Your organization has a Microsoft 365 subscription.
You need to review the impact of a recent phishing incident that targeted email users.
What should you use?
Answer : A
The correct answer is A. the Microsoft Defender portal. Microsoft documents that phishing investigation and analysis for email threats is handled in Microsoft Defender for Office 365 through the Microsoft Defender portal. Microsoft's phishing investigation guidance and email security reporting both point admins to Defender capabilities such as Threat Explorer, campaign views, and phish reports to understand the scope, affected users, and impact of phishing attacks.
The other options are not the primary investigation tool for this scenario. The Microsoft 365 admin center is mainly for tenant administration and usage reporting, not detailed phishing impact investigation. The Microsoft Entra admin center focuses on identity and access management, not email threat analysis. The Exchange admin center manages mail flow and Exchange settings, but Microsoft's current phishing investigation workflows are centered in the Microsoft Defender portal, where security analysts can review detections, remediation actions, and affected recipients.
Your organization has a Microsoft 365 E5 subscription.
You need to prevent users from sharing corporate financial data to external users. What should you use?
Answer : B
The correct answer is B. data loss prevention (DLP) policies. Microsoft Learn states that Microsoft Purview Data Loss Prevention helps organizations identify, monitor, and automatically protect sensitive information across Microsoft 365 locations such as Exchange, SharePoint, OneDrive, Teams, and devices. Microsoft specifically documents scenarios for preventing sensitive items from being shared with external users in SharePoint and OneDrive, and DLP policies can also block or restrict sharing based on sensitive information types, labels, or policy conditions. This is exactly the control used when the requirement is to stop users from sharing corporate financial data outside the organization.
Option A is incorrect because retention labels manage how long content is kept or deleted, not whether it can be shared externally. Option C is incorrect because role groups are used for permissions and administrative access delegation, not content-sharing prevention. Option D is incorrect because Insider Risk Management is designed to detect and investigate risky user behavior, not to directly block external sharing transactions in the way DLP policies do. For proactive enforcement of external-sharing restrictions on sensitive financial information, Microsoft's documented solution is DLP policies.
Which statement accurately describes authorization in Microsoft 365?
Answer : C
The correct answer is C because Microsoft explains that authorization is the process of determining whether an authenticated identity is allowed to access a resource. Microsoft Learn distinguishes authorization from authentication by stating that authentication proves who you are, while authorization decides what you can access or do after identity has been established. In Microsoft 365 and the Microsoft identity platform, authorization commonly involves permissions, scopes, roles, and consent that control access to data and services such as Microsoft Graph, Exchange, SharePoint, or Teams.
Option A is incorrect because it refers more to external identity validation or federation concepts, not authorization itself. Option B describes authentication, not authorization, since it is about verifying identity claims. Option D describes a control such as multifactor authentication or Conditional Access requirements, which can happen before access is granted, but that still is not the definition of authorization. Authorization begins after identity verification and focuses on whether the identity has the right permissions for the requested resource.
You use Microsoft 365 Copilot.
What does Copilot use to generate responses based on corporate data stored in Microsoft SharePoint?
Answer : C
The correct answer is C. Microsoft Graph. Microsoft documents that Microsoft 365 Copilot combines large language models with content and context from the Microsoft Graph to generate grounded responses. Microsoft Graph provides access to organizational data and signals across Microsoft 365 services, including SharePoint, OneDrive, Exchange, Teams, calendars, chats, files, and other work content. When SharePoint data is relevant to the prompt and the user already has permission to access it, Copilot uses Microsoft Graph as the layer that retrieves and grounds that corporate data for the response.
Your organization has a Microsoft 365 subscription.
You need to evaluate your organization's Identity Secure Score.
Which two factors affect the score? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Answer : B, C
The correct answers are B and C. Microsoft documents that Identity Secure Score in Microsoft Entra is based on identity security recommendations, including recommendations such as "Designate more than one Global Administrator" and "Do not expire passwords." Those recommendations directly map to the number of global administrators and whether passwords are set to never expire, so both factors affect the score.
Your company requires that all Microsoft SharePoint sites have a minimum of two owners.
You need to ensure that sites that have fewer than two owners are marked as read-only if the sites are NOT remediated.
What should you configure in the SharePoint admin center?
Answer : C
The correct answer is C. Site lifecycle management. In the SharePoint admin center, Microsoft includes a Site ownership policy under Site lifecycle management that can identify sites with too few owners and drive remediation. Microsoft documents that this policy can detect sites with fewer than the required number of owners, notify site owners, and if the issue is not fixed, enforce an action such as making the site read-only. That directly matches the requirement that sites with fewer than two owners be marked as read-only when they are not remediated.
The other options do not fit this scenario. Site-level access restriction is about controlling who can access a site, not enforcing ownership-count governance. Data access governance reports help identify oversharing and permissions exposure, but they do not enforce a minimum-owner remediation policy that makes sites read-only. Block download policy for SharePoint and OneDrive is used to restrict downloading from unmanaged devices or similar access scenarios, not to handle insufficient site ownership. Therefore, the Microsoft-documented feature to configure is Site lifecycle management.
Your organization has a Microsoft 365 subscription.
Which two tasks can you perform by using the Exchange admin center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer : A, D
The correct answers are A and D because both tasks are supported directly in the Exchange admin center (EAC). Microsoft Learn states that administrators can manage mail flow rules in Exchange Online from the EAC under Mail flow > Rules, which includes creating and managing transport rules for organizational email handling. Microsoft Learn also states that administrators can create shared mailboxes in the EAC under Recipients > Mailboxes, where a shared mailbox can be added and then delegated to users.
Option B is incorrect because adding a custom domain is normally done in the Microsoft 365 admin center, specifically on the Domains page. Although Exchange can later work with accepted domains and related mail flow settings, the act of adding and verifying a custom domain is not an Exchange admin center task. Option C is incorrect because license assignment is handled through Microsoft 365 or Microsoft Entra administrative tools, not the Exchange admin center.