Tag: Microsoft SharePoint

AB-900, Agentic AI, AI, Generative AI, Microsoft Certification

Compare Copilot monthly license model to Pay-as-You-Go, including SharePoint (AB-900 Exam Prep)

 
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Understand features and capabilities of Copilot and agents
      --> Compare Copilot monthly license model to Pay-as-You-Go, including SharePoint

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Microsoft offers multiple licensing models for AI experiences across Microsoft 365. Understanding these licensing options is important for administrators who plan deployments, manage costs, and determine which AI capabilities are available to users.

For the AB-900 exam, you should understand the differences between:

  • Microsoft 365 Copilot monthly user licensing
  • Pay-as-you-go (consumption-based) licensing
  • SharePoint Copilot licensing
  • When each licensing model is appropriate

The exam focuses on understanding the concepts rather than memorizing pricing.

Why Multiple Licensing Models Exist

Organizations vary greatly in how employees use AI.

Some organizations:

  • Have employees who use AI all day.
  • Need AI integrated into Microsoft 365 apps.
  • Require predictable monthly costs.

Other organizations:

  • Use AI occasionally.
  • Need specialized agents.
  • Want to pay only when AI is used.

Microsoft therefore offers both subscription-based and consumption-based licensing.

Microsoft 365 Copilot Monthly License Model

The traditional Microsoft 365 Copilot license is assigned to individual users.

Each licensed user receives access to Copilot experiences across supported Microsoft 365 applications.

Examples include:

  • Word
  • Excel
  • PowerPoint
  • Outlook
  • Teams
  • OneNote
  • Microsoft 365 Chat

The license is:

  • Assigned per user
  • Monthly subscription
  • Predictable recurring cost

Characteristics of the Monthly License

The monthly model provides:

  • Full Microsoft 365 Copilot experience
  • Unlimited daily usage (subject to service limits)
  • Personalized AI assistance
  • Microsoft Graph integration
  • Cross-app experiences
  • Enterprise security and compliance

This model is best for employees who regularly use Copilot throughout their workday.

Typical Monthly License Scenario

A financial analyst uses Copilot every day to:

  • Analyze Excel workbooks
  • Draft reports
  • Summarize meetings
  • Create PowerPoint presentations
  • Search organizational knowledge

Because AI is used continuously, a monthly license provides predictable costs.

Benefits of Monthly Licensing

Advantages include:

  • Predictable budgeting
  • No need to monitor consumption
  • Continuous access
  • Simplified administration
  • Consistent user experience
  • Ideal for heavy users

Limitations of Monthly Licensing

Considerations include:

  • Fixed monthly cost regardless of usage
  • Not ideal for occasional users
  • Every user requires their own license
  • Organizations may over-license infrequent users

Pay-as-You-Go Licensing

Pay-as-you-go (PAYG) is a consumption-based licensing model.

Instead of paying for every user every month, organizations pay based on actual AI usage.

Think of it similarly to cloud computing services:

  • More usage = higher cost
  • Less usage = lower cost

Characteristics of Pay-as-You-Go

Pay-as-you-go provides:

  • Usage-based billing
  • Flexible scaling
  • No requirement for every user to have a monthly Copilot license
  • Cost based on AI requests or service consumption (depending on the service)

This model is especially useful for agents and certain AI scenarios.

Benefits of Pay-as-You-Go

Advantages include:

  • Lower upfront costs
  • Pay only for actual usage
  • Flexible deployment
  • Easy experimentation
  • Ideal for seasonal workloads
  • Good for occasional users

Limitations of Pay-as-You-Go

Potential drawbacks include:

  • Variable monthly costs
  • Budget forecasting is more difficult
  • Requires monitoring usage
  • Heavy usage may become more expensive than subscription licensing

Comparing Monthly Licensing and Pay-as-You-Go

Monthly LicensePay-as-You-Go
Fixed monthly costUsage-based cost
Licensed per userConsumption-based
Predictable budgetingVariable spending
Best for daily usersBest for occasional use
Continuous Copilot accessPay only when AI is used
Simpler cost managementRequires usage monitoring

Microsoft 365 Copilot Chat

Organizations should understand that Microsoft offers AI experiences beyond the traditional monthly Copilot license.

For example:

  • Microsoft 365 Copilot Chat is available to Microsoft 365 users.
  • Organizations can extend Copilot Chat with agents.
  • Some agent usage can be billed using pay-as-you-go licensing rather than requiring every user to have a full Copilot subscription.

This provides flexibility for organizations with mixed AI usage patterns.

SharePoint and Copilot

SharePoint includes AI capabilities that help users work with documents, sites, and organizational knowledge.

Examples include:

  • Summarizing documents
  • Answering questions about files
  • Generating page content
  • Assisting with document creation
  • Improving knowledge discovery

SharePoint Agents

One important capability is SharePoint agents.

A SharePoint agent can:

  • Be created from a SharePoint site or document library
  • Answer questions using approved SharePoint content
  • Help users locate organizational knowledge
  • Reduce the need to manually search documents

For example:

A Human Resources SharePoint site may contain:

  • Employee handbook
  • Benefits guide
  • Leave policies
  • Training documents

An HR SharePoint agent can answer employee questions using those documents.

SharePoint Pay-as-You-Go

Organizations can use SharePoint agents without assigning every user a full Microsoft 365 Copilot license.

Instead, administrators can configure consumption-based billing.

