Microsoft 365 Copilot and Agent Administration Fundamentals AB-900 Exam Questions

Answer : B

The correct answer is B. Data explorer. Microsoft Learn states that Data explorer in Microsoft Purview shows a current snapshot of items that have been classified as a sensitive information type in your organization. Microsoft's sensitive information type documentation specifically lists examples such as social security numbers and credit card numbers, which means Data explorer is the appropriate portal feature for identifying files and emails that contain those data types. Data explorer is designed to help administrators see where sensitive data exists across supported Microsoft 365 locations.

The other options are less appropriate for this task. Information Protection reports focus more broadly on label and protection reporting. Information Protection policies are for configuring classification and protection behavior, not for finding existing files and emails containing SSNs or credit card numbers. Activity explorer is primarily used to review user and policy-related activities, such as label changes or DLP events, rather than to provide the direct sensitive-data inventory view requested here. Since the question asks to identify the files and emails containing specific sensitive information types, Microsoft's documented answer is Data explorer.

Answer : C

The correct answer is C. the Microsoft 365 admin center. Microsoft Learn documents a specific Copilot image generation setting in the Microsoft 365 admin center under Copilot > Settings > Copilot actions > Copilot image generation. Microsoft states that when this scenario is allowed, users can ask Copilot to create, design, and edit images. When it is not allowed, Copilot does not generate images and instead responds with stock or brand images. This directly matches the requirement to prevent users from generating images by using Copilot.

The other options are incorrect because Microsoft does not document this control as being managed from Defender, Purview, or Entra for this scenario. Microsoft also separately notes that organizations can control access to Designer image generation through policy, but the admin experience for managing the Microsoft 365 Copilot scenario itself is explicitly surfaced in the Microsoft 365 admin center. Therefore, for an exam question focused on where an admin should go to disable image generation in Copilot, the best and documented answer is the Microsoft 365 admin center.

Answer : A, D

The correct answers are A and D because both tasks are supported directly in the Exchange admin center (EAC). Microsoft Learn states that administrators can manage mail flow rules in Exchange Online from the EAC under Mail flow > Rules, which includes creating and managing transport rules for organizational email handling. Microsoft Learn also states that administrators can create shared mailboxes in the EAC under Recipients > Mailboxes, where a shared mailbox can be added and then delegated to users.

Option B is incorrect because adding a custom domain is normally done in the Microsoft 365 admin center, specifically on the Domains page. Although Exchange can later work with accepted domains and related mail flow settings, the act of adding and verifying a custom domain is not an Exchange admin center task. Option C is incorrect because license assignment is handled through Microsoft 365 or Microsoft Entra administrative tools, not the Exchange admin center.

Answer : B

The correct answer is B. using a custom agent that is grounded in work data. Microsoft Learn states that agents that access shared tenant data, such as SharePoint or Graph Connector content, are billed based on metered consumption. Microsoft also describes pay-as-you-go for Microsoft 365 as applying to agents in Microsoft 365 Copilot Chat, where organizations pay only for the messages used instead of assigning a full Microsoft 365 Copilot license. That is exactly the scenario described in option B: a custom agent grounded in work data.

The other options are not the intended pay-as-you-go scenario. A Teams meeting recap and Copilot in Word are standard Microsoft 365 Copilot application experiences tied to licensed Copilot functionality, not metered agent consumption. Researcher is an advanced Microsoft 365 Copilot agent available as part of Microsoft 365 Copilot capabilities, not the documented example of pay-as-you-go replacing a Copilot license. Microsoft's pay-as-you-go guidance centers on agent-based usage, especially agents grounded in organizational work data.

Answer : B

The correct answer is B. data loss prevention (DLP) policies. Microsoft Learn states that Microsoft Purview Data Loss Prevention helps organizations identify, monitor, and automatically protect sensitive information across Microsoft 365 locations such as Exchange, SharePoint, OneDrive, Teams, and devices. Microsoft specifically documents scenarios for preventing sensitive items from being shared with external users in SharePoint and OneDrive, and DLP policies can also block or restrict sharing based on sensitive information types, labels, or policy conditions. This is exactly the control used when the requirement is to stop users from sharing corporate financial data outside the organization.

Option A is incorrect because retention labels manage how long content is kept or deleted, not whether it can be shared externally. Option C is incorrect because role groups are used for permissions and administrative access delegation, not content-sharing prevention. Option D is incorrect because Insider Risk Management is designed to detect and investigate risky user behavior, not to directly block external sharing transactions in the way DLP policies do. For proactive enforcement of external-sharing restrictions on sensitive financial information, Microsoft's documented solution is DLP policies.

Answer : A, D

The correct answers are A and D because Microsoft Entra Identity Secure Score is based on identity security recommendations, and Microsoft Learn specifically lists recommendations such as ''Designate more than one Global Administrator'' and ''Do not expire passwords.'' That means the number of global administrators in the tenant and whether password expiration is disabled directly influence the Identity Secure Score. Microsoft also notes that the score measures how closely an organization aligns with Microsoft's recommended identity security best practices.

Option B is incorrect because SharePoint site permissions are related to SharePoint and Microsoft 365 workload permissions, not to the Entra identity-focused scoring model. Option C is incorrect because user location may be evaluated in Conditional Access and Zero Trust scenarios, but it is not itself listed as a direct Identity Secure Score factor in the Microsoft Entra recommendations referenced by Microsoft Learn. Identity Secure Score is driven by tracked identity recommendations and security configurations, not by simple geographic placement of users.

Answer : D

The correct answer is D. the Microsoft 365 admin center. Microsoft Learn states that users with a Microsoft 365 Copilot license can use Copilot capabilities, and Microsoft specifically points administrators to the Microsoft 365 admin center and its setup guidance to assign the required licenses to users. Microsoft also documents that the Researcher and Analyst agents were deployed to existing users with Microsoft 365 Copilot licenses and that administrators govern these agents through the Microsoft 365 admin center.

The other portals are not the primary place for this task. Microsoft Entra admin center focuses on identity and access, Microsoft Purview focuses on compliance and governance, and Microsoft Defender focuses on security operations and threat protection. None of those is the main admin experience Microsoft documents for assigning Microsoft 365 Copilot access and managing the availability of Researcher and Analyst. Because the goal is to enable a user to use Microsoft 365 Copilot and its Microsoft-provided agents, the correct administrative tool is the Microsoft 365 admin center.