Tag: Microsoft Purview

Search for files and emails by using Content Search in Microsoft Purview eDiscovery (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Search for files and emails by using Content Search in Microsoft Purview eDiscovery


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

This topic measures your understanding of how administrators and compliance professionals use Microsoft Purview eDiscovery Content Search to locate emails, documents, Teams conversations, and other Microsoft 365 content during investigations, audits, legal matters, and compliance activities.

For the AB-900 exam, you are not expected to become an eDiscovery specialist. Instead, you should understand:

  • The purpose of Content Search
  • What types of content can be searched
  • How searches work
  • Common search criteria
  • Permissions required
  • Typical use cases
  • How Content Search supports Microsoft 365 Copilot governance

What Is Microsoft Purview eDiscovery?

Microsoft Purview eDiscovery is a Microsoft Purview solution that helps organizations identify, preserve, search, review, and export electronically stored information (ESI).

It is commonly used for:

  • Internal investigations
  • Legal discovery
  • Regulatory compliance
  • Human resources investigations
  • Security investigations
  • Privacy requests
  • Audits

One of the most frequently used capabilities within eDiscovery is Content Search.


What Is Content Search?

Content Search allows administrators and investigators to search across Microsoft 365 for specific information without manually checking each user’s mailbox or files.

Instead of searching one mailbox at a time, Content Search can simultaneously search:

  • Exchange Online mailboxes
  • SharePoint Online sites
  • OneDrive accounts
  • Microsoft Teams messages
  • Viva Engage (Yammer) messages (where supported)
  • Microsoft 365 Groups
  • Copilot-related stored content (through underlying Microsoft 365 data)

Think of it as an enterprise-wide search engine designed for compliance investigations.


Why Organizations Use Content Search

Organizations perform Content Searches to:

  • Locate specific emails
  • Find confidential documents
  • Investigate insider threats
  • Respond to legal requests
  • Prepare evidence for court
  • Support compliance audits
  • Investigate data leaks
  • Review suspicious activity
  • Locate files related to AI-generated work

Where Content Search Is Located

Content Search is available in the Microsoft Purview portal under:

Microsoft Purview → eDiscovery

Administrators can:

  • Create searches
  • Edit searches
  • Run searches
  • Preview results
  • Export results (with appropriate permissions)

Content That Can Be Searched

Content Search supports many Microsoft 365 workloads.

Examples include:

Exchange Online

Searches include:

  • Emails
  • Calendar items
  • Contacts
  • Tasks
  • Attachments

Example:

Find every email containing a specific customer name.


SharePoint Online

Can search:

  • Documents
  • PDFs
  • Word files
  • Excel files
  • PowerPoint presentations
  • Lists

Example:

Locate every document containing a confidential project code.


OneDrive for Business

Searches users’ personal work files.

Example:

Find documents uploaded by an employee before they resigned.


Microsoft Teams

Can search:

  • Chat messages
  • Channel conversations
  • Shared files

Example:

Find Teams conversations discussing a confidential acquisition.


Microsoft 365 Groups

Includes:

  • Group mailboxes
  • Shared documents

How Content Search Works

A Content Search generally follows these steps.

Step 1

Create a search.


Step 2

Select locations.

Examples:

  • Specific mailbox
  • All mailboxes
  • OneDrive sites
  • SharePoint sites
  • Teams

Step 3

Define search conditions.

Examples:

  • Keywords
  • Dates
  • Senders
  • Recipients
  • File types

Step 4

Run the search.

Microsoft indexes the selected content and returns matching results.


Step 5

Review results.

Administrators can:

  • View statistics
  • Preview items
  • Refine search criteria

Step 6

Export results if necessary.

This is common during legal investigations.


Search Locations

Content Search allows searches across:

  • Individual mailboxes
  • Shared mailboxes
  • Distribution groups
  • SharePoint sites
  • OneDrive accounts
  • Microsoft Teams
  • Specific users
  • Entire organization

Common Search Criteria

Administrators can filter searches using many conditions.

Keywords

Search for:

  • Customer names
  • Project names
  • Product codes
  • Sensitive terms

Example:

Confidential

Sender

Locate messages sent by:

john@contoso.com

Recipient

Locate emails received by:

finance@contoso.com

Date Range

Example:

January 1 through March 31.

Useful during investigations.


File Type

Examples:

  • PDF
  • DOCX
  • XLSX
  • PPTX

File Name

Search for a specific document.

Example:

Budget2026.xlsx

Sensitive Information

When combined with Microsoft Purview classifications, administrators can search for:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Financial records

Keyword Query Language (KQL)

Content Search uses Keyword Query Language (KQL).

Administrators can build more advanced searches.

Examples include:

  • AND
  • OR
  • NOT
  • Parentheses
  • Property filters

Example:

Project AND Budget

Example:

Budget OR Forecast

Example:

Confidential NOT Draft

The AB-900 exam only expects a basic understanding that KQL enables more precise searches.
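The search criteria and KQL operators described above, combined into scripted searches run through Security & Compliance PowerShell. This is an added example, not part of the original post. It assumes the ExchangeOnlineManagement module and membership in an eDiscovery role group; the helper name Invoke-ScopedContentSearch, the search names, the year 2026, and the SharePoint site URL are illustrative assumptions.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# eDiscovery role group membership (for example eDiscovery Manager).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # connects to Security & Compliance PowerShell

function Invoke-ScopedContentSearch {
    # Hypothetical helper: creates a search limited to named locations,
    # runs it, waits for completion and returns the result statistics.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Query,
        [string[]]$ExchangeLocation,
        [string[]]$SharePointLocation,
        [int]$TimeoutSeconds = 900
    )

    # Search only necessary locations: refuse to run without an explicit scope.
    if (-not $ExchangeLocation -and -not $SharePointLocation) {
        throw 'Specify at least one location; this helper never searches the whole tenant by default.'
    }

    $params = @{ Name = $Name; ContentMatchQuery = $Query }
    if ($ExchangeLocation)   { $params.ExchangeLocation   = $ExchangeLocation }
    if ($SharePointLocation) { $params.SharePointLocation = $SharePointLocation }

    New-ComplianceSearch @params | Out-Null
    Start-ComplianceSearch -Identity $Name

    # Poll until the search completes or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $Name
    } while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

    if ($search.Status -ne 'Completed') {
        throw "Search '$Name' did not complete within $TimeoutSeconds seconds (status: $($search.Status))."
    }

    # Item count, total size and the query that was run; nothing is modified or exported.
    $search | Select-Object Name, Status, Items, Size, ContentMatchQuery
}

# Mail query: keywords, sender, recipient and date range joined with AND.
# The year 2026 is an assumption; the page gives only the month and day.
$mailQuery = @(
    '("Quarterly Budget" OR Forecast)'    # phrase in quotes, OR between keywords
    'from:john@contoso.com'               # sender
    'recipients:finance@contoso.com'      # To, Cc or Bcc
    'sent>=2026-01-01'                    # start of date range
    'sent<=2026-03-31'                    # end of date range
) -join ' AND '

# Document query: keyword with an exclusion, narrowed by file type or file name.
$docQuery = '(Confidential NOT Draft) AND (filetype:xlsx OR filename:"Budget2026.xlsx")'

# Sensitive information type query (uses Microsoft Purview classification).
$sitQuery = 'SensitiveType:"Credit Card Number"'

# Descriptive, unique search names; the site URL is a constructed placeholder.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$site  = 'https://contoso.sharepoint.com/sites/finance'

Invoke-ScopedContentSearch -Name "Budget mail review $stamp" -Query $mailQuery `
    -ExchangeLocation 'john@contoso.com', 'finance@contoso.com'

Invoke-ScopedContentSearch -Name "Budget documents review $stamp" -Query $docQuery `
    -SharePointLocation $site

Invoke-ScopedContentSearch -Name "Card numbers in finance site $stamp" -Query $sitQuery `
    -SharePointLocation $site
```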


Search Results

After a search completes, administrators receive:

  • Number of matching items
  • Number of locations searched
  • Total estimated size
  • Search statistics
  • Preview of matching items

The search does not automatically change or delete content.


Previewing Results

Before exporting data, investigators can preview:

  • Emails
  • Documents
  • Teams conversations

Previewing helps determine whether additional filtering is needed.


Exporting Results

Authorized users can export search results.

Exports may include:

  • PST files
  • Native Office documents
  • PDFs
  • Metadata
  • Reports

Exporting is commonly used for:

  • Courts
  • Attorneys
  • Regulatory agencies
  • Internal investigations

Permissions Required

Not every administrator can perform Content Searches.

Organizations typically assign permissions using Microsoft Purview role groups.

Common roles include:

  • eDiscovery Manager
  • eDiscovery Administrator
  • Compliance Administrator

Least privilege should always be followed.


Content Search vs eDiscovery Cases

These concepts are related but different.

| Content Search | eDiscovery Case |
|---|---|
| Searches content | Manages investigations |
| Can be run independently | Organizes legal matters |
| Finds information | Stores searches, holds, reviewers, exports |
| Useful for quick investigations | Useful for complete legal workflows |

Think of Content Search as one tool inside the broader eDiscovery process.


How Content Search Supports Microsoft 365 Copilot

Microsoft 365 Copilot retrieves information users already have permission to access.

If sensitive information exists within Microsoft 365:

  • Copilot may surface it to authorized users.
  • Administrators can use Content Search to identify where sensitive information is stored.
  • This helps organizations improve governance before deploying AI widely.

Examples include:

  • Confidential HR files
  • Financial reports
  • Intellectual property
  • Legal documents

Relationship with Other Microsoft Purview Features

Content Search works alongside many Purview capabilities.

Sensitivity Labels

Search labeled documents.


Data Loss Prevention (DLP)

Investigate DLP incidents.


Retention Policies

Locate retained content.


Insider Risk Management

Search content involved in investigations.


Audit

Correlate search results with user activities.


eDiscovery Premium

Use Content Search as part of advanced legal investigations.


Best Practices

Microsoft recommends that organizations:

  • Search only necessary locations.
  • Use descriptive search names.
  • Apply precise filters.
  • Limit access using least privilege.
  • Preview results before exporting.
  • Protect exported evidence.
  • Maintain audit logs.
  • Regularly review permissions.
  • Use Content Search together with retention and sensitivity labels.
  • Govern sensitive data before deploying Microsoft 365 Copilot broadly.

Key Exam Tips

Remember these important points for the AB-900 exam:

  • Content Search is part of Microsoft Purview eDiscovery.
  • It searches across Microsoft 365 services from one interface.
  • It can search Exchange, SharePoint, OneDrive, Teams, and other supported workloads.
  • Searches can be filtered by keywords, users, dates, file types, and other properties.
  • Search results can be previewed before export.
  • Appropriate permissions are required to perform searches.
  • Content Search helps organizations investigate compliance, legal, and security incidents.
  • It supports Microsoft 365 Copilot governance by helping organizations identify where sensitive information exists.

Practice Exam Questions

Question 1

An administrator needs to locate every email containing the phrase “Quarterly Budget” across the organization. Which Microsoft Purview feature should they use?

A. Communication Compliance

B. Content Search in eDiscovery

C. Insider Risk Management

D. Compliance Manager

Correct Answer: B

Explanation: Content Search enables administrators to search mailboxes, SharePoint sites, OneDrive, Teams, and other Microsoft 365 locations for keywords and other search criteria.


Question 2

Which Microsoft 365 workload can be searched by Microsoft Purview Content Search?

A. Exchange Online

B. Microsoft Teams

C. SharePoint Online

D. All of the above

Correct Answer: D

Explanation: Content Search supports multiple Microsoft 365 workloads, including Exchange Online, SharePoint Online, OneDrive, Teams, Microsoft 365 Groups, and more.


Question 3

Before exporting search results, what is the recommended action?

A. Delete duplicate items.

B. Apply a retention policy.

C. Preview the search results.

D. Disable auditing.

Correct Answer: C

Explanation: Previewing results helps verify that the search returned the intended items before exporting data.


Question 4

What is the primary purpose of Microsoft Purview Content Search?

A. Encrypt documents automatically.

B. Create sensitivity labels.

C. Monitor endpoint devices.

D. Locate content across Microsoft 365 for investigations and compliance.

Correct Answer: D

Explanation: Content Search is designed to find emails, files, chats, and other content across Microsoft 365 to support investigations, audits, and legal discovery.


Question 5

Which search criterion could an administrator use to narrow Content Search results?

A. Sender

B. File type

C. Date range

D. All of the above

Correct Answer: D

Explanation: Administrators can filter searches by numerous criteria, including sender, recipient, keywords, dates, and file types.


Question 6

Why is Content Search important for Microsoft 365 Copilot governance?

A. It trains Copilot models.

B. It identifies where sensitive information is stored so organizations can better govern AI access.

C. It automatically blocks Copilot prompts.

D. It creates Copilot licenses.

Correct Answer: B

Explanation: Understanding where sensitive information resides helps organizations apply appropriate governance before broad Copilot deployment.


Question 7

Which language provides advanced query capabilities for Content Search?

A. SQL

B. PowerShell

C. XPath

D. Keyword Query Language (KQL)

Correct Answer: D

Explanation: Content Search uses KQL to build advanced searches using keywords, logical operators, and property filters.


Question 8

Which statement about Content Search permissions is correct?

A. Every Microsoft 365 user can run organization-wide searches.

B. Only Global Administrators can perform Content Searches.

C. Appropriate Microsoft Purview roles are required to perform Content Searches.

D. Content Search requires no administrative permissions.

Correct Answer: C

Explanation: Organizations assign eDiscovery and compliance roles to authorized users who need to perform searches.


Question 9

A compliance investigator wants to search only documents stored in employees’ personal cloud storage. Which location should be selected?

A. Microsoft Teams

B. OneDrive for Business

C. Exchange Online

D. Microsoft Entra ID

Correct Answer: B

Explanation: OneDrive for Business stores users’ personal work files and can be targeted independently during a Content Search.


Question 10

Which statement best describes Microsoft Purview Content Search?

A. It permanently deletes search results after completion.

B. It automatically applies retention labels to matching items.

C. It searches Microsoft 365 content and allows authorized users to review and export matching results.

D. It encrypts all files matching the search query.

Correct Answer: C

Explanation: Content Search is a discovery tool that locates content across Microsoft 365, allowing investigators to preview and export results without modifying the original data.



Discover and manage AI activity by using DSPM for AI (Part 2) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Discover and manage AI activity by using DSPM for AI



Introduction

In Part 1, you learned how Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations discover AI activity, identify sensitive data exposure, detect oversharing, and provide visibility into how AI interacts with Microsoft 365 data.

This section (Part 2) focuses on how DSPM for AI helps administrators manage AI-related risks, integrates with other Microsoft security and compliance services, and supports secure AI adoption.


Security Recommendations Generated by DSPM for AI

One of DSPM for AI’s most valuable capabilities is providing actionable security recommendations rather than simply identifying problems.

After analyzing an organization’s AI environment, DSPM highlights areas that should be improved to reduce the likelihood of accidental data exposure or compliance violations.

Examples of recommendations include:

  • Reduce excessive SharePoint permissions.
  • Apply sensitivity labels to unclassified confidential files.
  • Configure Data Loss Prevention (DLP) policies.
  • Limit external sharing.
  • Protect highly confidential document libraries.
  • Enable auditing for AI-related activities.
  • Improve data governance before expanding AI deployments.

These recommendations help administrators prioritize improvements based on potential business impact and security risk.


Risk Prioritization

Not every security finding represents the same level of risk.

DSPM helps prioritize remediation efforts by evaluating factors such as:

  • Amount of sensitive data exposed
  • Number of users with access
  • Business importance of the data
  • Existing protection mechanisms
  • AI usage patterns
  • Permission inheritance
  • Regulatory implications

This enables administrators to address the highest-risk issues first.

For example:

| Risk | Priority |
|---|---|
| Public access to executive financial reports | High |
| Sensitive HR documents lacking labels | High |
| Marketing presentations shared internally | Medium |
| Public training documents | Low |

Discovering AI-Related Data Exposure

Organizations often ask:

“If we enable Microsoft 365 Copilot today, what sensitive information could users potentially discover?”

DSPM helps answer this question.

It analyzes:

  • Existing permissions
  • Data classifications
  • Sharing configurations
  • Microsoft Graph relationships
  • Collaboration patterns

This provides insight into which sensitive data could become more discoverable through AI-assisted searches and summaries.

Remember:

Copilot does not bypass security permissions. It only accesses information that the signed-in user is already authorized to access. DSPM helps identify situations where those permissions may already be too broad.


Remediation Recommendations

After identifying risks, DSPM recommends remediation steps.

Common recommendations include:

Reduce Oversharing

Examples include:

  • Remove unnecessary SharePoint permissions.
  • Restrict Microsoft Teams membership.
  • Remove Everyone access.
  • Limit guest sharing.

Improve Data Classification

Examples include:

  • Apply sensitivity labels.
  • Enable automatic labeling.
  • Use trainable classifiers.
  • Configure sensitive information types.

Better classification improves downstream protections across Microsoft Purview.


Strengthen Data Protection Policies

DSPM may recommend:

  • Creating DLP policies
  • Encrypting confidential documents
  • Restricting downloads
  • Blocking external sharing
  • Applying retention labels

Review AI Access

Administrators may decide to:

  • Limit AI rollout to selected departments
  • Review permissions before enabling Copilot broadly
  • Reduce access to legacy repositories
  • Remove stale user accounts

Integration with Microsoft Purview

DSPM for AI does not operate as an isolated product.

Instead, it complements several Microsoft Purview solutions.

Understanding these relationships is important for the AB-900 exam.


Microsoft Purview Information Protection

Information Protection classifies and protects data.

DSPM benefits from these classifications.

For example:

A document labeled:

  • Highly Confidential
  • Internal Only
  • Financial
  • Legal

helps DSPM understand the sensitivity of AI-accessible content.

Without labels, DSPM has less context when evaluating risk.


Microsoft Purview Data Loss Prevention (DLP)

DLP prevents sensitive information from being shared inappropriately.

DSPM identifies potential risks.

DLP helps enforce policies to prevent those risks from becoming incidents.

Example workflow:

  1. DSPM discovers sensitive payroll files.
  2. DLP prevents external sharing.
  3. Organization reduces AI-related exposure.

Microsoft Purview Insider Risk Management

DSPM identifies risky data exposure.

Insider Risk Management identifies risky user behavior.

Together they help answer two different questions:

DSPM asks:

“What sensitive data could AI access?”

Insider Risk asks:

“Is someone attempting to misuse sensitive data?”

These products complement one another.


Microsoft Purview Activity Explorer

Activity Explorer provides visibility into user interactions with sensitive information.

DSPM can use Activity Explorer insights to better understand:

  • Sensitive file access
  • Label usage
  • DLP events
  • Data movement

Administrators gain a clearer understanding of how protected information is being used across Microsoft 365.


Microsoft Purview Compliance Manager

Compliance Manager focuses on regulatory compliance.

DSPM focuses on AI data governance.

Together they help organizations:

  • Reduce compliance risk
  • Improve governance
  • Meet regulatory requirements
  • Protect sensitive information used by AI

Microsoft Defender

Microsoft Defender protects identities, endpoints, applications, and cloud resources.

DSPM complements Defender by focusing specifically on AI-related data risks.

Examples:

Microsoft Defender detects:

  • Malware
  • Credential theft
  • Phishing
  • Device compromise

DSPM identifies:

  • Overshared files
  • AI exposure
  • Sensitive data visibility
  • Permission risks

AI Governance Dashboard

DSPM provides dashboards that help administrators understand their organization’s AI posture.

Typical dashboard information includes:

  • AI adoption trends
  • Sensitive data exposure
  • High-risk repositories
  • Oversharing statistics
  • AI application inventory
  • Policy recommendations
  • Governance posture

Rather than investigating individual files, administrators receive a broad organizational view.


Discovering AI Applications

DSPM helps organizations understand:

  • Which AI tools are in use
  • Which departments use them
  • Adoption trends
  • AI usage over time

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • Supported third-party AI services

This visibility helps organizations establish AI governance policies.


Investigating AI Risks

Administrators typically investigate findings by asking questions such as:

  • Which sensitive files are accessible?
  • Who has access?
  • Why do they have access?
  • Is the data properly labeled?
  • Are permissions appropriate?
  • Is the data externally shared?
  • Should additional protection be applied?

DSPM helps surface this information so administrators can make informed decisions.


Typical Investigation Workflow

A simplified investigation might follow these steps:

Step 1

DSPM identifies an overshared SharePoint site.

Step 2

Administrator reviews permissions.

Step 3

Sensitive files are discovered.

Step 4

Sensitivity labels are applied.

Step 5

Permissions are reduced.

Step 6

DLP policies are enabled.

Step 7

Risk is reduced before broader Copilot deployment.


Best Practices

Organizations implementing Microsoft 365 Copilot should follow several best practices.

Review Permissions Before AI Rollout

Avoid enabling Copilot before understanding existing permissions.


Classify Sensitive Data

Use Microsoft Purview Information Protection to classify important documents.


Apply Least Privilege

Users should only have access to information required for their job.


Reduce Oversharing

Review:

  • SharePoint permissions
  • Teams memberships
  • OneDrive sharing
  • External sharing

Enable DLP

Prevent accidental sharing of confidential information.


Monitor AI Adoption

Understand:

  • Who uses AI
  • Which departments use AI
  • What information AI accesses

Regularly Review Recommendations

DSPM continuously evaluates the environment.

Administrators should regularly review new recommendations as data, permissions, and AI usage evolve.


Licensing Considerations

For the AB-900 exam, you are not expected to memorize licensing details, as licensing can change over time.

However, you should understand these general principles:

  • DSPM for AI is part of the Microsoft Purview family.
  • Advanced governance and AI security capabilities may require appropriate Microsoft licensing.
  • Organizations should verify current licensing requirements before deployment.

Common Exam Scenarios

You may encounter questions like:

Scenario 1

An organization wants to know whether Microsoft 365 Copilot could expose confidential HR documents because of existing permissions.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 2

Administrators want recommendations to reduce AI-related data exposure before deploying Copilot.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 3

Security administrators want visibility into AI adoption across Microsoft 365.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 4

Administrators want to identify overshared SharePoint sites that AI could access.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 5

An organization wants to understand where sensitive information may be exposed through AI.

Relevant technology:

Microsoft Purview DSPM for AI


Common Misconceptions

Misconception 1

DSPM blocks AI prompts.

Incorrect.

DSPM primarily discovers, assesses, and helps reduce AI-related data risks. It is not a prompt-filtering or AI-blocking solution.


Misconception 2

Copilot ignores permissions.

Incorrect.

Copilot always respects the signed-in user’s existing Microsoft 365 permissions.


Misconception 3

DSPM replaces Microsoft Purview DLP.

Incorrect.

DSPM identifies risks, while DLP enforces policies that help prevent inappropriate sharing of sensitive data.


Misconception 4

DSPM replaces Microsoft Defender.

Incorrect.

Defender focuses on threats and attacks, whereas DSPM focuses on AI-related data exposure and governance.


Misconception 5

DSPM automatically fixes security issues.

Incorrect.

DSPM provides visibility, recommendations, and guidance. Administrators remain responsible for implementing changes such as adjusting permissions, applying labels, or configuring policies.


AB-900 Exam Tips

Focus on these key concepts:

  • Microsoft Purview DSPM for AI is an AI governance and visibility solution.
  • It helps organizations discover AI usage, identify sensitive data exposure, and reduce AI-related risks.
  • DSPM does not bypass or modify Microsoft 365 permissions.
  • It works alongside Information Protection, DLP, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • One of its primary goals is to identify oversharing before it becomes a business risk.
  • DSPM provides recommendations, not automatic remediation.
  • It supports organizations throughout the AI adoption lifecycle by helping them continuously improve their security posture.

Chapter Summary

Microsoft Purview DSPM for AI enables organizations to adopt AI confidently by providing visibility into how AI interacts with organizational data. It discovers AI usage, inventories AI applications, identifies oversharing, evaluates sensitive data exposure, and recommends actions to strengthen governance.

Rather than replacing existing Microsoft Purview or Microsoft Defender capabilities, DSPM for AI enhances them by adding AI-specific insights. It integrates with Information Protection, Data Loss Prevention, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender to create a comprehensive approach to AI governance.

For the AB-900 exam, remember that DSPM for AI is fundamentally about discovering, assessing, and managing AI-related data risks. It helps administrators understand where AI could expose sensitive information due to existing permissions and governance gaps, enabling organizations to improve their security posture before and during Microsoft 365 Copilot deployment.


Practice Exam Questions


Question 1

A company plans to deploy Microsoft 365 Copilot across all departments. Before deployment, administrators want to determine whether confidential documents are overly accessible due to existing SharePoint permissions.

Which Microsoft solution should they use?

A. Microsoft Entra Domain Services

B. Microsoft Defender for Endpoint

C. Microsoft Intune

D. Microsoft Purview Data Security Posture Management (DSPM) for AI

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI helps organizations discover overshared content, evaluate AI-related data exposure, and identify permission risks before deploying AI solutions such as Microsoft 365 Copilot.

  • D is correct because DSPM for AI analyzes permissions and identifies AI-related security risks.
  • A is incorrect because Entra Domain Services provides managed domain services rather than AI governance.
  • B is incorrect because Defender for Endpoint protects devices.
  • C is incorrect because Intune manages devices and applications.

Question 2

An administrator wants to understand which departments are actively using Microsoft 365 Copilot and other approved AI applications.

Which capability best addresses this requirement?

A. Microsoft Purview Information Protection

B. Microsoft Purview DSPM for AI

C. Microsoft Defender for Cloud Apps

D. Microsoft Entra Conditional Access

Correct Answer: B

Explanation

DSPM for AI provides visibility into AI adoption, AI application inventory, and usage trends across the organization.

  • B is correct because DSPM for AI discovers AI activity and AI adoption.
  • A classifies and protects data.
  • C monitors cloud applications but is not specifically designed for AI governance.
  • D controls authentication conditions.

Question 3

Which statement best describes how Microsoft 365 Copilot accesses organizational data?

A. It bypasses Microsoft 365 permissions when generating responses.

B. It can access all documents stored in Microsoft 365 regardless of permissions.

C. It only accesses content the signed-in user is already authorized to access.

D. It only accesses files created after Copilot was enabled.

Correct Answer: C

Explanation

Copilot respects existing Microsoft 365 permissions. It never bypasses authorization.

  • C is correct because Copilot only retrieves content the current user can already access.
  • A and B incorrectly imply that Copilot ignores permissions.
  • D is incorrect because file creation date is irrelevant.

Question 4

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Prevent all AI-generated responses

B. Replace Microsoft Defender

C. Automatically encrypt all Microsoft 365 data

D. Discover AI activity and identify AI-related data risks

Correct Answer: D

Explanation

DSPM for AI provides visibility into AI usage and helps identify governance and security risks.

  • D is correct because discovering AI activity and assessing AI-related risks are its primary objectives.
  • A, B, and C describe capabilities DSPM does not provide.

Question 5

An organization discovers that hundreds of employees can access executive financial reports because of inherited SharePoint permissions.

What type of risk has DSPM for AI identified?

A. Malware infection

B. Oversharing

C. Identity synchronization failure

D. Device compliance failure

Correct Answer: B

Explanation

Oversharing occurs when users have broader access to information than intended.

  • B is correct because excessive permissions increase AI-related exposure.
  • A, C, and D are unrelated to data governance.

Question 6

Which Microsoft technology provides much of the contextual relationship information that helps DSPM for AI understand user access to Microsoft 365 content?

A. Microsoft SQL Server

B. Microsoft Defender XDR

C. Microsoft Graph

D. Azure Kubernetes Service

Correct Answer: C

Explanation

Microsoft Graph provides relationships between users, files, emails, Teams, SharePoint, and other Microsoft 365 resources.

  • C is correct because DSPM uses Microsoft Graph signals to understand data access.
  • The remaining options do not provide organizational relationship data.

Question 7

Which Microsoft Purview solution works alongside DSPM for AI by preventing inappropriate sharing of sensitive information?

A. Microsoft Purview Data Loss Prevention (DLP)

B. Microsoft Entra ID Protection

C. Microsoft Intune

D. Windows Autopilot

Correct Answer: A

Explanation

DLP enforces policies that prevent sensitive information from being shared improperly.

  • A is correct because DLP complements DSPM by enforcing protection policies.
  • B, C, and D serve different purposes.

Question 8

An administrator wants recommendations for reducing AI-related security risks before expanding Microsoft 365 Copilot deployment.

What should they use?

A. Microsoft Defender Antivirus

B. Microsoft Purview DSPM for AI

C. Exchange Online Protection

D. Microsoft Entra Connect

Correct Answer: B

Explanation

DSPM for AI evaluates AI-related risks and recommends improvements such as reducing oversharing, improving data classification, and strengthening governance.

  • B is correct because providing security recommendations is one of its core capabilities.
  • The other products address different areas of Microsoft security.

Question 9

Which action would most effectively reduce AI-related data exposure identified by DSPM for AI?

A. Disable Microsoft Teams

B. Increase mailbox quotas

C. Review permissions and apply sensitivity labels to confidential data

D. Upgrade Windows devices

Correct Answer: C

Explanation

Reducing excessive permissions and properly classifying sensitive information significantly reduces AI-related exposure.

  • C is correct because both permission management and data classification are recommended remediation actions.
  • A, B, and D do not directly address AI governance.

Question 10

Which statement best summarizes Microsoft’s approach to AI governance with DSPM for AI?

A. DSPM automatically blocks all AI interactions involving confidential information.

B. DSPM replaces Microsoft Purview Information Protection.

C. DSPM eliminates the need for Microsoft Defender.

D. DSPM provides visibility, identifies risks, and recommends actions that help organizations securely adopt AI.

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI is designed to improve organizational AI security posture by discovering AI usage, identifying risks, and recommending governance improvements.

  • D is correct because it accurately reflects the purpose of DSPM for AI.
  • A is incorrect because DSPM is primarily a discovery and governance solution rather than an AI-blocking mechanism.
  • B is incorrect because Information Protection remains responsible for classifying and protecting data.
  • C is incorrect because Microsoft Defender continues to provide threat protection; it complements DSPM for AI rather than being replaced by it.

Key Takeaways for the AB-900 Exam

After studying this topic, you should be able to:

  • Explain the purpose of Microsoft Purview DSPM for AI.
  • Describe how DSPM for AI helps organizations discover and govern AI activity.
  • Understand that Microsoft 365 Copilot always respects existing user permissions.
  • Explain the concept of oversharing and why it is a significant AI-related risk.
  • Describe how Microsoft Graph provides context that enables DSPM for AI to evaluate data access.
  • Identify how DSPM for AI integrates with Microsoft Purview Information Protection, Data Loss Prevention (DLP), Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • Recognize that DSPM for AI provides visibility, risk assessment, and recommendations, but administrators remain responsible for implementing remediation actions.
  • Apply DSPM for AI concepts to common AB-900 scenario-based questions involving Microsoft 365 Copilot deployments and AI governance.

These concepts form an important part of the “Identify data protection and governance risks for Microsoft 365 and Copilot” objective and are frequently tested through scenario-based questions that assess your understanding of secure AI adoption and governance.



Discover and Manage AI activity by using DSPM for AI (Part 1) (AB-900 Exam Prep)


Introduction

As organizations increasingly adopt AI-powered tools such as Microsoft 365 Copilot, administrators face a new challenge: understanding how AI accesses, processes, and exposes organizational data. Traditional security tools focus on protecting users, devices, and data, but AI introduces new considerations. AI assistants can summarize documents, answer questions, generate reports, and analyze data from across an organization’s Microsoft 365 environment. If permissions are overly broad or sensitive information is poorly governed, AI can unintentionally surface information to users who already have access but should not necessarily see it in a summarized or easily discoverable form.

To address these challenges, Microsoft introduced Microsoft Purview Data Security Posture Management (DSPM) for AI, a solution designed to help organizations discover AI usage, identify potential security risks, understand data exposure, and strengthen governance before and during AI adoption.

For the AB-900 exam, you are not expected to configure DSPM for AI. Instead, you should understand:

  • What DSPM for AI is
  • Why organizations use it
  • How it discovers AI activity
  • How it helps identify risks
  • How it integrates with Microsoft Purview
  • The types of recommendations it provides

What Is Microsoft Purview DSPM for AI?

Microsoft Purview DSPM for AI is a governance and security solution that provides visibility into how artificial intelligence applications interact with organizational data.

Rather than preventing AI usage, DSPM for AI helps administrators answer important questions such as:

  • Which AI applications are employees using?
  • What sensitive information is being accessed?
  • Are AI tools exposing confidential content?
  • Are permissions overly broad?
  • Are Microsoft 365 Copilot users accessing highly sensitive data?
  • Where should security controls be strengthened?

Think of DSPM for AI as a risk discovery and governance solution specifically designed for AI workloads.


What Does “Data Security Posture Management” Mean?

The term Data Security Posture Management (DSPM) refers to continuously evaluating an organization’s data environment to identify security weaknesses before they become incidents.

DSPM focuses on questions such as:

  • Where is sensitive data stored?
  • Who has access?
  • Is the data properly classified?
  • Are security policies protecting it?
  • Could AI expose it more easily?

When AI is introduced, DSPM expands these questions to include:

  • Which AI tools are interacting with company data?
  • Which users are using AI?
  • What content is AI accessing?
  • Could AI reveal confidential information?
  • Are there oversharing risks?

Rather than reacting after a breach occurs, DSPM promotes proactive risk management.


Why Organizations Need DSPM for AI

Many organizations begin using AI before fully understanding their existing data environment.

Common issues include:

  • Excessive file permissions
  • Sensitive documents shared too broadly
  • Unlabeled confidential data
  • Legacy SharePoint permissions
  • Public Teams channels
  • Old collaboration sites
  • Inactive security policies

Without visibility into these issues, AI may legitimately retrieve information based on existing permissions, even though administrators were unaware those permissions existed.

DSPM for AI helps organizations discover these weaknesses before they become security problems.


Core Capabilities of DSPM for AI

Microsoft Purview DSPM for AI provides several major capabilities.

1. Discover AI Usage

DSPM identifies where AI is being used throughout the organization.

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • AI-enabled Microsoft services
  • Supported third-party AI applications

Administrators gain visibility into:

  • AI adoption
  • AI usage trends
  • Departments using AI
  • Types of AI interactions

This helps organizations understand how quickly AI is being adopted.


2. Discover Sensitive Data Exposure

DSPM evaluates whether AI has access to sensitive organizational data.

Examples include:

  • Financial reports
  • HR records
  • Customer information
  • Legal documents
  • Intellectual property
  • Healthcare information
  • Personally identifiable information (PII)

The solution identifies locations where sensitive information may be accessible through AI.


3. Identify Oversharing Risks

One of the most important concepts for the AB-900 exam is oversharing.

Oversharing occurs when users have legitimate permissions to data that administrators did not intend them to have.

For example:

  • A confidential SharePoint library inherits incorrect permissions.
  • Hundreds of employees can read executive documents.
  • Microsoft 365 Copilot can summarize those documents for anyone with existing access.

The problem is not Copilot.

The problem is the underlying permissions.

DSPM helps identify these situations.
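
The inherited-permission scenario above, modelled as an added example (not Microsoft's code and not how DSPM for AI is implemented internally). It resolves effective readers through a constructed content tree and flags sensitive items whose audience exceeds a threshold; every name, group size and the threshold is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory data (assumption): users each principal expands to.
GROUP_SIZES = {
    "Everyone except external users": 850,
    "Finance Team": 12,
    "Executives": 6,
}


@dataclass
class Node:
    """A site, library, folder or file in a constructed content tree."""
    name: str
    parent: Optional["Node"] = None
    own_readers: Optional[set] = None  # None means "inherit from parent"
    label: Optional[str] = None        # sensitivity label, None if unlabeled

    def effective_readers(self):
        """Return (readers, name of the node the permissions come from)."""
        node = self
        while node.own_readers is None and node.parent is not None:
            node = node.parent
        return (node.own_readers or set()), node.name


def audience_size(readers):
    # Upper bound: users who sit in several groups are counted once per group.
    return sum(GROUP_SIZES.get(r, 1) for r in readers)


def find_oversharing(items, sensitive_labels, max_audience):
    """Flag sensitive items readable by more than max_audience users."""
    findings = []
    for item in items:
        if item.label not in sensitive_labels:
            continue
        readers, source = item.effective_readers()
        size = audience_size(readers)
        if size > max_audience:
            findings.append({
                "item": item.name,
                "label": item.label,
                "audience": size,
                "permissions_from": source,
                "inherited": source != item.name,
            })
    return sorted(findings, key=lambda f: f["audience"], reverse=True)


def demo():
    """Run the check before and after fixing the library's permissions."""
    site = Node("Corporate site", own_readers={"Everyone except external users"})
    # The library never had its inheritance broken, so it takes the site's readers.
    exec_lib = Node("Executive Reports", parent=site)
    forecast = Node("Q3-forecast.xlsx", parent=exec_lib, label="Confidential")
    # This library has unique permissions, so its files are not overshared.
    fin_lib = Node("Finance", parent=site, own_readers={"Finance Team"})
    budget = Node("budget.xlsx", parent=fin_lib, label="Confidential")
    menu = Node("lunch-menu.docx", parent=site, label="General")

    items = [forecast, budget, menu]
    sensitive = {"Confidential", "Highly Confidential"}
    before = find_oversharing(items, sensitive, max_audience=50)

    # Remediation happens on the library's permissions, not in Copilot.
    exec_lib.own_readers = {"Executives"}
    after = find_oversharing(items, sensitive, max_audience=50)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for f in before:
        print(f"{f['item']}: {f['audience']} readers via {f['permissions_from']}")
    print("findings after fix:", len(after))
```
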


4. Inventory AI Applications

Organizations often have many AI applications in use.

DSPM helps administrators discover:

  • Approved AI tools
  • Newly adopted AI tools
  • Shadow AI applications
  • AI usage across departments

This visibility supports governance decisions.


5. Monitor AI Interactions

DSPM can provide insights into how AI interacts with organizational content.

Examples include:

  • Documents accessed
  • Sensitive data locations
  • AI usage frequency
  • Common AI workflows
  • Business units using AI

Administrators gain a better understanding of AI usage patterns without reading users’ private prompts or monitoring employee productivity.


How DSPM for AI Discovers AI Activity

DSPM analyzes signals across Microsoft 365 services to understand AI usage.

These signals may include:

  • User activity
  • Data access
  • File classifications
  • Permissions
  • Labels
  • Microsoft Graph relationships
  • Microsoft Purview metadata

Rather than simply counting AI prompts, DSPM builds a broader picture of how AI interacts with organizational data.


Microsoft Graph’s Role

One important concept for the AB-900 exam is understanding the relationship between Microsoft Graph and DSPM.

Microsoft Graph acts as the intelligence layer connecting Microsoft 365 services.

DSPM uses Microsoft Graph signals to understand:

  • Which files users can access
  • Collaboration relationships
  • SharePoint permissions
  • Teams memberships
  • OneDrive access
  • Email relationships
  • Microsoft 365 activity

This allows DSPM to identify situations where AI could expose sensitive information because users already possess excessive permissions.


Data Sources Evaluated by DSPM

DSPM evaluates multiple Microsoft 365 services.

Examples include:

SharePoint Online

  • Sensitive document libraries
  • Overshared sites
  • Confidential folders
  • File permissions

OneDrive

  • Shared personal files
  • External sharing
  • Sensitive documents
  • Personal work data

Microsoft Teams

  • Shared files
  • Team memberships
  • Collaboration spaces
  • Shared conversations

Exchange Online

  • Email data
  • Mailbox access
  • Shared mailboxes
  • Sensitive communications

Microsoft 365 Copilot

DSPM evaluates how Copilot interacts with organizational data by examining:

  • Available permissions
  • Data sources
  • Sensitive information exposure
  • Governance controls

Types of Risks DSPM Can Identify

DSPM helps identify a variety of AI-related risks.

Overshared Content

Examples include:

  • Everyone can access HR documents.
  • Finance reports are visible to the entire company.
  • Sensitive SharePoint sites inherit incorrect permissions.

Sensitive Information Exposure

Examples include:

  • Credit card numbers
  • Passport numbers
  • Social Security numbers
  • Customer records
  • Healthcare data
  • Intellectual property

Excessive Permissions

Users frequently accumulate permissions over time.

DSPM identifies situations where users have access to more information than necessary.

This supports the principle of least privilege.


Unclassified Sensitive Data

Organizations often possess sensitive information that has never been classified.

DSPM can identify repositories containing:

  • Unlabeled confidential documents
  • Sensitive spreadsheets
  • Legal contracts
  • Financial reports

This allows administrators to apply Microsoft Purview Information Protection labels.


Shadow AI

Shadow AI refers to employees using AI tools that have not been approved by the organization.

Examples might include:

  • Public AI chat services
  • AI writing assistants
  • AI coding assistants
  • AI document summarizers

DSPM helps organizations understand where unmanaged AI usage exists so appropriate governance decisions can be made.


Key Exam Tips

For the AB-900 exam, remember these important points:

  • DSPM for AI is primarily a visibility and governance solution, not an AI blocking solution.
  • It helps organizations discover, understand, and reduce AI-related risks.
  • It identifies oversharing, sensitive data exposure, and permission issues.
  • DSPM works closely with other Microsoft Purview solutions to improve an organization’s overall AI security posture.
  • Microsoft Graph provides much of the contextual information that enables DSPM to evaluate AI data access and potential risks.
  • The goal is not to restrict productive AI use, but to ensure that AI operates within an organization’s existing security, compliance, and governance framework.


Identify user activities reported by Microsoft Purview Activity Explorer (AB-900 Exam Prep)


Introduction

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand how Microsoft Purview Activity Explorer helps administrators investigate user activities involving sensitive information. Activity Explorer provides visibility into how sensitive data is accessed, shared, modified, labeled, or protected across Microsoft 365 services. It is an important investigative tool for identifying potential data protection and governance risks.


What Is Microsoft Purview Activity Explorer?

Microsoft Purview Activity Explorer is an investigation tool that displays activities involving sensitive information and Microsoft Purview protection technologies across Microsoft 365.

Rather than preventing actions, Activity Explorer helps administrators answer questions such as:

  • Who accessed sensitive information?
  • Which files contained sensitive data?
  • Was a sensitivity label applied or removed?
  • Did a Data Loss Prevention (DLP) policy trigger?
  • Was confidential information shared externally?
  • When did a particular activity occur?

Activity Explorer provides a searchable history of events so administrators can investigate potential compliance and security incidents.


Purpose of Activity Explorer

The primary purpose of Activity Explorer is to provide visibility into how organizational data is being used and protected.

It helps organizations:

  • Investigate compliance incidents
  • Monitor sensitive information usage
  • Validate Microsoft Purview policy effectiveness
  • Support audits
  • Identify risky user behavior
  • Understand how sensitive data moves throughout Microsoft 365

How Activity Explorer Fits into Microsoft Purview

Activity Explorer works alongside several Microsoft Purview solutions.

Microsoft Purview Solution | Purpose
Information Protection | Applies sensitivity labels
Data Loss Prevention (DLP) | Prevents inappropriate sharing of sensitive data
Data Classification | Identifies sensitive information
Insider Risk Management | Investigates risky user behavior
Activity Explorer | Displays activities involving protected or sensitive content

Think of Activity Explorer as the investigation dashboard that brings many of these activities together.


User Activities Reported by Activity Explorer

Activity Explorer records many different activities related to sensitive information.

1. Sensitivity Label Activities

Administrators can identify when users:

  • Apply sensitivity labels
  • Remove sensitivity labels
  • Change sensitivity labels
  • Automatically receive labels
  • Manually classify documents

Example:

A user changes a document from Confidential to Public.

Activity Explorer records:

  • User
  • File
  • Previous label
  • New label
  • Time of change

2. Data Loss Prevention (DLP) Activities

Activity Explorer reports when DLP policies detect sensitive information.

Examples include:

  • Email blocked
  • File upload blocked
  • USB copy blocked
  • External sharing blocked
  • Policy warning shown
  • Policy override used

Example:

A user attempts to email customer credit card numbers.

The DLP policy detects the data and Activity Explorer records the event.


3. Sensitive Information Detection

Activity Explorer records when Microsoft identifies sensitive information types such as:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Driver’s license numbers
  • Bank account numbers
  • Tax identification numbers
  • Healthcare identifiers

The tool helps administrators understand where sensitive information exists.


4. File Activities

Activity Explorer can display events involving files that contain sensitive information.

Examples include:

  • File created
  • File modified
  • File deleted
  • File copied
  • File downloaded
  • File shared
  • File moved

5. Sharing Activities

Administrators can investigate file-sharing behavior.

Examples:

  • Internal sharing
  • External sharing
  • Anonymous sharing links
  • Sharing permission changes
  • Sharing sensitive documents

These activities help identify potential data exposure risks.


6. Email Activities

Activity Explorer can report events involving protected email messages.

Examples include:

  • Email containing sensitive information
  • Protected email
  • Label changes
  • DLP policy matches

7. Teams Activities

Activity Explorer includes activities related to Microsoft Teams when supported by Microsoft Purview policies.

Examples include:

  • Sensitive information shared in Teams chats
  • Files shared in Teams
  • DLP policy matches
  • Protected documents shared

8. SharePoint and OneDrive Activities

Common activities include:

  • Sensitive file uploads
  • Downloads
  • External sharing
  • Label application
  • DLP events
  • File modifications

Information Displayed for Each Activity

Each event typically includes:

  • Date and time
  • User
  • Workload (Exchange, Teams, SharePoint, OneDrive)
  • Activity type
  • Policy involved
  • Sensitive information detected
  • Sensitivity label
  • File name
  • Location
  • Severity (when applicable)

This information helps investigators quickly understand what occurred.


Filtering Activity Explorer

Administrators can filter results by:

  • User
  • Date range
  • Workload
  • Activity type
  • Policy
  • Sensitive information type
  • Sensitivity label
  • Location
  • Service
  • File name

Filtering makes investigations faster and more targeted.


Common Investigation Scenarios

Scenario 1: External File Sharing

Question:

Has confidential information been shared outside the organization?

Activity Explorer allows investigators to:

  • Find externally shared files
  • Identify the user
  • Determine whether a DLP policy triggered
  • Review sensitivity labels

Scenario 2: Sensitive Information Discovery

Question:

Where are customer Social Security numbers stored?

Activity Explorer can identify:

  • Files
  • Users
  • Locations
  • Labels
  • Detection events

Scenario 3: Label Investigation

Question:

Who removed the Confidential label from a document?

Activity Explorer shows:

  • User
  • Time
  • Original label
  • New label
  • File involved

Scenario 4: DLP Policy Review

Question:

Which users triggered the most DLP alerts this week?

Administrators can filter DLP events by:

  • User
  • Policy
  • Date
  • Severity
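
Scenarios 3 and 4 worked over a handful of constructed event records, as an added example (not Microsoft's code). The record layout, activity names, label ordering and users are assumptions built from the fields this page lists, not Activity Explorer's actual export format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed label ordering, least to most restrictive; None means no label.
LABEL_RANK = {None: 0, "Public": 1, "General": 2,
              "Confidential": 3, "Highly Confidential": 4}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample events (not real data).
EVENTS = [
    {"time": "2025-03-03T09:12:00", "user": "adele@contoso.example",
     "workload": "SharePoint", "activity": "Label changed",
     "file": "Q3-forecast.xlsx", "old_label": "Confidential", "new_label": "Public"},
    {"time": "2025-03-03T10:40:00", "user": "megan@contoso.example",
     "workload": "Exchange", "activity": "DLP rule matched",
     "policy": "Credit card data", "severity": "High"},
    {"time": "2025-03-04T14:05:00", "user": "megan@contoso.example",
     "workload": "Teams", "activity": "DLP rule matched",
     "policy": "Credit card data", "severity": "Medium"},
    {"time": "2025-03-05T08:30:00", "user": "alex@contoso.example",
     "workload": "OneDrive", "activity": "Label removed",
     "file": "contract.docx", "old_label": "Confidential", "new_label": None},
    {"time": "2025-03-05T16:20:00", "user": "alex@contoso.example",
     "workload": "SharePoint", "activity": "DLP rule matched",
     "policy": "Customer PII", "severity": "Low"},
    {"time": "2025-03-06T11:00:00", "user": "adele@contoso.example",
     "workload": "SharePoint", "activity": "Label changed",
     "file": "notes.docx", "old_label": "General", "new_label": "Confidential"},
    {"time": "2025-02-20T11:00:00", "user": "alex@contoso.example",
     "workload": "Exchange", "activity": "DLP rule matched",
     "policy": "Customer PII", "severity": "High"},
    {"time": "2025-03-07T09:00:00", "user": "megan@contoso.example",
     "workload": "Exchange", "activity": "DLP rule matched",
     "policy": "Credit card data", "severity": "High"},
]


def label_downgrades(events):
    """Scenario 3: label changes or removals that lowered protection."""
    hits = []
    for e in events:
        if e["activity"] not in ("Label changed", "Label removed"):
            continue
        old, new = e.get("old_label"), e.get("new_label")
        if LABEL_RANK[new] < LABEL_RANK[old]:
            hits.append({"user": e["user"], "file": e["file"], "time": e["time"],
                         "old_label": old, "new_label": new})
    return sorted(hits, key=lambda h: h["time"])


def top_dlp_users(events, start, days, min_severity=None):
    """Scenario 4: DLP matches per user in [start, start + days)."""
    end = start + timedelta(days=days)
    floor = SEVERITY_RANK[min_severity] if min_severity else 0
    counts = Counter()
    for e in events:
        if e["activity"] != "DLP rule matched":
            continue
        when = datetime.fromisoformat(e["time"])
        if not (start <= when < end):
            continue
        if SEVERITY_RANK.get(e.get("severity"), 0) < floor:
            continue
        counts[e["user"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for h in label_downgrades(EVENTS):
        print(h["time"], h["user"], h["file"], h["old_label"], "->", h["new_label"])
    print(top_dlp_users(EVENTS, datetime(2025, 3, 3), 7))
```

The label upgrade on notes.docx and the DLP match from 20 February are deliberately included to show that the filters exclude them.
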

Relationship to Microsoft 365 Copilot

As organizations deploy Microsoft 365 Copilot, understanding how sensitive information is used becomes increasingly important.

Activity Explorer helps administrators:

  • Verify that sensitivity labels are being applied
  • Review DLP policy activity
  • Monitor how protected information is handled
  • Investigate suspicious sharing activities
  • Support governance for content that Copilot may reference based on users’ existing permissions

Although Activity Explorer does not monitor Copilot prompts or responses directly, it helps administrators understand the underlying data protection activities associated with Microsoft 365 content.


Difference Between Activity Explorer and Audit Logs

These tools are related but serve different purposes.

Activity Explorer | Microsoft Purview Audit
Focuses on sensitive information activities | Records broad user and administrator activities
Highlights DLP and sensitivity label events | Records nearly all Microsoft 365 events
Designed for data protection investigations | Designed for security, compliance, and auditing
Optimized for Microsoft Purview investigations | Optimized for overall audit history

Best Practices

Organizations should:

  • Regularly review Activity Explorer.
  • Investigate repeated DLP policy matches.
  • Monitor external sharing of sensitive files.
  • Review sensitivity label changes.
  • Use filters to focus investigations.
  • Integrate findings with Insider Risk Management when appropriate.
  • Periodically validate that Purview policies are functioning as expected.

AB-900 Exam Tips

Remember these key points for the exam:

  • Activity Explorer is an investigation tool.
  • It reports activities involving sensitive information and Microsoft Purview protections.
  • It displays DLP events, sensitivity label activities, sharing events, and sensitive information detections.
  • It helps administrators investigate compliance and governance risks.
  • Activity Explorer complements Audit logs but focuses specifically on data protection activities.
  • Administrators can filter activities by user, workload, policy, label, activity type, and date.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Activity Explorer?

A. Create Microsoft 365 user accounts

B. Display activities involving sensitive information and Microsoft Purview protections

C. Configure Conditional Access policies

D. Reset user passwords

Correct Answer: B

Explanation: Activity Explorer helps administrators investigate activities involving sensitive information, DLP events, sensitivity labels, and other Microsoft Purview protection technologies.


Question 2

Which activity would most likely appear in Activity Explorer?

A. BIOS firmware updates

B. Windows device driver installation

C. A user applies a Confidential sensitivity label to a document

D. Printer toner replacement

Correct Answer: C

Explanation: Applying or changing sensitivity labels is one of the primary activities tracked by Activity Explorer.


Question 3

Which Microsoft Purview feature commonly generates events that are visible in Activity Explorer?

A. Microsoft Intune

B. Windows Update

C. Active Directory Sites and Services

D. Data Loss Prevention (DLP)

Correct Answer: D

Explanation: Activity Explorer records DLP policy matches, alerts, overrides, and other related events.


Question 4

An administrator wants to determine who shared a sensitive document externally. Which Microsoft Purview tool should they use?

A. Activity Explorer

B. Windows Event Viewer

C. Device Manager

D. Microsoft Paint

Correct Answer: A

Explanation: Activity Explorer displays sharing activities involving sensitive information, including external sharing events.


Question 5

Which information can administrators use to filter Activity Explorer results?

A. CPU temperature

B. Printer model

C. User name, activity type, and date range

D. Network cable type

Correct Answer: C

Explanation: Activity Explorer supports filtering by user, workload, activity type, policy, label, location, and date range.


Question 6

Which statement best describes Activity Explorer?

A. It permanently blocks sensitive file sharing.

B. It investigates activities involving protected or sensitive information.

C. It replaces Microsoft Defender Antivirus.

D. It encrypts every Microsoft 365 file automatically.

Correct Answer: B

Explanation: Activity Explorer is designed for investigation and reporting rather than prevention.


Question 7

Which Microsoft 365 workloads can contribute activities to Activity Explorer?

A. Only Microsoft Excel

B. Only Microsoft Teams

C. Only Exchange Online

D. Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams

Correct Answer: D

Explanation: Activity Explorer collects supported events from multiple Microsoft 365 workloads to provide a comprehensive view of sensitive data activities.


Question 8

What can an administrator determine by reviewing Activity Explorer?

A. Which BIOS version users are running

B. Which sensitive information types were detected in organizational content

C. The amount of available disk space on each device

D. Which printer is the default printer

Correct Answer: B

Explanation: Activity Explorer displays detections of sensitive information types such as credit card numbers, Social Security numbers, and other classified data.


Question 9

How does Activity Explorer differ from Microsoft Purview Audit?

A. Activity Explorer focuses on sensitive information and data protection activities, while Audit records a broader range of Microsoft 365 events.

B. Activity Explorer stores passwords.

C. Audit only records Teams activities.

D. Both tools provide identical information.

Correct Answer: A

Explanation: Activity Explorer specializes in Microsoft Purview-related activities, while Audit provides broader auditing across Microsoft 365.


Question 10

Why is Microsoft Purview Activity Explorer valuable in organizations using Microsoft 365 Copilot?

A. It records every Copilot prompt entered by users.

B. It replaces Copilot security permissions.

C. It helps administrators monitor the protection and handling of sensitive Microsoft 365 content that Copilot may access based on existing permissions.

D. It automatically blocks all Copilot responses.

Correct Answer: C

Explanation: Activity Explorer helps administrators understand how sensitive content is protected and used within Microsoft 365, supporting governance for data that Copilot can access according to user permissions.



Identify policy violations generated by Communication Compliance (AB-900 Exam Prep)


Introduction

For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, you should understand how Microsoft Purview Communication Compliance helps organizations detect, investigate, and respond to inappropriate communications that may violate corporate policies, legal requirements, or regulatory standards. You should also understand how administrators review policy matches, investigate alerts, and take appropriate remediation actions.


What is Microsoft Purview Communication Compliance?

Microsoft Purview Communication Compliance is a Microsoft Purview solution that helps organizations detect and investigate inappropriate or risky communications across Microsoft 365 services.

Rather than preventing users from communicating, Communication Compliance monitors communications and alerts authorized reviewers when messages match organizational policies.

It helps organizations detect communications involving:

  • Harassment
  • Discrimination
  • Offensive language
  • Threats
  • Confidential information sharing
  • Regulatory violations
  • Inappropriate behavior
  • Insider risks

Communication Compliance is designed to reduce legal, compliance, and reputational risks while helping organizations meet industry regulations.


Why Communication Compliance Is Important

Organizations communicate constantly using:

  • Microsoft Teams chats
  • Teams channel messages
  • Outlook emails
  • Viva Engage (Yammer)
  • Third-party communication platforms (through supported connectors)

Without monitoring, inappropriate communications may:

  • Create hostile work environments
  • Lead to lawsuits
  • Violate government regulations
  • Expose confidential information
  • Damage an organization’s reputation

Communication Compliance provides visibility into these risks.


What Are Policy Violations?

A policy violation occurs when a communication matches conditions defined within a Communication Compliance policy.

Examples include:

  • Use of offensive language
  • Bullying or harassment
  • Sharing confidential customer information
  • Threatening another employee
  • Insider trading discussions
  • Regulatory compliance violations
  • Sharing protected intellectual property

A policy violation does not automatically mean misconduct occurred.

Instead, it means the communication requires human review.


How Communication Compliance Works

The workflow follows several stages.

Step 1: Create a Policy

Administrators create policies that define:

  • Users or groups to monitor
  • Communication locations
  • Types of violations
  • Detection conditions
  • Review workflow

Step 2: Monitor Communications

Communication Compliance continuously analyzes supported communications.

Examples include:

  • Teams messages
  • Emails
  • Viva Engage posts

Content is evaluated against policy conditions.


Step 3: Generate Alerts

If content matches a policy:

  • An alert is generated.
  • The alert appears in the Communication Compliance dashboard.
  • Reviewers receive a notification.

Step 4: Human Review

Authorized reviewers investigate:

  • Original message
  • Conversation context
  • Users involved
  • Severity
  • Previous incidents

Reviewers determine whether the communication truly violated policy.


Step 5: Resolution

Reviewers choose an appropriate action, such as:

  • Resolve as compliant
  • Confirm violation
  • Escalate investigation
  • Notify HR
  • Notify legal
  • Train employee
  • Document findings

Common Types of Policy Violations

Harassment

Detects communications containing:

  • Insults
  • Bullying
  • Abusive language
  • Threats

Example:

“You’re completely useless and should quit.”


Discrimination

Detects language involving:

  • Race
  • Gender
  • Religion
  • Disability
  • Age
  • Protected characteristics

Offensive Language

Identifies:

  • Profanity
  • Hate speech
  • Offensive expressions

Sensitive Information Sharing

Detects messages containing:

  • Credit card numbers
  • Social Security numbers
  • Customer information
  • Financial records
  • Medical information

Regulatory Compliance Violations

Organizations in regulated industries monitor communications involving:

  • Insider trading
  • Market manipulation
  • Financial misconduct
  • Unauthorized disclosures

Confidential Information

Detects unauthorized sharing of:

  • Trade secrets
  • Product designs
  • Internal reports
  • Source code
  • Financial forecasts

Policy Alerts

A Communication Compliance alert contains information such as:

  • Policy name
  • Date and time
  • Severity
  • User involved
  • Communication type
  • Matched rule
  • Review status

Alerts help reviewers prioritize investigations.


Alert Severity

Organizations often classify alerts as:

Low

Minor language concerns.

Example:

A mildly inappropriate joke.


Medium

Behavior that may violate company policy.

Example:

Repeated offensive language.


High

Serious compliance concern.

Example:

Threats of violence or disclosure of confidential data.


Reviewing Policy Violations

Authorized reviewers access the Communication Compliance portal.

During review they can examine:

  • Conversation history
  • Message participants
  • Attachments
  • Policy triggered
  • Matching keywords
  • Previous incidents
  • Related alerts

Context is important because individual messages may appear harmless without surrounding conversation.


Investigation Workflow

A typical investigation includes:

  1. Open the alert.
  2. Review message details.
  3. Examine conversation context.
  4. Determine whether policy was actually violated.
  5. Assign a review outcome.
  6. Document findings.
  7. Close or escalate the case.

Possible Review Outcomes

Reviewers may classify alerts as:

  • No violation
  • Violation confirmed
  • Needs escalation
  • False positive
  • Resolved

These outcomes help improve future policy effectiveness.


False Positives

Not every alert represents an actual violation.

Examples include:

  • Educational discussions
  • Medical terminology
  • Technical documentation
  • Quoted material
  • Sarcasm
  • Context misunderstood by automated analysis

Human review remains essential.


Improving Detection Accuracy

Organizations can improve policy effectiveness by:

  • Updating keyword dictionaries
  • Using machine learning classifiers
  • Adjusting policy thresholds
  • Creating separate policies for departments
  • Reviewing false positives
  • Refining monitored user groups

Who Reviews Violations?

Communication Compliance uses role-based access control.

Typical reviewers include:

  • Compliance administrators
  • Compliance officers
  • Human Resources
  • Legal teams
  • Risk investigators

Only authorized personnel can review sensitive communications.


Privacy Considerations

Communication Compliance is designed with privacy controls.

Organizations can:

  • Limit reviewer access
  • Use pseudonymization (where supported)
  • Restrict investigations
  • Audit reviewer actions
  • Follow regional privacy laws

Integration with Other Microsoft Security Solutions

Communication Compliance works alongside several Microsoft security solutions.

Microsoft Purview Insider Risk Management

Communication Compliance findings may support insider risk investigations involving suspicious employee behavior.


Microsoft Purview Data Loss Prevention (DLP)

DLP prevents unauthorized sharing of sensitive information, while Communication Compliance reviews the content and context of communications.


Microsoft Purview Information Protection

Sensitivity labels applied to documents help reviewers understand the sensitivity of shared information.


Microsoft Defender

Security incidents and user risk signals can complement Communication Compliance investigations.


Communication Compliance and Microsoft 365 Copilot

As organizations adopt Microsoft 365 Copilot, Communication Compliance remains important because users increasingly collaborate through Teams, Outlook, and other Microsoft 365 services that Copilot can reference based on existing permissions.

If inappropriate communications occur, Communication Compliance can:

  • Detect policy violations
  • Assist investigations
  • Support regulatory compliance
  • Help protect organizational reputation
  • Complement broader Microsoft Purview governance capabilities

Best Practices

For the AB-900 exam, remember these best practices:

  • Monitor communications using clearly defined policies.
  • Review alerts promptly.
  • Always investigate message context before making decisions.
  • Use authorized reviewers only.
  • Tune policies to reduce false positives.
  • Protect employee privacy while maintaining compliance.
  • Integrate Communication Compliance with broader Microsoft Purview governance.

AB-900 Exam Tips

Remember these key points:

  • Communication Compliance monitors communications—it does not block them.
  • Policy violations generate alerts, not automatic disciplinary actions.
  • Human reviewers determine whether a true violation occurred.
  • Context matters when reviewing communications.
  • Communication Compliance supports compliance, legal, HR, and risk management teams.
  • Alerts can detect harassment, discrimination, offensive language, regulatory violations, and sensitive information sharing.
  • Communication Compliance works together with Insider Risk Management, DLP, Information Protection, and Microsoft Defender.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Communication Compliance?

A. Encrypt all Microsoft Teams messages

B. Detect and investigate communications that may violate organizational policies

C. Prevent users from sending emails

D. Back up Microsoft 365 communications

Correct Answer: B

Explanation: Communication Compliance monitors supported communications and generates alerts when messages match configured compliance policies.


Question 2

A Communication Compliance alert indicates that a Teams message matched a harassment policy. What should happen next?

A. The user account is automatically disabled.

B. The message is permanently deleted.

C. An authorized reviewer investigates the communication.

D. The policy is automatically removed.

Correct Answer: C

Explanation: Communication Compliance generates alerts for human review rather than taking automatic disciplinary actions.


Question 3

Which type of communication can Microsoft Purview Communication Compliance monitor?

A. BIOS startup messages

B. Local Windows Event Logs

C. Microsoft Teams chats

D. Printer configuration files

Correct Answer: C

Explanation: Teams chats are one of the primary communication sources monitored by Communication Compliance.


Question 4

Why is conversation context important when reviewing alerts?

A. It determines network bandwidth.

B. It identifies device drivers.

C. It encrypts communications.

D. It helps reviewers determine whether a message truly violates policy.

Correct Answer: D

Explanation: Individual messages may appear inappropriate when viewed alone but may be acceptable within the full conversation.


Question 5

Which activity is an example of a Communication Compliance policy violation?

A. Updating Windows patches

B. Sharing vacation schedules

C. Sending offensive or harassing messages to coworkers

D. Resetting a forgotten password

Correct Answer: C

Explanation: Offensive or harassing communications are common scenarios monitored by Communication Compliance.


Question 6

Who should review Communication Compliance alerts?

A. Any employee

B. Only authorized compliance reviewers

C. External customers

D. Guest users

Correct Answer: B

Explanation: Access to Communication Compliance investigations is limited through role-based access control.


Question 7

What is a false positive in Communication Compliance?

A. A communication incorrectly identified as violating policy

B. A deleted user account

C. An expired Microsoft 365 license

D. A successful malware scan

Correct Answer: A

Explanation: False positives occur when automated detection flags communications that are ultimately determined not to violate policy.


Question 8

Which Microsoft Purview solution focuses primarily on preventing sensitive information from leaving the organization?

A. Communication Compliance

B. Insider Risk Management

C. Data Loss Prevention (DLP)

D. Compliance Manager

Correct Answer: C

Explanation: DLP is designed to detect and prevent unauthorized sharing of sensitive information, while Communication Compliance focuses on reviewing communications.


Question 9

What does a Communication Compliance alert indicate?

A. A confirmed policy violation requiring disciplinary action

B. A communication matched a configured policy and should be reviewed

C. The user’s account has been compromised

D. Microsoft 365 licensing has expired

Correct Answer: B

Explanation: Alerts indicate potential policy matches that require investigation; they are not proof of wrongdoing.


Question 10

Which statement best describes Microsoft Purview Communication Compliance?

A. It replaces antivirus software.

B. It automatically blocks every risky message.

C. It permanently archives all Microsoft 365 files.

D. It helps organizations identify, investigate, and respond to inappropriate communications.

Correct Answer: D

Explanation: Communication Compliance helps organizations manage communication-related compliance risks through monitoring, alerting, investigation, and response.



Identify and respond to alerts generated by Microsoft Purview Data Loss Prevention (DLP) (AB-900 Exam Prep)


Introduction

Microsoft Purview Data Loss Prevention (DLP) helps organizations prevent the accidental or intentional exposure of sensitive information. DLP continuously monitors user activities across Microsoft 365 services and generates alerts when users violate data protection policies.

For the AB-900 exam, you should understand:

  • What Microsoft Purview DLP alerts are
  • When DLP alerts are generated
  • How administrators review alerts
  • Alert severity and prioritization
  • Investigation workflows
  • How to respond to DLP alerts
  • Integration with other Microsoft Purview and Microsoft Defender solutions
  • Best practices for managing alerts

What Is Microsoft Purview Data Loss Prevention (DLP)?

Microsoft Purview Data Loss Prevention (DLP) is a Microsoft Purview solution that helps organizations identify, monitor, and protect sensitive information from unauthorized sharing or exposure.

DLP policies monitor data stored in Microsoft 365 services such as:

  • Microsoft Exchange Online
  • Microsoft SharePoint Online
  • Microsoft OneDrive for Business
  • Microsoft Teams
  • Microsoft Defender for Cloud Apps
  • Endpoint devices (with Endpoint DLP)
  • Power BI (supported scenarios)

When a user performs an action that violates a DLP policy, the system can generate an alert.


What Is a DLP Alert?

A DLP alert is a notification generated when a DLP policy detects activity that violates organizational data protection rules.

Alerts help administrators:

  • Detect risky user behavior
  • Investigate policy violations
  • Respond to incidents quickly
  • Reduce data leakage
  • Demonstrate compliance

Alerts are one of the primary tools compliance administrators use to monitor organizational data protection.


When Are DLP Alerts Generated?

Alerts are generated when users perform actions that violate configured DLP policies.

Examples include:

  • Emailing confidential documents externally
  • Uploading sensitive files to unauthorized cloud storage
  • Copying protected files to USB devices
  • Printing highly confidential documents
  • Sharing files publicly
  • Downloading sensitive files from SharePoint
  • Copying confidential information into unmanaged applications

Not every policy generates an alert. Alert generation depends on the configured policy actions.


How DLP Detects Sensitive Information

Before generating alerts, DLP identifies sensitive content using several methods.

Sensitive Information Types (SITs)

Built-in detectors identify information such as:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Driver’s license numbers
  • Bank account numbers
  • Tax identification numbers
  • Healthcare identifiers

Sensitivity Labels

Microsoft Purview Information Protection labels can identify:

  • Public
  • General
  • Confidential
  • Highly Confidential

Policies can generate alerts whenever protected documents are shared improperly.


Trainable Classifiers

Machine learning can recognize documents such as:

  • Resumes
  • Contracts
  • Source code
  • Financial reports
  • Legal documents

Exact Data Match (EDM)

Organizations can detect exact records such as:

  • Customer databases
  • Employee IDs
  • Payroll records

Components of a DLP Alert

Each alert contains detailed information to help administrators investigate the incident.

Typical alert details include:

  • User involved
  • Date and time
  • Policy name
  • Rule triggered
  • Sensitive information detected
  • File name
  • File location
  • Service involved
  • Severity level
  • User activity
  • Recommended actions

Alert Severity

DLP alerts are assigned severity levels to help prioritize investigations.

Typical levels include:

Low

Examples:

  • Minor policy violations
  • First-time incidents
  • Low-risk data exposure

Medium

Examples:

  • Multiple policy violations
  • Larger quantities of sensitive information
  • Repeated risky behavior

High

Examples:

  • Large-scale data exfiltration
  • Highly confidential information
  • Repeated attempts to bypass policies
  • Executive or privileged account violations

Administrators generally investigate High severity alerts first.
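The detection and severity ideas above, as an added Python sketch that is not Microsoft's implementation or code from the original post: a sensitive information type is modelled as a pattern plus a checksum, nearby keywords raise the confidence level, and the number of matches sets the alert severity. The keyword list, proximity window, thresholds, rule name and sample content are all constructed assumptions.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Supporting evidence near a match raises confidence (keyword list is an assumption).
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "cvv", "expir")
PROXIMITY = 60  # characters searched on each side of a match (assumption)


def luhn_valid(digits):
    """Checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return masked matches with a confidence level, as an alert would list them."""
    lowered = text.lower()
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # pattern matched but checksum failed: not a card number
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        confidence = "high" if any(k in window for k in KEYWORDS) else "low"
        hits.append({"masked": "*" * (len(digits) - 4) + digits[-4:],
                     "confidence": confidence})
    return hits


def evaluate_rule(text, shared_externally, medium_at=5, high_at=100):
    """Hypothetical rule: card numbers leaving the organization raise an alert."""
    if not shared_externally:
        return None  # rule condition not met, so no alert
    hits = find_card_numbers(text)
    if not hits:
        return None
    confident = sum(1 for h in hits if h["confidence"] == "high")
    if confident >= high_at:
        severity = "High"
    elif confident >= medium_at:
        severity = "Medium"
    else:
        severity = "Low"
    return {"rule": "Card numbers shared externally (constructed)",
            "severity": severity,
            "sensitive_items": len(hits),
            "high_confidence_items": confident,
            "matches": [h["masked"] for h in hits]}


# Constructed sample content using published test card numbers, not real data.
SAMPLE_EMAIL = (
    "Hi, the customer card numbers you asked for:\n"
    "Visa 4111 1111 1111 1111 exp 12/30\n"
    "Mastercard 5555-5555-5555-4444 exp 01/31\n"
    "Old ref 4111111111111112 (typo, ignore)\n"
)
SAMPLE_LOG = "Build log: artifact id 4012888888881881 uploaded"
SAMPLE_SHEET = "card number 4111111111111111\n" * 200

if __name__ == "__main__":
    for name, body in (("email", SAMPLE_EMAIL), ("log", SAMPLE_LOG),
                       ("sheet", SAMPLE_SHEET)):
        alert = evaluate_rule(body, shared_externally=True)
        print(name, alert["severity"], alert["sensitive_items"],
              alert["high_confidence_items"])
```

The build-log sample passes the checksum but has no supporting keywords, so it surfaces as a Low alert with zero high-confidence items, which is the kind of match a reviewer would close as a false positive.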


Reviewing DLP Alerts

Administrators review alerts in the Microsoft Purview portal.

The alert dashboard allows administrators to:

  • View all active alerts
  • Filter alerts
  • Search alerts
  • Sort by severity
  • Review alert details
  • Assign alerts
  • Track investigation status

Information Available During Investigation

Selecting an alert provides additional information.

Examples include:

User Information

  • Username
  • Department
  • Device
  • Location

Activity Timeline

Investigators can review:

  • File creation
  • Downloads
  • Sharing
  • Email activity
  • Printing
  • USB transfers

Policy Information

The alert identifies:

  • Which DLP policy triggered
  • Which rule matched
  • Sensitive information detected
  • Confidence level

File Details

Investigators may see:

  • File name
  • Location
  • File owner
  • Label applied
  • Number of sensitive items detected

Responding to DLP Alerts

After reviewing an alert, administrators choose an appropriate response.

Possible actions include:

Close the Alert

Close the alert if the activity is determined to be legitimate or a false positive.


Investigate Further

Review:

  • User behavior
  • Related alerts
  • Audit logs
  • Endpoint activities

Escalate

Escalate high-risk alerts to:

  • Security teams
  • Compliance officers
  • Legal departments
  • Human Resources

Adjust Policies

If alerts indicate:

  • Too many false positives
  • Policy gaps
  • Incorrect thresholds

Administrators can modify DLP policies accordingly.


Educate Users

Many violations are accidental.

Organizations often:

  • Notify users
  • Provide training
  • Improve awareness

User Notifications (Policy Tips)

Instead of immediately blocking users, DLP can display Policy Tips.

Policy Tips inform users that:

  • Sensitive information was detected
  • Their action violates policy
  • They should modify their behavior

Examples include:

  • “This email contains confidential information.”
  • “Sharing this document externally violates company policy.”

Policy Tips reduce accidental violations.


Alert Lifecycle

A typical DLP alert progresses through several stages.

  1. Sensitive data is detected.
  2. DLP policy evaluates the activity.
  3. Alert is generated.
  4. Administrator reviews the alert.
  5. Investigation begins.
  6. Response action is taken.
  7. Alert is closed.

Integration with Microsoft Purview Solutions

DLP works closely with other Microsoft Purview capabilities.

Microsoft Purview Information Protection

Sensitivity labels provide additional context for DLP decisions.

Example:

A “Highly Confidential” document shared externally generates a higher-priority alert.


Microsoft Purview Insider Risk Management

Repeated DLP violations can contribute to insider risk investigations.

Example:

An employee repeatedly emailing confidential documents externally may trigger both DLP and Insider Risk Management alerts.


Microsoft Purview Audit

Audit logs provide additional evidence.

Investigators can review:

  • File access
  • Sharing history
  • Administrative changes
  • User activities

Microsoft Purview Compliance Manager

Compliance Manager helps organizations improve their compliance posture by recommending controls that reduce DLP-related risks.


Integration with Microsoft Defender

DLP integrates with Microsoft Defender solutions.

Examples include:

  • Endpoint DLP
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud Apps

These integrations provide additional context, including:

  • Device information
  • Endpoint activities
  • Application usage
  • USB activity
  • Browser uploads

Common DLP Alert Scenarios

Scenario 1

A user emails a spreadsheet containing hundreds of customer credit card numbers to a personal Gmail account.

Result:

A High severity DLP alert is generated.


Scenario 2

An employee uploads payroll records to an unauthorized cloud storage provider.

Result:

A DLP alert identifies unauthorized data movement.


Scenario 3

A contractor copies confidential engineering documents onto a USB drive.

Result:

Endpoint DLP generates an alert.


Scenario 4

A user attempts to publicly share a SharePoint folder containing confidential HR records.

Result:

The sharing attempt triggers a DLP alert.


Best Practices

Organizations should:

  • Create well-designed DLP policies
  • Use sensitivity labels
  • Enable Policy Tips
  • Review alerts regularly
  • Prioritize High severity alerts
  • Investigate repeated violations
  • Reduce false positives through policy tuning
  • Integrate DLP with Insider Risk Management
  • Monitor trends over time
  • Train users on proper data handling

Exam Tips

For the AB-900 exam, remember the following:

  • DLP alerts are generated when users violate DLP policies.
  • Alerts help administrators detect potential data leakage.
  • Alerts contain details about users, files, policies, and detected sensitive information.
  • Severity levels help prioritize investigations.
  • Administrators can investigate, escalate, close, or remediate alerts.
  • DLP integrates with Microsoft Purview Information Protection, Insider Risk Management, Audit, Compliance Manager, and Microsoft Defender.
  • Policy Tips help reduce accidental policy violations.
  • Endpoint DLP extends protection to Windows devices.

10 Practice Exam Questions

Question 1

A user attempts to email a document containing multiple credit card numbers to an external recipient. A Microsoft Purview DLP policy blocks the email.

What additional action can the policy perform?

A. Remove the user’s Microsoft 365 license

B. Disable the user’s account

C. Delete the user’s mailbox

D. Automatically create a DLP alert for administrators

Correct Answer: D

Explanation: DLP policies can generate alerts whenever sensitive information triggers configured policy rules, allowing administrators to investigate the incident.


Question 2

Which information is typically included in a Microsoft Purview DLP alert?

A. The organization’s annual revenue

B. The user involved, policy triggered, sensitive information detected, and activity details

C. The user’s payroll information

D. The organization’s Active Directory schema

Correct Answer: B

Explanation: DLP alerts include detailed information such as the user, file, policy, rule, sensitive information detected, and the action that triggered the alert.


Question 3

An administrator wants to focus first on the most critical potential data leakage incidents.

Which alert characteristic should they prioritize?

A. Oldest alert

B. Alphabetical order

C. Alert severity

D. File size

Correct Answer: C

Explanation: Alert severity (Low, Medium, High) helps administrators prioritize investigations based on potential business impact.


Question 4

What is the primary purpose of Policy Tips in Microsoft Purview DLP?

A. Replace DLP policies

B. Notify users that their actions may violate data protection policies

C. Automatically encrypt all files

D. Prevent administrators from reviewing alerts

Correct Answer: B

Explanation: Policy Tips educate users in real time about potential policy violations, reducing accidental exposure of sensitive information.


Question 5

Which Microsoft Purview solution commonly works with DLP by applying sensitivity labels to documents?

A. Microsoft Purview Information Protection

B. Microsoft Intune

C. Microsoft Planner

D. Microsoft Bookings

Correct Answer: A

Explanation: Information Protection applies sensitivity labels that DLP can use when evaluating and protecting sensitive content.


Question 6

What is an appropriate response after reviewing a DLP alert that is determined to be a false positive?

A. Delete the user’s Microsoft account

B. Close the alert and, if necessary, refine the DLP policy

C. Block all external email permanently

D. Remove all DLP policies

Correct Answer: B

Explanation: Administrators should close false-positive alerts and may adjust policy conditions to reduce unnecessary alerts.


Question 7

Which scenario is most likely to generate a High severity DLP alert?

A. A user changes their Teams profile picture

B. A user updates a calendar meeting

C. A user downloads a public marketing brochure

D. A user sends a file containing hundreds of customer Social Security numbers to a personal email account

Correct Answer: D

Explanation: Attempting to send large amounts of highly sensitive personal information externally is a common High severity DLP event.


Question 8

Which Microsoft solution provides additional endpoint information, such as USB activity, that can complement DLP investigations?

A. Microsoft Defender for Endpoint

B. Microsoft Word

C. Microsoft Visio

D. Microsoft Lists

Correct Answer: A

Explanation: Microsoft Defender for Endpoint provides endpoint telemetry that enhances DLP investigations, especially for Endpoint DLP scenarios.


Question 9

What is the first event that typically occurs in the DLP alert lifecycle?

A. An administrator closes the alert

B. A DLP policy detects sensitive information during a monitored user activity

C. Human Resources opens an investigation

D. The user account is suspended

Correct Answer: B

Explanation: The process begins when DLP identifies sensitive information and evaluates the activity against configured policies. If a violation is detected, an alert can be generated.


Question 10

Why would an organization integrate Microsoft Purview Insider Risk Management with DLP?

A. To replace all DLP policies

B. To reduce Microsoft 365 licensing costs

C. To correlate repeated DLP violations with broader patterns of risky user behavior

D. To manage Windows software updates

Correct Answer: C

Explanation: Insider Risk Management can use repeated DLP incidents as signals when identifying users who may present elevated insider risks, helping investigators understand behavior patterns rather than isolated events.



Identify risks by using Microsoft Purview Insider Risk Management (AB-900 Exam Prep)


Introduction

Microsoft Purview Insider Risk Management (IRM) helps organizations detect, investigate, and respond to insider risks before they result in significant business damage. Unlike external cyberattacks, insider risks originate from individuals who already have authorized access to organizational resources. These individuals may intentionally misuse data or unintentionally expose sensitive information through careless actions.

For the AB-900 exam, you should understand:

  • What Insider Risk Management is
  • The types of risks it helps identify
  • The components used to detect insider risks
  • How risk indicators and policies work
  • How investigations are performed
  • How Insider Risk Management integrates with other Microsoft 365 security solutions
  • Common use cases

What Is Microsoft Purview Insider Risk Management?

Microsoft Purview Insider Risk Management is a Microsoft Purview solution that uses machine learning, analytics, user activity signals, and built-in privacy protections to identify potentially risky user behavior.

Its purpose is not to assume users are malicious. Instead, it identifies behaviors that could indicate:

  • Data theft
  • Intellectual property loss
  • Security violations
  • Compliance violations
  • Accidental data exposure
  • Policy violations

The solution helps security, compliance, HR, and legal teams investigate suspicious activities while respecting employee privacy.


What Is an Insider Risk?

An insider risk is any situation where someone with legitimate access to organizational systems creates risk for the organization.

Examples include:

  • An employee downloading thousands of confidential files before resigning
  • A contractor copying customer information to a USB drive
  • A user emailing sensitive documents to a personal email account
  • An employee sharing confidential information through unauthorized cloud storage
  • A user repeatedly accessing data unrelated to their job responsibilities

Not every insider risk is malicious.

Many incidents are accidental.

Examples include:

  • Sending confidential files to the wrong recipient
  • Uploading sensitive documents to public cloud storage
  • Accidentally sharing confidential Teams files

Types of Insider Risks

Microsoft categorizes insider risks into several common scenarios.

Data Theft

Occurs when users attempt to remove valuable organizational information.

Examples include:

  • Downloading confidential files
  • Copying files to USB devices
  • Printing sensitive documents
  • Emailing proprietary information externally

Data Leakage

Sensitive information leaves the organization unintentionally.

Examples include:

  • Uploading files to personal cloud storage
  • Sending confidential documents externally
  • Sharing protected files publicly

Security Policy Violations

Users violate established organizational security rules.

Examples include:

  • Disabling security controls
  • Using unauthorized applications
  • Circumventing compliance policies

Compliance Violations

Employees violate legal or regulatory requirements.

Examples include:

  • Sharing regulated financial records
  • Mishandling healthcare information
  • Improperly accessing customer records

Departing Employee Risks

A common scenario involves employees preparing to leave the organization.

Potential indicators include:

  • Large file downloads
  • Increased file copying
  • Unusual external sharing
  • Mass printing
  • Accessing previously unused repositories

How Insider Risk Management Works

Insider Risk Management follows a multi-stage process.

Step 1: Collect Activity Signals

Microsoft collects activity information from supported Microsoft 365 services.

Examples include:

  • SharePoint Online
  • OneDrive
  • Exchange Online
  • Microsoft Teams
  • Microsoft Defender
  • Microsoft Entra ID
  • Endpoint activity
  • Microsoft Defender for Endpoint

Step 2: Analyze User Activity

Machine learning compares current activity against:

  • Normal behavior
  • Organizational policies
  • Risk indicators
  • User context

This reduces false positives.


Step 3: Generate Risk Alerts

If suspicious behavior exceeds configured thresholds:

  • An alert is created.
  • The alert receives a severity level.
  • Investigators can review supporting evidence.

Step 4: Investigate

Compliance administrators review:

  • Timeline of events
  • User activities
  • File operations
  • Email actions
  • Device activities
  • Related alerts

Step 5: Respond

Possible actions include:

  • Escalating investigations
  • Assigning cases
  • Collecting evidence
  • Alerting management
  • Applying additional protections
  • Closing false positives

Risk Indicators

Risk indicators are behaviors that contribute to a user’s overall risk score.

Examples include:

File Activities

  • Downloading files
  • Deleting files
  • Printing documents
  • Copying files
  • Uploading files

Email Activities

  • Sending attachments externally
  • Forwarding confidential emails
  • Mass emailing sensitive information

Device Activities

  • USB device usage
  • File transfers
  • Printing
  • Local file copying

Collaboration Activities

  • Sharing Teams files externally
  • Creating anonymous sharing links
  • Public document sharing

User Behavior

Examples include:

  • Working unusual hours
  • Accessing unusual locations
  • Accessing excessive numbers of files
  • Sudden changes in behavior

Insider Risk Policies

Policies determine:

  • Which users are monitored
  • What behaviors are evaluated
  • Alert thresholds
  • Investigation rules

Policies are based on templates.

Common templates include:

  • Data leaks
  • Data theft
  • Security policy violations
  • Departing employees
  • Risky browser usage
  • Priority user monitoring

Policies allow organizations to customize detection based on their business needs.


Risk Scores

Each user activity contributes to a risk score.

Higher scores indicate more concerning activity.

Factors influencing scores include:

  • Number of risky actions
  • Severity of activities
  • Frequency
  • Historical behavior
  • Machine learning analysis

Risk scores help investigators prioritize the most serious incidents.
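How a baseline, indicator weights, and thresholds combine into a score and an alert, as an added Python sketch that is not from the original post: plain arithmetic stands in for the machine learning Insider Risk Management uses, and it is not Microsoft's scoring model. The weights, label multipliers, thresholds, pseudonymized user names and activity events are all constructed assumptions.

```python
from collections import defaultdict

# Assumed weights: how concerning one unit of each activity is.
INDICATOR_WEIGHT = {"file_download": 1.0, "usb_copy": 3.0,
                    "external_email_attachment": 2.0, "print": 1.0}
# Assumed multipliers: sensitivity labels add context to each activity.
LABEL_MULTIPLIER = {"Public": 0.0, "General": 0.5,
                    "Confidential": 1.0, "Highly Confidential": 2.0}
# Assumed policy thresholds, highest first.
SEVERITY_THRESHOLDS = [(200.0, "High"), (50.0, "Medium"), (10.0, "Low")]


def risk_score(events, user, history_days, current_day):
    """Score today's activity by how far it exceeds the user's own baseline."""
    hist_total = defaultdict(int)        # activity -> count over the history window
    today_total = defaultdict(int)       # activity -> count today
    today_weighted = defaultdict(float)  # activity -> label-weighted count today
    for day, who, activity, label, count in events:
        if who != user:
            continue
        if day in history_days:
            hist_total[activity] += count
        elif day == current_day:
            today_total[activity] += count
            today_weighted[activity] += count * LABEL_MULTIPLIER[label]
    score = 0.0
    for activity, total in today_total.items():
        if total == 0:
            continue
        baseline = hist_total[activity] / len(history_days)  # normal daily volume
        excess = max(0.0, total - baseline)                  # only unusual volume counts
        label_factor = today_weighted[activity] / total      # average sensitivity today
        score += excess * INDICATOR_WEIGHT[activity] * label_factor
    return score


def evaluate_user(events, user, history_days, current_day):
    """Return an alert when the score crosses a threshold, otherwise None."""
    score = risk_score(events, user, history_days, current_day)
    for threshold, severity in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return {"user": user, "risk_score": score, "severity": severity}
    return None


# Constructed events: (day, pseudonymized user, activity, label, count).
HISTORY_DAYS = range(1, 6)
EVENTS = []
for _day in HISTORY_DAYS:
    EVENTS.append((_day, "user-7f3a", "file_download", "General", 10))
    EVENTS.append((_day, "user-c41e", "file_download", "Confidential", 40))
EVENTS += [
    (6, "user-7f3a", "file_download", "Highly Confidential", 60),
    (6, "user-7f3a", "usb_copy", "Highly Confidential", 20),
    (6, "user-c41e", "file_download", "Confidential", 45),
]

if __name__ == "__main__":
    for u in ("user-7f3a", "user-c41e"):
        print(u, risk_score(EVENTS, u, HISTORY_DAYS, 6),
              evaluate_user(EVENTS, u, HISTORY_DAYS, 6))
```

The second user downloads 45 files on day 6 and raises no alert because that is close to their usual 40 per day, while the first user's jump in volume, label sensitivity and USB use crosses the High threshold.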


Alerts

When policy thresholds are exceeded, alerts are created.

Alerts typically include:

  • User involved
  • Policy triggered
  • Activity timeline
  • Risk level
  • Supporting evidence
  • Recommended investigation steps

Alert severity may include:

  • Low
  • Medium
  • High
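
The relationship between risk indicators, risk scores, thresholds and alerts described above can be sketched as detection logic. This is an added example, not from the original post and not Microsoft's scoring algorithm: the weights, label multipliers, burst rule, thresholds and event records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# All values below are assumptions for illustration; they are not the
# weights or thresholds used by Insider Risk Management.
INDICATOR_WEIGHT = {            # severity of each activity type
    "file_download": 1,
    "usb_copy": 3,
    "external_email_attachment": 3,
    "anonymous_link_created": 4,
}
LABEL_MULTIPLIER = {            # context from the item's sensitivity label
    "Public": 0, "General": 1, "Confidential": 3, "Highly Confidential": 5,
}
BURST_FACTOR = 3                # a day is a burst when events > 3x the daily baseline
SEVERITY_THRESHOLDS = [(100, "High"), (50, "Medium"), (20, "Low")]


@dataclass(frozen=True)
class Event:
    user: str
    day: str        # ISO date
    activity: str   # a key of INDICATOR_WEIGHT
    label: str      # sensitivity label on the item involved


def risk_scores(events, baseline):
    """Return {user: score}; baseline maps user -> typical events per day."""
    per_day = defaultdict(list)
    for e in events:
        per_day[(e.user, e.day)].append(e)

    scores = defaultdict(int)
    for (user, _day), day_events in per_day.items():
        # Number and severity of risky actions, weighted by label sensitivity.
        day_score = sum(
            INDICATOR_WEIGHT.get(e.activity, 0) * LABEL_MULTIPLIER.get(e.label, 1)
            for e in day_events
        )
        # Frequency against historical behavior: a burst doubles the day's score.
        if len(day_events) > BURST_FACTOR * baseline.get(user, 1):
            day_score *= 2
        scores[user] += day_score
    return dict(scores)


def severity(score):
    """Map a score to an alert severity, or None when below every threshold."""
    for threshold, name in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return name
    return None


def build_alerts(events, baseline, policy="Data leaks"):
    """Create one alert per user whose score crosses a threshold, highest first."""
    alerts = []
    for user, score in risk_scores(events, baseline).items():
        level = severity(score)
        if level is None:
            continue
        timeline = sorted((e.day, e.activity, e.label) for e in events if e.user == user)
        alerts.append({"user": user, "policy": policy, "risk_level": level,
                       "score": score, "timeline": timeline})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample activity and per-user daily baselines.
EVENTS = (
    [Event("alice", "2024-05-01", "file_download", "General")] * 2
    + [Event("bob", "2024-05-02", "file_download", "Highly Confidential")] * 30
    + [Event("bob", "2024-05-02", "usb_copy", "Highly Confidential")]
    + [Event("carol", "2024-05-03", "external_email_attachment", "Confidential")]
    + [Event("carol", "2024-05-03", "file_download", "Confidential")] * 4
)
BASELINE = {"alice": 5, "bob": 4, "carol": 5}

if __name__ == "__main__":
    for alert in build_alerts(EVENTS, BASELINE):
        print(alert["user"], alert["risk_level"], alert["score"])
```

Routine activity on low-sensitivity files stays below every threshold, while a burst of downloads of highly sensitive files far above the user's baseline produces the highest-priority alert.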

Cases

Investigators can promote alerts into investigation cases.

Cases centralize:

  • Evidence
  • User activity
  • Timeline
  • Notes
  • Investigation status
  • Assigned investigators

This allows multiple reviewers to collaborate.


Privacy by Design

Microsoft designed Insider Risk Management with employee privacy in mind.

Privacy protections include:

  • Role-based access control
  • User pseudonymization (where supported)
  • Audit logging
  • Configurable privacy settings
  • Limited investigator access

Organizations control who can view personally identifiable information.


Integration with Microsoft 365 Services

Insider Risk Management integrates with many Microsoft security solutions.

Microsoft Purview Data Loss Prevention (DLP)

Provides sensitivity information about protected files.

Example:

A user emailing a document containing credit card numbers may trigger both DLP and Insider Risk Management.


Microsoft Purview Information Protection

Sensitivity labels provide additional context.

Example:

Downloading dozens of “Highly Confidential” documents creates greater risk than downloading public documents.


Microsoft Defender

Endpoint signals include:

  • USB usage
  • File copying
  • Application activity
  • Device events

These signals improve risk detection.


Microsoft Entra ID

Identity information provides context, including:

  • User identity
  • Sign-in behavior
  • Account changes
  • Risk signals

Microsoft 365 Audit Logs

User activities across Microsoft 365 workloads provide evidence for investigations.


AI and Machine Learning

Machine learning helps reduce false positives by:

  • Understanding normal behavior
  • Detecting unusual activity
  • Correlating multiple signals
  • Prioritizing serious incidents

This allows investigators to focus on the highest-risk alerts.


Common Use Cases

Protecting Intellectual Property

Identify employees copying engineering documents before leaving the company.


Detecting Insider Data Theft

Identify users downloading large numbers of confidential files.


Monitoring High-Risk Users

Monitor executives or privileged administrators who have access to sensitive information.


Investigating Data Leaks

Determine how confidential information left the organization.


Supporting HR Investigations

Provide evidence when investigating employee misconduct.


Benefits of Insider Risk Management

Organizations benefit by:

  • Detecting insider threats early
  • Protecting confidential information
  • Reducing compliance violations
  • Improving investigations
  • Prioritizing high-risk incidents
  • Using AI to reduce false positives
  • Integrating with Microsoft Purview and Microsoft Defender
  • Supporting regulatory compliance
  • Protecting intellectual property
  • Providing centralized case management

Exam Tips

For the AB-900 exam, remember these key points:

  • Insider Risk Management focuses on user behavior, not external attackers.
  • It detects both malicious and accidental risky activities.
  • Policies determine what activities are monitored.
  • Machine learning helps reduce false positives.
  • Alerts can be promoted into investigation cases.
  • Insider Risk Management integrates with DLP, Information Protection, Microsoft Defender, Microsoft Entra ID, and Microsoft 365 audit logs.
  • Risk scores help prioritize investigations.
  • Privacy protections are built into the solution.

10 Practice Exam Questions

Question 1

An employee uploads several confidential engineering documents to a personal cloud storage account shortly before resigning.

Which Microsoft Purview solution is specifically designed to investigate this type of behavior?

A. Microsoft Purview eDiscovery

B. Microsoft Purview Insider Risk Management

C. Microsoft Defender for Cloud Apps

D. Microsoft Intune

Correct Answer: B

Explanation: Insider Risk Management is specifically designed to identify potentially risky insider behavior such as data theft, data leakage, and activities performed by departing employees.


Question 2

Which activity is most likely to increase a user’s insider risk score?

A. Viewing the company homepage

B. Logging into Microsoft Teams during normal working hours

C. Downloading hundreds of confidential files before leaving the company

D. Changing a desktop wallpaper

Correct Answer: C

Explanation: Large-scale downloads of sensitive information—especially by departing employees—are common indicators of insider risk.


Question 3

What is the primary purpose of Insider Risk Management policies?

A. Encrypt all Microsoft 365 data

B. Replace antivirus software

C. Control Microsoft licensing

D. Define which users, activities, and risk indicators should be monitored

Correct Answer: D

Explanation: Policies specify monitored users, monitored activities, thresholds, and investigation settings.


Question 4

Which Microsoft technology helps Insider Risk Management reduce false positives?

A. Static firewall rules

B. Manual investigations only

C. Machine learning and behavioral analytics

D. Network packet inspection

Correct Answer: C

Explanation: Machine learning evaluates user behavior patterns and distinguishes normal activity from potentially risky behavior.


Question 5

What happens after Insider Risk Management determines that user activity exceeds a configured policy threshold?

A. The user account is automatically deleted.

B. The organization’s Microsoft 365 subscription is suspended.

C. All user devices are immediately wiped.

D. An insider risk alert is generated for investigation.

Correct Answer: D

Explanation: Alerts are created when monitored activities exceed policy thresholds and can later be investigated or promoted into cases.


Question 6

Which Microsoft solution provides endpoint signals such as USB usage and local file copying to Insider Risk Management?

A. Microsoft Defender for Endpoint

B. Microsoft Outlook

C. Microsoft Planner

D. Microsoft Bookings

Correct Answer: A

Explanation: Microsoft Defender for Endpoint supplies valuable endpoint telemetry that strengthens insider risk detection.


Question 7

Which statement best describes Microsoft’s approach to employee privacy within Insider Risk Management?

A. Every administrator automatically sees all employee information.

B. Employee privacy protections such as role-based access and pseudonymization are built into the solution.

C. All investigations are anonymous and cannot identify users.

D. Privacy settings cannot be customized.

Correct Answer: B

Explanation: Insider Risk Management incorporates privacy-by-design principles, including role-based access, pseudonymization where supported, and configurable privacy controls.


Question 8

Which scenario is an example of an accidental insider risk?

A. A hacker exploits an internet-facing server.

B. An attacker launches a ransomware attack.

C. An employee mistakenly emails confidential information to the wrong external recipient.

D. A distributed denial-of-service (DDoS) attack targets a website.

Correct Answer: C

Explanation: Insider risks include accidental actions, such as unintentionally sharing sensitive information with unauthorized recipients.


Question 9

What information helps investigators prioritize which alerts should be reviewed first?

A. The user’s mailbox size

B. Microsoft licensing level

C. The user’s department name

D. The insider risk score and alert severity

Correct Answer: D

Explanation: Risk scores and alert severity help investigators focus on the most significant potential threats first.


Question 10

Which Microsoft Purview capability most directly complements Insider Risk Management by identifying and protecting sensitive content through labeling?

A. Microsoft Purview Information Protection

B. Microsoft Exchange Online Protection

C. Microsoft Intune

D. Windows Firewall

Correct Answer: A

Explanation: Microsoft Purview Information Protection classifies and labels sensitive information. Those labels provide valuable context that Insider Risk Management can use when assessing the risk associated with user activities.



Identify sensitive information by using Microsoft Purview Data Explorer (AB-900 Exam Prep)


Introduction

As organizations increasingly rely on Microsoft 365 and Microsoft 365 Copilot, understanding where sensitive information resides has become a critical governance and security requirement. Sensitive data such as credit card numbers, Social Security numbers, health records, financial information, intellectual property, and confidential business documents can create significant compliance and security risks if not properly managed.

Microsoft Purview Data Explorer helps organizations discover, analyze, and understand sensitive information stored across Microsoft 365 services. It provides visibility into the location, volume, and classification of sensitive data, enabling administrators to make informed decisions about data protection, governance, compliance, and Copilot readiness.

For the AB-900 exam, you should understand the purpose of Data Explorer, how it identifies sensitive information, the types of information it can discover, and how organizations use its insights to reduce compliance and governance risks.


What Is Microsoft Purview Data Explorer?

Microsoft Purview Data Explorer is a reporting and investigation tool within Microsoft Purview that helps administrators visualize and analyze sensitive data across Microsoft 365 environments.

Data Explorer enables organizations to:

  • Discover sensitive information
  • Understand where sensitive data is stored
  • Analyze data classification results
  • Identify compliance risks
  • Support data governance initiatives
  • Validate Microsoft Purview policy effectiveness
  • Improve Microsoft 365 Copilot readiness

Rather than protecting data directly, Data Explorer provides visibility into an organization’s data landscape so administrators can take appropriate actions.


Why Data Discovery Is Important

Organizations often accumulate large amounts of data over time. Without visibility into that data, administrators may not know:

  • What sensitive information exists
  • Where the information is stored
  • Who has access to it
  • Whether it is properly protected
  • Whether regulatory requirements are being met

For example:

  • Customer records may contain personally identifiable information (PII).
  • Financial documents may contain account numbers.
  • Healthcare records may contain protected health information (PHI).
  • Contracts may contain confidential business information.

Data Explorer helps identify these risks before they become security or compliance issues.


How Data Explorer Works

Data Explorer analyzes Microsoft 365 content using classification technologies available in Microsoft Purview.

The system scans content stored in supported locations and identifies:

  • Sensitive information types
  • Sensitivity labels
  • Trainable classifiers
  • Retention labels
  • Data classifications

The results are then presented through visual dashboards and detailed reports.

Administrators can use these reports to understand the organization’s sensitive data footprint.


Data Sources Analyzed by Data Explorer

Data Explorer can analyze content across Microsoft 365 services, including:

SharePoint Online

Examples:

  • Documents
  • Team sites
  • Department sites
  • Project repositories

OneDrive for Business

Examples:

  • Personal work files
  • Shared documents
  • Business records

Exchange Online

Examples:

  • Email messages
  • Attachments
  • Mailbox content

Microsoft Teams

Examples:

  • Shared files
  • Team documents
  • Collaboration content

These locations often contain the information that Microsoft 365 Copilot accesses when generating responses.


Sensitive Information Types (SITs)

One of the primary ways Data Explorer identifies sensitive information is through Sensitive Information Types (SITs).

Sensitive Information Types are predefined patterns that identify specific categories of sensitive data.

Examples include:

  • Social Security Numbers
  • Credit Card Numbers
  • Driver’s License Numbers
  • Passport Numbers
  • Tax Identification Numbers
  • Bank Account Numbers
  • Healthcare Information

Microsoft provides hundreds of built-in sensitive information types.

Organizations can also create custom sensitive information types.
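
To show what pattern-based detection involves, the following added example (not from the original post and not Microsoft's implementation) mimics a credit card detector: a regular expression finds candidate numbers, a Luhn checksum discards digit runs that only look like card numbers, and nearby keywords raise the confidence. The keyword list, window size, confidence names and sample documents are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate pattern: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Assumed supporting keywords and proximity window (illustrative values only).
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "cvv", "expiry")
WINDOW = 100  # characters inspected on each side of a candidate


@dataclass
class Detection:
    masked: str       # value with all but the last four digits hidden
    offset: int       # position of the match in the text
    confidence: str   # "high" when supporting keywords are nearby, else "low"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never report the full value; keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str):
    """Return a Detection for every checksum-valid candidate in the text."""
    lowered = text.lower()
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # looks like a card number but fails the checksum
        context = lowered[max(0, m.start() - WINDOW): m.end() + WINDOW]
        confidence = "high" if any(k in context for k in KEYWORDS) else "low"
        found.append(Detection(mask(digits), m.start(), confidence))
    return found


def scan_documents(docs):
    """Map each document name to its detections."""
    return {name: find_card_numbers(text) for name, text in docs.items()}


# Constructed sample content; the card numbers are well-known test values.
SAMPLE_DOCS = {
    "invoice.txt": "Payment received by credit card 4111 1111 1111 1111, expiry 09/27.",
    "shipping.txt": "Tracking reference 1234567890123456 left the depot on Monday.",
    "notes.txt": "Ref 5555-5555-5555-4444, see attachment for details.",
}

if __name__ == "__main__":
    for name, detections in scan_documents(SAMPLE_DOCS).items():
        print(name, [(d.masked, d.confidence) for d in detections])
```

The 16-digit tracking reference is rejected by the checksum, which is why a detector built on more than a bare digit pattern produces fewer false positives.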


Trainable Classifiers

Data Explorer can also identify information using trainable classifiers.

Unlike pattern matching, trainable classifiers use machine learning to recognize content based on context.

Examples include:

  • Resumes
  • Contracts
  • Invoices
  • Financial documents
  • Source code
  • Intellectual property

This helps organizations classify content that may not contain obvious patterns such as account numbers or IDs.


Sensitivity Labels and Data Explorer

Organizations often use sensitivity labels to classify and protect information.

Examples of labels include:

  • Public
  • General
  • Confidential
  • Highly Confidential

Data Explorer can show:

  • Which files have sensitivity labels
  • Label distribution across the organization
  • Unlabeled sensitive content
  • Areas where additional labeling may be needed

This visibility helps improve data governance and security.


Retention Labels and Data Explorer

Retention labels determine how long content should be retained and when it should be deleted.

Data Explorer can help organizations understand:

  • Which files have retention labels
  • Which files lack retention labels
  • Data that may require retention controls
  • Potential records management gaps

Data Classification Overview

Data classification is the process of identifying and categorizing information according to its sensitivity and business value.

Data Explorer supports classification efforts by helping organizations:

  • Locate sensitive data
  • Understand risk exposure
  • Apply appropriate protections
  • Improve compliance programs

The classification process typically includes:

  1. Discover data
  2. Classify data
  3. Protect data
  4. Monitor data
  5. Govern data

Data Explorer primarily supports the discovery and analysis phases.


Visualizations and Reporting

Data Explorer provides dashboards and reports that help administrators quickly understand sensitive data trends.

Reports can show:

  • Number of sensitive items
  • Sensitive information types detected
  • Label usage
  • Data locations
  • Content trends
  • Classification coverage

These visualizations help administrators identify areas requiring additional protection.


Data Explorer and Microsoft 365 Copilot

Data Explorer plays an important role in Copilot readiness assessments.

Because Microsoft 365 Copilot uses existing permissions and accesses organizational data through Microsoft Graph, organizations should understand what data exists before deploying Copilot broadly.

Data Explorer helps identify:

  • Overexposed sensitive data
  • Unclassified content
  • Excessively shared files
  • Confidential documents lacking protection
  • Data governance gaps

Administrators can use these insights to improve security before expanding Copilot adoption.


Common Governance Risks Identified by Data Explorer

Unlabeled Sensitive Data

Sensitive documents may exist without sensitivity labels.

Risk:

  • Users may accidentally share confidential information.

Recommended Action:

  • Apply sensitivity labels.

Excessive Data Exposure

Sensitive files may be accessible to too many users.

Risk:

  • Unauthorized access.

Recommended Action:

  • Review permissions and sharing settings.

Missing Retention Controls

Important records may lack retention policies.

Risk:

  • Regulatory violations.

Recommended Action:

  • Implement retention labels and policies.

Sensitive Data in Unexpected Locations

Data may be stored outside approved repositories.

Risk:

  • Governance challenges.

Recommended Action:

  • Review storage practices and apply controls.
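
The four risks above can be checked mechanically once item-level classification data is available. The following added example (not from the original post) applies them to a constructed inventory and ranks locations by number of findings; the record fields, approved locations, audience limit and sample items are assumptions and do not represent a Data Explorer export format.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

APPROVED_LOCATIONS = {"sites/Finance", "sites/HR"}  # assumed approved repositories
MAX_AUDIENCE = 25  # assumed number of users beyond which access counts as excessive

# Risk -> recommended action, as listed in the section above.
ACTIONS = {
    "Unlabeled Sensitive Data": "Apply sensitivity labels.",
    "Excessive Data Exposure": "Review permissions and sharing settings.",
    "Missing Retention Controls": "Implement retention labels and policies.",
    "Sensitive Data in Unexpected Locations": "Review storage practices and apply controls.",
}


@dataclass
class Item:
    path: str
    location: str
    sit_hits: List[str]                      # sensitive information types detected
    sensitivity_label: Optional[str] = None
    retention_label: Optional[str] = None
    users_with_access: int = 1
    is_record: bool = False                  # assumed flag for important records


def assess(item: Item) -> List[str]:
    """Return the governance risks that apply to one item."""
    sensitive = bool(item.sit_hits)
    findings = []
    if sensitive and item.sensitivity_label is None:
        findings.append("Unlabeled Sensitive Data")
    # Broad access only matters here when the content is sensitive.
    if sensitive and item.users_with_access > MAX_AUDIENCE:
        findings.append("Excessive Data Exposure")
    if item.is_record and item.retention_label is None:
        findings.append("Missing Retention Controls")
    if sensitive and item.location not in APPROVED_LOCATIONS:
        findings.append("Sensitive Data in Unexpected Locations")
    return findings


def triage(items):
    """Return (findings per item path, locations ranked by number of findings)."""
    per_item = {i.path: assess(i) for i in items}
    by_location = Counter()
    for i in items:
        by_location[i.location] += len(per_item[i.path])
    ranked = [loc for loc, count in by_location.most_common() if count]
    return per_item, ranked


# Constructed inventory for illustration.
INVENTORY = [
    Item("sites/Finance/q3-cards.xlsx", "sites/Finance", ["Credit Card Numbers"],
         "Confidential", "Finance-7y", users_with_access=8, is_record=True),
    Item("sites/Marketing/leads-export.csv", "sites/Marketing",
         ["Credit Card Numbers", "Social Security Numbers"], users_with_access=140),
    Item("sites/HR/offer-2024.docx", "sites/HR", ["Social Security Numbers"],
         "Highly Confidential", None, users_with_access=5, is_record=True),
    Item("sites/Marketing/brochure.pdf", "sites/Marketing", [], users_with_access=300),
]

if __name__ == "__main__":
    findings, ranked = triage(INVENTORY)
    for path, risks in findings.items():
        for risk in risks:
            print(f"{path}: {risk} -> {ACTIONS[risk]}")
    print("Review order:", ranked)
```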

Relationship with Other Microsoft Purview Solutions

Data Explorer works alongside other Microsoft Purview solutions.

Information Protection

Provides:

  • Sensitivity labels
  • Encryption
  • Classification

Data Explorer shows where protected and unprotected content exists.


Data Loss Prevention (DLP)

Provides:

  • Policy enforcement
  • Data movement restrictions

Data Explorer helps identify data that may require DLP protection.


Insider Risk Management

Provides:

  • Risk detection
  • Insider threat analysis

Data Explorer helps identify sensitive data that could be targeted.


Compliance Manager

Provides:

  • Compliance assessments
  • Risk reduction recommendations

Data Explorer provides visibility into the data that compliance programs are designed to protect.


Benefits of Using Data Explorer

Organizations use Data Explorer to:

  • Discover sensitive information
  • Improve data governance
  • Support regulatory compliance
  • Prepare for Copilot deployment
  • Validate classification strategies
  • Identify protection gaps
  • Reduce organizational risk
  • Improve visibility into data assets

Key Exam Tips

For the AB-900 exam, remember the following:

  • Data Explorer helps organizations discover and analyze sensitive information.
  • It provides visibility into sensitive data locations across Microsoft 365.
  • Sensitive Information Types identify structured sensitive data such as Social Security numbers and credit card numbers.
  • Trainable classifiers identify content based on context and machine learning.
  • Data Explorer supports governance, compliance, and Copilot readiness initiatives.
  • It helps identify unlabeled, unprotected, or overexposed sensitive information.
  • Data Explorer is primarily a discovery and analysis tool, not a protection or enforcement tool.
  • Data Explorer works with sensitivity labels, retention labels, DLP, and other Microsoft Purview solutions.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Data Explorer?

A. Generate AI responses for users

B. Discover and analyze sensitive information across Microsoft 365

C. Encrypt all organizational files

D. Replace Microsoft Defender

Answer: B

Explanation: Data Explorer is designed to help organizations discover, analyze, and understand sensitive information stored across Microsoft 365 services.


Question 2

Which Microsoft 365 service can be analyzed by Data Explorer?

A. SharePoint Online

B. Windows Server

C. Hyper-V

D. Microsoft Intune only

Answer: A

Explanation: Data Explorer can analyze content stored in SharePoint Online, OneDrive, Exchange Online, Teams, and other supported Microsoft 365 locations.


Question 3

What is a Sensitive Information Type (SIT)?

A. A method for creating Teams meetings

B. A licensing model for Microsoft Purview

C. A predefined pattern used to identify sensitive information

D. A backup technology

Answer: C

Explanation: Sensitive Information Types are predefined detectors that identify sensitive data such as Social Security numbers and credit card numbers.


Question 4

Which technology helps identify content such as contracts and resumes using context rather than pattern matching?

A. DLP policies

B. Retention labels

C. Sensitivity labels

D. Trainable classifiers

Answer: D

Explanation: Trainable classifiers use machine learning and contextual analysis to identify document types such as contracts, resumes, and invoices.


Question 5

An administrator wants to determine whether confidential files lack sensitivity labels. Which tool should they use?

A. Microsoft Planner

B. Microsoft Lists

C. Microsoft Purview Data Explorer

D. Microsoft Whiteboard

Answer: C

Explanation: Data Explorer can identify sensitive content and show whether appropriate sensitivity labels have been applied.


Question 6

Which statement best describes Data Explorer?

A. It automatically blocks all file sharing.

B. It discovers and reports on sensitive information.

C. It replaces retention policies.

D. It automatically deletes noncompliant content.

Answer: B

Explanation: Data Explorer focuses on visibility and analysis rather than directly enforcing protection actions.


Question 7

Why is Data Explorer valuable before deploying Microsoft 365 Copilot broadly?

A. It upgrades Copilot licenses.

B. It improves Teams meeting quality.

C. It increases mailbox storage.

D. It helps identify sensitive or overexposed data that Copilot could potentially access.

Answer: D

Explanation: Understanding data exposure and classification gaps helps organizations prepare for secure Copilot adoption.


Question 8

Which item would most likely be identified through a built-in Sensitive Information Type?

A. A company strategy presentation

B. A software design diagram

C. A credit card number

D. A project timeline

Answer: C

Explanation: Sensitive Information Types are designed to detect structured data such as credit card numbers, passport numbers, and Social Security numbers.


Question 9

What governance risk might Data Explorer help identify?

A. Unlabeled sensitive documents

B. Printer driver issues

C. Network latency

D. Browser compatibility problems

Answer: A

Explanation: Data Explorer helps identify sensitive content that lacks classification or protection controls.


Question 10

How does Data Explorer support data governance?

A. By replacing all security controls

B. By automatically enforcing compliance regulations

C. By eliminating the need for sensitivity labels

D. By providing visibility into sensitive data and classification coverage

Answer: D

Explanation: Data Explorer supports governance efforts by helping organizations understand where sensitive information exists and whether appropriate classifications and protections are in place.


Exam Summary

Microsoft Purview Data Explorer is a discovery and analysis tool that helps organizations identify sensitive information across Microsoft 365. It uses Sensitive Information Types, trainable classifiers, sensitivity labels, and retention labels to provide visibility into data risks and governance gaps. Data Explorer is particularly important for compliance initiatives and Microsoft 365 Copilot readiness because it helps organizations understand what sensitive information exists, where it is stored, and whether it is properly protected. Understanding how Data Explorer identifies and reports sensitive information is an important objective for the AB-900 certification exam.



Identify compliance risks and recommendations by using Microsoft Purview Compliance Manager (AB-900 Exam Prep)


Introduction

Organizations today face increasing regulatory and compliance requirements related to data privacy, security, records management, and governance. Regulations such as GDPR, HIPAA, ISO 27001, NIST, PCI DSS, and many others require organizations to implement controls that protect sensitive information and demonstrate compliance.

Microsoft Purview Compliance Manager is a solution within Microsoft Purview that helps organizations assess, manage, and improve their compliance posture. It provides a risk-based approach to compliance by measuring how well an organization has implemented controls and by offering actionable recommendations to reduce compliance risks.

For the AB-900 exam, you should understand the purpose of Compliance Manager, how it identifies compliance risks, how compliance scores are calculated, and how organizations can use recommendations to improve their compliance posture.


What Is Microsoft Purview Compliance Manager?

Microsoft Purview Compliance Manager is a compliance management solution that helps organizations:

  • Assess compliance risks
  • Monitor compliance status
  • Track implementation of compliance controls
  • Improve regulatory compliance
  • Generate evidence for audits
  • Prioritize remediation efforts

Compliance Manager translates complex regulatory requirements into manageable improvement actions that administrators can implement within Microsoft 365.

Rather than simply reporting compliance status, Compliance Manager helps organizations actively improve compliance through continuous assessment and risk reduction.


Why Compliance Manager Is Important

Organizations must comply with numerous regulations and standards. Managing compliance manually can be difficult because:

  • Regulations frequently change
  • Multiple frameworks may apply simultaneously
  • Compliance controls span many systems
  • Evidence collection can be time-consuming
  • Auditors require documentation

Compliance Manager helps centralize compliance activities and provides visibility into compliance readiness.

Benefits include:

  • Reduced compliance risk
  • Improved governance
  • Simplified audit preparation
  • Better visibility into regulatory requirements
  • Continuous compliance monitoring
  • Prioritized remediation efforts

Understanding Compliance Risk

Compliance risk refers to the possibility that an organization fails to meet legal, regulatory, or internal policy requirements.

Examples include:

  • Improper handling of personal data
  • Missing security controls
  • Lack of retention policies
  • Inadequate access controls
  • Failure to encrypt sensitive information
  • Insufficient auditing and monitoring

Compliance Manager helps identify these risks by comparing organizational practices against compliance requirements.


Compliance Score

One of the most important concepts in Compliance Manager is the Compliance Score.

The Compliance Score is a measurement that reflects the organization’s progress toward meeting selected compliance requirements.

The score:

  • Is risk-based
  • Measures completed controls
  • Helps prioritize work
  • Changes as actions are completed

A higher score generally indicates that more compliance controls have been implemented.

However, the score does not guarantee compliance with a regulation. It serves as a management tool for tracking progress and reducing risk.


How Compliance Score Is Calculated

Compliance Manager assigns points to improvement actions.

Points are awarded when actions are completed.

Examples of actions include:

  • Enabling multifactor authentication
  • Configuring retention policies
  • Applying sensitivity labels
  • Enabling audit logging
  • Implementing access controls

Higher-risk controls typically receive more points because they contribute more significantly to risk reduction.


Assessments in Compliance Manager

An assessment measures compliance against a specific regulation, standard, or framework.

Examples include:

  • GDPR
  • ISO 27001
  • NIST
  • HIPAA
  • PCI DSS
  • Microsoft Data Protection Baseline

Each assessment contains:

  • Control objectives
  • Improvement actions
  • Testing guidance
  • Documentation requirements
  • Compliance status tracking

Organizations can use multiple assessments simultaneously.


Types of Controls

Compliance Manager evaluates different types of controls.

Microsoft-Managed Controls

These controls are implemented and managed by Microsoft.

Examples include:

  • Physical datacenter security
  • Infrastructure protections
  • Platform-level safeguards

Microsoft provides evidence showing how these controls are implemented.


Customer-Managed Controls

These controls are the responsibility of the organization.

Examples include:

  • MFA configuration
  • Retention policies
  • Access management
  • User training
  • Data classification

Administrators must implement and document these controls.


Shared Controls

Shared controls involve responsibilities divided between Microsoft and the customer.

Examples include:

  • Identity management
  • Security monitoring
  • Data protection configurations

Both parties contribute to compliance.


Improvement Actions

Improvement actions are recommendations that help organizations reduce compliance risk.

An improvement action typically includes:

  • Description of the requirement
  • Implementation guidance
  • Testing procedures
  • Documentation requirements
  • Risk impact

Examples include:

  • Enable multifactor authentication
  • Configure audit logging
  • Apply sensitivity labels
  • Restrict external sharing
  • Implement retention policies
  • Enable Data Loss Prevention policies

Completing improvement actions increases the compliance score.


Recommendations in Compliance Manager

Compliance Manager provides actionable recommendations that help organizations improve compliance.

Recommendations may involve:

Identity Security

Examples:

  • Enable MFA
  • Implement Conditional Access
  • Review privileged accounts
  • Use least-privilege access

Data Protection

Examples:

  • Configure sensitivity labels
  • Encrypt sensitive content
  • Implement DLP policies
  • Protect confidential information

Monitoring and Auditing

Examples:

  • Enable auditing
  • Review activity logs
  • Investigate suspicious behavior
  • Maintain audit records

Information Governance

Examples:

  • Create retention policies
  • Define retention labels
  • Manage records
  • Implement deletion schedules

Testing and Evidence Collection

Compliance Manager supports audit preparation through evidence collection.

Organizations can:

  • Upload documentation
  • Store screenshots
  • Attach policy documents
  • Record test results
  • Maintain audit evidence

This makes audits easier because evidence is stored alongside compliance controls.


Regulatory Templates

Compliance Manager includes built-in templates for many regulations and standards.

Examples include:

  • GDPR
  • HIPAA
  • ISO 27001
  • NIST CSF
  • SOC 2
  • PCI DSS

Templates reduce the effort required to build compliance programs from scratch.


Monitoring Compliance Over Time

Compliance is not a one-time activity.

Compliance Manager supports continuous monitoring by:

  • Tracking score changes
  • Updating assessment status
  • Identifying new risks
  • Monitoring action completion
  • Highlighting outstanding requirements

Organizations can regularly review their compliance posture and address gaps.


Compliance Manager and Microsoft 365 Copilot

As organizations adopt Microsoft 365 Copilot, governance and compliance become increasingly important.

Compliance Manager can help organizations:

  • Evaluate data protection readiness
  • Review access controls
  • Verify sensitivity label deployment
  • Assess retention policies
  • Confirm audit logging is enabled
  • Measure compliance maturity

These controls help ensure Copilot operates within established governance and compliance frameworks.


Key Exam Tips

For the AB-900 exam, remember:

  • Compliance Manager helps assess and improve compliance posture.
  • Compliance Score measures progress toward implementing controls.
  • Improvement actions provide recommendations for reducing risk.
  • Assessments measure compliance against regulations and standards.
  • Controls may be Microsoft-managed, customer-managed, or shared.
  • Compliance Manager supports evidence collection and audit readiness.
  • A higher Compliance Score indicates improved compliance posture but does not guarantee regulatory compliance.
  • Compliance Manager helps organizations identify and prioritize compliance risks.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Compliance Manager?

A. Create SharePoint sites automatically

B. Assess and improve an organization’s compliance posture

C. Replace Microsoft Defender

D. Manage Windows updates

Answer: B

Explanation: Compliance Manager helps organizations assess compliance risks, track controls, and improve compliance posture through assessments and recommendations.


Question 2

What does the Compliance Score primarily represent?

A. The number of licensed users

B. The percentage of completed support tickets

C. Progress toward implementing compliance controls

D. The amount of storage consumed

Answer: C

Explanation: Compliance Score measures the organization’s progress in implementing controls that reduce compliance risk.


Question 3

Which type of control is managed entirely by Microsoft?

A. Customer-managed control

B. Shared control

C. Administrative control

D. Microsoft-managed control

Answer: D

Explanation: Microsoft-managed controls are implemented and maintained by Microsoft, such as datacenter security and infrastructure protections.


Question 4

An administrator wants to increase the organization’s Compliance Score. What should they do?

A. Purchase more Microsoft licenses

B. Increase mailbox storage limits

C. Complete improvement actions

D. Delete old assessments

Answer: C

Explanation: Improvement actions contribute points to the Compliance Score and help reduce compliance risk.


Question 5

Which feature helps organizations prepare for audits?

A. Microsoft Forms

B. Evidence collection and documentation storage

C. Viva Engage

D. Power Automate approvals

Answer: B

Explanation: Compliance Manager allows organizations to upload documentation, screenshots, and evidence needed for audits.


Question 6

Which of the following is an example of a customer-managed control?

A. Physical datacenter security

B. Network backbone management

C. Global infrastructure redundancy

D. Configuring multifactor authentication

Answer: D

Explanation: Customers are responsible for implementing controls such as MFA, retention policies, and access controls.


Question 7

What is an assessment in Compliance Manager?

A. A financial audit report

B. A measurement of compliance against a regulation or standard

C. A SharePoint permission review

D. A Microsoft support case

Answer: B

Explanation: Assessments evaluate compliance requirements associated with regulations, standards, or frameworks.


Question 8

Which compliance framework could be evaluated using Compliance Manager?

A. HIPAA

B. DHCP

C. SMTP

D. DNS

Answer: A

Explanation: Compliance Manager includes templates and assessments for frameworks such as HIPAA, GDPR, ISO 27001, and NIST.


Question 9

What is the purpose of improvement actions?

A. To reduce compliance risk and guide remediation efforts

B. To create Teams channels automatically

C. To increase internet bandwidth

D. To manage printer deployments

Answer: A

Explanation: Improvement actions provide guidance for implementing controls that reduce compliance risk and improve compliance posture.


Question 10

Which statement about Compliance Score is correct?

A. A perfect score guarantees regulatory compliance.

B. The score measures storage utilization.

C. The score reflects progress toward implementing compliance controls but does not guarantee compliance.

D. The score only applies to Microsoft-managed controls.

Answer: C

Explanation: Compliance Score is a risk-based measurement of implemented controls and progress, but it does not guarantee compliance with any specific regulation.


Exam Summary

Microsoft Purview Compliance Manager is a risk-based compliance management solution that helps organizations assess regulatory requirements, identify compliance gaps, implement recommended controls, collect audit evidence, and continuously improve compliance posture. Understanding Compliance Score, assessments, improvement actions, and risk reduction recommendations is essential for success on the AB-900 exam and for administering Microsoft 365 and Copilot environments responsibly.



Understand how Copilot uses permissions and other controls in Microsoft 365, Microsoft Purview, and Microsoft Defender to protect against risks (AB-900 Exam Prep)

This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand data security implications of Copilot
      --> Understand how Copilot uses permissions and other controls in Microsoft 365, Microsoft Purview, and Microsoft Defender to protect against risks



Introduction

One of the most important security concepts for the AB-900 exam is understanding how Microsoft 365 Copilot protects organizational data. Because Copilot can access and summarize information from across Microsoft 365, organizations must ensure that sensitive information remains protected and that users only receive information they are authorized to access.

Microsoft 365 Copilot does not operate independently of an organization’s security framework. Instead, it inherits and respects the security, compliance, governance, and protection controls already configured in Microsoft 365. These controls come primarily from:

  • Microsoft 365 permissions
  • Microsoft Entra ID
  • Microsoft Purview
  • Microsoft Defender
  • SharePoint and OneDrive security
  • Teams security controls

Together, these technologies ensure that Copilot delivers useful responses while minimizing the risk of unauthorized access, data leakage, compliance violations, and insider threats.


The Security Foundation of Copilot

Microsoft 365 Copilot is built on three key principles:

  1. Access only authorized data
  2. Respect existing security controls
  3. Apply compliance and governance policies automatically

Copilot does not create new permissions.

Instead, it uses the permissions already assigned to users and resources throughout Microsoft 365.

This means that if a user cannot access a file directly, they also cannot access that file through Copilot.


Permission Trimming: The Core Security Mechanism

The most important security concept related to Copilot is permission trimming.

Permission trimming ensures that Copilot only retrieves information the user is authorized to access.

When a user submits a prompt:

  1. Microsoft Graph searches organizational data.
  2. Existing permissions are evaluated.
  3. Unauthorized content is excluded.
  4. Only authorized information is sent to the large language model.

For example:

  • HR files are accessible only to HR employees.
  • Finance reports are accessible only to finance personnel.
  • Confidential legal documents remain restricted to legal teams.

If another employee asks Copilot about those documents, the information is not included in the response.


How Microsoft 365 Permissions Protect Data

Microsoft 365 permissions form the first layer of Copilot security.

Permissions are inherited from services such as:

  • SharePoint Online
  • OneDrive for Business
  • Microsoft Teams
  • Exchange Online
  • Microsoft Loop

Examples include:

SharePoint Permissions

Users can only access sites, libraries, folders, and files for which they have permissions.

OneDrive Permissions

Users can access their own files and content explicitly shared with them.

Teams Permissions

Copilot respects team membership and channel access.

Exchange Permissions

Emails and calendar data are only available to authorized users.

Because Copilot uses Microsoft Graph, these permissions are automatically enforced.


Role of Microsoft Entra ID

Microsoft Entra ID provides identity and access management for Microsoft 365.

Copilot relies on Entra ID to verify:

  • User identity
  • Group membership
  • Role assignments
  • Conditional Access policies
  • Authentication status

Entra ID ensures that only authenticated and authorized users can access Microsoft 365 resources.

Examples

A Conditional Access policy may require:

  • Multifactor authentication (MFA)
  • Compliant devices
  • Approved locations

If requirements are not met, users may be blocked from accessing Microsoft 365 resources and Copilot.


How Microsoft Purview Protects Data Used by Copilot

Microsoft Purview provides compliance, governance, and data protection controls.

Because Copilot works with organizational content, Purview protections automatically apply to data used by Copilot.


Sensitivity Labels

Sensitivity labels classify and protect content.

Common labels include:

  • Public
  • General
  • Confidential
  • Highly Confidential

Labels can enforce:

  • Encryption
  • Access restrictions
  • Watermarking
  • Content markings

If a document is protected by a sensitivity label, Copilot respects those protections.


Data Loss Prevention (DLP)

DLP policies help prevent sensitive information from being exposed.

Examples include:

  • Credit card numbers
  • Social Security numbers
  • Healthcare records
  • Financial information

DLP policies can:

  • Detect sensitive data
  • Block sharing
  • Generate alerts
  • Notify administrators

Copilot interactions remain subject to DLP protections.


Data Classification

Microsoft Purview can automatically classify content based on:

  • Sensitive information types
  • Trainable classifiers
  • Custom classifications

This classification helps organizations understand what information exists and where risks may be present.


Retention Policies

Retention policies ensure information is retained or deleted according to organizational requirements.

Copilot only works with content that remains available within Microsoft 365 according to retention settings.


Data Security Posture Management (DSPM) for AI

DSPM for AI helps organizations identify and reduce AI-related risks.

DSPM can:

  • Discover overshared content
  • Identify risky permissions
  • Detect exposure of sensitive data
  • Recommend remediation actions

This is especially important because Copilot may reveal risks that already exist due to improper permissions.


How Microsoft Defender Protects Copilot Environments

Microsoft Defender provides threat detection, prevention, and response capabilities.

Defender helps protect both the data Copilot accesses and the users interacting with Copilot.


Microsoft Defender XDR

Microsoft Defender XDR provides:

  • Cross-domain threat detection
  • Incident correlation
  • Security investigation
  • Automated response

It helps security teams identify attacks that may affect Copilot-accessible data.


Identity Protection

Microsoft Defender and Entra ID can detect:

  • Risky sign-ins
  • Credential theft
  • Impossible travel events
  • Suspicious account activity

Compromised identities can be blocked before attackers access Copilot.


Endpoint Protection

Microsoft Defender for Endpoint protects devices used to access Copilot.

It helps detect:

  • Malware
  • Ransomware
  • Unauthorized access attempts
  • Device compromise

Threat Intelligence

Microsoft Defender uses global threat intelligence to identify:

  • Known malicious actors
  • Emerging threats
  • Attack techniques

This helps reduce the likelihood that attackers gain access to sensitive organizational information.


Oversharing Risks and Copilot

Copilot does not create oversharing problems.

However, it can expose existing oversharing issues more efficiently.

For example:

If a confidential SharePoint folder has accidentally been shared with all employees:

  • Employees may not discover the folder manually.
  • Copilot may locate relevant content and summarize it.

Because of this, organizations should regularly review:

  • File permissions
  • Site permissions
  • Group memberships
  • Sharing settings

DSPM for AI helps identify these risks.
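
The permission-trimming steps and the oversharing scenario described above can be modelled in a few lines. This is an added illustration, not Microsoft's implementation or code from this post; the users, groups, documents and the `all-employees` group are constructed sample data.

```python
from dataclasses import dataclass

EVERYONE = "all-employees"  # hypothetical tenant-wide group (assumption)
SENSITIVE = ("Confidential", "Highly Confidential")

@dataclass(frozen=True)
class Doc:
    title: str
    label: str          # sensitivity label
    allowed: frozenset  # groups on the document's access list
    text: str

# Constructed sample corpus; "Merger plan" is accidentally shared with everyone.
CORPUS = [
    Doc("Salary bands", "Confidential", frozenset({"hr"}), "salary bands per grade"),
    Doc("Q3 finance report", "Confidential", frozenset({"finance"}), "revenue and salary cost"),
    Doc("Holiday calendar", "General", frozenset({EVERYONE}), "office closure dates"),
    Doc("Merger plan", "Highly Confidential", frozenset({"legal", EVERYONE}),
        "merger timeline and salary harmonisation"),
]

# Constructed users and their group memberships.
USERS = {
    "alice": frozenset({"hr", EVERYONE}),
    "bob": frozenset({"engineering", EVERYONE}),
}

def can_read(user, doc):
    """Allow access only when the user shares a group with the document's ACL.
    Unknown identities have no groups, so the check fails closed."""
    return bool(USERS.get(user, frozenset()) & doc.allowed)

def trimmed_search(user, query, corpus=CORPUS):
    """Step 1: search. Steps 2-3: evaluate permissions, drop unauthorized hits."""
    hits = [d for d in corpus if query.lower() in d.text.lower()]
    return [d for d in hits if can_read(user, d)]

def grounding_context(user, query, corpus=CORPUS):
    """Step 4: only the trimmed results are passed on to the language model."""
    return [f"[{d.label}] {d.title}: {d.text}"
            for d in trimmed_search(user, query, corpus)]

def find_overshared(corpus=CORPUS):
    """Permission review: sensitive documents readable by the everyone-group."""
    return [d.title for d in corpus
            if d.label in SENSITIVE and EVERYONE in d.allowed]

if __name__ == "__main__":
    for user in USERS:
        print(user, [d.title for d in trimmed_search(user, "salary")])
    print("overshared:", find_overshared())
```

Trimming behaves correctly for bob (the HR and finance files are excluded), yet the overshared merger plan still reaches his context; only correcting the access list removes it.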


Security Controls Working Together

The protection of Copilot data relies on multiple layers:

Security Layer | Purpose
Microsoft Entra ID | Identity verification and access control
Conditional Access | Restrict access based on risk and conditions
Microsoft 365 Permissions | Control resource access
Microsoft Graph | Applies permission trimming
Microsoft Purview | Governance, compliance, and data protection
Microsoft Defender | Threat detection and response
DSPM for AI | AI-specific risk identification

These controls work together to create a secure AI environment.


Key Exam Tips

For the AB-900 exam, remember the following:

  • Copilot does not bypass existing permissions.
  • Permission trimming ensures users only see authorized content.
  • Microsoft Graph enforces access controls during data retrieval.
  • Microsoft Entra ID provides identity and access management.
  • Conditional Access can restrict Copilot access based on organizational policies.
  • Microsoft Purview protects data through sensitivity labels, DLP, classification, retention, and DSPM for AI.
  • Microsoft Defender protects identities, endpoints, and organizational resources from threats.
  • Copilot may reveal existing oversharing risks but does not create them.
  • DSPM for AI helps organizations identify and remediate AI-related data exposure risks.

Practice Exam Questions

Question 1

What security mechanism ensures that Copilot only retrieves information a user is authorized to access?

A. Endpoint isolation
B. Data retention
C. Data replication
D. Permission trimming

Answer: D

Explanation: Permission trimming evaluates a user’s permissions and excludes unauthorized content from Copilot responses.


Question 2

A user asks Copilot about a confidential HR document they do not have permission to view. What will happen?

A. Copilot summarizes the document anyway
B. Copilot requests administrator approval automatically
C. The document is excluded from the response due to permission trimming
D. The document is copied into the user’s OneDrive

Answer: C

Explanation: Copilot respects existing permissions and cannot retrieve content users are not authorized to access.


Question 3

Which Microsoft service provides the identity platform that Copilot relies on for authentication and authorization?

A. Microsoft Defender XDR
B. Microsoft Entra ID
C. Microsoft Purview Insider Risk Management
D. Microsoft Intune

Answer: B

Explanation: Microsoft Entra ID manages identities, authentication, authorization, and access controls for Microsoft 365 services.


Question 4

Which Microsoft Purview capability helps prevent sensitive information such as credit card numbers from being improperly shared?

A. Retention policies
B. Conditional Access
C. Privileged Identity Management
D. Data Loss Prevention (DLP)

Answer: D

Explanation: DLP policies detect and protect sensitive information by blocking or monitoring risky sharing activities.


Question 5

What is the primary purpose of sensitivity labels in Microsoft Purview?

A. Manage operating system updates
B. Monitor network performance
C. Classify and protect content based on sensitivity levels
D. Create backup copies of documents

Answer: C

Explanation: Sensitivity labels classify content and can apply protections such as encryption and access restrictions.


Question 6

Which Microsoft Purview solution helps organizations discover overshared content that may present AI-related risks?

A. Data Security Posture Management (DSPM) for AI
B. Microsoft Planner
C. Exchange Online Protection
D. Windows Defender Firewall

Answer: A

Explanation: DSPM for AI identifies sensitive data exposure risks and recommends remediation actions.


Question 7

How does Microsoft Defender help protect environments that use Copilot?

A. By creating user accounts automatically
B. By replacing Microsoft Entra ID permissions
C. By detecting threats, compromised identities, and suspicious activities
D. By bypassing DLP policies

Answer: C

Explanation: Microsoft Defender provides threat detection, investigation, and response capabilities that protect organizational resources.


Question 8

Which statement best describes the relationship between Copilot and oversharing?

A. Copilot automatically fixes overshared content
B. Copilot creates oversharing by default
C. Copilot ignores shared permissions entirely
D. Copilot may reveal existing oversharing issues because it can efficiently locate accessible content

Answer: D

Explanation: Copilot does not create oversharing problems but can make improperly shared content easier to discover.


Question 9

Which security control can require multifactor authentication before a user accesses Microsoft 365 resources and Copilot?

A. SharePoint version history
B. Conditional Access
C. Retention labels
D. Exchange journaling

Answer: B

Explanation: Conditional Access policies can require MFA, compliant devices, or other conditions before granting access.


Question 10

Which statement about Copilot security is correct?

A. Copilot has unrestricted access to all tenant data.
B. Copilot ignores Microsoft Purview protections.
C. Copilot only follows Microsoft Defender policies.
D. Copilot inherits existing Microsoft 365 permissions and compliance controls.

Answer: D

Explanation: Copilot respects permissions, security settings, compliance policies, and governance controls already configured within Microsoft 365.