Benefits include:

  • Lower cost for occasional users
  • Easy pilot deployments
  • Department-specific AI
  • Flexible scaling

This makes SharePoint agents attractive for organizations wanting targeted AI experiences without licensing every employee.

Choosing the Right Licensing Model

Choose Monthly Licensing When

  • Employees use Copilot every day.
  • AI is integrated into daily workflows.
  • Predictable monthly budgeting is important.
  • Users need full Copilot functionality across Microsoft 365.

Examples:

  • Executives
  • Project managers
  • Analysts
  • Consultants
  • Sales professionals
  • Knowledge workers

Choose Pay-as-You-Go When

  • AI usage is occasional.
  • Organizations are testing AI.
  • Departments need specialized agents.
  • Seasonal usage is expected.
  • Budget flexibility is acceptable.

Examples:

  • HR help desk agent
  • Legal document agent
  • IT support chatbot
  • SharePoint knowledge assistant

Administrative Considerations

Administrators should evaluate:

  • Expected AI usage
  • Number of users
  • Cost predictability
  • Department requirements
  • Governance policies
  • Licensing strategy
  • Agent deployment plans

Security Remains the Same

Regardless of licensing model:

  • Microsoft Entra ID authentication is used.
  • Microsoft Graph permissions are enforced.
  • Microsoft Purview policies apply.
  • Data Loss Prevention (DLP) policies remain active.
  • Sensitivity labels continue protecting content.
  • Microsoft Defender protections remain in effect.

Licensing changes how organizations pay for AI—not how Microsoft secures organizational data.

Best Practices

Microsoft recommends that organizations:

  • License frequent users with Microsoft 365 Copilot subscriptions.
  • Use pay-as-you-go for occasional AI usage.
  • Monitor AI adoption and consumption.
  • Start with pilot deployments.
  • Evaluate SharePoint agents for departmental knowledge scenarios.
  • Review licensing regularly as adoption increases.

Exam Tips

For the AB-900 exam, remember these key points:

  • Microsoft 365 Copilot is commonly licensed per user with a monthly subscription.
  • Pay-as-you-go bills organizations based on AI usage.
  • Monthly licensing provides predictable costs.
  • Pay-as-you-go offers flexibility for occasional or specialized AI use.
  • SharePoint agents can be deployed using consumption-based licensing in supported scenarios.
  • Licensing affects billing—not security or permissions.
  • Microsoft Graph, Microsoft Purview, and Microsoft Entra ID protections apply regardless of licensing model.
  • Heavy AI users are generally better suited to monthly licensing.
  • Departmental or pilot AI deployments often benefit from pay-as-you-go.

Practice Exam Questions

Question 1

Which licensing model provides users with a predictable monthly cost for Microsoft 365 Copilot?

A. Pay-as-you-go
B. Monthly per-user license
C. Azure consumption credits
D. SharePoint storage licensing

Correct Answer: B

Explanation: A monthly per-user license provides continuous access to Microsoft 365 Copilot for a fixed monthly subscription.

Question 2

What is the primary advantage of the pay-as-you-go licensing model?

A. Users receive unlimited AI usage regardless of activity.
B. Organizations pay only for actual AI usage.
C. Every employee automatically receives Microsoft 365 Copilot.
D. It disables Microsoft Graph integration.

Correct Answer: B

Explanation: Pay-as-you-go charges based on consumption, making it suitable for occasional or specialized AI usage.

Question 3

Which type of user is generally the best candidate for a Microsoft 365 Copilot monthly license?

A. An employee who rarely uses Microsoft 365 applications
B. A seasonal contractor who accesses AI once a month
C. A knowledge worker who uses Copilot throughout the workday
D. A visitor with guest access to SharePoint

Correct Answer: C

Explanation: Heavy or daily users benefit from the predictable costs and continuous access provided by the monthly licensing model.

Question 4

An organization wants to deploy an HR SharePoint agent that employees will use occasionally. Which licensing model is often the better fit?

A. Monthly Copilot license for every employee
B. Windows Enterprise licensing
C. Exchange Online licensing
D. Pay-as-you-go

Correct Answer: D

Explanation: Pay-as-you-go is well suited for departmental agents with occasional usage, allowing organizations to pay based on consumption.

Question 5

Which statement about Microsoft 365 Copilot monthly licensing is correct?

A. It charges only when AI is used.
B. It is assigned to individual users as a subscription.
C. It replaces Microsoft Entra ID.
D. It is available only for SharePoint.

Correct Answer: B

Explanation: The traditional Microsoft 365 Copilot model is licensed per user through a recurring subscription.

Question 6

Which capability is commonly associated with SharePoint agents?

A. Managing Windows updates
B. Replacing Microsoft Graph
C. Answering questions using SharePoint content and document libraries
D. Creating Azure virtual machines

Correct Answer: C

Explanation: SharePoint agents are grounded in SharePoint content and help users locate and understand organizational knowledge.

Question 7

How do Microsoft Purview policies behave when an organization switches from monthly licensing to pay-as-you-go?

A. They are automatically disabled.
B. They apply only to SharePoint documents.
C. They require users to purchase additional licenses before functioning.
D. They continue to protect data regardless of the licensing model.

Correct Answer: D

Explanation: Security and compliance controls such as Microsoft Purview continue to protect data regardless of how AI services are licensed.

Question 8

Which licensing model generally provides the most predictable monthly budgeting?

