Category: security

Identify the role of Privileged Identity Management (PIM) in an organization (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Identify the role of Privileged Identity Management (PIM) in an organization


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Organizations using Microsoft 365 and Microsoft Entra ID must protect administrative accounts because these accounts hold elevated permissions that affect users, data, applications, and security settings. Permanent administrator access creates unnecessary risk: if such an account is compromised, the attacker inherits its privileges immediately and keeps them for as long as the assignment exists.

Privileged Identity Management (PIM) is a Microsoft Entra feature that helps organizations manage, control, and monitor privileged access. PIM provides just-in-time (JIT) access to administrative roles so users receive elevated permissions only when they need them and only for a limited period. PIM requires a Microsoft Entra ID P2 or Microsoft Entra ID Governance license.

For the AB-900 exam, it is important to understand the purpose, benefits, and key capabilities of PIM rather than the detailed configuration steps.


What Is Privileged Identity Management (PIM)?

Microsoft Entra Privileged Identity Management is a service that enables organizations to:

  • Discover privileged accounts
  • Assign roles securely
  • Require approval before activation
  • Limit how long elevated access remains active
  • Audit administrative activities
  • Reduce standing privileges

Instead of granting users permanent administrator rights, PIM allows them to activate privileged roles temporarily when needed.

Example

Without PIM:

  • Alice is permanently assigned the Global Administrator role.

With PIM:

  • Alice is eligible for the Global Administrator role.
  • She activates the role only when performing administrative work.
  • The role automatically expires after a defined period.

This approach follows the principle of least privilege and supports a Zero Trust security model.


Why Organizations Use PIM

Administrative accounts are attractive targets for attackers because they can:

  • Reset passwords
  • Change security settings
  • Access sensitive data
  • Create new accounts
  • Disable protections

PIM helps organizations:

Reduce Security Risks

Users have elevated permissions only when necessary.

Limit Exposure Time

Temporary access decreases the amount of time privileged accounts can be exploited.

Increase Visibility

Organizations can monitor who activated roles and when.

Improve Compliance

Audit records help demonstrate compliance with regulatory requirements.

Support Zero Trust

PIM assumes no account should have continuous privileged access.


Just-in-Time (JIT) Access

One of the most important concepts in PIM is Just-in-Time access.

Traditional Access

User → Permanent Administrator Role

PIM Access

User → Eligible Role → Temporary Activation → Automatic Expiration

With JIT access:

  • Permissions are granted only when needed.
  • Access automatically expires after a specified duration.
  • The attack surface is reduced.

Eligible vs. Active Assignments

PIM uses two assignment types.

Eligible Assignment

The user:

  • Can activate the role when needed.
  • Does not have permissions until activation occurs.

Example:

John is eligible for the Exchange Administrator role but normally has no Exchange administrative permissions.


Active Assignment

The user:

  • Immediately possesses the role.
  • Does not need to activate it.

Active assignments can be permanent or time-bound. Permanent active assignments are normally reserved for emergency access (break-glass) accounts and should otherwise be converted to eligible assignments wherever possible.


Role Activation Process

When users need elevated permissions, they activate their eligible role.

Activation can require:

  • Multifactor authentication (MFA)
  • A business justification
  • Approval from another administrator
  • A ticket number
  • Time restrictions

After approval:

  • The role becomes active.
  • Permissions are available temporarily.
  • Access expires automatically.

Approval Workflows

Organizations may require managers or security administrators to approve privileged access requests.

Example workflow:

  1. User requests activation.
  2. PIM sends approval request.
  3. Approver reviews the request.
  4. Access is granted for a limited time.
  5. Role expires automatically.

Approval workflows add another layer of protection.
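The eligible-then-activate flow described in the Eligible vs. Active, Role Activation Process and Approval Workflows sections above, as an added example that is not part of this exam-prep page. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that the signed-in account is allowed to manage role assignments, and that alice@contoso.com, the 180-day eligibility window, the one-hour activation and ticket INC-1234 are placeholders chosen for the example.

```powershell
# Added example (not from the exam-prep page): PIM eligibility and just-in-time
# activation with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the signed-in account may manage
# role assignments; alice@contoso.com, durations and ticket number are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All" -NoWelcome

$user = Get-MgUser -UserId "alice@contoso.com"   # placeholder principal
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# 1. Administrator side: make Alice ELIGIBLE (not active) for 180 days.
#    She gains no Exchange permissions until she activates.
$eligible = @{
    action           = "adminAssign"
    justification    = "Exchange support duties (assumed business reason)"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"            # whole tenant
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# 2. Alice's side (run in her session): ACTIVATE the eligible role for one hour,
#    supplying the justification and ticket that the role settings may demand.
$activate = @{
    action           = "selfActivate"
    justification    = "INC-1234 (assumed): repair broken mail flow rule"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    ticketInfo       = @{ ticketNumber = "INC-1234"; ticketSystem = "ServiceNow" }
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
$request.Status   # "Provisioned" when active; "PendingApproval" while an approver must decide

# 3. Verify: an activated instance carries an EndDateTime after which PIM removes it.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

If the role's PIM settings require MFA, the selfActivate request is accepted only from a session that satisfied MFA at sign-in; if they require approval, the request is returned with Status PendingApproval and the role is not active until an approver acts on it. The AssignmentType value "Activated" in step 3 distinguishes a JIT activation from a standing "Assigned" assignment.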


Time-Limited Access

PIM allows organizations to define activation durations.

Examples:

Role                       Duration
Global Administrator       1 hour
Exchange Administrator     4 hours
SharePoint Administrator   2 hours

Benefits include:

  • Reduced attack windows
  • Automatic removal of privileges
  • Better administrative control

Multifactor Authentication (MFA) for Role Activation

Organizations can require MFA before privileged access is activated.

This ensures:

  • The user is verified.
  • Stolen passwords alone cannot activate privileged roles.
  • Additional security protects sensitive operations.

Example:

A Global Administrator may need to:

  1. Sign in.
  2. Complete MFA.
  3. Enter a justification.
  4. Activate the role.

Audit Logs and Activity Tracking

PIM records privileged activities, including:

  • Role assignments
  • Activation requests
  • Approval actions
  • Expiration events
  • Administrative changes

Audit logs help organizations:

  • Investigate incidents.
  • Meet compliance requirements.
  • Understand who performed sensitive actions.

Access Reviews

PIM supports periodic access reviews.

These reviews help organizations determine:

  • Whether users still require privileged access.
  • Whether inactive assignments should be removed.
  • Whether excessive permissions exist.

Access reviews reduce privilege creep over time.


Alerts and Notifications

PIM can generate alerts for risky situations such as:

  • Too many Global Administrators.
  • Roles being assigned outside of PIM (permanent assignments that bypass activation).
  • Roles being activated too frequently, or eligible administrators who never use their role.
  • Roles that do not require MFA for activation.

Notifications can also be sent to administrators when:

  • Roles are activated.
  • Requests are approved.
  • Changes occur.
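A check a practitioner would run against the situations the Time-Limited Access, MFA for Role Activation and Alerts sections describe, added here as an example that is not part of the page: it counts standing Global Administrator assignments and reads the PIM role settings that govern activation. It assumes the Microsoft.Graph module, a signed-in reader with the two scopes shown, and that the rule identifiers Enablement_EndUser_Assignment, Expiration_EndUser_Assignment and Approval_EndUser_Assignment are the fixed ids the service uses for the end-user activation rules.

```powershell
# Added example (not part of the page): audit the Global Administrator role for
# standing (permanent) assignments and read the PIM activation rules that
# enforce MFA, justification, ticketing, approval and maximum duration.
# Assumes the Microsoft.Graph module and a reader with the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","RoleManagementPolicy.Read.Directory" -NoWelcome

$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# --- Standing access: active instances with no EndDateTime never expire. ---
$active    = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($ga.Id)'")
$permanent = @($active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })
"Global Administrator: $($active.Count) active, $($permanent.Count) permanent"
if ($active.Count -ge 5) { Write-Warning "Microsoft's guidance is fewer than five Global Administrators." }
$permanent | Select-Object PrincipalId, StartDateTime   # each is a candidate to convert to eligible

# --- Role settings: the PIM policy bound to this role at tenant scope. ---
$binding = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($ga.Id)'"
$rules   = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $binding.PolicyId

# Rule ids are fixed by the service (assumed here); properties of the derived rule
# types are surfaced by the SDK in AdditionalProperties.
$enable   = $rules | Where-Object Id -eq 'Enablement_EndUser_Assignment'
$expire   = $rules | Where-Object Id -eq 'Expiration_EndUser_Assignment'
$approval = $rules | Where-Object Id -eq 'Approval_EndUser_Assignment'

$enabled = @($enable.AdditionalProperties['enabledRules'])
[pscustomobject]@{
    RequiresMfa           = $enabled -contains 'MultiFactorAuthentication'
    RequiresJustification = $enabled -contains 'Justification'
    RequiresTicket        = $enabled -contains 'Ticketing'
    MaxActivation         = $expire.AdditionalProperties['maximumDuration']   # ISO 8601, e.g. PT8H
    RequiresApproval      = [bool]($approval.AdditionalProperties['setting'])['isApprovalRequired']
}
```

A result with RequiresMfa false or a long MaxActivation for Global Administrator is exactly the condition the "Roles don't require MFA for activation" alert reports; the permanent list is the input for converting standing assignments to eligible ones, leaving only the break-glass accounts.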

Resources Protected by PIM

PIM can manage privileged access for:

Microsoft Entra Roles

Examples:

  • Global Administrator
  • User Administrator
  • Security Administrator
  • Exchange Administrator

Azure Resource Roles

Examples:

  • Owner
  • Contributor
  • User Access Administrator

Groups

PIM can manage membership and ownership of privileged groups.


Common Roles Managed by PIM

Examples include:

Role                       Purpose
Global Administrator       Full Microsoft 365 administration
Exchange Administrator     Manage Exchange Online
SharePoint Administrator   Manage SharePoint Online
Teams Administrator        Manage Microsoft Teams
Security Administrator     Configure security settings
User Administrator         Manage users and groups

Benefits of PIM

Organizations implementing PIM gain:

  • Reduced standing privileges
  • Stronger security
  • Just-in-time access
  • Automatic expiration of permissions
  • Approval workflows
  • Better auditing
  • Compliance support
  • Reduced insider risk
  • Support for Zero Trust principles

Relationship Between PIM and Zero Trust

PIM aligns closely with Zero Trust principles:

Verify Explicitly

Require MFA and approvals.

Use Least Privilege Access

Grant only necessary permissions.

Assume Breach

Limit exposure if an account becomes compromised.

Because of this alignment, PIM is considered an important security control in Microsoft environments.


Key Exam Points

Remember these AB-900 concepts:

  • PIM manages privileged access.
  • PIM reduces permanent administrator permissions.
  • Just-in-time access grants temporary privileges.
  • Users can be eligible or active.
  • MFA can be required before activation.
  • Approvals and justifications may be required.
  • Audit logs record privileged activities.
  • Access reviews help remove unnecessary privileges.
  • PIM supports Zero Trust and least privilege principles.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Entra Privileged Identity Management?

A. Increase mailbox storage quotas
B. Configure SharePoint sites
C. Synchronize on-premises users with Microsoft 365
D. Manage and secure privileged access to resources

Correct Answer: D

Explanation: PIM helps organizations manage and secure privileged access by providing temporary, controlled administrator permissions.


Question 2

Which security principle is most closely supported by PIM?

A. Permanent administrative access
B. Open access permissions
C. Least privilege access
D. Shared administrator accounts

Correct Answer: C

Explanation: PIM grants elevated permissions only when needed, supporting least privilege.


Question 3

A user who can activate a role when needed but does not currently possess permissions has which type of assignment?

A. Resource assignment
B. Permanent assignment
C. Dynamic assignment
D. Eligible assignment

Correct Answer: D

Explanation: Eligible users activate roles only when necessary.


Question 4

What does Just-in-Time (JIT) access provide?

A. Permanent access to all services
B. Access only after synchronization occurs
C. Access to guest users only
D. Temporary elevated permissions when required

Correct Answer: D

Explanation: JIT access minimizes risk by limiting how long privileged permissions remain active.


Question 5

Which control can be required before a user activates a privileged role?

A. Disk encryption
B. Multifactor authentication
C. SharePoint versioning
D. Mail flow rules

Correct Answer: B

Explanation: MFA is commonly required before privileged access activation.


Question 6

What happens when the activation period ends?

A. Permissions are automatically removed
B. The account is deleted
C. The role becomes permanent
D. The user is blocked from signing in

Correct Answer: A

Explanation: PIM automatically removes elevated permissions after the configured duration expires.


Question 7

Which feature helps determine whether users still require privileged access?

A. Defender for Endpoint
B. Mail flow rules
C. Access reviews
D. Data loss prevention

Correct Answer: C

Explanation: Access reviews help organizations remove unnecessary privileges.


Question 8

Why do organizations prefer eligible assignments over permanent active assignments?

A. Eligible assignments require fewer licenses
B. Eligible assignments reduce standing administrative access
C. Eligible assignments eliminate the need for MFA
D. Eligible assignments disable audit logs

Correct Answer: B

Explanation: Temporary access reduces the attack surface and lowers risk.


Question 9

Which information can PIM audit logs capture?

A. Printer usage statistics
B. Browser history
C. Employee salaries
D. Role activations and approvals

Correct Answer: D

Explanation: PIM logs privileged activities such as activations, approvals, and assignments.


Question 10

Which role would commonly be managed through PIM?

A. Marketing Coordinator
B. Sales Representative
C. Global Administrator
D. Receptionist

Correct Answer: C

Explanation: Administrative roles with elevated permissions are ideal candidates for PIM management.



Use the appropriate tools to review audit logs for user and admin activity (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Use the appropriate tools to review audit logs for user and admin activity



Introduction

Monitoring user and administrator actions is an essential part of Microsoft 365 security and governance. Organizations must be able to determine:

  • Who performed an action.
  • What action occurred.
  • When the activity occurred.
  • Which resource was affected.
  • Whether the activity was expected or suspicious.

Microsoft 365 provides several audit and logging tools that help administrators investigate security incidents, track administrative changes, support compliance requirements, and troubleshoot user issues.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand the purpose of audit logs and know which tools are used to review user and administrator activity.


What Are Audit Logs?

Audit logs are records of activities performed within Microsoft 365 services.

They help organizations:

  • Detect suspicious behavior.
  • Investigate incidents.
  • Meet regulatory requirements.
  • Track administrative changes.
  • Support forensic investigations.
  • Verify user actions.

Audit logs provide visibility into activities occurring across Microsoft 365 environments.


Types of Activities Recorded

Microsoft 365 audit logs can capture actions such as:

User Activities

  • Signing in
  • Accessing files
  • Sharing documents
  • Creating Teams messages
  • Deleting files
  • Downloading content

Administrator Activities

  • Resetting passwords
  • Creating users
  • Assigning licenses
  • Modifying policies
  • Creating groups
  • Changing permissions

Service Activities

  • Mailbox operations
  • SharePoint changes
  • Teams events
  • Security configuration changes

Unified Audit Log

The primary audit tool in Microsoft 365 is the Unified Audit Log.

The Unified Audit Log collects events from multiple Microsoft 365 services, including:

  • Microsoft Entra ID
  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Microsoft Teams
  • Microsoft Purview
  • Microsoft Defender
  • Power Platform services

Instead of reviewing separate logs for every service, administrators can search centrally.


Microsoft Purview Audit

The Unified Audit Log is accessed through Microsoft Purview.

Administrators can:

  • Search activities by user.
  • Search by date range.
  • Filter by workload.
  • Filter by activity type.
  • Export results.

This centralized approach simplifies investigations.


Common Search Filters

Administrators commonly filter audit logs by:

User

Example:

user1@contoso.com

Activity

Examples:

  • File deleted
  • Mailbox accessed
  • User added
  • Password reset

Date and Time

Investigations often focus on a specific period.

Workload

Examples:

  • SharePoint
  • Exchange
  • Teams
  • Entra ID

These filters narrow results and improve efficiency.


Microsoft Entra Sign-In Logs

Sign-in logs are separate from the Unified Audit Log and focus specifically on authentication activity.

Sign-in logs record:

  • Successful sign-ins
  • Failed sign-ins
  • IP addresses
  • Device information
  • Authentication methods used
  • Conditional Access results

Sign-in logs are commonly used to troubleshoot access issues and investigate suspicious login attempts.


Audit Logs vs Sign-In Logs

Students frequently confuse these two tools.

Sign-In Logs

Focus on:

  • Authentication attempts
  • MFA events
  • Conditional Access outcomes
  • Login locations

Audit Logs

Focus on:

  • User actions after authentication
  • Administrative changes
  • File access
  • Configuration modifications

Both are important, but they serve different purposes.
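The investigation described in the Microsoft Purview Audit, Common Search Filters and Audit Logs vs Sign-In Logs sections, as an added example that is not part of this page: it answers "who changed a Conditional Access policy in the last week?" from the Unified Audit Log, exports the result, and then pulls the actor's sign-in events from Microsoft Entra to show what each log does and does not contain. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an account permitted to search the audit log and read sign-in logs, and a seven-day window chosen for the example.

```powershell
# Added example (not part of the page): Unified Audit Log search for Conditional
# Access policy changes, export, and the matching Entra sign-in events.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules and the scopes below.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# --- Unified Audit Log: Entra ID operations, narrowed to Conditional Access policies ---
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
             -RecordType AzureActiveDirectory -ResultSize 5000 |
           Where-Object Operations -like "*conditional access policy*"

# AuditData is a JSON string; expand the fields an investigator needs.
$changes = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $d.CreationTime
        Actor     = $d.UserId
        Operation = $d.Operation
        Policy    = $d.ObjectId      # object id of the policy that was changed
        ClientIP  = $d.ClientIP
    }
}
$changes | Sort-Object When | Format-Table -AutoSize
$changes | Export-Csv -Path .\ca-policy-changes.csv -NoTypeInformation   # hand-off to SIEM or ticket

# --- Entra sign-in logs: was the actor's session the one you expect? ---
# Sign-in logs hold authentication detail (IP, app, CA result); the audit log holds the action.
$actor = ($changes | Sort-Object When | Select-Object -First 1).Actor
$since = $start.ToUniversalTime().ToString("yyyy-MM-dd\THH:mm:ss\Z")
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$actor' and createdDateTime ge $since" -Top 50 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ConditionalAccessStatus,
        @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure $($_.Status.ErrorCode)" } } } |
    Format-Table -AutoSize
```

The Operations filter is applied client-side so it does not depend on the exact operation string; in a large tenant, narrow the window instead of raising ResultSize, since Search-UnifiedAuditLog returns at most 5000 records per call. Correlating the ClientIP from the audit record with the IpAddress of the sign-in that preceded it is the quickest way to tell a legitimate admin session from a stolen one.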


Examples of Audit Events

Exchange Online

Events may include:

  • Mailbox access
  • Email deletions
  • Mailbox permission changes

SharePoint Online

Events may include:

  • File creation
  • File downloads
  • File sharing

Microsoft Teams

Events may include:

  • Team creation
  • Channel creation
  • Membership changes

Microsoft Entra ID

Events may include:

  • User creation
  • Group modifications
  • Role assignments

Reviewing Administrator Activity

Audit logs help determine:

  • Which administrator made a change.
  • When the change occurred.
  • Which object was affected.

Examples include:

  • Password resets.
  • License assignments.
  • Group membership changes.
  • Conditional Access policy modifications.

This provides accountability and supports change tracking.


Reviewing User Activity

Audit logs can help answer questions such as:

  • Did a user delete a file?
  • Was a document downloaded?
  • Was information shared externally?
  • When did the action occur?

This information is valuable during investigations and compliance reviews.


Audit Logs and Microsoft 365 Copilot

Microsoft 365 Copilot works over the same Microsoft 365 data sources (mail, files, chats, sites) that the audit log already covers, and it honors the permissions of the user who issues the prompt.

Audit capabilities help organizations monitor:

  • User access to content.
  • Sharing activities.
  • Administrative changes affecting Copilot environments.
  • Compliance investigations involving AI-related workflows.

Copilot prompts and the responses returned to the user are themselves recorded in the Unified Audit Log as Copilot interaction events, so the same search, filter and export workflow applies to AI usage. Copilot uses the existing Microsoft 365 security and compliance framework rather than a separate one.


Microsoft Defender XDR and Advanced Investigations

Microsoft Defender XDR can correlate events across:

  • Identities
  • Devices
  • Email
  • Applications

This provides a broader security perspective when investigating incidents.

While audit logs show individual events, Defender XDR helps connect related activities.


Retention of Audit Logs

Audit logs are retained for a period that depends on the organization's auditing license:

  • Audit (Standard), included with most Microsoft 365 subscriptions, retains records for 180 days.
  • Audit (Premium), included with higher-tier licensing such as E5, retains records for one year by default, and a 10-Year Audit Log Retention add-on extends that further.

For AB-900, understand that retention periods vary by license type and that records older than the retention period cannot be recovered, so long-term needs are met by exporting or forwarding logs to a SIEM.


Exporting Audit Results

Administrators can export audit results for:

  • Incident response.
  • Compliance reporting.
  • External investigations.
  • Long-term analysis.

Exported data can be reviewed using spreadsheets or SIEM solutions.


Best Practices

Review Logs Regularly

Continuous monitoring helps detect issues early.

Use Filters

Filtering speeds investigations.

Protect Administrator Accounts

Administrative actions should always be auditable.

Enable MFA

Secure accounts that have access to audit data.

Maintain Least Privilege

Limit who can access sensitive logs.

Retain Logs Appropriately

Ensure audit records meet organizational requirements.


Important Exam Tips

Remember these AB-900 concepts:

  • The Unified Audit Log is the primary Microsoft 365 audit tool.
  • Microsoft Purview provides access to audit searches.
  • Audit logs track actions performed after authentication.
  • Sign-in logs focus on authentication events.
  • Audit logs support investigations and compliance.
  • Administrator changes are recorded.
  • User activities can be searched and reviewed.
  • Microsoft 365 Copilot relies on the same audit and compliance framework.
  • Exporting logs supports reporting and analysis.
  • Retention periods vary by license.

Practice Exam Questions

Question 1

Which Microsoft 365 feature provides centralized auditing across multiple services?

A. Microsoft Planner
B. Windows Event Viewer
C. Unified Audit Log
D. Microsoft Lists

Correct Answer: C

Explanation: The Unified Audit Log aggregates events from multiple Microsoft 365 services into a single searchable location.


Question 2

Which portal is commonly used to access audit searches?

A. Exchange admin center
B. Teams admin center
C. Microsoft Purview
D. SharePoint admin center

Correct Answer: C

Explanation: Microsoft Purview provides access to auditing and compliance features, including audit searches.


Question 3

Which activity would typically appear in an audit log?

A. Administrator resets a user’s password.
B. Monitor brightness changes.
C. Printer toner replacement.
D. CPU temperature fluctuations.

Correct Answer: A

Explanation: Administrative actions such as password resets are recorded in audit logs.


Question 4

Which log type focuses primarily on authentication events?

A. Microsoft Entra sign-in logs
B. SharePoint recycle bin logs
C. Unified Audit Log
D. Exchange message trace logs

Correct Answer: A

Explanation: Sign-in logs capture authentication attempts, MFA information, and Conditional Access outcomes.


Question 5

Which Microsoft 365 service records file downloads and sharing activities?

A. SharePoint Online audit events
B. Windows Registry
C. BIOS settings
D. Active Directory Sites and Services

Correct Answer: A

Explanation: SharePoint audit events track document-related activities.


Question 6

An administrator wants to determine who changed a Conditional Access policy. Which tool should be used?

A. Windows Device Manager
B. Unified Audit Log
C. Outlook rules wizard
D. Microsoft Paint

Correct Answer: B

Explanation: Administrative changes are captured within Microsoft 365 audit records.


Question 7

What is a major difference between audit logs and sign-in logs?

A. Audit logs only store Exchange events.
B. Sign-in logs are used exclusively for Teams.
C. Audit logs track actions after authentication, while sign-in logs track authentication attempts.
D. Sign-in logs cannot be searched.

Correct Answer: C

Explanation: Sign-in logs focus on access attempts, while audit logs record actions performed after access is granted.


Question 8

Which filter can help narrow audit search results?

A. User name
B. Date range
C. Activity type
D. All of the above

Correct Answer: D

Explanation: Audit searches support multiple filters to improve investigation efficiency.


Question 9

Why are audit logs important for compliance investigations?

A. They increase internet bandwidth.
B. They provide records of user and administrator actions.
C. They automatically block attacks.
D. They create Conditional Access policies.

Correct Answer: B

Explanation: Audit records provide evidence of activities that occurred within Microsoft 365.


Question 10

Which statement about Microsoft 365 Copilot and auditing is correct?

A. Copilot bypasses audit logging.
B. Copilot disables Microsoft Purview.
C. Copilot uses a separate audit system unrelated to Microsoft 365.
D. Copilot operates within the existing Microsoft 365 compliance and auditing framework.

Correct Answer: D

Explanation: Microsoft 365 Copilot relies on the same security, compliance, and audit infrastructure used throughout Microsoft 365.



Interpret Identity Secure Score in Microsoft Entra ID (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Interpret Identity Secure Score in Microsoft Entra ID



Introduction

Modern organizations face increasing identity-related threats such as password attacks, credential theft, phishing, and unauthorized access attempts. To help organizations measure and improve their identity security posture, Microsoft provides Identity Secure Score within Microsoft Entra ID.

Identity Secure Score gives administrators a numerical representation of how well identity security best practices are being implemented. It also provides actionable recommendations that can strengthen security and reduce risk.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand:

  • What Identity Secure Score is.
  • Where it is located.
  • How scores are calculated.
  • What recommendations are provided.
  • How administrators can use the score to improve identity security.

What Is Identity Secure Score?

Identity Secure Score is a feature in Microsoft Entra ID that measures the effectiveness of an organization’s identity security controls.

It:

  • Evaluates current identity configurations.
  • Assigns points for implemented security controls.
  • Provides recommendations for improvements.
  • Helps organizations prioritize security actions.
  • Tracks progress over time.

Identity Secure Score focuses specifically on identity-related security rather than overall Microsoft 365 security.


Purpose of Identity Secure Score

The primary goals are to:

  • Reduce identity-based risks.
  • Encourage adoption of security best practices.
  • Provide visibility into security weaknesses.
  • Help administrators prioritize improvements.
  • Measure progress over time.

Identity Secure Score serves as both an assessment tool and a roadmap for improving identity security.


Where to Find Identity Secure Score

Identity Secure Score is available in the Microsoft Entra admin center.

Administrators can:

  1. Open Microsoft Entra admin center.
  2. Navigate to Protection.
  3. Select Identity Secure Score.

The dashboard displays:

  • Current score
  • Maximum possible score
  • Percentage achieved
  • Improvement actions
  • Trends over time

How the Score Is Calculated

The score is based on the implementation of recommended identity security controls.

Examples include:

  • Enabling multifactor authentication (MFA)
  • Using Conditional Access policies
  • Eliminating legacy authentication
  • Protecting privileged accounts
  • Registering authentication methods
  • Using passwordless authentication

Each completed recommendation contributes points toward the overall score.

Example

Suppose an organization:

  • Enables MFA for administrators.
  • Disables legacy authentication.
  • Implements Conditional Access.

These completed actions increase the Identity Secure Score.


Understanding the Score

A higher score generally indicates stronger identity protection.

However:

  • Identity Secure Score is not a guarantee of security.
  • A lower score does not necessarily mean the organization is compromised.
  • The score should be viewed as guidance rather than a compliance requirement.

The goal is continuous improvement rather than achieving a perfect score.


Improvement Actions

Identity Secure Score provides recommendations called improvement actions.

Each action includes:

  • Description of the recommendation.
  • Security benefits.
  • Number of points available.
  • Current implementation status.
  • Links to documentation.

Administrators can prioritize actions with the greatest security impact.


Examples of Improvement Actions

Common recommendations include:

Enable MFA for Administrators

Protects highly privileged accounts from compromise.

Enable MFA for Users

Reduces risks associated with stolen passwords.

Require Authentication Method Registration

Ensures users can complete MFA challenges.

Block Legacy Authentication

Prevents older protocols that bypass modern security controls.

Use Conditional Access Policies

Provides risk-based access control.

Protect Privileged Roles

Adds additional protection to administrator accounts.


Score Categories

Recommendations are grouped into categories such as:

Identity Protection

Improves defenses against compromised identities.

Authentication

Strengthens user sign-in methods.

Privileged Access

Secures administrative accounts.

Access Control

Implements Conditional Access and related protections.

Device Security

Ensures devices meet required standards.

These categories help administrators focus on specific security areas.


Trending and Historical Views

Identity Secure Score tracks changes over time.

Administrators can:

  • Monitor improvements.
  • Measure progress after implementing controls.
  • Demonstrate security enhancements to leadership.
  • Identify periods when scores decreased.

Historical trends support long-term security planning.
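Reading the data behind the How the Score Is Calculated, Improvement Actions and Trending sections through Microsoft Graph, as an added example that is not part of this page. It relies on the page's own statement that Identity Secure Score is the identity subset of Microsoft Secure Score: the Graph secureScores resource exposes daily snapshots, and the block keeps only the controls whose category is Identity. It assumes the Microsoft.Graph module, the SecurityEvents.Read.All scope, and that each control score's ControlName matches the id of its control profile (the mapping used to look up titles and maximum points).

```powershell
# Added example (not part of the page): Identity Secure Score data via Microsoft
# Graph. Assumes the Microsoft.Graph module, SecurityEvents.Read.All, and that
# controlScore.ControlName equals secureScoreControlProfile.Id.
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# Last 30 daily snapshots, newest first.
$snapshots = @(Get-MgSecuritySecureScore -Top 30)
$today     = $snapshots | Select-Object -First 1
$identity  = @($today.ControlScores | Where-Object ControlCategory -eq 'Identity')

# Identity portion of today's score: each implemented control contributes its points.
$identityPoints = ($identity | Measure-Object -Property Score -Sum).Sum
"Overall: $($today.CurrentScore) / $($today.MaxScore); Identity controls scored: $identityPoints"

# Improvement actions: identity controls with points still available, ranked by remaining impact.
$profiles = @(Get-MgSecuritySecureScoreControlProfile -All | Where-Object ControlCategory -eq 'Identity')
$open = foreach ($c in $identity) {
    $p = $profiles | Where-Object Id -eq $c.ControlName
    if ($p -and $c.Score -lt $p.MaxScore) {
        [pscustomobject]@{
            Action     = $p.Title        # e.g. require MFA for administrative roles
            Earned     = $c.Score
            Available  = $p.MaxScore
            Remaining  = $p.MaxScore - $c.Score
            UserImpact = $p.UserImpact   # helps weigh a high-point action against user friction
        }
    }
}
$open | Sort-Object Remaining -Descending | Format-Table -AutoSize

# Trend: the identity portion of the score for each of the last 30 days.
$snapshots | ForEach-Object {
    [pscustomobject]@{
        Date     = $_.CreatedDateTime.ToString('yyyy-MM-dd')
        Identity = ($_.ControlScores | Where-Object ControlCategory -eq 'Identity' |
                    Measure-Object -Property Score -Sum).Sum
    }
} | Sort-Object Date | Format-Table -AutoSize
```

Sorting open actions by Remaining points reproduces the "focus on high-impact actions first" advice; reading UserImpact alongside it is how an administrator decides whether a high-point action (such as blocking legacy authentication) needs a pilot before tenant-wide rollout. A day on which the Identity value drops in the trend table usually means a control was disabled or Microsoft re-weighted it, and is worth checking in the audit log.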


Comparing with Similar Organizations

Microsoft may provide benchmark information showing how an organization’s score compares with similar tenants.

This allows organizations to:

  • Understand industry averages.
  • Identify areas needing attention.
  • Set realistic improvement goals.

These comparisons are informational and should not replace security requirements specific to the organization.


Relationship to Microsoft Secure Score

Students often confuse these two tools.

Identity Secure Score

Focuses specifically on:

  • Users
  • Authentication
  • Identity protection
  • Conditional Access
  • Privileged access

Microsoft Secure Score

Measures security across Microsoft 365 services, including:

  • Identity
  • Devices
  • Applications
  • Data
  • Email
  • Collaboration services

Identity Secure Score is therefore a subset of overall security improvement efforts.


Identity Secure Score and Microsoft 365 Copilot

Microsoft 365 Copilot relies on Microsoft Entra identities for access.

Weak identity controls can increase the risk of:

  • Unauthorized access to Copilot.
  • Exposure of sensitive organizational data.
  • Compromised accounts using AI tools improperly.

Improving Identity Secure Score indirectly strengthens the security posture of Microsoft 365 Copilot environments.


Best Practices

Enable Multifactor Authentication

MFA is one of the most valuable security controls.

Protect Administrator Accounts

Privileged users should have additional safeguards.

Eliminate Legacy Authentication

Older protocols often bypass modern protections.

Use Conditional Access

Apply adaptive access policies based on risk.

Review Recommendations Regularly

Identity threats evolve continuously.

Focus on High-Impact Actions First

Not all recommendations provide equal security value.


Important Exam Tips

For AB-900, remember:

  • Identity Secure Score is found in Microsoft Entra ID.
  • It measures identity security posture.
  • Scores increase when recommended controls are implemented.
  • Improvement actions provide guidance and point values.
  • Identity Secure Score is different from Microsoft Secure Score.
  • MFA and Conditional Access commonly improve the score.
  • The score helps prioritize security improvements.
  • Historical trends show progress over time.
  • A perfect score is not required.
  • Microsoft 365 Copilot security depends on strong identities.

Practice Exam Questions

Question 1

What is the primary purpose of Identity Secure Score?

A. Measure and improve identity security posture
B. Track SharePoint storage usage
C. Monitor Exchange mailbox size
D. Manage Teams channels

Correct Answer: A

Explanation: Identity Secure Score evaluates identity security controls and provides recommendations for improvement.


Question 2

Where can administrators access Identity Secure Score?

A. Teams admin center
B. Exchange admin center
C. Microsoft Entra admin center
D. SharePoint admin center

Correct Answer: C

Explanation: Identity Secure Score is located within the Microsoft Entra admin center under Protection.


Question 3

Which action would typically increase Identity Secure Score?

A. Deleting Teams channels
B. Enabling multifactor authentication
C. Creating additional mailboxes
D. Increasing OneDrive storage

Correct Answer: B

Explanation: MFA is a recommended identity security control and contributes points to the score.


Question 4

What does a higher Identity Secure Score generally indicate?

A. Increased mailbox capacity
B. Stronger identity security posture
C. More SharePoint sites
D. Better Teams performance

Correct Answer: B

Explanation: Higher scores reflect the implementation of more recommended identity protections.


Question 5

Which information is provided with an improvement action?

A. Available point value and security benefit
B. Teams meeting recordings
C. Exchange message traces
D. OneDrive storage quotas

Correct Answer: A

Explanation: Improvement actions include descriptions, benefits, and associated points.


Question 6

Which recommendation commonly appears in Identity Secure Score?

A. Increase mailbox size limits
B. Add Teams emojis
C. Disable legacy authentication
D. Create more SharePoint libraries

Correct Answer: C

Explanation: Legacy authentication is a common attack vector, and disabling it improves security.


Question 7

What is one benefit of historical trend information?

A. It increases license counts automatically.
B. It allows organizations to track security improvements over time.
C. It creates Conditional Access policies automatically.
D. It backs up SharePoint sites.

Correct Answer: B

Explanation: Historical trends help administrators measure progress and evaluate changes.


Question 8

How does Identity Secure Score differ from Microsoft Secure Score?

A. Identity Secure Score measures device storage.
B. Microsoft Secure Score only evaluates Exchange Online.
C. Identity Secure Score focuses specifically on identity security controls.
D. Microsoft Secure Score only applies to Copilot.

Correct Answer: C

Explanation: Identity Secure Score concentrates on authentication and identity protection, while Microsoft Secure Score covers broader Microsoft 365 security.


Question 9

Which statement about a perfect Identity Secure Score is correct?

A. It guarantees the organization cannot be compromised.
B. It is legally required for Microsoft 365 tenants.
C. It automatically enables all security features.
D. It is not required; continuous improvement is the goal.

Correct Answer: D

Explanation: Secure Score is intended as guidance and a tool for ongoing security enhancement.


Question 10

Why is Identity Secure Score important for Microsoft 365 Copilot?

A. Copilot stores Secure Score values inside Word documents.
B. Copilot uses Microsoft Entra identities for access to organizational data.
C. Copilot disables Conditional Access policies.
D. Copilot replaces Microsoft Entra authentication.

Correct Answer: B

Explanation: Strong identity controls help protect Copilot and the data it can access.



Identify the appropriate tools to troubleshoot common sign-in issues (multifactor authentication [MFA], conditional access, and risky sign-ins) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Identify the appropriate tools to troubleshoot common sign-in issues (multifactor authentication [MFA], conditional access, and risky sign-ins)



Introduction

Identity security is one of the foundations of Microsoft 365. Users depend on secure and reliable access to services such as Outlook, Teams, SharePoint, OneDrive, and Microsoft 365 Copilot. When users cannot sign in, administrators must determine the cause and resolve the issue quickly.

Microsoft provides several tools within Microsoft Entra, Microsoft 365, and Microsoft Defender to diagnose and troubleshoot sign-in problems related to:

  • Multi-Factor Authentication (MFA)
  • Conditional Access policies
  • Risky sign-ins
  • Identity Protection alerts
  • Account lockouts
  • Authentication failures

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand which tools are used to investigate and resolve these common issues.


Common Causes of Sign-In Problems

Users may experience sign-in failures because of:

  • Incorrect passwords
  • Expired credentials
  • Multi-Factor Authentication failures
  • Conditional Access policies
  • Blocked locations
  • Device compliance requirements
  • Risky sign-ins detected by Microsoft Entra
  • Account lockouts
  • Disabled user accounts

Troubleshooting begins by identifying which security control is preventing access.


Microsoft Entra Admin Center

The Microsoft Entra admin center is the primary location for troubleshooting identity-related problems.

Administrators can:

  • View users and groups.
  • Reset passwords.
  • Review authentication methods.
  • Investigate sign-in activity.
  • Examine Conditional Access policies.
  • Review risky users and risky sign-ins.

Many sign-in investigations begin here.


Sign-In Logs

One of the most important troubleshooting tools is the Sign-In Logs page in Microsoft Entra.

Sign-in logs provide information such as:

  • User account involved
  • Time of sign-in attempt
  • Success or failure status
  • IP address
  • Location
  • Device information
  • Authentication method used
  • Applications being accessed
  • Conditional Access results

Example

A user reports they cannot access Teams.

The sign-in log may show:

Failure reason: Conditional Access policy requires a compliant device.

This immediately points administrators toward the root cause.


Authentication Methods

Administrators can review a user’s configured authentication methods.

Examples include:

  • Microsoft Authenticator app
  • SMS verification
  • Phone calls
  • FIDO2 security keys
  • Passkeys

Problems may occur if:

  • A user changes phones.
  • The Authenticator app is deleted.
  • Authentication methods are not registered.

Administrators can help users re-register their methods if necessary.


Troubleshooting Multi-Factor Authentication (MFA)

MFA issues commonly involve:

Missing Registration

The user never enrolled in MFA.

Lost Device

The user replaced or lost their phone.

Notification Problems

Push notifications are not being received.

Incorrect Verification Method

The user is attempting to use an outdated authentication method.

Blocked Authentication

Security policies may prevent certain authentication methods.


Authentication Methods Policy

Administrators can review authentication method policies to verify:

  • Which methods are allowed.
  • Which users are targeted.
  • Whether a method has been disabled.

If SMS authentication has been disabled, users relying on text messages may be unable to complete MFA.


Conditional Access Troubleshooting

Conditional Access policies are a common source of access problems.

Examples include:

  • Requiring MFA
  • Blocking certain countries
  • Requiring compliant devices
  • Restricting specific applications

A user may have valid credentials but still be denied access because a policy condition is not satisfied.


Conditional Access Insights

The Conditional Access tab in sign-in logs helps administrators understand:

  • Which policies were evaluated.
  • Which policies applied.
  • Why access was granted or denied.

Example

The log may indicate:

Access blocked because device is not compliant.

This allows administrators to identify the exact policy causing the issue.


What-If Tool

The Conditional Access What-If tool allows administrators to simulate access scenarios.

Administrators can test:

  • User identity
  • Device platform
  • Location
  • Application

The tool predicts which policies would apply without affecting production users.

This is extremely helpful when diagnosing policy conflicts.


Risky Sign-Ins

Microsoft Entra Identity Protection analyzes sign-in behavior and detects suspicious activity.

Examples include:

  • Impossible travel
  • Anonymous IP addresses
  • Malware-linked addresses
  • Unfamiliar locations

A sign-in may be blocked even when the password is correct.


Risky Users

A user may be flagged as risky because:

  • Credentials were leaked.
  • Suspicious activity was detected.
  • Malware activity was associated with the account.

Risk levels include:

  • Low
  • Medium
  • High

Administrators can review and remediate risky users.


Identity Protection Dashboard

The Identity Protection dashboard helps administrators investigate:

  • Risky users
  • Risky sign-ins
  • Risk detections

Administrators can:

  • Confirm compromise.
  • Dismiss false positives.
  • Require password resets.
  • Restore access.

Password Reset Tools

Users who forget passwords can use:

Self-Service Password Reset (SSPR)

Allows users to reset passwords without contacting IT.

Benefits include:

  • Faster recovery
  • Reduced help desk workload
  • Improved productivity

Administrators can also manually reset passwords when necessary.


Account Status

Administrators should verify whether:

  • The account is enabled.
  • The user license is assigned.
  • The account has been deleted.
  • Sign-in is blocked.

Sometimes the simplest explanation is the correct one.


Device Compliance Issues

Conditional Access often integrates with Microsoft Intune.

Users may be blocked because:

  • Device encryption is disabled.
  • Operating systems are outdated.
  • Antivirus requirements are unmet.
  • Devices are unmanaged.

Administrators can review compliance status in Intune.


Common Troubleshooting Workflow

Step 1: Verify User Account

  • Is the account active?
  • Is the correct license assigned?

Step 2: Review Sign-In Logs

  • Determine why authentication failed.

Step 3: Check MFA

  • Verify authentication methods.

Step 4: Review Conditional Access

  • Identify policies that blocked access.

Step 5: Review Risk Detections

  • Investigate risky users or risky sign-ins.

Step 6: Remediate

  • Reset password.
  • Re-register MFA.
  • Update device compliance.
  • Modify policy if appropriate.
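The six-step workflow above, as an added example that is not part of the original post: a small Python triage script that reads a constructed sign-in log export (shaped like the Microsoft Graph signIn resource; the records, policy names and UPNs are invented) and maps each failed sign-in to the step an administrator should start at, listing the blocking Conditional Access policies and flagging risky sign-ins. The AADSTS error codes are well-known ones; grouping them into workflow steps is this example's own choice, not a Microsoft mapping.

```python
import json
from collections import Counter
from typing import Any

# Well-known AADSTS error codes; grouping them into the post's workflow steps
# is this example's own choice, not a Microsoft mapping.
ACCOUNT_CODES = {50126: "invalid username or password",
                 50057: "user account is disabled",
                 50053: "account locked by smart lockout"}
MFA_CODES = {50076: "MFA required but not completed",
             50074: "strong authentication required"}
CA_CODES = {53000: "device not compliant",
            53003: "blocked by Conditional Access policy"}

# Constructed sample export (not real tenant data). Field names mirror the
# Microsoft Graph signIn resource; values are invented.
SAMPLE_SIGNIN_LOG = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 53000, "failureReason": "Device is not compliant"},
     "conditionalAccessStatus": "failure", "riskLevelDuringSignIn": "none",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device for Office 365", "result": "failure"},
         {"displayName": "Require MFA for all users", "result": "success"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook",
     "status": {"errorCode": 50076, "failureReason": "MFA required"},
     "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "none",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "SharePoint Online",
     "status": {"errorCode": 50057, "failureReason": "User account is disabled"},
     "conditionalAccessStatus": "notApplied", "riskLevelDuringSignIn": "none",
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Microsoft 365 Copilot",
     "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
     "conditionalAccessStatus": "failure", "riskLevelDuringSignIn": "high",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block high-risk sign-ins", "result": "failure"}]},
    {"userPrincipalName": "erin@contoso.example", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "none",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success"}]},
])

def triage(record: dict[str, Any]) -> dict[str, Any]:
    """Map one sign-in record to the workflow step an admin should start at."""
    status = record.get("status", {})
    code, reason = status.get("errorCode", 0), status.get("failureReason", "")
    risk = record.get("riskLevelDuringSignIn", "none")
    result = {
        "user": record["userPrincipalName"],
        "app": record.get("appDisplayName", ""),
        "error_code": code,
        # Policies whose grant controls were not satisfied (the Conditional Access tab).
        "blocking_policies": [p["displayName"]
                              for p in record.get("appliedConditionalAccessPolicies", [])
                              if p.get("result") == "failure"],
        # Reported alongside the step: a risky sign-in needs review whatever blocked it.
        "risky": risk in ("low", "medium", "high"),
    }
    if code == 0:
        result.update(step=None, step_name="No action: sign-in succeeded", detail="")
    elif code in ACCOUNT_CODES:
        result.update(step=1, step_name="Verify user account", detail=ACCOUNT_CODES[code])
    elif code in MFA_CODES:
        result.update(step=3, step_name="Check MFA", detail=MFA_CODES[code])
    elif code in CA_CODES or record.get("conditionalAccessStatus") == "failure":
        result.update(step=4, step_name="Review Conditional Access",
                      detail=CA_CODES.get(code, reason))
    elif result["risky"]:
        result.update(step=5, step_name="Review risk detections", detail=f"risk level {risk}")
    else:
        result.update(step=2, step_name="Review sign-in logs",
                      detail=reason or f"unmapped error code {code}")
    return result

def triage_log(log_json: str) -> list[dict[str, Any]]:
    """Triage every record of an exported sign-in log (a JSON array)."""
    return [triage(r) for r in json.loads(log_json)]

def summarize(results: list[dict[str, Any]]) -> dict[str, int]:
    """Count records per workflow step for a quick help-desk overview."""
    return dict(Counter(r["step_name"] for r in results))
```

Running `triage_log(SAMPLE_SIGNIN_LOG)` sends alice and dave to the Conditional Access step (dave additionally flagged as risky), bob to the MFA step and carol to the account check, which is the order the workflow above prescribes.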

Microsoft 365 Copilot Sign-In Issues

Microsoft 365 Copilot uses the same identity infrastructure as Microsoft 365.

Therefore, problems involving:

  • MFA
  • Conditional Access
  • User permissions
  • Risky sign-ins

can also affect access to Copilot.

Copilot does not bypass Microsoft Entra security controls.


Best Practices

Enable Self-Service Password Reset

Reduce support calls and improve user productivity.

Require MFA

Protect accounts from password theft.

Review Sign-In Logs First

They often reveal the root cause quickly.

Test Policies Before Deployment

Use the What-If tool to avoid accidental lockouts.

Monitor Risk Detections

Respond quickly to compromised accounts.

Apply Least Privilege

Avoid overly broad permissions and exceptions.


Exam Tips

Remember these AB-900 concepts:

  • The Microsoft Entra admin center is the primary identity troubleshooting portal.
  • Sign-in logs provide detailed authentication information.
  • MFA problems often involve authentication methods.
  • Conditional Access policies can block otherwise valid sign-ins.
  • The What-If tool simulates policy results.
  • Risky sign-ins are detected by Identity Protection.
  • Risky users may require password resets.
  • Self-Service Password Reset helps users recover accounts.
  • Device compliance can affect access.
  • Microsoft 365 Copilot relies on the same identity controls as Microsoft 365.

Practice Exam Questions

Question 1

A user reports they cannot access Microsoft Teams even though their password is correct. Which tool should an administrator review first?

A. Microsoft Planner
B. SharePoint recycle bin
C. Exchange message trace
D. Sign-in logs in Microsoft Entra

Correct Answer: D

Explanation: Sign-in logs provide details about authentication attempts and often reveal the reason access failed.


Question 2

Which Microsoft portal is the primary location for investigating identity-related sign-in problems?

A. SharePoint admin center
B. Microsoft Entra admin center
C. Teams admin center
D. Exchange admin center

Correct Answer: B

Explanation: Microsoft Entra provides identity management and troubleshooting capabilities.


Question 3

A user receives an MFA prompt but no longer has their old phone. Which area should an administrator review?

A. Distribution groups
B. Shared mailboxes
C. Authentication methods
D. Mail flow rules

Correct Answer: C

Explanation: Authentication methods determine which MFA options are available to users.


Question 4

Which feature allows administrators to simulate how Conditional Access policies would affect a user?

A. Risk detections dashboard
B. Sign-in diagnostics
C. Password reset portal
D. Conditional Access What-If tool

Correct Answer: D

Explanation: The What-If tool predicts policy outcomes without affecting users.


Question 5

Which Microsoft capability identifies suspicious activities such as impossible travel?

A. Exchange Online Protection
B. Microsoft Lists
C. Identity Protection
D. SharePoint Syntex

Correct Answer: C

Explanation: Identity Protection analyzes sign-in behavior and detects potential compromises.


Question 6

A sign-in log shows that access was denied because the device is not compliant. Which Microsoft service commonly provides compliance information?

A. Microsoft Intune
B. Outlook
C. Planner
D. Word

Correct Answer: A

Explanation: Intune manages devices and reports compliance status used by Conditional Access.


Question 7

Which feature allows users to reset their own passwords without contacting IT?

A. Password Protection
B. Self-Service Password Reset (SSPR)
C. Secure Score
D. Message Encryption

Correct Answer: B

Explanation: SSPR enables users to recover access independently.


Question 8

Which information can administrators view in sign-in logs?

A. Printer serial numbers
B. Monitor resolutions
C. CPU temperatures
D. Authentication success or failure details

Correct Answer: D

Explanation: Sign-in logs contain information about sign-in attempts and their outcomes.


Question 9

Which type of event may cause Microsoft Entra to classify a sign-in as risky?

A. Impossible travel between locations
B. A full mailbox
C. Duplicate Teams channels
D. Deleted SharePoint folders

Correct Answer: A

Explanation: Impossible travel is one of the risk signals analyzed by Identity Protection.


Question 10

How are Microsoft 365 Copilot sign-in problems typically investigated?

A. Copilot uses a separate identity system.
B. Copilot bypasses Conditional Access.
C. Copilot relies on the same Microsoft Entra identity controls as Microsoft 365.
D. Copilot does not use MFA.

Correct Answer: C

Explanation: Copilot uses the same authentication and security infrastructure as other Microsoft 365 services.



Identify the appropriate security object to use in an organization (users and groups) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core security features of Microsoft 365 services
      --> Identify the appropriate security object to use in an organization (users and groups)



Introduction

Microsoft 365 uses identities and group memberships to control access to resources, applications, and data. Two of the most important security objects in Microsoft Entra ID and Microsoft 365 are users and groups.

Understanding when to use users and groups is fundamental to administering Microsoft 365 and securing resources. Rather than assigning permissions individually to every person, administrators can use groups to simplify access management and improve security.

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand the purpose of users and groups, their differences, and common scenarios for using each object.


Understanding Security Objects

A security object represents an identity or a collection of identities that can receive permissions and access rights.

Common Microsoft 365 security objects include:

  • Users
  • Groups
  • Service principals
  • Devices

For the AB-900 exam, the focus is primarily on users and groups.


Users

A user represents an individual identity that can authenticate and access Microsoft 365 resources.

Examples include:

  • Employees
  • Contractors
  • Students
  • Administrators

Each user account contains information such as:

  • Username (User Principal Name)
  • Display name
  • Email address
  • Assigned licenses
  • Group memberships
  • Authentication settings

Types of User Accounts

Member Users

Member users belong to the organization’s Microsoft Entra tenant.

Examples:

  • Employees
  • IT administrators
  • Internal staff

Member users typically receive:

  • Microsoft 365 licenses
  • Mailboxes
  • Teams access
  • SharePoint permissions

Guest Users

Guest users are external users invited into the organization through Microsoft Entra B2B collaboration.

Examples:

  • Vendors
  • Consultants
  • Business partners

Guest users:

  • Use their own credentials.
  • Access only resources that have been shared with them.
  • Typically do not require full Microsoft 365 licenses.

Why User Accounts Are Important

User accounts provide:

Authentication

Verifying identity during sign-in.

Authorization

Determining what resources users can access.

Auditing

Tracking activities performed by specific individuals.

Personalization

Providing personalized experiences across Microsoft 365.


Groups

A group is a collection of users that simplifies management.

Instead of assigning permissions individually to many users, administrators assign permissions to the group and then add users to that group.

Benefits include:

  • Easier administration
  • Consistent permissions
  • Reduced errors
  • Faster onboarding and offboarding

Why Groups Improve Security

Suppose 100 employees need access to a SharePoint site.

Without groups:

  • Permissions must be assigned to 100 individual users.

With groups:

  1. Create a group.
  2. Assign permissions once.
  3. Add users to the group.

This approach is:

  • Easier to manage.
  • More scalable.
  • Less likely to produce permission mistakes.

Types of Groups in Microsoft 365

Security Groups

Security groups are used primarily for assigning permissions.

Common uses:

  • SharePoint access
  • Conditional Access targeting
  • Application permissions
  • Device management

Example:

Finance Security Group

Members automatically inherit permissions assigned to the group.


Microsoft 365 Groups

Microsoft 365 groups provide collaboration capabilities in addition to membership management.

They can automatically provide:

  • Shared mailbox
  • Shared calendar
  • Teams workspace
  • SharePoint site
  • Planner resources

Example:

Marketing Team

Distribution Groups

Distribution groups are used mainly for email communication.

Purpose:

  • Send one email to multiple recipients.

Examples:

  • All Employees
  • Human Resources
  • Sales Department

Distribution groups do not provide collaboration resources like Teams or SharePoint sites.


Mail-Enabled Security Groups

These groups combine:

  • Security permissions
  • Email distribution capabilities

They are useful when a group needs both access permissions and email functionality.


Users vs Groups

Users                       Groups
Represent individuals       Represent collections of users
Authenticate directly       Do not sign in
Receive licenses            Usually do not receive licenses
Have personal settings      Share common permissions
Used for identity           Used for access management

When to Use Individual Users

Use user objects when:

  • Assigning licenses.
  • Managing authentication methods.
  • Configuring MFA.
  • Reviewing sign-in logs.
  • Managing personal mailboxes.

Examples:

  • Assigning a Microsoft 365 Copilot license.
  • Resetting a password.
  • Enabling MFA.

When to Use Groups

Use groups when:

  • Granting access to resources.
  • Assigning SharePoint permissions.
  • Managing Teams membership.
  • Applying Conditional Access policies.
  • Organizing departments.

Examples:

  • Finance team access to a SharePoint site.
  • Sales department access to Teams channels.
  • Applying a security policy to all administrators.

Group-Based Management

Microsoft Entra supports group-based administration.

Advantages include:

Simplified Administration

One change affects many users.

Reduced Errors

Permissions are applied consistently.

Faster Employee Onboarding

Adding a new employee to the correct groups automatically provides needed access.

Easier Offboarding

Removing users from groups quickly revokes access.


Dynamic Groups

Dynamic groups automatically add or remove users based on attributes.

Examples:

  • Department = Sales
  • Country = United States
  • Job title = Manager

Benefits:

  • Automation
  • Reduced administrative effort
  • Consistent membership
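To show how attribute-based membership is recalculated, here is an added example (not from the original post) that evaluates a small subset of Microsoft Entra dynamic membership rule syntax, such as (user.department -eq "Sales") -and (user.country -eq "United States"), over a constructed user directory and reports who would be added or removed when an attribute changes. It supports only -eq, -ne, -startsWith, -and, -or and parentheses; case-insensitive matching, the handling of missing attributes, and the rejection of mixed -and/-or chains without parentheses are this example's own simplifications, not the service's rules.

```python
import re

# One token: parenthesis, "quoted string", user.<attribute>, or -operator.
TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|user\.\w+|-\w+)')
COMPARISONS = {"-eq": lambda a, e: a == e, "-ne": lambda a, e: a != e,
               "-startswith": lambda a, e: a.startswith(e)}

# Constructed sample directory (not real accounts); keys follow Entra's user.<attribute> names.
USERS = {
    "alice@contoso.example": {"department": "Sales", "country": "United States",
                              "jobTitle": "Account Manager"},
    "bob@contoso.example": {"department": "Sales", "country": "Canada",
                            "jobTitle": "Sales Associate"},
    "carol@contoso.example": {"department": "Finance", "country": "United States",
                              "jobTitle": "Manager, Finance"},
    "dave@contoso.example": {"department": "Sales", "country": "United States"},
}

def tokenize(rule: str) -> list[str]:
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule near {rule[pos:pos + 15]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class RuleParser:  # recursive descent; builds nested tuples such as ('-and', A, B)
    def __init__(self, rule: str):
        self.tokens, self.i = tokenize(rule), 0

    def peek(self):  # lower-cased so operators are case-insensitive
        return self.tokens[self.i].lower() if self.i < len(self.tokens) else None

    def take(self) -> str:
        if self.i >= len(self.tokens):
            raise ValueError("unexpected end of rule")
        self.i += 1
        return self.tokens[self.i - 1]

    def parse(self) -> tuple:
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.take()!r}")
        return node

    def expr(self) -> tuple:
        node, op = self.term(), None
        while self.peek() in ("-and", "-or"):
            tok = self.take().lower()
            if op and tok != op:  # no precedence modelled: mixed chains need parentheses
                raise ValueError("parenthesise mixed -and / -or")
            op, node = tok, (tok, node, self.term())
        return node

    def term(self) -> tuple:
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        attr, op, value = self.take(), self.take().lower(), self.take()
        if not attr.startswith("user.") or op not in COMPARISONS or not value.startswith('"'):
            raise ValueError(f"bad comparison: {attr} {op} {value}")
        return (op, attr[5:], value.strip('"'))

def evaluate(node: tuple, attrs: dict) -> bool:
    op = node[0]
    if op in ("-and", "-or"):
        left, right = evaluate(node[1], attrs), evaluate(node[2], attrs)
        return (left and right) if op == "-and" else (left or right)
    actual = attrs.get(node[1])
    if actual is None:  # example's choice: a missing attribute only satisfies -ne
        return op == "-ne"
    return COMPARISONS[op](str(actual).lower(), node[2].lower())  # assumed case-insensitive

def compute_membership(rule: str, users: dict) -> list[str]:
    """Sorted UPNs the rule would place in the dynamic group right now."""
    tree = RuleParser(rule).parse()
    return sorted(upn for upn, attrs in users.items() if evaluate(tree, attrs))

def membership_delta(before: list[str], after: list[str]) -> tuple:
    """(added, removed) after attributes change and the rule is re-evaluated."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))
```

With the sample directory, the Sales/United States rule yields alice and dave; changing alice's department to Finance and re-evaluating returns her as removed, which is the automatic offboarding effect the section describes.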

Groups and Conditional Access

Conditional Access policies often target:

  • Users
  • Groups

Example:

Require MFA for all members of the IT Administrators group.

This is more efficient than configuring each administrator individually.


Groups and Microsoft 365 Copilot

Groups help manage access to resources used by Microsoft 365 Copilot.

Examples:

  • Teams membership
  • SharePoint permissions
  • Collaboration resources
  • Departmental content access

Because Copilot respects existing permissions, group memberships indirectly influence what content users can access through Copilot.


Best Practices

Assign Permissions to Groups Instead of Individuals

This improves scalability and consistency.

Use Security Groups for Access Management

Avoid assigning permissions directly to users whenever possible.

Use Microsoft 365 Groups for Collaboration

These groups support Teams, SharePoint, and Outlook integration.

Follow Least Privilege

Provide only the permissions users require.

Review Group Membership Regularly

Remove unnecessary access and outdated memberships.


Exam Tips

Remember these AB-900 concepts:

  • Users represent individual identities.
  • Groups represent collections of users.
  • Users authenticate; groups do not.
  • Security groups manage permissions.
  • Microsoft 365 groups support collaboration resources.
  • Distribution groups are primarily used for email.
  • Group-based management simplifies administration.
  • Dynamic groups automate membership.
  • Conditional Access policies can target groups.
  • Microsoft 365 Copilot respects permissions inherited through groups.

Practice Exam Questions

Question 1

Which security object represents an individual identity in Microsoft 365?

A. Distribution group
B. Microsoft 365 group
C. User account
D. Shared mailbox

Correct Answer: C

Explanation: A user account represents an individual who can authenticate and access Microsoft 365 resources.


Question 2

What is the primary advantage of using groups instead of assigning permissions individually?

A. Groups eliminate authentication requirements.
B. Groups simplify administration and provide consistent access.
C. Groups automatically assign licenses.
D. Groups replace Microsoft Entra ID.

Correct Answer: B

Explanation: Groups allow administrators to manage permissions for multiple users at once.


Question 3

Which type of group is primarily used for email distribution?

A. Security group
B. Microsoft 365 group
C. Dynamic group
D. Distribution group

Correct Answer: D

Explanation: Distribution groups are designed mainly for sending email messages to multiple recipients.


Question 4

Which object can sign in to Microsoft 365?

A. User account
B. Security group
C. Distribution group
D. Microsoft 365 group

Correct Answer: A

Explanation: Users authenticate directly, while groups are collections of users and cannot sign in.


Question 5

Which group type automatically provides collaboration resources such as a shared mailbox and SharePoint site?

A. Security group
B. Distribution group
C. Mail-enabled security group
D. Microsoft 365 group

Correct Answer: D

Explanation: Microsoft 365 groups provide collaboration services including Teams and SharePoint.


Question 6

A company wants to grant SharePoint access to an entire department. Which approach is recommended?

A. Assign permissions to each employee individually.
B. Create a security group and assign permissions to the group.
C. Create separate user accounts for each site.
D. Use a distribution group only.

Correct Answer: B

Explanation: Security groups simplify access management and reduce administrative effort.


Question 7

What is a dynamic group?

A. A group used only for Teams meetings.
B. A group with manually maintained memberships.
C. A group that sends email externally.
D. A group whose membership is automatically managed based on user attributes.

Correct Answer: D

Explanation: Dynamic groups automatically update membership according to configured rules.


Question 8

Which object is typically assigned Microsoft 365 licenses?

A. Security groups
B. Distribution groups
C. User accounts
D. Shared calendars

Correct Answer: C

Explanation: Licenses are generally assigned to individual users.


Question 9

Which statement about guest users is correct?

A. Guest users must always have Microsoft 365 licenses.
B. Guest users are external users invited to collaborate with the organization.
C. Guest users replace security groups.
D. Guest users cannot access SharePoint resources.

Correct Answer: B

Explanation: Guest users are external identities that can be granted access to shared resources.


Question 10

How do groups influence Microsoft 365 Copilot?

A. Groups allow Copilot to bypass permissions.
B. Groups disable Conditional Access.
C. Groups determine resource permissions that Copilot respects.
D. Groups automatically generate Copilot prompts.

Correct Answer: C

Explanation: Copilot uses existing Microsoft 365 permissions, many of which are granted through group memberships.

