The AB-900 exam, Microsoft 365 Copilot and Agent Administration Fundamentals, validates your ability to manage core Microsoft 365 services and administer Copilot and agent features. This exam is designed for IT professionals and administrators who need foundational knowledge of Microsoft 365 architecture, governance, and emerging AI-powered tools. This page maps the exam syllabus, outlines study strategies, and connects you to focused preparation resources. Whether you're new to Microsoft 365 administration or expanding your skill set, understanding the core topics and question formats will help you prepare efficiently.
Use this topic map to guide your study for Microsoft AB-900 (Microsoft 365 Copilot and Agent Administration Fundamentals) within the Microsoft 365 path.
The AB-900 exam uses a mix of question types to assess both conceptual knowledge and practical decision-making in real administrative scenarios.
Questions progress in difficulty and emphasize practical application, meaning you must connect theory to real-world administration challenges.
An effective study plan breaks the syllabus into weekly blocks, pairs concept review with practice questions, and includes timed mock exams to build confidence. Allocate time proportionally to each domain, but prioritize hands-on familiarity with Microsoft 365 admin centers and Copilot interfaces.
Data protection and governance typically account for a significant portion of the exam, reflecting the growing importance of compliance and security in Microsoft 365 environments. However, all three domains are tested, so balanced preparation across core features, administration, and governance is essential for a strong score.
In practice, these domains overlap constantly. For example, when deploying Copilot to Teams users, you must understand Teams architecture (core features), configure access and permissions (administration), and apply data loss prevention policies (governance). Understanding these connections helps you answer scenario-based questions and handle real-world tasks.
Hands-on practice is highly valuable because the exam includes scenario-based and simulation-style questions that require familiarity with admin interfaces. Prioritize exploring the Microsoft 365 admin center, Exchange admin center, and SharePoint admin center; practice common tasks like creating policies, managing users, and reviewing audit logs.
Many candidates confuse similar features across services or overlook the distinction between user-facing capabilities and administrative controls. Others rush through scenario questions without fully reading the organizational context, leading to incorrect decisions. Slow down on multi-part scenarios and always consider governance implications alongside functional requirements.
In your final week, review weak topic areas identified in practice tests, complete one full-length timed mock exam, and revisit scenario-based questions to sharpen decision-making. Avoid cramming new content; instead, consolidate what you've learned and build confidence through targeted review and realistic practice.
Your company has a Microsoft SharePoint site named Site1. Site1 contains all the policies of the company's HR department. The policies are saved as Microsoft Word documents.
All users have read access to Site1.
The HR department manager reports that user requests about the policies are NOT being addressed in a timely manner, especially around major holidays.
You need to recommend a solution to enable the users to find the HR department policies. The solution must provide the users with a list of common queries and ensure that responses are grounded only in Site1.
What should you include in the recommendation?
The correct answer is C. a custom Microsoft 365 Copilot agent. Microsoft Learn explains that Agent Builder in Microsoft 365 Copilot lets you create agents with specific instructions, dedicated knowledge sources, and starter prompts. Starter prompts are designed to help users understand the most common supported scenarios, which directly matches the requirement to provide users with a list of common queries. Microsoft also documents that an agent can be grounded in selected SharePoint sites, folders, or files, allowing the response scope to be targeted to the HR policy content in Site1 rather than broad enterprise or web data.
The other options do not fit the requirement. Copilot in Word is document-focused and is not intended to create a reusable, shared query experience grounded only in one SharePoint source. Copilot notebooks group materials and chats, but they are not the right tool for publishing a guided HR policy assistant with starter prompts. Researcher is designed for broader, multi-step research using work data and web content, so it does not satisfy the requirement to keep answers grounded only in Site1.
Your organization has a Microsoft 365 subscription.
You need to evaluate your organization's Identity Secure Score.
Which two factors affect the score? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
The correct answers are B and C. Microsoft documents that Identity Secure Score in Microsoft Entra is based on identity security recommendations, including recommendations such as "Designate more than one Global Administrator" and "Do not expire passwords." Those recommendations directly map to the number of global administrators and whether passwords are set to never expire, so both factors affect the score.
Your organization has a Microsoft 365 subscription.
Which two tasks can you perform by using the Exchange admin center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
The correct answers are A and D because both tasks are supported directly in the Exchange admin center (EAC). Microsoft Learn states that administrators can manage mail flow rules in Exchange Online from the EAC under Mail flow > Rules, which includes creating and managing transport rules for organizational email handling. Microsoft Learn also states that administrators can create shared mailboxes in the EAC under Recipients > Mailboxes, where a shared mailbox can be added and then delegated to users.
Option B is incorrect because adding a custom domain is normally done in the Microsoft 365 admin center, specifically on the Domains page. Although Exchange can later work with accepted domains and related mail flow settings, the act of adding and verifying a custom domain is not an Exchange admin center task. Option C is incorrect because license assignment is handled through Microsoft 365 or Microsoft Entra administrative tools, not the Exchange admin center.
Your organization has a Microsoft 365 subscription.
All users have Microsoft 365 Copilot licenses.
You need to identify where sensitive content is being used during Copilot interactions, analyze the content usage patterns, and provide recommendations on applying the appropriate protections.
What should you use?
The correct answer is B. the Microsoft Purview DSPM for AI solution. Microsoft documents that Data Security Posture Management for AI (DSPM for AI) in Microsoft Purview provides a central place to secure data for AI apps and proactively monitor AI use, including Copilots and agents. Microsoft also states that DSPM for AI helps organizations identify where sensitive content is used in AI interactions, review Copilot prompts and responses, analyze usage patterns, assess exposure and oversharing risks, and get recommendations for protections such as sensitivity labels and DLP policy coverage.
The other options do not fit this requirement. Microsoft Viva Insights focuses on productivity and work-pattern analytics, not sensitive-data protection in Copilot interactions. Microsoft Security Copilot is a security assistant for analysts, not the Purview governance solution that analyzes sensitive content use in Copilot and recommends data protections. Insider Risk Management is for identifying risky user behavior, not for broad AI interaction posture analysis and protection recommendations. Microsoft specifically positions DSPM for AI as the "front door" for discovering, monitoring, and protecting AI-related data usage in Microsoft 365 Copilot.
Your organization has a Microsoft 365 subscription.
All users are assigned Microsoft 365 Copilot licenses.
Some users report receiving Copilot responses that contain information from a Microsoft SharePoint site named Finance. The users report that the information is commercially sensitive.
You need to prevent Copilot from providing responses that contain information from the Finance site.
What should you do?
The correct answer is D. From the Finance site, configure permissions. Microsoft states that Microsoft 365 Copilot honors existing Microsoft 365 permissions and only grounds responses in content that the signed-in user is already allowed to access. That means if users are getting Finance-site content in Copilot responses, those users likely still have permission to that SharePoint content. The direct fix is to review and correct the site, library, folder, or file permissions on the Finance site so only the intended users retain access.
The other options do not directly solve this requirement. Information Barriers are designed for communication and collaboration segmentation scenarios, not for ordinary site-level oversharing remediation. A Defender data connector is unrelated to SharePoint permission enforcement. Conditional Access controls sign-in and session access conditions, but it does not selectively remove Copilot grounding from one SharePoint site for users who still have site permissions. Because Copilot uses SharePoint and Microsoft Graph permissions as its boundary, the Microsoft-documented corrective action is to fix the Finance site permissions.