A. Pay-as-you-go
B. Monthly per-user licensing
C. Azure Reserved Instances
D. SharePoint storage quotas

Correct Answer: B

Explanation: Monthly licensing offers a fixed recurring cost, simplifying budgeting and financial planning.

Question 9

What is a potential disadvantage of pay-as-you-go licensing?

A. It cannot be used with agents.
B. It prevents users from accessing SharePoint.
C. Monthly costs may vary depending on AI usage.
D. It disables Microsoft Graph permissions.

Correct Answer: C

Explanation: Consumption-based billing means costs fluctuate according to actual usage, making budgeting less predictable.

Question 10

Which statement best summarizes the difference between Microsoft 365 Copilot monthly licensing and pay-as-you-go?

A. Monthly licensing is subscription-based, while pay-as-you-go is consumption-based.
B. Monthly licensing does not include Microsoft Graph.
C. Pay-as-you-go removes Microsoft Purview protections.
D. Monthly licensing is only available for SharePoint.

Correct Answer: A

Explanation: The fundamental difference is the billing model: monthly licensing charges a fixed subscription per user, whereas pay-as-you-go charges based on actual AI service consumption.

Go to the AB-900 Exam Prep Hub main page

AB-900, AI Governance, AI Security, Data Governance, Data Security, Microsoft Certification

Understand features and capabilities of SharePoint Advanced Management, including restricted site access (AB-900 Exam Prep)

 
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify and monitor oversharing in SharePoint in Microsoft 365
      --> Understand features and capabilities of SharePoint Advanced Management, including restricted site access

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As organizations increasingly rely on Microsoft 365, SharePoint Online, Microsoft Teams, and Microsoft 365 Copilot, protecting organizational data has become more important than ever. While collaboration is essential, unrestricted sharing can expose confidential information to unintended users.

To help organizations better govern SharePoint content, Microsoft offers SharePoint Advanced Management (SAM), a collection of advanced governance, reporting, security, and lifecycle management capabilities designed to improve the security of SharePoint and OneDrive environments.

One of its most important features is Restricted Site Access, which allows administrators to temporarily limit access to specific SharePoint sites that may contain highly sensitive or potentially overshared information.

For the AB-900 exam, you should understand the purpose of SharePoint Advanced Management, its major capabilities, and how Restricted Site Access helps reduce data exposure.

What is SharePoint Advanced Management?

SharePoint Advanced Management is a set of administrative capabilities that extends the standard SharePoint Online administration experience.

Its goals include:

  • Improving governance
  • Reducing oversharing
  • Enhancing visibility into permissions
  • Strengthening data protection
  • Supporting Microsoft 365 Copilot readiness
  • Helping organizations adopt Zero Trust security principles

Rather than replacing Microsoft Purview or Microsoft Defender, SharePoint Advanced Management complements these services by focusing specifically on SharePoint and OneDrive administration.

Why SharePoint Advanced Management Is Important

Organizations often have:

  • Thousands of SharePoint sites
  • Millions of documents
  • Numerous external users
  • Complex permission structures
  • Years of accumulated sharing links

As these environments grow, administrators face challenges such as:

  • Overshared files
  • Forgotten external sharing
  • Stale permissions
  • Sensitive documents accessible by too many users
  • Inactive or abandoned sites

SharePoint Advanced Management provides tools to identify and address these issues before they become security incidents.

Key Capabilities of SharePoint Advanced Management

SharePoint Advanced Management includes several capabilities designed to improve governance.

1. Data Access Governance Reporting

Administrators can:

  • Identify overshared sites
  • Review sharing activity
  • Analyze permission configurations
  • Discover external access
  • Locate high-risk collaboration sites

These reports provide visibility into who can access organizational content.

2. Site Lifecycle Management

Organizations frequently create project sites that remain active long after projects end.

SharePoint Advanced Management helps administrators:

  • Identify inactive sites
  • Review site ownership
  • Archive or delete unused sites
  • Reduce unnecessary content exposure

Proper lifecycle management reduces security risks while improving overall governance.

3. Oversharing Insights

Administrators can identify:

  • Sites shared broadly
  • Anonymous sharing links
  • Guest access
  • Sensitive sites with excessive permissions
  • Large-scale permission inheritance issues

These insights are particularly valuable before deploying Microsoft 365 Copilot.

4. Site Ownership Management

SharePoint sites require responsible owners.

Advanced Management helps administrators identify:

  • Sites without owners
  • Inactive owners
  • Ownership inconsistencies

Proper ownership improves accountability and ensures permissions are reviewed regularly.

5. Sharing Governance

Administrators can evaluate:

  • External sharing
  • Anonymous links
  • Organization-wide access
  • Sharing policies
  • Guest permissions

This helps organizations reduce unnecessary collaboration risks.

6. Restricted Site Access

One of the most important SharePoint Advanced Management capabilities is Restricted Site Access.

What is Restricted Site Access?

Restricted Site Access allows administrators to temporarily limit access to a SharePoint site.

When enabled:

  • Most users lose access to the site.
  • Only designated administrators or approved users can access the content.
  • Copilot and Microsoft Search continue to respect the updated permissions because they always honor Microsoft 365 security trimming.

This feature is useful when a site contains highly sensitive information or requires investigation.

Why Use Restricted Site Access?

Organizations may need to immediately reduce access when:

  • Sensitive information has been overshared.
  • A security investigation is underway.
  • Legal or regulatory reviews are occurring.
  • Confidential merger or acquisition documents are stored.
  • Human Resources investigations are active.
  • Executive leadership documents require additional protection.
  • Sensitive intellectual property is being reviewed.

