
D. Classification replaces sensitivity labels

Answer: C

Explanation: Classification discovers and categorizes information, while sensitivity labels apply protection settings.


Question 6

Which statement about Microsoft 365 Copilot is correct?

A. Copilot ignores classified information
B. Copilot respects permissions and protection controls associated with classified data
C. Copilot automatically removes sensitivity labels
D. Copilot bypasses governance policies

Answer: B

Explanation: Copilot honors existing permissions, labels, and compliance controls.


Question 7

Which Microsoft Purview feature allows administrators to investigate labeling and classification events?

A. Activity Explorer
B. Endpoint Manager
C. SharePoint Admin Center
D. Azure Monitor

Answer: A

Explanation: Activity Explorer provides visibility into classification-related activities and events.


Question 8

Which compliance-related benefit does data classification provide?

A. Faster network performance
B. Reduced storage costs only
C. Automatic hardware replacement
D. Easier identification and protection of regulated data

Answer: D

Explanation: Classification helps organizations locate and protect regulated information to support compliance requirements.


Question 9

A Data Loss Prevention (DLP) policy blocks sharing of files containing credit card numbers. What enables the DLP policy to identify those files?

A. Exchange transport rules only
B. Sensitive Information Types and data classification
C. Network firewalls
D. Device encryption

Answer: B

Explanation: DLP relies on classification mechanisms such as Sensitive Information Types to identify protected content.


Question 10

Which statement best describes trainable classifiers?

A. They only detect file names
B. They require manual review of every document
C. They identify information using contextual machine learning models
D. They replace all sensitivity labels

Answer: C

Explanation: Trainable classifiers use machine learning to recognize content such as contracts, source code, and resumes based on context rather than simple pattern matching.



Identify the use cases for sensitivity labels in Microsoft Purview (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Identify the use cases for sensitivity labels in Microsoft Purview



Introduction to Microsoft Purview Sensitivity Labels

Microsoft Purview Sensitivity Labels are classification and protection mechanisms that help organizations secure sensitive information across Microsoft 365. Labels enable organizations to identify important data and apply protections automatically or manually.

Sensitivity labels are part of Microsoft Purview Information Protection and support the principles of:

  • Data classification
  • Data protection
  • Compliance
  • Governance
  • Secure collaboration
  • AI readiness for Microsoft 365 Copilot

Instead of securing locations only, sensitivity labels secure the data itself, allowing protections to remain with content wherever it travels.


Why Sensitivity Labels Matter

Organizations often handle information with varying levels of confidentiality:

  • Public documents
  • Internal business data
  • Financial records
  • Human resources information
  • Customer data
  • Intellectual property
  • Legal documents

Sensitivity labels provide a consistent method for:

  • Identifying content sensitivity
  • Applying encryption
  • Restricting access
  • Adding visual markings
  • Preventing accidental exposure
  • Supporting compliance requirements

How Sensitivity Labels Work

A sensitivity label can be applied to:

  • Documents
  • Emails
  • Microsoft Teams
  • Microsoft 365 Groups
  • SharePoint sites
  • OneDrive content

Labels can be:

Manually applied

Users choose the appropriate label.

Automatically applied

Microsoft Purview detects sensitive information and assigns labels automatically.

Recommended

Users receive suggestions to apply a label.


Common Label Hierarchies

Organizations frequently create labels such as:

Label | Intended Audience
Public | Anyone
General | Employees
Internal | Internal users only
Confidential | Specific departments
Highly Confidential | Restricted users

Labels are customizable and vary by organization.


Core Protection Capabilities

A sensitivity label may configure:

Encryption

Controls who can open content and what actions they can perform.

Examples:

  • View only
  • Edit allowed
  • Print blocked
  • Copy restricted

Content Markings

Visual indicators help users recognize sensitivity.

Examples:

  • Headers
  • Footers
  • Watermarks

Access Restrictions

Limits content access to:

  • Individuals
  • Groups
  • Departments
  • External users

Expiration Settings

Content access can expire after a specified period.


Major Use Cases for Sensitivity Labels

1. Protecting Confidential Documents

Organizations can label:

  • Financial statements
  • Contracts
  • Product designs
  • Strategic plans

Example:

A “Highly Confidential” label encrypts a document and restricts access to executives only.


2. Protecting Email Messages

Labels can secure email communication.

Example:

An HR manager sends salary information using a “Confidential – HR” label that:

  • Encrypts the email
  • Restricts forwarding
  • Prevents printing

3. Supporting Microsoft 365 Copilot

Copilot respects existing permissions and sensitivity labels.

If a document is labeled:

  • Confidential
  • Highly Confidential
  • Executive Only

Copilot only uses content that the user already has permission to access.

Sensitivity labels therefore help organizations prepare data safely for AI experiences.


4. Securing External Collaboration

Organizations can share files externally while maintaining protection.

Example:

A company sends a proposal to a partner:

  • External recipients can read it.
  • Forwarding is blocked.
  • Printing is disabled.

Protection travels with the document.


5. Meeting Regulatory Compliance Requirements

Sensitivity labels help support:

  • GDPR
  • HIPAA
  • Financial regulations
  • Privacy laws
  • Industry-specific requirements

Organizations can demonstrate that sensitive information receives appropriate protection.


6. Preventing Accidental Data Exposure

Users sometimes unintentionally send sensitive information.

Labels provide:

  • Classification awareness
  • Visual reminders
  • Automated protection

Example:

A user sending customer data receives an automatic recommendation to apply a Confidential label.


7. Protecting Intellectual Property

Engineering designs, research documents, and proprietary information can be restricted.

Example:

Only members of the Research department can access files labeled “R&D Confidential.”


8. Applying Visual Classification

Headers, footers, and watermarks immediately show sensitivity.

Examples:

  • INTERNAL USE ONLY
  • CONFIDENTIAL
  • HIGHLY CONFIDENTIAL

These markings help employees recognize handling requirements.


9. Labeling Containers

Sensitivity labels can be applied to:

  • Microsoft Teams
  • Microsoft 365 Groups
  • SharePoint sites

Container labels can control:

  • Guest access
  • Privacy settings
  • External sharing
  • Unmanaged device access

Example:

A Team labeled “Confidential Project” automatically disables guest access.


10. Supporting Data Loss Prevention (DLP)

Sensitivity labels integrate with Microsoft Purview DLP.

Example:

A DLP policy may block external sharing of content labeled “Highly Confidential.”

Labels and DLP together provide layered protection.


Manual vs Automatic Labeling

Method | Description
Manual labeling | User chooses the label
Recommended labeling | System suggests labels
Automatic labeling | Purview assigns labels automatically

Automatic labeling reduces reliance on users and improves consistency.


Supported Workloads

Sensitivity labels work across:

  • Microsoft Word
  • Excel
  • PowerPoint
  • Outlook
  • Teams
  • SharePoint Online
  • OneDrive
  • Microsoft 365 Groups

Relationship Between Sensitivity Labels and Retention Labels

These labels serve different purposes:

Label Type | Purpose
Sensitivity label | Protect and classify data
Retention label | Govern how long data is kept

Sensitivity labels answer:

“Who can access this?”

Retention labels answer:

“How long should we keep this?”


Benefits of Sensitivity Labels

Organizations gain:

  • Stronger data protection
  • Better compliance
  • Secure AI adoption
  • Reduced data leakage
  • Improved collaboration
  • Consistent classification
  • User awareness of sensitive data

AB-900 Exam Tips

Remember these key points:

  • Sensitivity labels protect the content itself, not just the storage location.
  • Labels can apply encryption, markings, and access restrictions.
  • Labels work across Microsoft 365 workloads.
  • Microsoft 365 Copilot honors sensitivity labels and permissions.
  • Labels can be manually or automatically applied.
  • Sensitivity labels and retention labels serve different purposes.
  • Labels integrate with DLP policies for additional protection.

Practice Exam Questions


Question 1

What is the primary purpose of Microsoft Purview sensitivity labels?

A. Monitor network traffic
B. Protect and classify data based on sensitivity
C. Manage software updates
D. Create backups

Answer: B

Explanation: Sensitivity labels classify information and apply protections such as encryption and access restrictions.


Question 2

Which Microsoft 365 service respects sensitivity labels when generating responses?

A. Microsoft DHCP
B. Windows Update
C. Hyper-V
D. Microsoft 365 Copilot

Answer: D

Explanation: Copilot honors both user permissions and sensitivity labels.


Question 3

Which capability can sensitivity labels provide?

A. Device firmware updates
B. Password resets
C. Encryption and access control
D. Network routing

Answer: C

Explanation: Labels can encrypt content and define who can access it.


Question 4

A company wants documents to display “CONFIDENTIAL” across every page. Which sensitivity label feature supports this?

A. Authentication logs
B. Retention policies
C. Device compliance
D. Watermarks and content markings

Answer: D

Explanation: Labels can add headers, footers, and watermarks.


Question 5

What type of information is commonly protected with sensitivity labels?

A. Product designs and financial reports
B. Printer drivers only
C. Operating system files only
D. DNS records

Answer: A

Explanation: Sensitive business information is a common use case.


Question 6

Which statement about automatic labeling is correct?

A. Users must always choose labels manually.
B. Labels only work with Outlook.
C. Purview can automatically apply labels based on detected sensitive information.
D. Automatic labeling disables encryption.

Answer: C

Explanation: Purview can detect sensitive content and assign labels automatically.


Question 7

Which object can receive a sensitivity label?

A. Microsoft Teams
B. Documents
C. Emails
D. All of the above

Answer: D

Explanation: Labels support files, emails, Teams, groups, and SharePoint sites.


Question 8

How do sensitivity labels differ from retention labels?

A. They are identical.
B. Sensitivity labels protect data, while retention labels control how long data is kept.
C. Retention labels encrypt content.
D. Sensitivity labels manage software deployment.

Answer: B

Explanation: Protection and lifecycle management are separate functions.


Question 9

Which Microsoft Purview feature commonly works together with sensitivity labels to prevent data leakage?

A. Windows Firewall
B. Azure Virtual Machines
C. Data Loss Prevention (DLP)
D. Active Directory Sites and Services

Answer: C

Explanation: DLP policies can use sensitivity labels to enforce protection rules.


Question 10

Why are sensitivity labels important for Microsoft 365 Copilot adoption?

A. They increase processor speed.
B. They replace permissions.
C. They eliminate identity management.
D. They help ensure AI accesses data according to existing protections.

Answer: D

Explanation: Copilot follows permissions and sensitivity labels, helping organizations safely enable AI experiences.



Understand features and capabilities of Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention (DLP), Microsoft Purview Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Data Security Posture Management (DSPM) for AI, and Microsoft Purview Data Lifecycle Management (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Understand features and capabilities of Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention (DLP), Microsoft Purview Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Data Security Posture Management (DSPM) for AI, and Microsoft Purview Data Lifecycle Management



Introduction

As organizations adopt Microsoft 365, Copilot, and AI-powered solutions, protecting sensitive information becomes increasingly important. Microsoft provides a unified compliance and governance platform called Microsoft Purview.

Microsoft Purview helps organizations:

  • Protect sensitive information.
  • Prevent accidental or intentional data loss.
  • Manage records and retention.
  • Detect insider risks.
  • Monitor communications.
  • Strengthen AI data governance.
  • Meet regulatory and compliance requirements.

For the AB-900 exam, you should understand the purpose and capabilities of the major Microsoft Purview solutions rather than detailed implementation steps.


What Is Microsoft Purview?

Microsoft Purview is Microsoft’s unified data governance, compliance, and risk management platform.

Purview enables organizations to:

  • Discover and classify data.
  • Protect sensitive information.
  • Govern information throughout its lifecycle.
  • Reduce insider threats.
  • Monitor AI-related risks.
  • Meet legal and regulatory obligations.

Purview works across:

  • Microsoft 365
  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Teams
  • Microsoft Copilot
  • Power Platform
  • Endpoint devices
  • Third-party cloud services

Microsoft Purview Information Protection

Purpose

Microsoft Purview Information Protection (MIP) helps organizations classify and protect sensitive information.

It enables organizations to:

  • Identify sensitive data.
  • Apply sensitivity labels.
  • Encrypt content.
  • Control sharing permissions.
  • Track and monitor protected content.

Sensitivity Labels

Sensitivity labels classify content based on its importance.

Examples:

  • Public
  • General
  • Confidential
  • Highly Confidential

Labels can be applied to:

  • Emails
  • Word documents
  • Excel files
  • PowerPoint presentations
  • SharePoint sites
  • Teams
  • Microsoft 365 Groups

Protection Actions

Sensitivity labels can:

Encrypt Data

Only authorized users can open content.

Restrict Access

Prevent forwarding, printing, or copying.

Apply Visual Markings

Add:

  • Headers
  • Footers
  • Watermarks

Protect Copilot Data

Copilot respects existing permissions and sensitivity labels.


Benefits

Information Protection helps organizations:

  • Reduce accidental exposure.
  • Meet compliance requirements.
  • Maintain consistent classification.
  • Protect confidential information.

Microsoft Purview Data Loss Prevention (DLP)

Purpose

Data Loss Prevention (DLP) helps prevent sensitive information from being shared improperly.

DLP identifies sensitive information and automatically applies protection actions.


Examples of Sensitive Information

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Healthcare records
  • Financial information

DLP Actions

Policies can:

  • Block email transmission.
  • Prevent file sharing.
  • Warn users before sending data.
  • Generate alerts.
  • Create audit records.

Locations Protected by DLP

DLP policies can protect:

  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Microsoft Teams
  • Endpoint devices

Example

A user attempts to email customer credit card information outside the company.

DLP can:

  1. Detect the information.
  2. Display a warning.
  3. Block the message.

Benefits

DLP helps:

  • Prevent accidental leaks.
  • Support compliance requirements.
  • Educate users with policy tips.
  • Reduce organizational risk.

Microsoft Purview Insider Risk Management

Purpose

Insider Risk Management helps detect risky behavior from internal users.

Risks may be:

  • Accidental
  • Negligent
  • Malicious

Examples of Risky Activities

  • Downloading large amounts of files.
  • Sending confidential information externally.
  • Copying data to USB devices.
  • Unusual file access patterns.
  • Data theft before leaving the company.

Risk Indicators

The solution uses:

  • User activities
  • Behavioral signals
  • Microsoft 365 audit logs

Investigation Capabilities

Administrators can:

  • Review alerts.
  • Analyze activities.
  • Escalate incidents.
  • Document investigations.

Benefits

Insider Risk Management helps:

  • Reduce insider threats.
  • Detect suspicious behavior early.
  • Protect intellectual property.

Microsoft Purview Communication Compliance

Purpose

Communication Compliance helps organizations monitor communications for policy violations.


Content Sources

Communication Compliance can monitor:

  • Microsoft Teams chats
  • Emails
  • Copilot interactions
  • Other communication channels

Violations It Can Detect

Examples include:

  • Harassment
  • Threatening language
  • Offensive content
  • Inappropriate sharing
  • Regulatory violations

Review Process

Flagged communications are:

  1. Detected automatically.
  2. Reviewed by authorized reviewers.
  3. Investigated when necessary.

Benefits

Communication Compliance helps:

  • Promote workplace safety.
  • Meet industry regulations.
  • Reduce legal exposure.
  • Enforce organizational policies.

Microsoft Purview Data Security Posture Management (DSPM) for AI

Purpose

DSPM for AI helps organizations understand and secure how AI systems interact with organizational data.

As AI adoption grows, organizations need visibility into:

  • What data AI tools can access.
  • Which users have access to sensitive information.
  • Potential AI-related risks.

DSPM for AI Capabilities

DSPM for AI helps organizations:

Discover AI Usage

Identify where AI tools are being used.

Assess Data Exposure

Understand whether sensitive data may be exposed.

Monitor Copilot Activity

Gain visibility into AI interactions.

Identify Oversharing Risks

Locate files with excessive permissions.

Strengthen AI Governance

Improve controls around AI usage.


Example

DSPM for AI may discover:

  • A SharePoint site containing confidential files.
  • Excessive permissions on the site.
  • Potential exposure to Copilot responses.

Administrators can then reduce permissions and improve security.
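The discovery in this example amounts to joining two facts about a site: how sensitive its content is and how widely it is shared. The sketch below is an added illustration, not DSPM for AI itself or code from the original post; it ranks a constructed site inventory for remediation, and the field names, principal names, reason weights, and the 50-reader limit are assumptions.

```python
from dataclasses import dataclass

# Assumptions for this example: label names follow the label hierarchy used
# on this page; the broad-access principals, weights and limit are illustrative.
LABEL_WEIGHT = {"Public": 0, "General": 1, "Internal": 2,
                "Confidential": 3, "Highly Confidential": 4}
ORG_WIDE = {"Everyone", "Everyone except external users"}
ANONYMOUS = {"Anyone with the link"}
REASON_WEIGHT = {"anonymous_link": 4, "org_wide_group": 3,
                 "guest_access": 2, "large_audience": 1}


@dataclass(frozen=True)
class SiteAccess:
    url: str           # constructed example URL
    label: str         # highest sensitivity label found on the site
    principals: tuple  # groups or link types that have been granted access
    readers: int       # users who can effectively read the content
    guests: int = 0    # external guests among those readers


# Constructed inventory (not real data).
INVENTORY = [
    SiteAccess("https://tenant.example/sites/handbook", "General",
               ("Everyone except external users",), 4200),
    SiteAccess("https://tenant.example/sites/project-x", "Confidential",
               ("Project X Members",), 12, guests=3),
    SiteAccess("https://tenant.example/sites/finance", "Highly Confidential",
               ("Finance Team", "Everyone except external users"), 4200),
    SiteAccess("https://tenant.example/sites/legal", "Highly Confidential",
               ("Legal Team",), 9),
    SiteAccess("https://tenant.example/sites/hr-archive", "Confidential",
               ("HR Team", "Anyone with the link"), 20),
]


def exposure_reasons(site: SiteAccess, reader_limit: int = 50) -> list[str]:
    """Return why a site's access is broader than its label warrants."""
    if LABEL_WEIGHT[site.label] < LABEL_WEIGHT["Confidential"]:
        return []  # low-sensitivity content: broad access is expected
    granted = set(site.principals)
    reasons = []
    if granted & ANONYMOUS:
        reasons.append("anonymous_link")
    if granted & ORG_WIDE:
        reasons.append("org_wide_group")
    if site.guests:
        reasons.append("guest_access")
    if site.readers > reader_limit:
        reasons.append("large_audience")
    return reasons


def triage(sites, reader_limit: int = 50) -> list[tuple]:
    """Rank overshared sites: label sensitivity times breadth of exposure."""
    ranked = []
    for site in sites:
        reasons = exposure_reasons(site, reader_limit)
        if reasons:
            breadth = sum(REASON_WEIGHT[r] for r in reasons)
            ranked.append((site.url, LABEL_WEIGHT[site.label] * breadth, reasons))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for url, score, reasons in triage(INVENTORY):
        print(f"{score:3}  {url}  {', '.join(reasons)}")
```

The handbook site is shared with the whole organization and the legal site is Highly Confidential, yet neither is flagged: a site only needs remediation when high sensitivity and broad access occur together.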


Benefits

DSPM for AI supports:

  • Responsible AI adoption.
  • Reduced oversharing risks.
  • Better governance of AI systems.

Microsoft Purview Data Lifecycle Management

Purpose

Data Lifecycle Management governs information throughout its lifecycle.

It ensures that information is:

  • Retained when required.
  • Deleted when no longer needed.
  • Managed according to regulations.

Retention Policies

Retention policies determine how long content should be kept.

Examples:

Content Type | Retention Period
HR records | 7 years
Financial documents | 10 years
General emails | 3 years

Retention Labels

Labels can assign different retention periods to individual documents.

Example:

  • Contract documents retained for 10 years.
  • Project files retained for 5 years.

Automatic Deletion

When retention periods expire, content can be deleted automatically.

Benefits include:

  • Reduced storage costs.
  • Reduced legal risk.
  • Better compliance.

Records Management

Organizations can designate records that must not be altered or deleted before their retention period ends.


How These Purview Solutions Work Together

Solution | Primary Goal
Information Protection | Classify and protect content
DLP | Prevent data leakage
Insider Risk Management | Detect risky user behavior
Communication Compliance | Monitor communications
DSPM for AI | Secure AI data access
Data Lifecycle Management | Retain and dispose of data appropriately

Together, these capabilities provide a comprehensive governance framework for Microsoft 365 and Copilot.


Importance for Microsoft 365 Copilot

Copilot respects existing Microsoft 365 permissions and compliance controls.

Purview solutions help ensure:

  • Sensitive content is labeled.
  • Oversharing risks are minimized.
  • AI interactions remain compliant.
  • Records are retained appropriately.
  • Users do not accidentally expose confidential data.

Key Exam Points

Remember these AB-900 concepts:

  • Information Protection uses sensitivity labels to classify and protect content.
  • DLP prevents inappropriate sharing of sensitive data.
  • Insider Risk Management detects risky user behavior.
  • Communication Compliance monitors communications for policy violations.
  • DSPM for AI helps organizations govern AI usage and identify oversharing risks.
  • Data Lifecycle Management controls retention and deletion of information.
  • Microsoft Purview supports Microsoft 365, Copilot, and AI governance.

Practice Exam Questions

Question 1

Which Microsoft Purview solution primarily uses sensitivity labels to classify and protect content?

A. Communication Compliance
B. Data Lifecycle Management
C. Information Protection
D. Insider Risk Management

Correct Answer: C

Explanation: Microsoft Purview Information Protection uses sensitivity labels to classify and secure content.


Question 2

Which Microsoft Purview capability helps prevent users from emailing credit card numbers outside the organization?

A. Insider Risk Management
B. Communication Compliance
C. Data Loss Prevention (DLP)
D. Records Management

Correct Answer: C

Explanation: DLP detects sensitive information and can block or warn users before sharing it.


Question 3

Which solution is designed to identify potentially malicious or risky behavior by internal users?

A. Information Protection
B. Sensitivity Labels
C. Data Lifecycle Management
D. Insider Risk Management

Correct Answer: D

Explanation: Insider Risk Management focuses on identifying risky activities performed by users inside the organization.


Question 4

A company wants to monitor Teams messages for harassment and inappropriate language. Which Microsoft Purview solution should they use?

A. DLP
B. Communication Compliance
C. DSPM for AI
D. Information Protection

Correct Answer: B

Explanation: Communication Compliance analyzes communications for policy violations.


Question 5

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Manage mailbox permissions
B. Secure and govern AI-related data exposure
C. Encrypt documents automatically
D. Replace Conditional Access

Correct Answer: B

Explanation: DSPM for AI provides visibility into AI usage and helps identify oversharing risks.


Question 6

Which Microsoft Purview capability determines how long information should be retained?

A. Insider Risk Management
B. Communication Compliance
C. Data Lifecycle Management
D. Information Protection

Correct Answer: C

Explanation: Data Lifecycle Management uses retention policies and labels to manage content over time.


Question 7

Which action can a sensitivity label perform?

A. Create Teams channels automatically
B. Synchronize users with Active Directory
C. Configure Conditional Access policies
D. Encrypt documents and restrict access

Correct Answer: D

Explanation: Sensitivity labels can apply encryption and restrict how information is used.


Question 8

Which Microsoft Purview solution helps identify oversharing risks that may affect Microsoft Copilot responses?

A. DSPM for AI
B. Communication Compliance
C. Data Lifecycle Management
D. Exchange Online Protection

Correct Answer: A

Explanation: DSPM for AI helps organizations understand how AI systems interact with organizational data and identify excessive permissions.


Question 9

A company must retain financial documents for ten years to meet regulatory requirements. Which capability addresses this need?

A. DLP
B. Insider Risk Management
C. Data Lifecycle Management
D. Communication Compliance

Correct Answer: C

Explanation: Retention policies and labels within Data Lifecycle Management ensure information is preserved for required periods.


Question 10

Which statement best describes the relationship between Microsoft Purview and Microsoft 365 Copilot?

A. Copilot ignores Purview policies.
B. Purview replaces Copilot permissions.
C. Copilot stores all data outside Microsoft 365.
D. Copilot works with existing Purview protections and permissions.

Correct Answer: D

Explanation: Microsoft 365 Copilot honors existing permissions, sensitivity labels, and compliance controls established through Microsoft Purview.



Understand App registrations and Enterprise apps (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Understand App registrations and Enterprise apps


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Modern organizations rely on applications to access Microsoft 365 resources, integrate with cloud services, and automate business processes. Microsoft Entra ID (formerly Azure Active Directory) provides identity and access management capabilities not only for users but also for applications.

Two important concepts administrators must understand are:

  • App registrations
  • Enterprise applications

Although these terms are closely related, they represent different objects within Microsoft Entra ID. Understanding their purposes and differences is important for the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam.


Why Applications Need Identities

Just as users require identities to sign in and access resources, applications also need identities.

Applications may need to:

  • Access Microsoft Graph APIs.
  • Read SharePoint data.
  • Send email through Exchange Online.
  • Authenticate users.
  • Integrate with Microsoft 365 services.
  • Support Microsoft 365 Copilot and agents.

Microsoft Entra provides these capabilities through app registrations and enterprise applications.


What Is an App Registration?

An App Registration defines an application’s identity within Microsoft Entra ID.

When developers register an application, Entra creates:

  • An Application (client) ID
  • A directory object representing the application
  • Authentication settings
  • Redirect URIs
  • API permissions
  • Secrets or certificates (optional)

Think of an app registration as the blueprint or template for an application.

Common Uses

  • Custom business applications
  • Web applications
  • Mobile applications
  • APIs
  • Microsoft Graph integrations
  • Copilot extensions and agents

Key Components of an App Registration

Application (Client) ID

A globally unique identifier that identifies the application.

Example:

Application ID: 7a12b8c3-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Applications use this ID during authentication.


Directory (Tenant) ID

Identifies the Microsoft Entra tenant where the application resides.


Redirect URI

Specifies where authentication responses are sent after users sign in.

Examples:


Secrets and Certificates

Applications may authenticate themselves using:

  • Client secrets
  • Certificates

These credentials should be protected because they function similarly to passwords.


API Permissions

Applications often require access to Microsoft services.

Examples:

  • Read user profiles
  • Access calendars
  • Read SharePoint files
  • Send email

Permissions can be granted by users or administrators depending on the permission type.


Types of API Permissions

Delegated Permissions

The application acts on behalf of a signed-in user.

Example:

A Teams app reads the user’s calendar using that user’s permissions.

Characteristics:

  • Requires a signed-in user.
  • Limited by the user’s permissions.

Application Permissions

The application runs independently without a user.

Example:

A background process scans SharePoint sites across the organization.

Characteristics:

  • No user sign-in required.
  • Usually requires administrator consent.

What Is an Enterprise Application?

An Enterprise Application is the service principal created from an app registration.

Think of the enterprise application as the instance of the application inside a tenant.

Enterprise applications manage:

  • User assignments
  • Sign-in permissions
  • Single sign-on settings
  • Conditional Access policies
  • Application access controls
  • Monitoring and sign-in logs

Simple Comparison

Object | Purpose
App Registration | Defines the application
Enterprise Application | Represents the application inside the tenant

Relationship Between App Registrations and Enterprise Applications

When an application is registered:

  1. An app registration is created.
  2. A corresponding enterprise application (service principal) is created.
  3. Users and permissions are managed through the enterprise application.

One application registration can have multiple enterprise applications across different tenants.


Service Principals

A service principal is the identity used by an application within a specific tenant.

The service principal:

  • Authenticates the application.
  • Receives permissions.
  • Appears as an enterprise application.

For exam purposes:

Enterprise Application = Service Principal


Enterprise Applications and Single Sign-On (SSO)

Enterprise applications support Single Sign-On.

Users can:

  • Sign in once.
  • Access multiple applications.
  • Use Microsoft Entra credentials.

Benefits include:

  • Improved user experience.
  • Reduced password fatigue.
  • Centralized identity management.

Enterprise Applications from External Vendors

Not all enterprise applications originate from your organization.

Examples include:

  • Salesforce
  • ServiceNow
  • Workday
  • Zoom
  • Adobe

These SaaS applications appear as enterprise applications inside Microsoft Entra and can use SSO.


User Assignment

Administrators can control which users may access an enterprise application.

Options include:

Everyone

All users can access the application.

Selected Users or Groups

Only assigned users receive access.

This supports least privilege and Zero Trust principles.


Conditional Access and Enterprise Applications

Conditional Access policies can target applications.

Examples:

  • Require MFA for Salesforce.
  • Block access from unmanaged devices.
  • Restrict access by location.
  • Allow only compliant devices.

This helps secure application access.


Consent and Permissions

Applications request permissions when first used.

Two forms of consent exist:

User Consent

Users approve low-risk delegated permissions.

Example:

Allowing an app to read basic profile information.


Admin Consent

Administrators approve permissions that affect the entire organization.

Example:

Granting an app permission to read all mailboxes.

Admin consent helps protect sensitive organizational data.


Monitoring Enterprise Applications

Administrators can review:

  • Sign-in logs
  • Failed sign-ins
  • User assignments
  • Permission grants
  • Conditional Access results

These tools help troubleshoot and improve security.


Common Administrative Tasks

Administrators frequently:

  • Add enterprise applications.
  • Configure SSO.
  • Assign users and groups.
  • Review permissions.
  • Grant admin consent.
  • Remove unused applications.
  • Investigate sign-in logs.
  • Apply Conditional Access policies.

Security Best Practices

Use Least Privilege

Grant only required permissions.

Review Permissions Regularly

Remove unnecessary permissions.

Require MFA

Protect access to sensitive applications.

Remove Unused Applications

Reduce attack surface.

Use Group Assignments

Simplify management.

Monitor Sign-In Activity

Identify unusual behavior.
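
A permission review of the kind described under "Types of API Permissions", "User Assignment", and "Consent and Permissions" can be scripted once the tenant's objects are exported. The following is an added example, not code from the original post or from Microsoft: it runs over constructed sample data shaped like Microsoft Graph servicePrincipal, oauth2PermissionGrant, and appRoleAssignment objects, and the IDs, the `appRoleValue` field, and the `BROAD` watchlist are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample export (IDs are placeholders, not real tenant values).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Calendar Helper", "appRoleAssignmentRequired": True},
    {"id": "sp-2", "displayName": "Site Scanner", "appRoleAssignmentRequired": False},
]
# oauth2PermissionGrant objects: delegated permissions and who consented.
DELEGATED_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "scope": "Files.Read.All"},
]
# appRoleAssignment objects: application permissions. "appRoleValue" is a
# hypothetical pre-resolved field; Graph itself returns an appRoleId GUID.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-2", "resourceDisplayName": "Microsoft Graph",
     "appRoleValue": "Sites.Read.All"},
]
# Reviewer's watchlist of wide-reaching permissions (assumption; tune per organization).
BROAD = {"Sites.Read.All", "Files.Read.All"}


def review(sps, delegated, app_roles, broad=BROAD):
    """Return {displayName: [finding, ...]} for each enterprise application."""
    names = {sp["id"]: sp["displayName"] for sp in sps}
    findings = defaultdict(list)
    for sp in sps:
        # False corresponds to the "Everyone" user-assignment option.
        if not sp["appRoleAssignmentRequired"]:
            findings[sp["displayName"]].append("assignment not required: all users can sign in")
    for g in delegated:
        # AllPrincipals = admin consented for every user; Principal = one user consented.
        consent = ("admin consent (all users)" if g["consentType"] == "AllPrincipals"
                   else "user consent")
        for scope in g["scope"].split():
            flag = " [broad]" if scope in broad else ""
            findings[names[g["clientId"]]].append(f"delegated {scope} via {consent}{flag}")
    for a in app_roles:
        flag = " [broad]" if a["appRoleValue"] in broad else ""
        findings[names[a["principalId"]]].append(
            f"application {a['appRoleValue']} on {a['resourceDisplayName']}, no user context{flag}")
    return dict(findings)


if __name__ == "__main__":
    for app, items in review(SERVICE_PRINCIPALS, DELEGATED_GRANTS, APP_ROLE_ASSIGNMENTS).items():
        print(app)
        for item in items:
            print("  -", item)
```

Findings marked `[broad]` and applications that do not require assignment are the first candidates for the least-privilege review.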


App Registrations vs. Enterprise Applications

Feature | App Registration | Enterprise Application
Defines application identity | Yes | No
Contains client ID | Yes | No
Stores redirect URIs | Yes | No
Represents app in a tenant | No | Yes
Supports user assignment | No | Yes
Supports SSO configuration | No | Yes
Receives Conditional Access policies | No | Yes
Also known as service principal | No | Yes

Importance for Microsoft 365 Copilot and Agents

Copilot extensions, plugins, and custom agents often rely on:

  • App registrations
  • Microsoft Graph permissions
  • Enterprise applications
  • User consent
  • Authentication and authorization

Understanding these concepts helps administrators securely deploy AI solutions within Microsoft 365.


Key Exam Points

Remember these AB-900 concepts:

  • App registrations define an application’s identity.
  • Enterprise applications represent applications within a tenant.
  • Enterprise applications are service principals.
  • Delegated permissions act on behalf of users.
  • Application permissions operate without users.
  • Enterprise applications support SSO.
  • Conditional Access policies can target applications.
  • Admin consent is required for high-privilege permissions.
  • User assignments control who can access applications.

Practice Exam Questions

Question 1

Which Microsoft Entra object defines an application’s identity and contains its client ID?

A. App registration
B. Enterprise application
C. Conditional Access policy
D. Security group

Correct Answer: A

Explanation: App registrations define the application and contain identifiers and authentication settings.


Question 2

What is another name for an enterprise application in Microsoft Entra?

A. Managed identity
B. Service principal
C. Tenant object
D. Resource group

Correct Answer: B

Explanation: Enterprise applications are service principals that represent applications inside a tenant.


Question 3

Which permission type allows an application to act on behalf of a signed-in user?

A. Resource permission
B. Admin permission
C. Delegated permission
D. Conditional permission

Correct Answer: C

Explanation: Delegated permissions use the permissions of the signed-in user.


Question 4

Which object is commonly used to configure Single Sign-On for a SaaS application?

A. Security defaults
B. App registration only
C. Mailbox settings
D. Enterprise application

Correct Answer: D

Explanation: SSO settings are configured through enterprise applications.


Question 5

What is the primary purpose of an enterprise application?

A. Define redirect URIs
B. Store the client secret permanently
C. Represent an application inside a tenant and manage access
D. Replace Microsoft Entra users

Correct Answer: C

Explanation: Enterprise applications manage access and represent the app within the tenant.


Question 6

Which permission type usually requires administrator consent because it can affect organizational data?

A. Application permissions
B. Basic profile permissions
C. Redirect permissions
D. Device permissions

Correct Answer: A

Explanation: Application permissions often grant broad access and therefore typically require admin approval.


Question 7

An administrator wants only members of the Finance department to access an application. Which feature should be used?

A. Redirect URIs
B. Client certificates
C. User assignment within the enterprise application
D. Tenant synchronization

Correct Answer: C

Explanation: Enterprise applications allow administrators to assign specific users and groups.


Question 8

Which setting determines where authentication responses are sent after sign-in?

A. Directory ID
B. Redirect URI
C. Conditional Access policy
D. Service principal name

Correct Answer: B

Explanation: Redirect URIs specify where users are returned after successful authentication.


Question 9

A background application that runs without a signed-in user should typically use which permission type?

A. Delegated permissions
B. User permissions
C. Group permissions
D. Application permissions

Correct Answer: D

Explanation: Application permissions enable apps to run independently of users.


Question 10

Why should organizations periodically review enterprise applications and their permissions?

A. To increase mailbox size
B. To reduce unnecessary access and improve security
C. To change domain names automatically
D. To synchronize Teams channels

Correct Answer: B

Explanation: Reviewing applications helps maintain least privilege and reduce security risks.

