The Microsoft 365 Copilot and Agent Administration Fundamentals (AB-900)

The correct answer is D. a sensitivity label policy . In Microsoft Purview, creating a sensitivity label by itself does not make it available to users. Microsoft Learn states that after you create sensitivity labels, you must publish them by creating a label policy so that users and groups can see and apply those labels in Microsoft 365 apps and services. Publishing controls which labels are available and to whom they are shown. This is why a sensitivity label policy is required to ensure that users can apply Label1 to files.

The other options do not meet the requirement. Auto-labeling policies apply labels automatically when content matches conditions, but they are not the primary mechanism for simply making a label available for user selection. A trainable classifier is used to identify content categories, not to publish a label. A retention label policy publishes retention labels for records and lifecycle purposes, which is different from sensitivity labeling for classification and protection. Therefore, the correct Microsoft-documented method to let users apply Label1 to files is to publish it using a sensitivity label policy .

The correct answer is D. an app registration . Microsoft Learn states that to delegate identity and access management functions to Microsoft Entra ID , an application must be registered with a Microsoft Entra tenant . When you register an application, you create its identity configuration in Microsoft Entra, and a corresponding service principal is created so the application can authenticate and integrate with the tenant. This is the standard Microsoft mechanism for allowing a third-party cloud service or app to authenticate to Microsoft Entra.

The other options do not provide the app identity required for authentication. Multifactor authentication (MFA) strengthens user sign-ins, but it does not onboard a third-party service as an application identity in Entra. Conditional Access enforces access policies after authentication and authorization decisions are being made; it does not create the application identity itself. A Microsoft 365 Copilot connector is used to bring external data into Microsoft 365 experiences, not to let a third-party cloud service authenticate to Microsoft Entra. Therefore, the correct configuration is an app registration .

The correct answer is C. Site lifecycle management . In the SharePoint admin center, Microsoft includes a Site ownership policy under Site lifecycle management that can identify sites with too few owners and drive remediation. Microsoft documents that this policy can detect sites with fewer than the required number of owners, notify site owners, and if the issue is not fixed, enforce an action such as making the site read-only . That directly matches the requirement that sites with fewer than two owners be marked as read-only when they are not remediated.

The other options do not fit this scenario. Site-level access restriction is about controlling who can access a site, not enforcing ownership-count governance. Data access governance reports help identify oversharing and permissions exposure, but they do not enforce a minimum-owner remediation policy that makes sites read-only. Block download policy for SharePoint and OneDrive is used to restrict downloading from unmanaged devices or similar access scenarios, not to handle insufficient site ownership. Therefore, the Microsoft-documented feature to configure is Site lifecycle management .

The correct answer is B. the Microsoft Purview DSPM for AI solution . Microsoft documents that Data Security Posture Management for AI (DSPM for AI) in Microsoft Purview provides a central place to secure data for AI apps and proactively monitor AI use , including Copilots and agents . Microsoft also states that DSPM for AI helps organizations identify where sensitive content is used in AI interactions , review Copilot prompts and responses , analyze usage patterns , assess exposure and oversharing risks, and get recommendations for protections such as sensitivity labels and DLP policy coverage.

The other options do not fit this requirement. Microsoft Viva Insights focuses on productivity and work-pattern analytics, not sensitive-data protection in Copilot interactions. Microsoft Security Copilot is a security assistant for analysts, not the Purview governance solution that analyzes sensitive content use in Copilot and recommends data protections. Insider Risk Management is for identifying risky user behavior, not for broad AI interaction posture analysis and protection recommendations. Microsoft specifically positions DSPM for AI as the “front door” for discovering, monitoring, and protecting AI-related data usage in Microsoft 365 Copilot.

The correct answers are C and D . Microsoft Learn explains that agents created with Agent Builder in Microsoft 365 Copilot allow you to define specific instructions that extend Microsoft 365 Copilot for a business scenario. Microsoft also documents that you can add knowledge sources such as specific public websites and SharePoint content so the agent can reason over targeted information instead of relying only on the default chat experience. Those two capabilities directly match the needs in options C and D.