Rather than deleting the site, administrators can quickly restrict access while remediation occurs.

How Restricted Site Access Works

The feature temporarily changes access behavior by allowing only explicitly authorized users to access the site.

Typical workflow:

  1. Administrator identifies a high-risk site.
  2. Restricted Site Access is enabled.
  3. Only approved users retain access.
  4. Administrators investigate permissions.
  5. Oversharing issues are corrected.
  6. Normal access is restored when appropriate.

Benefits of Restricted Site Access

Organizations gain several advantages:

Rapid Risk Reduction

Potential data exposure is reduced immediately.

Supports Investigations

Investigators can examine permissions without widespread user access.

Improves Governance

Administrators gain time to review sharing settings before reopening access.

Protects Sensitive Information

Highly confidential documents remain accessible only to authorized personnel.

Supports Compliance

Temporary restrictions can assist with legal, regulatory, or internal compliance reviews.

Relationship with Microsoft 365 Copilot

Microsoft 365 Copilot respects Microsoft 365 permissions.

If a site becomes restricted:

  • Copilot cannot retrieve information from that site for users who no longer have permission.
  • Microsoft Search also honors the updated permissions.
  • Other Microsoft 365 services continue using the same security model.

Restricted Site Access therefore reduces the likelihood that Copilot will surface sensitive content from that site.

Relationship with Microsoft Purview

SharePoint Advanced Management and Microsoft Purview work together.

Microsoft Purview focuses on:

  • Data classification
  • Sensitivity labels
  • Data Loss Prevention (DLP)
  • Insider Risk Management
  • Data Lifecycle Management
  • Compliance

SharePoint Advanced Management focuses on:

  • Site governance
  • Permissions
  • Oversharing
  • Site administration
  • Access analysis
  • Restricted Site Access

Together they provide comprehensive protection for Microsoft 365 data.

Relationship with Microsoft Defender

Microsoft Defender identifies threats such as:

  • Compromised accounts
  • Suspicious user activity
  • Malware
  • Phishing attacks

If Defender identifies suspicious activity involving a SharePoint site, administrators may choose to enable Restricted Site Access while investigating the incident.

Best Practices

Microsoft recommends the following practices:

  • Regularly review Data Access Governance reports.
  • Minimize broad “Everyone” permissions.
  • Review external sharing frequently.
  • Assign active site owners.
  • Archive inactive sites.
  • Apply sensitivity labels to sensitive content.
  • Use Restricted Site Access only when necessary.
  • Review restricted sites periodically and restore normal access when appropriate.
  • Combine SharePoint Advanced Management with Microsoft Purview and Microsoft Defender for layered protection.
  • Follow the principle of least privilege.

Exam Tips

Remember these key points for the AB-900 exam:

  • SharePoint Advanced Management focuses on governance and security for SharePoint and OneDrive.
  • It helps identify and remediate oversharing.
  • Restricted Site Access temporarily limits access to sensitive SharePoint sites.
  • Copilot always respects SharePoint permissions, including restricted sites.
  • Restricted Site Access is useful during investigations or when sensitive information has been overshared.
  • SharePoint Advanced Management complements Microsoft Purview rather than replacing it.
  • Proper site ownership and lifecycle management reduce long-term security risks.

Practice Exam Questions

Question 1

Which primary problem does SharePoint Advanced Management help organizations address?

A. Windows operating system updates

B. Oversharing and governance of SharePoint content

C. SQL Server performance tuning

D. Microsoft Teams meeting scheduling

Correct Answer: B

Explanation: SharePoint Advanced Management provides governance tools that help identify oversharing, manage permissions, and improve the security of SharePoint and OneDrive environments.

Question 2

What is the purpose of Restricted Site Access?

A. Permanently delete SharePoint sites

B. Encrypt every document within a site

C. Temporarily limit access to a SharePoint site for authorized users only

D. Automatically archive inactive sites

Correct Answer: C

Explanation: Restricted Site Access allows administrators to temporarily restrict access to a site while investigating or protecting sensitive information.

Question 3

Why is SharePoint Advanced Management valuable before deploying Microsoft 365 Copilot?

A. It increases Copilot response speed.

B. It upgrades Microsoft Graph.

C. It removes all external users automatically.

D. It helps identify overshared content that Copilot could otherwise access based on existing permissions.

Correct Answer: D

Explanation: Since Copilot honors existing permissions, reducing oversharing before deployment helps minimize the risk of exposing sensitive information.

Question 4

Which capability is included in SharePoint Advanced Management?

A. Azure virtual machine backup

B. Microsoft Intune device enrollment

C. Data Access Governance reporting

D. Windows Server patch management

Correct Answer: C

Explanation: Data Access Governance reporting is a core capability that helps administrators analyze permissions and identify overshared content.

Question 5

What happens when Restricted Site Access is enabled?

A. Microsoft 365 Copilot ignores the restriction.

B. Only approved users and administrators retain access to the site.

C. All SharePoint sites become read-only.

D. External sharing is permanently disabled across the tenant.

Correct Answer: B

Explanation: Restricted Site Access limits access to authorized users, and Copilot continues to respect those permissions.

Question 6

Which Microsoft service primarily complements SharePoint Advanced Management by classifying and protecting sensitive information?

A. Microsoft Purview

B. Microsoft Paint

C. Windows Defender Firewall

D. Microsoft Project

Correct Answer: A

Explanation: Microsoft Purview provides data classification, labeling, DLP, and compliance capabilities that complement SharePoint governance features.

