Tag: Microsoft Purview

Understand retention in Microsoft Purview (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Understand retention


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Data is one of an organization’s most valuable assets. However, organizations must not only protect data but also manage how long it is kept and when it should be deleted. Regulatory requirements, legal obligations, business needs, and security concerns all influence data retention decisions.

Microsoft Purview provides comprehensive retention capabilities that help organizations retain, preserve, review, and dispose of information across Microsoft 365 services. Retention is a key component of information governance and records management.

For the AB-900 exam, it is important to understand the purpose of retention, the difference between retention policies and retention labels, and how Microsoft Purview helps organizations meet compliance and governance requirements.


What Is Retention?

Retention refers to the process of determining:

  • How long information should be kept
  • Whether information must be preserved
  • When information should be deleted
  • How organizations comply with legal, regulatory, and business requirements

Retention ensures that important information remains available when needed while reducing risks associated with keeping unnecessary data indefinitely.

Examples include:

  • Retaining financial records for seven years
  • Preserving employee communications during legal investigations
  • Automatically deleting outdated project documents
  • Maintaining business records for compliance purposes

Why Retention Matters

Organizations use retention solutions to achieve several goals:

Regulatory Compliance

Many industries have laws requiring data to be retained for specific periods.

Examples include:

  • Financial records
  • Healthcare records
  • Tax documentation
  • Legal contracts

Legal Protection

Organizations may need to preserve information for:

  • Litigation
  • Audits
  • Investigations
  • Regulatory reviews

Information Governance

Retention helps organizations:

  • Reduce data sprawl
  • Improve information quality
  • Eliminate outdated content
  • Manage storage costs

Security Improvement

Keeping unnecessary data increases risk.

Proper retention practices help:

  • Minimize exposure to breaches
  • Reduce attack surfaces
  • Remove outdated sensitive information

Retention in Microsoft Purview

Microsoft Purview provides retention solutions that work across Microsoft 365 services such as:

  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Microsoft Teams
  • Microsoft 365 Groups
  • Viva Engage
  • Copilot-related content stored in Microsoft 365

Purview allows organizations to automatically:

  • Retain content
  • Delete content
  • Retain and then delete content

Retention Policies

A retention policy automatically applies retention settings to locations across Microsoft 365.

Administrators create policies that specify:

  • Where the policy applies
  • How long content is retained
  • What happens after the retention period ends

Example

A policy might:

  • Retain all Teams chat messages for 5 years
  • Automatically delete them afterward

Advantages

Retention policies:

  • Apply automatically
  • Require little user involvement
  • Work at scale
  • Provide consistent compliance

Retention Labels

Retention labels provide more granular control than retention policies.

A retention label can be assigned to individual items such as:

  • Documents
  • Emails
  • Files
  • Records

Labels can be applied:

  • Manually by users
  • Automatically by policies
  • Through sensitive information detection
  • Through trainable classifiers

Example

A document labeled “Financial Record” could:

  • Be retained for 7 years
  • Be declared a record
  • Be deleted after the retention period expires

Retention Policies vs. Retention Labels

Feature | Retention Policy | Retention Label
Scope | Broad locations | Individual items
User involvement | Usually none | May require user action
Granularity | Location level | Item level
Flexibility | Moderate | High
Records management | Limited | Strong

A useful exam tip is:

Retention policies manage locations, while retention labels manage individual content items.


Retain, Delete, or Retain and Delete

Microsoft Purview supports three primary retention actions.

Retain Only

Content remains available throughout the retention period.

Example:

  • Retain employee records for seven years.

Delete Only

Content is automatically removed after a specified period.

Example:

  • Delete temporary files after one year.

Retain and Then Delete

Content is preserved for a retention period and then automatically removed.

Example:

  • Retain project documents for five years and delete afterward.

Records Management

Records management builds on retention by treating important information as official records.

Organizations can:

  • Declare content as records
  • Restrict modifications
  • Track lifecycle events
  • Preserve compliance evidence

Examples of records:

  • Legal contracts
  • Corporate policies
  • Regulatory filings
  • Financial statements

Retention labels are commonly used to manage records.


Retention and Microsoft Teams

Organizations increasingly need to manage communication data.

Purview retention can manage:

  • Teams chat messages
  • Channel messages
  • Meeting content
  • Shared files

Example:

An organization may retain all Teams conversations for three years to satisfy compliance requirements.


Retention and Exchange Online

Retention can be applied to:

  • Emails
  • Mailboxes
  • Calendar items
  • Contacts

Example:

All employee email messages are retained for seven years and deleted afterward.


Retention and SharePoint/OneDrive

Retention supports:

  • Documents
  • Libraries
  • Files
  • Collaboration content

Example:

Project documentation is retained for five years after project completion.


Retention and Microsoft 365 Copilot

Microsoft 365 Copilot uses organizational data stored in Microsoft 365.

Because Copilot accesses existing organizational content:

  • Retention policies continue to govern underlying data.
  • Retention labels remain effective.
  • Information governance policies still apply.
  • Deleted content generally becomes unavailable after retention requirements are fulfilled.

Organizations should ensure retention strategies are aligned with Copilot usage to maintain compliance and data governance.


Adaptive Scopes

Large organizations often need dynamic retention assignments.

Adaptive scopes allow administrators to target retention policies based on attributes such as:

  • Department
  • Geography
  • User type
  • Business unit

This reduces administrative effort and improves policy accuracy.


Retention and eDiscovery

Retention supports eDiscovery by ensuring content remains available during investigations.

Benefits include:

  • Preserving evidence
  • Supporting legal holds
  • Maintaining compliance records
  • Simplifying investigations

Retained content can remain available even if users attempt to delete it.


Retention Best Practices

Organizations should:

  1. Identify regulatory requirements.
  2. Define retention schedules.
  3. Use retention policies for broad coverage.
  4. Use retention labels for specific content.
  5. Regularly review retention settings.
  6. Apply least-privilege administration.
  7. Align retention with records management processes.
  8. Test policies before large-scale deployment.

Key Exam Takeaways

For the AB-900 exam, remember these important concepts:

  • Retention determines how long data is kept and when it is deleted.
  • Microsoft Purview provides retention policies and retention labels.
  • Retention policies apply broadly to locations and workloads.
  • Retention labels apply to individual content items.
  • Organizations can retain content, delete content, or retain and then delete content.
  • Retention supports compliance, governance, security, and legal requirements.
  • Records management relies heavily on retention labels.
  • Retention applies across Exchange Online, SharePoint, OneDrive, Teams, and other Microsoft 365 services.
  • Copilot content governance relies on the retention controls applied to underlying Microsoft 365 data.

Practice Exam Questions

Question 1

An organization wants all Teams chat messages retained for five years and then automatically deleted. Which Microsoft Purview capability should be used?

A. Sensitivity labels
B. Retention policy
C. Conditional Access
D. Insider Risk Management

Answer: B

Explanation: Retention policies can apply retention settings broadly across Microsoft 365 workloads such as Teams chats and automatically delete content after the retention period expires.


Question 2

What is the primary purpose of retention in Microsoft Purview?

A. Encrypt all files in Microsoft 365
B. Prevent users from sharing documents externally
C. Control how long information is preserved and when it is deleted
D. Monitor user productivity

Answer: C

Explanation: Retention helps organizations manage the lifecycle of information by determining how long content is kept and when it should be removed.


Question 3

Which statement best describes a retention label?

A. It applies retention settings to individual items such as emails and documents.
B. It blocks external access to files.
C. It enforces multifactor authentication.
D. It manages network security rules.

Answer: A

Explanation: Retention labels provide item-level retention management and can be applied to specific documents, emails, and records.


Question 4

A company wants users to classify certain documents as official records that cannot be easily altered. Which solution is most appropriate?

A. Adaptive scopes
B. Conditional Access policies
C. Microsoft Defender XDR
D. Retention labels with records management capabilities

Answer: D

Explanation: Retention labels can declare documents as records and enforce records management requirements.


Question 5

Which retention action preserves content during a specified period and then removes it automatically?

A. Retain only
B. Delete only
C. Retain and then delete
D. Archive only

Answer: C

Explanation: Retain and then delete ensures content remains available during the retention period before automatic deletion occurs.


Question 6

What is a key difference between retention policies and retention labels?

A. Retention policies only work with Exchange Online.
B. Retention labels apply to individual content items.
C. Retention labels cannot be automated.
D. Retention policies require user assignment.

Answer: B

Explanation: Retention labels provide item-level control, while retention policies generally apply to locations or workloads.


Question 7

An administrator wants a retention policy to automatically target users based on department membership. Which feature should be used?

A. Data Loss Prevention
B. eDiscovery
C. Sensitivity labeling
D. Adaptive scopes

Answer: D

Explanation: Adaptive scopes dynamically assign retention policies using organizational attributes such as department or location.


Question 8

Why is retention important for eDiscovery investigations?

A. It automatically encrypts evidence.
B. It prevents users from signing in.
C. It helps ensure relevant information remains available for review.
D. It removes all old content immediately.

Answer: C

Explanation: Retention preserves information that may be required for legal or regulatory investigations.


Question 9

Which Microsoft 365 workload can be governed by Microsoft Purview retention policies?

A. Microsoft Teams only
B. SharePoint Online only
C. Exchange Online only
D. Exchange Online, SharePoint Online, OneDrive, and Teams

Answer: D

Explanation: Retention policies support multiple Microsoft 365 workloads, including Exchange, SharePoint, OneDrive, and Teams.


Question 10

How does Microsoft 365 Copilot relate to retention policies?

A. Copilot bypasses all retention settings.
B. Copilot replaces retention labels.
C. Copilot uses underlying Microsoft 365 content that remains governed by retention controls.
D. Copilot automatically creates retention policies.

Answer: C

Explanation: Copilot accesses organizational data stored in Microsoft 365, and existing retention policies and labels continue to govern that content.



Understand data classification in Microsoft Purview (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Understand data classification in Microsoft Purview



Introduction

Data is one of an organization’s most valuable assets. However, not all data carries the same level of sensitivity or business value. Some information can be shared publicly, while other information must be protected because it contains financial records, intellectual property, customer data, healthcare information, or confidential business plans.

Microsoft Purview Data Classification helps organizations identify, categorize, and protect sensitive information throughout Microsoft 365. Data classification is a foundational capability that enables organizations to understand their data landscape, apply appropriate protections, meet compliance requirements, and securely adopt AI technologies such as Microsoft 365 Copilot.

For the AB-900 exam, it is important to understand how Microsoft Purview classifies data, the tools involved, and how classification supports security, compliance, governance, and AI readiness.


What Is Data Classification?

Data classification is the process of identifying and categorizing information based on its:

  • Sensitivity
  • Confidentiality
  • Regulatory requirements
  • Business value
  • Risk level

Classification allows organizations to answer questions such as:

  • Which files contain sensitive information?
  • Where is confidential data stored?
  • Who can access regulated data?
  • Which content should be protected or retained?
  • What data can Copilot safely access?

Microsoft Purview automates much of this process through built-in detection technologies.


Why Data Classification Is Important

Without data classification, organizations often struggle to:

  • Identify sensitive information
  • Apply consistent protections
  • Meet compliance requirements
  • Prevent data loss
  • Govern AI access to information

Benefits of data classification include:

  • Improved data visibility
  • Better security controls
  • Regulatory compliance
  • Reduced risk of data breaches
  • More effective data governance
  • Safer use of Microsoft 365 Copilot

Microsoft Purview Data Classification Components

Microsoft Purview uses several components to classify information.

Sensitive Information Types (SITs)

Sensitive Information Types are predefined patterns used to identify sensitive data.

Examples include:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Driver’s license numbers
  • Bank account numbers
  • Tax identification numbers

Microsoft provides hundreds of built-in SITs covering numerous countries and regions.

Example

A document containing a U.S. Social Security Number may automatically be detected and classified as sensitive content.


Trainable Classifiers

Trainable classifiers use machine learning to identify content based on context rather than exact patterns.

Examples include:

  • Resumes
  • Source code
  • Contracts
  • Financial documents
  • Healthcare records
  • Intellectual property

Unlike SITs, trainable classifiers examine the meaning and context of content.

Example

A contract may be identified even if it does not contain a specific keyword or sensitive number.


Content Explorer

Content Explorer allows administrators to:

  • View classified content
  • See where sensitive data exists
  • Investigate data locations
  • Analyze classification results

This tool helps organizations understand their data environment.


Activity Explorer

Activity Explorer provides visibility into:

  • Labeling activities
  • Classification actions
  • DLP events
  • User interactions with sensitive data

Administrators can investigate how classified information is being used.


Types of Data Classification

Organizations typically classify data into categories such as:

Classification | Description
Public | Information intended for everyone
General | Everyday business information
Internal | Information for employees only
Confidential | Sensitive business information
Highly Confidential | Critical or restricted information

Organizations can customize classifications based on their requirements.


Classification and Sensitivity Labels

Data classification often works together with Sensitivity Labels.

Classification identifies the data.

Sensitivity labels protect the data.

Example

Microsoft Purview detects:

  • Credit card information
  • Customer account numbers

A sensitivity label is then automatically applied:

  • Confidential
  • Highly Confidential

The label can then:

  • Encrypt the file
  • Restrict access
  • Apply watermarks
  • Block unauthorized sharing

Automatic Data Classification

Microsoft Purview can automatically classify information using:

Pattern Matching

Detects predefined sensitive information.

Examples:

  • Credit card numbers
  • Social Security numbers
  • Passport numbers

Machine Learning

Uses trainable classifiers to recognize content types.

Examples:

  • Contracts
  • Legal documents
  • Source code

Keyword Detection

Identifies content based on specific words or phrases.

Examples:

  • Confidential
  • Internal Use Only
  • Proprietary Information

Data Classification and Microsoft 365 Copilot

Data classification is particularly important for Copilot deployments.

Organizations often ask:

What information can Copilot access?

Copilot respects:

  • User permissions
  • Sensitivity labels
  • Compliance controls

Proper data classification helps organizations:

  • Understand their data
  • Identify overshared content
  • Protect confidential information
  • Reduce AI-related risks

Classification improves confidence when deploying AI solutions.


Data Classification and Compliance

Many regulations require organizations to identify and protect sensitive information.

Examples include:

  • GDPR
  • HIPAA
  • PCI DSS
  • SOX
  • Various privacy laws

Microsoft Purview classification helps organizations:

  • Locate regulated data
  • Apply protections
  • Support audits
  • Demonstrate compliance

Data Classification and Data Loss Prevention (DLP)

Data classification works closely with DLP policies.

Process

  1. Purview identifies sensitive content.
  2. Content is classified.
  3. DLP policies evaluate the classification.
  4. Protective actions occur.

Examples:

  • Block file sharing
  • Restrict email transmission
  • Alert administrators
  • Notify users

Without classification, DLP cannot effectively identify sensitive content.
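
The four-step process above, combined with the earlier description of Sensitive Information Types as predefined patterns, can be modelled in Python. This is an added illustration, not Microsoft Purview's detection code: the regular expression, keyword list, 60-character window, confidence tiers and label-to-action mapping are assumptions, and the sample documents are constructed.

```python
import re
from dataclasses import dataclass

# Candidate pattern (assumed): 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Supporting evidence (assumed list): nearby words that make a card number more likely.
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "expiry", "cvv")
KEYWORD_WINDOW = 60  # characters inspected on each side of a match (assumed value)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Match:
    masked: str       # never keep the full number in findings or logs
    confidence: str   # "high" when a supporting keyword is nearby, else "low"


def detect_card_numbers(text: str) -> list:
    """Step 1: identify sensitive content (pattern + checksum + supporting keywords)."""
    lowered = text.lower()
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue  # looks like a card number but fails the checksum
        window = lowered[max(0, m.start() - KEYWORD_WINDOW): m.end() + KEYWORD_WINDOW]
        confidence = "high" if any(k in window for k in KEYWORDS) else "low"
        found.append(Match("*" * (len(digits) - 4) + digits[-4:], confidence))
    return found


def classify(text: str) -> str:
    """Step 2: map detections to one of the classification levels listed on this page."""
    matches = detect_card_numbers(text)
    if any(m.confidence == "high" for m in matches):
        return "Highly Confidential"
    if matches:
        return "Confidential"
    return "General"


def dlp_action(label: str, shared_externally: bool) -> str:
    """Steps 3 and 4: a DLP rule evaluates the classification and picks an action."""
    if not shared_externally:
        return "allow"
    if label == "Highly Confidential":
        return "block"
    if label == "Confidential":
        return "notify user"
    return "allow"


def evaluate(text: str, shared_externally: bool) -> tuple:
    label = classify(text)
    return label, dlp_action(label, shared_externally)


# Constructed sample documents (4111 1111 1111 1111 is a widely published test number).
DOC_A = "Invoice 2231. Customer paid by credit card 4111 1111 1111 1111, expiry 09/27."
DOC_B = "Tracking reference 1234567890123456 shipped Monday."   # 16 digits, fails Luhn
DOC_C = "Ref 4111-1111-1111-1111"                                # valid, no keyword nearby

if __name__ == "__main__":
    for name, doc in (("A", DOC_A), ("B", DOC_B), ("C", DOC_C)):
        print(name, evaluate(doc, shared_externally=True))
```

Document B shows why a checksum matters: a 16-digit tracking reference matches the pattern but is not flagged, which keeps false positives out of the DLP step.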


Data Classification and Insider Risk Management

Classified data helps Insider Risk Management identify risky activities involving:

  • Financial records
  • Intellectual property
  • Customer information
  • Confidential business data

This improves risk detection and investigation capabilities.


Common Data Classification Use Cases

Financial Information Protection

Detect:

  • Credit card numbers
  • Banking information
  • Tax records

Apply protection automatically.


Human Resources Data

Identify:

  • Employee records
  • Salary information
  • Performance reviews

Restrict access to authorized personnel.


Healthcare Information

Classify:

  • Patient records
  • Medical identifiers

Support HIPAA compliance.


Legal Documents

Detect:

  • Contracts
  • Legal agreements

Apply confidentiality protections.


Intellectual Property Protection

Identify:

  • Product designs
  • Research data
  • Source code

Prevent unauthorized sharing.


Key Exam Concepts

For the AB-900 exam, remember:

  • Data classification identifies and categorizes information.
  • Sensitive Information Types detect specific data patterns.
  • Trainable classifiers use machine learning and context.
  • Classification supports sensitivity labels and DLP.
  • Content Explorer helps locate classified content.
  • Activity Explorer helps investigate classification activity.
  • Classification is essential for compliance and governance.
  • Microsoft 365 Copilot benefits from proper data classification.
  • Classification enables automated protection policies.
  • Data classification improves organizational visibility into sensitive information.

Practice Exam Questions

Question 1

What is the primary purpose of data classification in Microsoft Purview?

A. To improve internet connectivity
B. To categorize information based on sensitivity and business value
C. To manage Windows updates
D. To configure virtual machines

Answer: B

Explanation: Data classification identifies and categorizes information so organizations can apply appropriate protections and governance controls.


Question 2

Which Microsoft Purview feature identifies information such as Social Security numbers and credit card numbers?

A. Activity Explorer
B. Sensitive Information Types
C. Compliance Manager
D. Insider Risk Management

Answer: B

Explanation: Sensitive Information Types (SITs) are designed to detect structured sensitive data using predefined patterns.


Question 3

Which technology enables Microsoft Purview to recognize contracts and resumes based on context?

A. Firewall policies
B. Sensitivity labels
C. Trainable classifiers
D. Conditional Access

Answer: C

Explanation: Trainable classifiers use machine learning and contextual analysis to identify content types.


Question 4

An administrator wants to see where sensitive information exists across Microsoft 365. Which tool should they use?

A. Microsoft Defender Portal
B. Teams Admin Center
C. Content Explorer
D. Exchange Admin Center

Answer: C

Explanation: Content Explorer provides visibility into classified content and its locations.


Question 5

What is the relationship between data classification and sensitivity labels?

A. They are unrelated technologies
B. Sensitivity labels identify data while classification encrypts it
C. Classification identifies data and labels protect it
D. Classification replaces sensitivity labels

Answer: C

Explanation: Classification discovers and categorizes information, while sensitivity labels apply protection settings.


Question 6

Which statement about Microsoft 365 Copilot is correct?

A. Copilot ignores classified information
B. Copilot respects permissions and protection controls associated with classified data
C. Copilot automatically removes sensitivity labels
D. Copilot bypasses governance policies

Answer: B

Explanation: Copilot honors existing permissions, labels, and compliance controls.


Question 7

Which Microsoft Purview feature allows administrators to investigate labeling and classification events?

A. Activity Explorer
B. Endpoint Manager
C. SharePoint Admin Center
D. Azure Monitor

Answer: A

Explanation: Activity Explorer provides visibility into classification-related activities and events.


Question 8

Which compliance-related benefit does data classification provide?

A. Faster network performance
B. Reduced storage costs only
C. Automatic hardware replacement
D. Easier identification and protection of regulated data

Answer: D

Explanation: Classification helps organizations locate and protect regulated information to support compliance requirements.


Question 9

A Data Loss Prevention (DLP) policy blocks sharing of files containing credit card numbers. What enables the DLP policy to identify those files?

A. Exchange transport rules only
B. Sensitive Information Types and data classification
C. Network firewalls
D. Device encryption

Answer: B

Explanation: DLP relies on classification mechanisms such as Sensitive Information Types to identify protected content.


Question 10

Which statement best describes trainable classifiers?

A. They only detect file names
B. They require manual review of every document
C. They identify information using contextual machine learning models
D. They replace all sensitivity labels

Answer: C

Explanation: Trainable classifiers use machine learning to recognize content such as contracts, source code, and resumes based on context rather than simple pattern matching.



Identify the use cases for sensitivity labels in Microsoft Purview (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Identify the use cases for sensitivity labels in Microsoft Purview



Introduction to Microsoft Purview Sensitivity Labels

Microsoft Purview Sensitivity Labels are classification and protection mechanisms that help organizations secure sensitive information across Microsoft 365. Labels enable organizations to identify important data and apply protections automatically or manually.

Sensitivity labels are part of Microsoft Purview Information Protection and support the principles of:

  • Data classification
  • Data protection
  • Compliance
  • Governance
  • Secure collaboration
  • AI readiness for Microsoft 365 Copilot

Instead of securing locations only, sensitivity labels secure the data itself, allowing protections to remain with content wherever it travels.


Why Sensitivity Labels Matter

Organizations often handle information with varying levels of confidentiality:

  • Public documents
  • Internal business data
  • Financial records
  • Human resources information
  • Customer data
  • Intellectual property
  • Legal documents

Sensitivity labels provide a consistent method for:

  • Identifying content sensitivity
  • Applying encryption
  • Restricting access
  • Adding visual markings
  • Preventing accidental exposure
  • Supporting compliance requirements

How Sensitivity Labels Work

A sensitivity label can be applied to:

  • Documents
  • Emails
  • Microsoft Teams
  • Microsoft 365 Groups
  • SharePoint sites
  • OneDrive content

Labels can be:

Manually applied

Users choose the appropriate label.

Automatically applied

Microsoft Purview detects sensitive information and assigns labels automatically.

Recommended

Users receive suggestions to apply a label.


Common Label Hierarchies

Organizations frequently create labels such as:

Label | Intended Audience
Public | Anyone
General | Employees
Internal | Internal users only
Confidential | Specific departments
Highly Confidential | Restricted users

Labels are customizable and vary by organization.


Core Protection Capabilities

A sensitivity label may configure:

Encryption

Controls who can open content and what actions they can perform.

Examples:

  • View only
  • Edit allowed
  • Print blocked
  • Copy restricted

Content Markings

Visual indicators help users recognize sensitivity.

Examples:

  • Headers
  • Footers
  • Watermarks

Access Restrictions

Limits content access to:

  • Individuals
  • Groups
  • Departments
  • External users

Expiration Settings

Content access can expire after a specified period.


Major Use Cases for Sensitivity Labels

1. Protecting Confidential Documents

Organizations can label:

  • Financial statements
  • Contracts
  • Product designs
  • Strategic plans

Example:

A “Highly Confidential” label encrypts a document and restricts access to executives only.


2. Protecting Email Messages

Labels can secure email communication.

Example:

An HR manager sends salary information using a “Confidential – HR” label that:

  • Encrypts the email
  • Restricts forwarding
  • Prevents printing

3. Supporting Microsoft 365 Copilot

Copilot respects existing permissions and sensitivity labels.

If a document is labeled:

  • Confidential
  • Highly Confidential
  • Executive Only

Copilot only uses content that the user already has permission to access.

Sensitivity labels therefore help organizations prepare data safely for AI experiences.


4. Securing External Collaboration

Organizations can share files externally while maintaining protection.

Example:

A company sends a proposal to a partner:

  • External recipients can read it.
  • Forwarding is blocked.
  • Printing is disabled.

Protection travels with the document.


5. Meeting Regulatory Compliance Requirements

Sensitivity labels help support:

  • GDPR
  • HIPAA
  • Financial regulations
  • Privacy laws
  • Industry-specific requirements

Organizations can demonstrate that sensitive information receives appropriate protection.


6. Preventing Accidental Data Exposure

Users sometimes unintentionally send sensitive information.

Labels provide:

  • Classification awareness
  • Visual reminders
  • Automated protection

Example:

A user sending customer data receives an automatic recommendation to apply a Confidential label.


7. Protecting Intellectual Property

Engineering designs, research documents, and proprietary information can be restricted.

Example:

Only members of the Research department can access files labeled “R&D Confidential.”


8. Applying Visual Classification

Headers, footers, and watermarks immediately show sensitivity.

Examples:

  • INTERNAL USE ONLY
  • CONFIDENTIAL
  • HIGHLY CONFIDENTIAL

These markings help employees recognize handling requirements.


9. Labeling Containers

Sensitivity labels can be applied to:

  • Microsoft Teams
  • Microsoft 365 Groups
  • SharePoint sites

Container labels can control:

  • Guest access
  • Privacy settings
  • External sharing
  • Unmanaged device access

Example:

A Team labeled “Confidential Project” automatically disables guest access.


10. Supporting Data Loss Prevention (DLP)

Sensitivity labels integrate with Microsoft Purview DLP.

Example:

A DLP policy may block external sharing of content labeled “Highly Confidential.”

Labels and DLP together provide layered protection.


Manual vs Automatic Labeling

Method | Description
Manual labeling | User chooses the label
Recommended labeling | System suggests labels
Automatic labeling | Purview assigns labels automatically

Automatic labeling reduces reliance on users and improves consistency.


Supported Workloads

Sensitivity labels work across:

  • Microsoft Word
  • Excel
  • PowerPoint
  • Outlook
  • Teams
  • SharePoint Online
  • OneDrive
  • Microsoft 365 Groups

Relationship Between Sensitivity Labels and Retention Labels

These labels serve different purposes:

Label Type        | Purpose
Sensitivity label | Protect and classify data
Retention label   | Govern how long data is kept

Sensitivity labels answer:

“Who can access this?”

Retention labels answer:

“How long should we keep this?”


Benefits of Sensitivity Labels

Organizations gain:

  • Stronger data protection
  • Better compliance
  • Secure AI adoption
  • Reduced data leakage
  • Improved collaboration
  • Consistent classification
  • User awareness of sensitive data

AB-900 Exam Tips

Remember these key points:

  • Sensitivity labels protect the content itself, not just the storage location.
  • Labels can apply encryption, markings, and access restrictions.
  • Labels work across Microsoft 365 workloads.
  • Microsoft 365 Copilot honors sensitivity labels and permissions.
  • Labels can be manually or automatically applied.
  • Sensitivity labels and retention labels serve different purposes.
  • Labels integrate with DLP policies for additional protection.

Practice Exam Questions


Question 1

What is the primary purpose of Microsoft Purview sensitivity labels?

A. Monitor network traffic
B. Protect and classify data based on sensitivity
C. Manage software updates
D. Create backups

Answer: B

Explanation: Sensitivity labels classify information and apply protections such as encryption and access restrictions.


Question 2

Which Microsoft 365 service respects sensitivity labels when generating responses?

A. Microsoft DHCP
B. Windows Update
C. Hyper-V
D. Microsoft 365 Copilot

Answer: D

Explanation: Copilot honors both user permissions and sensitivity labels.


Question 3

Which capability can sensitivity labels provide?

A. Device firmware updates
B. Password resets
C. Encryption and access control
D. Network routing

Answer: C

Explanation: Labels can encrypt content and define who can access it.


Question 4

A company wants documents to display “CONFIDENTIAL” across every page. Which sensitivity label feature supports this?

A. Authentication logs
B. Retention policies
C. Device compliance
D. Watermarks and content markings

Answer: D

Explanation: Labels can add headers, footers, and watermarks.


Question 5

What type of information is commonly protected with sensitivity labels?

A. Product designs and financial reports
B. Printer drivers only
C. Operating system files only
D. DNS records

Answer: A

Explanation: Sensitive business information is a common use case.


Question 6

Which statement about automatic labeling is correct?

A. Users must always choose labels manually.
B. Labels only work with Outlook.
C. Purview can automatically apply labels based on detected sensitive information.
D. Automatic labeling disables encryption.

Answer: C

Explanation: Purview can detect sensitive content and assign labels automatically.


Question 7

Which object can receive a sensitivity label?

A. Microsoft Teams
B. Documents
C. Emails
D. All of the above

Answer: D

Explanation: Labels support files, emails, Teams, groups, and SharePoint sites.


Question 8

How do sensitivity labels differ from retention labels?

A. They are identical.
B. Sensitivity labels protect data, while retention labels control how long data is kept.
C. Retention labels encrypt content.
D. Sensitivity labels manage software deployment.

Answer: B

Explanation: Protection and lifecycle management are separate functions.


Question 9

Which Microsoft Purview feature commonly works together with sensitivity labels to prevent data leakage?

A. Windows Firewall
B. Azure Virtual Machines
C. Data Loss Prevention (DLP)
D. Active Directory Sites and Services

Answer: C

Explanation: DLP policies can use sensitivity labels to enforce protection rules.


Question 10

Why are sensitivity labels important for Microsoft 365 Copilot adoption?

A. They increase processor speed.
B. They replace permissions.
C. They eliminate identity management.
D. They help ensure AI accesses data according to existing protections.

Answer: D

Explanation: Copilot follows permissions and sensitivity labels, helping organizations safely enable AI experiences.



Understand features and capabilities of Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention (DLP), Microsoft Purview Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Data Security Posture Management (DSPM) for AI, and Microsoft Purview Data Lifecycle Management (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Understand Microsoft Purview
      --> Understand features and capabilities of Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention (DLP), Microsoft Purview Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Data Security Posture Management (DSPM) for AI, and Microsoft Purview Data Lifecycle Management



Introduction

As organizations adopt Microsoft 365, Copilot, and AI-powered solutions, protecting sensitive information becomes increasingly important. Microsoft provides a unified compliance and governance platform called Microsoft Purview.

Microsoft Purview helps organizations:

  • Protect sensitive information.
  • Prevent accidental or intentional data loss.
  • Manage records and retention.
  • Detect insider risks.
  • Monitor communications.
  • Strengthen AI data governance.
  • Meet regulatory and compliance requirements.

For the AB-900 exam, you should understand the purpose and capabilities of the major Microsoft Purview solutions rather than detailed implementation steps.


What Is Microsoft Purview?

Microsoft Purview is Microsoft’s unified data governance, compliance, and risk management platform.

Purview enables organizations to:

  • Discover and classify data.
  • Protect sensitive information.
  • Govern information throughout its lifecycle.
  • Reduce insider threats.
  • Monitor AI-related risks.
  • Meet legal and regulatory obligations.

Purview works across:

  • Microsoft 365
  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Teams
  • Microsoft Copilot
  • Power Platform
  • Endpoint devices
  • Third-party cloud services

Microsoft Purview Information Protection

Purpose

Microsoft Purview Information Protection (MIP) helps organizations classify and protect sensitive information.

It enables organizations to:

  • Identify sensitive data.
  • Apply sensitivity labels.
  • Encrypt content.
  • Control sharing permissions.
  • Track and monitor protected content.

Sensitivity Labels

Sensitivity labels classify content based on its importance.

Examples:

  • Public
  • General
  • Confidential
  • Highly Confidential

Labels can be applied to:

  • Emails
  • Word documents
  • Excel files
  • PowerPoint presentations
  • SharePoint sites
  • Teams
  • Microsoft 365 Groups

Protection Actions

Sensitivity labels can:

Encrypt Data

Only authorized users can open content.

Restrict Access

Prevent forwarding, printing, or copying.

Apply Visual Markings

Add:

  • Headers
  • Footers
  • Watermarks

Protect Copilot Data

Copilot respects existing permissions and sensitivity labels.


Benefits

Information Protection helps organizations:

  • Reduce accidental exposure.
  • Meet compliance requirements.
  • Maintain consistent classification.
  • Protect confidential information.

Microsoft Purview Data Loss Prevention (DLP)

Purpose

Data Loss Prevention (DLP) helps prevent sensitive information from being shared improperly.

DLP identifies sensitive information and automatically applies protection actions.


Examples of Sensitive Information

  • Credit card numbers
  • Social Security numbers
  • Passport numbers
  • Healthcare records
  • Financial information

DLP Actions

Policies can:

  • Block email transmission.
  • Prevent file sharing.
  • Warn users before sending data.
  • Generate alerts.
  • Create audit records.

Locations Protected by DLP

DLP policies can protect:

  • Exchange Online
  • SharePoint Online
  • OneDrive
  • Microsoft Teams
  • Endpoint devices

Example

A user attempts to email customer credit card information outside the company.

DLP can:

  1. Detect the information.
  2. Display a warning.
  3. Block the message.
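The detect, warn, block sequence above, as an added sketch that is not part of the original post and not Purview's implementation. It assumes a single internal domain (`contoso.example`, a placeholder) and a simple rule: a card number sent to internal recipients triggers a warning, and one sent to any external recipient is blocked.

```python
import re
from dataclasses import dataclass

# Assumption: one internal mail domain (constructed placeholder value).
INTERNAL_DOMAIN = "contoso.example"

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Step 1 (detect): return digit strings that look like cards and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    action: str   # "allow", "warn" (policy tip) or "block"
    audit: str    # audit record; card numbers are masked, never stored in full


def evaluate_message(recipients: list[str], body: str) -> Verdict:
    cards = find_card_numbers(body)
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not cards:
        action = "allow"
    elif external:
        action = "block"        # step 3: sensitive data leaving the organization
    else:
        action = "warn"         # step 2: internal recipients only, show a warning
    masked = ", ".join("*" * (len(c) - 4) + c[-4:] for c in cards)
    audit = f"action={action} external={len(external)} cards=[{masked}]"
    return Verdict(action, audit)


# Constructed sample messages (the card number is the well-known 4111... test value).
SAMPLES = [
    (["bob@partner.example"], "Customer card: 4111 1111 1111 1111"),
    (["alice@contoso.example"], "Customer card: 4111-1111-1111-1111"),
    (["bob@partner.example"], "Order reference 1234567890123456 shipped"),
]

if __name__ == "__main__":
    for rcpts, body in SAMPLES:
        print(evaluate_message(rcpts, body).audit)
```

The third sample shows why a checksum matters: a 16-digit order reference matches the pattern but fails Luhn, so the message is allowed instead of raising a false alert.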

Benefits

DLP helps:

  • Prevent accidental leaks.
  • Support compliance requirements.
  • Educate users with policy tips.
  • Reduce organizational risk.

Microsoft Purview Insider Risk Management

Purpose

Insider Risk Management helps detect risky behavior from internal users.

Risks may be:

  • Accidental
  • Negligent
  • Malicious

Examples of Risky Activities

  • Downloading large amounts of files.
  • Sending confidential information externally.
  • Copying data to USB devices.
  • Unusual file access patterns.
  • Data theft before leaving the company.

Risk Indicators

The solution uses:

  • User activities
  • Behavioral signals
  • Microsoft 365 audit logs

Investigation Capabilities

Administrators can:

  • Review alerts.
  • Analyze activities.
  • Escalate incidents.
  • Document investigations.

Benefits

Insider Risk Management helps:

  • Reduce insider threats.
  • Detect suspicious behavior early.
  • Protect intellectual property.

Microsoft Purview Communication Compliance

Purpose

Communication Compliance helps organizations monitor communications for policy violations.


Content Sources

Communication Compliance can monitor:

  • Microsoft Teams chats
  • Emails
  • Copilot interactions
  • Other communication channels

Violations It Can Detect

Examples include:

  • Harassment
  • Threatening language
  • Offensive content
  • Inappropriate sharing
  • Regulatory violations

Review Process

Flagged communications are:

  1. Detected automatically.
  2. Reviewed by authorized reviewers.
  3. Investigated when necessary.

Benefits

Communication Compliance helps:

  • Promote workplace safety.
  • Meet industry regulations.
  • Reduce legal exposure.
  • Enforce organizational policies.

Microsoft Purview Data Security Posture Management (DSPM) for AI

Purpose

DSPM for AI helps organizations understand and secure how AI systems interact with organizational data.

As AI adoption grows, organizations need visibility into:

  • What data AI tools can access.
  • Which users have access to sensitive information.
  • Potential AI-related risks.

DSPM for AI Capabilities

DSPM for AI helps organizations:

Discover AI Usage

Identify where AI tools are being used.

Assess Data Exposure

Understand whether sensitive data may be exposed.

Monitor Copilot Activity

Gain visibility into AI interactions.

Identify Oversharing Risks

Locate files with excessive permissions.

Strengthen AI Governance

Improve controls around AI usage.


Example

DSPM for AI may discover:

  • A SharePoint site containing confidential files.
  • Excessive permissions on the site.
  • Potential exposure to Copilot responses.

Administrators can then reduce permissions and improve security.


Benefits

DSPM for AI supports:

  • Responsible AI adoption.
  • Reduced oversharing risks.
  • Better governance of AI systems.

Microsoft Purview Data Lifecycle Management

Purpose

Data Lifecycle Management governs information throughout its lifecycle.

It ensures that information is:

  • Retained when required.
  • Deleted when no longer needed.
  • Managed according to regulations.

Retention Policies

Retention policies determine how long content should be kept.

Examples:

Content Type        | Retention Period
HR records          | 7 years
Financial documents | 10 years
General emails      | 3 years

Retention Labels

Labels can assign different retention periods to individual documents.

Example:

  • Contract documents retained for 10 years.
  • Project files retained for 5 years.

Automatic Deletion

When retention periods expire, content can be deleted automatically.

Benefits include:

  • Reduced storage costs.
  • Reduced legal risk.
  • Better compliance.

Records Management

Organizations can designate records that must not be altered or deleted before their retention period ends.


How These Purview Solutions Work Together

Solution                  | Primary Goal
Information Protection    | Classify and protect content
DLP                       | Prevent data leakage
Insider Risk Management   | Detect risky user behavior
Communication Compliance  | Monitor communications
DSPM for AI               | Secure AI data access
Data Lifecycle Management | Retain and dispose of data appropriately

Together, these capabilities provide a comprehensive governance framework for Microsoft 365 and Copilot.


Importance for Microsoft 365 Copilot

Copilot respects existing Microsoft 365 permissions and compliance controls.

Purview solutions help ensure:

  • Sensitive content is labeled.
  • Oversharing risks are minimized.
  • AI interactions remain compliant.
  • Records are retained appropriately.
  • Users do not accidentally expose confidential data.

Key Exam Points

Remember these AB-900 concepts:

  • Information Protection uses sensitivity labels to classify and protect content.
  • DLP prevents inappropriate sharing of sensitive data.
  • Insider Risk Management detects risky user behavior.
  • Communication Compliance monitors communications for policy violations.
  • DSPM for AI helps organizations govern AI usage and identify oversharing risks.
  • Data Lifecycle Management controls retention and deletion of information.
  • Microsoft Purview supports Microsoft 365, Copilot, and AI governance.

Practice Exam Questions

Question 1

Which Microsoft Purview solution primarily uses sensitivity labels to classify and protect content?

A. Communication Compliance
B. Data Lifecycle Management
C. Information Protection
D. Insider Risk Management

Correct Answer: C

Explanation: Microsoft Purview Information Protection uses sensitivity labels to classify and secure content.


Question 2

Which Microsoft Purview capability helps prevent users from emailing credit card numbers outside the organization?

A. Insider Risk Management
B. Communication Compliance
C. Data Loss Prevention (DLP)
D. Records Management

Correct Answer: C

Explanation: DLP detects sensitive information and can block or warn users before sharing it.


Question 3

Which solution is designed to identify potentially malicious or risky behavior by internal users?

A. Information Protection
B. Sensitivity Labels
C. Data Lifecycle Management
D. Insider Risk Management

Correct Answer: D

Explanation: Insider Risk Management focuses on identifying risky activities performed by users inside the organization.


Question 4

A company wants to monitor Teams messages for harassment and inappropriate language. Which Microsoft Purview solution should they use?

A. DLP
B. Communication Compliance
C. DSPM for AI
D. Information Protection

Correct Answer: B

Explanation: Communication Compliance analyzes communications for policy violations.


Question 5

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Manage mailbox permissions
B. Secure and govern AI-related data exposure
C. Encrypt documents automatically
D. Replace Conditional Access

Correct Answer: B

Explanation: DSPM for AI provides visibility into AI usage and helps identify oversharing risks.


Question 6

Which Microsoft Purview capability determines how long information should be retained?

A. Insider Risk Management
B. Communication Compliance
C. Data Lifecycle Management
D. Information Protection

Correct Answer: C

Explanation: Data Lifecycle Management uses retention policies and labels to manage content over time.


Question 7

Which action can a sensitivity label perform?

A. Create Teams channels automatically
B. Synchronize users with Active Directory
C. Configure Conditional Access policies
D. Encrypt documents and restrict access

Correct Answer: D

Explanation: Sensitivity labels can apply encryption and restrict how information is used.


Question 8

Which Microsoft Purview solution helps identify oversharing risks that may affect Microsoft Copilot responses?

A. DSPM for AI
B. Communication Compliance
C. Data Lifecycle Management
D. Exchange Online Protection

Correct Answer: A

Explanation: DSPM for AI helps organizations understand how AI systems interact with organizational data and identify excessive permissions.


Question 9

A company must retain financial documents for ten years to meet regulatory requirements. Which capability addresses this need?

A. DLP
B. Insider Risk Management
C. Data Lifecycle Management
D. Communication Compliance

Correct Answer: C

Explanation: Retention policies and labels within Data Lifecycle Management ensure information is preserved for required periods.


Question 10

Which statement best describes the relationship between Microsoft Purview and Microsoft 365 Copilot?

A. Copilot ignores Purview policies.
B. Purview replaces Copilot permissions.
C. Copilot stores all data outside Microsoft 365.
D. Copilot works with existing Purview protections and permissions.

Correct Answer: D

Explanation: Microsoft 365 Copilot honors existing permissions, sensitivity labels, and compliance controls established through Microsoft Purview.