Option A is incorrect because grouping chats is a Copilot notebook scenario, not the reason to build an agent. Option B is incorrect in the context of creating an agent in the Microsoft 365 Copilot app . Agent Builder supports declarative agents with instructions, knowledge, and capabilities, but Microsoft Learn describes custom AI model control as part of custom engine agents built with tools such as Copilot Studio, SDKs, or Foundry, not as a standard Agent Builder feature in the Microsoft 365 Copilot app. Therefore, when the task is specifically to create an agent in the app, the valid reasons are custom instructions and reasoning over a specific website .

The correct answer is C because Microsoft explains that authorization is the process of determining whether an authenticated identity is allowed to access a resource . Microsoft Learn distinguishes authorization from authentication by stating that authentication proves who you are, while authorization decides what you can access or do after identity has been established. In Microsoft 365 and the Microsoft identity platform, authorization commonly involves permissions, scopes, roles, and consent that control access to data and services such as Microsoft Graph, Exchange, SharePoint, or Teams.

Option A is incorrect because it refers more to external identity validation or federation concepts, not authorization itself. Option B describes authentication , not authorization, since it is about verifying identity claims. Option D describes a control such as multifactor authentication or Conditional Access requirements, which can happen before access is granted, but that still is not the definition of authorization. Authorization begins after identity verification and focuses on whether the identity has the right permissions for the requested resource.

The correct answers are A and D because Microsoft Entra Identity Secure Score is based on identity security recommendations, and Microsoft Learn specifically lists recommendations such as “Designate more than one Global Administrator” and “Do not expire passwords.” That means the number of global administrators in the tenant and whether password expiration is disabled directly influence the Identity Secure Score. Microsoft also notes that the score measures how closely an organization aligns with Microsoft’s recommended identity security best practices.

Option B is incorrect because SharePoint site permissions are related to SharePoint and Microsoft 365 workload permissions, not to the Entra identity-focused scoring model. Option C is incorrect because user location may be evaluated in Conditional Access and Zero Trust scenarios, but it is not itself listed as a direct Identity Secure Score factor in the Microsoft Entra recommendations referenced by Microsoft Learn. Identity Secure Score is driven by tracked identity recommendations and security configurations, not by simple geographic placement of users.

The correct answer is A. Microsoft Entra ID Protection . Microsoft Learn explains that Microsoft Entra ID Protection detects sign-in risk and user risk and can work with Conditional Access risk policies to automatically respond when suspicious authentication activity is identified. Microsoft documents specifically state that organizations can configure sign-in risk policies and user risk policies to automate responses such as blocking access , requiring multifactor authentication , or forcing password changes when risky activity is detected. Microsoft also notes that some very high-confidence risky sign-ins are automatically blocked by built-in protections.

The other options do not match this function. Microsoft Defender for Office 365 focuses on email, collaboration, and threat protection for tools like Exchange Online and Teams, not sign-in risk blocking. Microsoft Entra Privileged Identity Management (PIM) manages privileged role activation and governance, not risky sign-in detection. Microsoft Defender for Identity detects identity-related threats in hybrid identity environments, but the Microsoft feature used to automatically block risky sign-ins is Microsoft Entra ID Protection .

The correct answer is C. a custom Microsoft 365 Copilot agent . Microsoft Learn explains that Agent Builder in Microsoft 365 Copilot lets you create agents with specific instructions , dedicated knowledge sources , and starter prompts . Starter prompts are designed to help users understand the most common supported scenarios, which directly matches the requirement to provide users with a list of common queries. Microsoft also documents that an agent can be grounded in selected SharePoint sites, folders, or files , allowing the response scope to be targeted to the HR policy content in Site1 rather than broad enterprise or web data.

The other options do not fit the requirement. Copilot in Word is document-focused and is not intended to create a reusable, shared query experience grounded only in one SharePoint source. Copilot notebooks group materials and chats, but they are not the right tool for publishing a guided HR policy assistant with starter prompts. Researcher is designed for broader, multi-step research using work data and web content, so it does not satisfy the requirement to keep answers grounded only in Site1.