Question 7

Which scenario is an appropriate use case for Restricted Site Access?

A. Scheduling recurring Teams meetings

B. Updating Microsoft 365 licenses

C. Protecting a SharePoint site containing confidential merger documents during negotiations

D. Increasing SharePoint storage capacity

Correct Answer: C

Explanation: Restricting access to highly confidential content during sensitive business activities helps reduce the risk of accidental exposure.

Question 8

Which governance activity helps reduce long-term security risks in SharePoint?

A. Creating additional anonymous sharing links

B. Allowing all users full control of every site

C. Disabling Microsoft Search

D. Reviewing inactive sites and assigning active site owners

Correct Answer: D

Explanation: Proper site ownership and lifecycle management reduce abandoned sites and improve ongoing governance.

Question 9

How does Microsoft 365 Copilot interact with a site that has Restricted Site Access enabled?

A. Copilot bypasses the restriction for administrators only.

B. Copilot ignores SharePoint permissions.

C. Copilot respects the updated permissions and cannot retrieve content for unauthorized users.

D. Copilot copies restricted files into Microsoft Graph.

Correct Answer: C

Explanation: Copilot always honors Microsoft 365 permissions. If a user cannot access a restricted site, Copilot cannot use its content in responses for that user.

Question 10

Which statement best describes SharePoint Advanced Management?

A. It replaces Microsoft Purview entirely.

B. It is focused on SharePoint and OneDrive governance, permissions, lifecycle management, and oversharing protection.

C. It functions as an antivirus solution.

D. It manages Microsoft Entra ID authentication policies.

Correct Answer: B

Explanation: SharePoint Advanced Management provides advanced governance capabilities for SharePoint and OneDrive, including oversharing detection, site lifecycle management, permission analysis, and Restricted Site Access.

Go to the AB-900 Exam Prep Hub main page

Data Governance, Microsoft Certification, AI Governance, AI Security, AB-900, security

Run a data access governance report in SharePoint (AB-900 Exam Prep)

 
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify and monitor oversharing in SharePoint in Microsoft 365
      --> Run a data access governance report in SharePoint

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

That is an excellent next topic for the AB-900 exam because it combines SharePoint governance, Microsoft Purview, and Copilot data security. Although the feature continues to evolve, the exam focuses on understanding what the report is, when to use it, and what problems it helps administrators solve, rather than memorizing every UI step.

Why Data Access Governance Matters

One of the largest security challenges in Microsoft 365 is oversharing. Over time, organizations accumulate millions of files, thousands of SharePoint sites, and numerous Microsoft Teams workspaces. Permissions often become increasingly complex as users:

  • Share files externally
  • Create anonymous sharing links
  • Grant access to “Everyone”
  • Add guests to Teams
  • Break inheritance on folders
  • Forget to remove temporary permissions

As organizations adopt Microsoft 365 Copilot, overshared content becomes an even greater concern because Copilot can surface information that a user already has permission to access—even if that access was unintentionally granted.

Microsoft provides Data Access Governance (DAG) capabilities in SharePoint to help administrators discover, understand, and remediate excessive access before it becomes a security issue.

What is Data Access Governance?

Data Access Governance is a collection of reporting and analysis capabilities within SharePoint Advanced Management that helps administrators answer questions such as:

  • Which sites are accessible by everyone?
  • Which files are overshared?
  • Which sites have external users?
  • Which sites contain highly sensitive information?
  • Which permissions may expose confidential content?
  • Which sites should be reviewed?

Rather than examining permissions one site at a time, administrators receive organization-wide visibility.

Primary Goals of Data Access Governance

Data Access Governance helps organizations:

  • Discover overshared sites
  • Review permissions
  • Reduce excessive access
  • Identify high-risk collaboration
  • Improve Microsoft 365 security posture
  • Prepare for Microsoft 365 Copilot deployment
  • Reduce accidental data exposure
  • Support compliance initiatives

Why It Is Important for Microsoft 365 Copilot

Microsoft 365 Copilot never ignores permissions.

Instead, it retrieves content using the same security model that governs Microsoft 365.

If a user has permission to open a document manually, Copilot can potentially reference that document when generating responses.

For example:

Suppose Human Resources accidentally grants the entire company read access to salary spreadsheets.

Without Copilot:

  • Most employees may never discover the files.

With Copilot:

A user might ask:

“Summarize employee compensation data.”

Because the files are already accessible, Copilot could retrieve them.

The problem is not Copilot—it is the underlying permissions.

Data Access Governance helps identify these permission problems before they become security risks.

What the Data Access Governance Report Shows

The report provides administrators with visibility into SharePoint permissions and sharing configurations across the tenant.

Common information includes:

  • Site owners
  • Site sensitivity
  • External sharing status
  • Number of members
  • Anonymous links
  • Organization-wide access
  • Guest access
  • Sharing activity
  • Permission inheritance
  • Access patterns
  • High-risk sites
  • Overshared content indicators

Rather than searching manually, administrators can prioritize the highest-risk locations.

Types of Oversharing That Can Be Identified

The report can identify situations such as:

Organization-wide access

Sites accessible by:

  • Everyone
  • Everyone except external users
  • Large security groups

These sites often expose more content than intended.

Anonymous Links

Files shared through links that require no authentication.

These links may remain active long after they are needed.

Guest Access

Sites containing:

  • External users
  • Partner accounts
  • Vendor accounts

Administrators can verify whether guest access is still appropriate.

Excessive Sharing

Examples include:

  • Large numbers of shared files
  • Broad sharing permissions
  • Public document libraries
  • Open collaboration spaces

Sensitive Sites

The report can identify sites that contain:

  • Financial information
  • HR records
  • Legal documents
  • Intellectual property
  • Customer information

Combined with Microsoft Purview sensitivity labels, administrators gain better visibility into where important information resides.

Typical Workflow

Administrators generally follow this process:

Step 1

Open SharePoint administration tools.

Step 2

Generate or review a Data Access Governance report.

Step 3

Review identified risks.

Examples:

  • Overshared sites
  • External sharing
  • Everyone permissions
  • Sensitive content

Step 4

Investigate high-risk sites.

Questions include:

  • Does this access need to exist?
  • Are guests still required?
  • Is inheritance broken?
  • Should permissions be reduced?

Step 5

Take corrective action.

Possible actions include:

  • Remove permissions
  • Restrict sharing
  • Apply sensitivity labels
  • Disable anonymous links
  • Reduce guest access
  • Educate site owners

Step 6

Run reports regularly to verify improvements.

Relationship with Microsoft Purview

Data Access Governance works alongside Microsoft Purview.

Purview answers questions such as:

  • What sensitive data exists?
  • How is it classified?
  • Which labels are applied?
  • Are DLP policies triggered?

SharePoint Data Access Governance answers:

  • Who can access the data?
  • Is the data overshared?
  • Which sites expose information?
  • Which permissions should be reviewed?

Together they provide both:

  • Content awareness
  • Permission awareness

Relationship with Microsoft 365 Copilot

Data Access Governance helps administrators prepare for Copilot by reducing permission-related risks.

Benefits include:

  • Finding overshared SharePoint sites
  • Identifying unnecessary permissions
  • Reducing broad access
  • Reviewing guest sharing
  • Protecting confidential information
  • Improving search security
  • Supporting Zero Trust principles

Best Practices

Microsoft recommends that organizations:

  • Review sharing reports regularly.
  • Audit external access periodically.
  • Minimize “Everyone” permissions.
  • Remove unused guest accounts.
  • Apply sensitivity labels to important sites.
  • Use Microsoft Purview DLP alongside SharePoint governance.
  • Educate site owners on responsible sharing.
  • Review high-risk collaboration sites before deploying Copilot broadly.
  • Follow the principle of least privilege.
  • Continuously monitor permission changes.

Common Exam Tips

Remember these key points:

  • Data Access Governance focuses on permissions and access, not document content.
  • It helps identify oversharing across SharePoint.
  • It is especially valuable before deploying Microsoft 365 Copilot.
  • Copilot respects existing Microsoft 365 permissions.
  • Oversharing is a permissions problem, not a Copilot problem.
  • Reports help administrators prioritize high-risk sites for remediation.
  • Data Access Governance complements Microsoft Purview rather than replacing it.

Practice Exam Questions

Question 1

Why would an administrator run a Data Access Governance report in SharePoint?

A. To update SharePoint servers

B. To identify overshared sites and permission risks

C. To encrypt all documents automatically

D. To generate Microsoft 365 licenses

Correct Answer: B

Explanation: Data Access Governance helps administrators identify sites with excessive permissions, external sharing, and other access-related risks.

Question 2

Which issue is Data Access Governance primarily designed to identify?

A. SQL database corruption

B. Printer failures

C. Oversharing of SharePoint content

D. Network latency

Correct Answer: C

Explanation: The primary purpose is to detect oversharing and excessive permissions across SharePoint.

Question 3

Why is Data Access Governance especially important before deploying Microsoft 365 Copilot?

A. Copilot automatically changes permissions.

B. Copilot ignores SharePoint security.

C. Copilot copies all SharePoint files.

D. Copilot can reference content users already have permission to access.

Correct Answer: D

Explanation: Copilot honors existing permissions. Overshared content may therefore appear in Copilot responses if users already have legitimate access.

Question 4

Which type of access represents a potential oversharing risk?

A. Anonymous sharing links

B. Azure subscription ownership

C. Exchange mailbox size

D. Microsoft Teams background images

Correct Answer: A

Explanation: Anonymous links allow access without authentication and should be reviewed carefully.

Question 5

What question does Data Access Governance primarily help answer?

A. Which users have excessive access to SharePoint content?

B. Which Windows updates are missing?

C. Which devices need antivirus software?

D. Which Microsoft 365 licenses should be purchased?

Correct Answer: A

Explanation: Data Access Governance focuses on permissions, sharing, and access to SharePoint content.

Question 6

Which Microsoft 365 principle is supported by regularly reviewing Data Access Governance reports?

A. Unlimited collaboration

B. Least privilege

C. Maximum storage allocation

D. Unlimited guest access

Correct Answer: B

Explanation: Regular reviews help ensure users have only the permissions necessary to perform their work.

Question 7

Which type of SharePoint site would likely appear as higher risk in a Data Access Governance report?

A. A private HR site with restricted access

B. A site shared with only one administrator

C. A site containing sensitive files that is accessible to everyone

D. A newly created empty site

Correct Answer: C

Explanation: Sensitive information combined with broad permissions represents a significant oversharing risk.

Question 8

How does Data Access Governance complement Microsoft Purview?

A. Both products only classify documents.

B. Data Access Governance focuses on permissions, while Purview focuses on data protection and governance.

C. They perform identical functions.

D. Purview replaces SharePoint permissions.

Correct Answer: B

Explanation: Purview governs and protects data, while Data Access Governance helps administrators understand who has access to that data.

Question 9

Which action should an administrator consider after identifying an overshared SharePoint site?

A. Delete all documents immediately.

B. Disable Microsoft 365 Copilot.

C. Purchase additional SharePoint storage.

D. Review and reduce unnecessary permissions.

Correct Answer: D

Explanation: The appropriate response is to evaluate existing permissions and remove excessive or unnecessary access while maintaining business needs.

Question 10

Which statement about Microsoft 365 Copilot and Data Access Governance is true?

A. Data Access Governance prevents all Copilot responses.

B. Copilot bypasses SharePoint permissions when generating answers.

C. Data Access Governance helps reduce the risk of Copilot surfacing overshared information by identifying excessive permissions.

D. Copilot encrypts all SharePoint documents before using them.

Correct Answer: C

Explanation: By identifying and remediating overshared permissions, Data Access Governance helps ensure Copilot only surfaces information that users are appropriately authorized to access.

Go to the AB-900 Exam Prep Hub main page

AB-900, Microsoft Certification

Identify the appropriate objects to configure by using the SharePoint in Microsoft 365 Admin Center (sites, libraries, and folders) (AB-900 Exam Prep)

 
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Identify the core features and objects of Microsoft 365 services (30–35%)
   --> Identify the core objects of Microsoft 365 services
      --> Identify the appropriate objects to configure by using the SharePoint in Microsoft 365 Admin Center (sites, libraries, and folders)

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

SharePoint Online is Microsoft’s cloud-based collaboration and content management platform included with Microsoft 365. It enables organizations to store, organize, share, and manage information securely.

The SharePoint admin center allows administrators to configure and manage SharePoint resources across the organization. For the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam, it is important to understand the key SharePoint objects:

  • Sites
  • Document libraries
  • Folders

These objects form the structure used to organize files and collaboration content throughout Microsoft 365.

What Is SharePoint Online?

SharePoint Online is a service that provides:

  • Document storage
  • Team collaboration
  • Content management
  • Intranet sites
  • File sharing
  • Integration with Microsoft Teams and OneDrive

SharePoint acts as the underlying storage platform for many Microsoft 365 services.

For example:

  • Files shared in Teams are stored in SharePoint.
  • Documents used by Microsoft 365 Copilot may reside in SharePoint.
  • Organizational knowledge can be maintained through SharePoint sites.

The SharePoint Admin Center

The SharePoint admin center provides centralized administration for SharePoint Online.

Administrators can:

  • Create and manage sites.
  • Configure sharing settings.
  • Monitor storage usage.
  • Restore deleted sites.
  • Manage permissions.
  • Configure policies.
  • Control external access.

The SharePoint admin center focuses on organization-wide management rather than individual file management.

Understanding the SharePoint Hierarchy

SharePoint content is organized in a hierarchy:

Site
Document Library
Folders
Files

Understanding this structure is essential for the AB-900 exam.

SharePoint Sites

A site is the top-level container used to organize information and collaboration resources.

Sites can contain:

  • Document libraries
  • Lists
  • Pages
  • News posts
  • Permissions
  • Folders and files

Think of a site as a workspace for a team, department, or project.

Types of SharePoint Sites

Team Sites

Team sites support collaboration among groups of users.

Typical uses include:

  • Project teams
  • Departments
  • Committees

Features include:

  • Shared documents
  • Group calendars
  • Microsoft 365 Group integration
  • Teams integration

Example:

Finance Team Site

Communication Sites

Communication sites are designed for broadcasting information to larger audiences.

Examples include:

  • Company news portals
  • HR announcements
  • Corporate intranets

Communication sites emphasize publishing rather than collaboration.

Site Permissions

Each site has permissions that determine who can:

  • View content.
  • Edit files.
  • Manage settings.
  • Share information.

Permission management helps organizations secure information while enabling collaboration.

Site Storage

Sites consume storage from the organization’s SharePoint storage pool.

Administrators can monitor:

  • Storage usage
  • Growth trends
  • Available capacity

Storage management helps ensure sufficient space for users and workloads.

Document Libraries

A document library is a collection used to store and organize files within a SharePoint site.

Libraries can contain:

  • Documents
  • Spreadsheets
  • Presentations
  • PDFs
  • Images
  • Folders

A site may contain multiple libraries.

Example:

Finance Site

Libraries:

  • Budgets
  • Reports
  • Policies

Benefits of Document Libraries

Document libraries provide:

Centralized Storage

Files are stored in one location.

Version History

Multiple versions of documents can be maintained.

Metadata Support

Documents can include descriptive information.

Searchability

Users can quickly locate files.

Permissions

Libraries can have access controls.

Default Documents Library

Most SharePoint sites contain a default library called:

Documents

Users commonly upload files into this library when collaborating through Teams or SharePoint.

Library Permissions

Libraries can inherit permissions from the parent site or have unique permissions assigned.

This allows organizations to:

  • Restrict sensitive content.
  • Separate departments.
  • Protect confidential documents.

Folders

Folders are used within document libraries to further organize files.

Example:

Finance Site
   → Reports Library
        → 2025 Folder
             → Q1 Folder
                  → Budget.xlsx

Folders provide familiar file organization similar to Windows File Explorer.

Benefits of Folders

Folders help users:

  • Group related files.
  • Simplify navigation.
  • Organize projects.
  • Separate years, departments, or topics.

Files

Files are the actual content stored inside folders or libraries.

Examples:

  • Word documents
  • Excel workbooks
  • PowerPoint presentations
  • PDFs
  • Images

Files stored in SharePoint support:

  • Collaboration
  • Co-authoring
  • Search
  • Version history

Version History

SharePoint maintains previous versions of files.

Benefits include:

  • Recovering accidental changes.
  • Viewing historical versions.
  • Tracking modifications.
  • Supporting collaboration.

Versioning is especially valuable when multiple users edit documents.

Integration with Microsoft Teams

Many Teams channels store files inside SharePoint document libraries.

Example:

Marketing Team
General Channel
Files Tab
SharePoint Library

Although users may interact through Teams, the underlying storage is SharePoint.

Integration with OneDrive

OneDrive uses SharePoint technology behind the scenes.

Differences include:

ServicePurpose
OneDrivePersonal file storage
SharePointTeam and organizational storage

External Sharing

Administrators can configure whether users can share:

  • Sites
  • Libraries
  • Files
  • Folders

External sharing enables collaboration with:

  • Customers
  • Vendors
  • Partners

Organizations often balance collaboration with security requirements.

Why SharePoint Objects Matter for Microsoft 365 Copilot

Microsoft 365 Copilot can reference content stored in SharePoint.

Examples include:

  • Policies
  • Meeting documents
  • Reports
  • Project files

Copilot only accesses information users already have permission to view.

Well-organized sites, libraries, and folders improve search quality and help Copilot provide more relevant responses.

SharePoint Admin Center Tasks

Administrators commonly:

Manage Sites

  • Create sites.
  • Delete sites.
  • Restore sites.

Configure Sharing

  • Internal sharing
  • External sharing

Monitor Storage

  • View usage
  • Allocate capacity

Manage Policies

  • Access controls
  • Site settings

Best Practices

Create Sites for Teams and Departments

Separate content logically.

Use Libraries for Major Categories

Avoid storing everything in a single library.

Use Folders Carefully

Too many nested folders can make navigation difficult.

Apply Appropriate Permissions

Protect sensitive content.

Maintain Consistent Naming Standards

Improve usability and search effectiveness.

Exam Tips

Remember these AB-900 concepts:

  • A site is the top-level SharePoint container.
  • Sites contain document libraries.
  • Libraries contain folders and files.
  • Team sites support collaboration.
  • Communication sites support publishing information.
  • SharePoint underlies file storage for Microsoft Teams.
  • OneDrive is intended for personal storage.
  • Version history helps recover previous file versions.
  • Permissions control access to sites, libraries, folders, and files.
  • Microsoft 365 Copilot respects existing SharePoint permissions.

Practice Exam Questions

Question 1

Which SharePoint object acts as the top-level container for collaboration resources?

A. Folder
B. Site
C. Document library
D. File

Correct Answer: B

Explanation: A site is the primary container that holds libraries, pages, lists, and permissions.

Question 2

Which SharePoint object directly stores files?

A. Team channel
B. Site collection
C. Document library
D. News page

Correct Answer: C

Explanation: Document libraries are collections designed specifically to store and organize files.

Question 3

A company wants to publish organization-wide news and announcements. Which type of SharePoint site is most appropriate?

A. Team site
B. Project site
C. Communication site
D. Personal site

Correct Answer: C

Explanation: Communication sites are optimized for sharing information with large audiences.

Question 4

What is the purpose of folders within a SharePoint library?

A. Create Microsoft 365 Groups
B. Assign licenses
C. Replace sites
D. Organize files into smaller categories

Correct Answer: D

Explanation: Folders provide additional organization within document libraries.

Question 5

Which statement about Microsoft Teams file storage is true?

A. Teams files are stored in Exchange Online.
B. Teams files are stored in OneNote.
C. Teams files are stored in SharePoint Online.
D. Teams files are stored only on local devices.

Correct Answer: C

Explanation: SharePoint Online serves as the underlying storage platform for Teams files.

Question 6

Which feature allows users to restore previous versions of a document?

A. Retention labels
B. Site templates
C. External sharing
D. Version history

Correct Answer: D

Explanation: Version history maintains older copies of files and supports recovery.

Question 7

What is the primary purpose of OneDrive?

A. Organizational intranet publishing
B. Team collaboration storage
C. Personal file storage
D. Email management

Correct Answer: C

Explanation: OneDrive is intended for individual users and personal work files.

Question 8

A SharePoint library can have its own permissions that differ from the parent site. What does this provide?

A. Independent security for specific content
B. Automatic licensing
C. Increased mailbox capacity
D. Dynamic distribution capabilities

Correct Answer: A

Explanation: Unique permissions allow administrators to protect sensitive libraries separately from the overall site.

Question 9

Which object is directly above folders in the SharePoint hierarchy?

A. Files
B. Lists
C. Pages
D. Document libraries

Correct Answer: D

Explanation: Libraries contain folders, which in turn contain files.

Question 10

Why are well-organized SharePoint sites beneficial for Microsoft 365 Copilot?

A. They bypass permissions.
B. They improve content discovery and relevance.
C. They automatically increase storage quotas.
D. They eliminate version history.

Correct Answer: B

Explanation: Organized SharePoint content helps Copilot retrieve more useful information while respecting user permissions.

Go to the AB-900 Exam Prep Hub main page