Microsoft · AB-900
Validates knowledge of Microsoft 365 core services, data protection, governance, and Copilot and agent administration. Covers Microsoft Entra, Microsoft Purview, and the admin centers for Exchange Online, SharePoint, and Teams.
Questions
700
Duration
60 minutes
Passing Score
700/1000
Difficulty
FoundationalLast Updated
Mar 2026
Use this AB-900 practice exam to prepare for Microsoft 365 Certified: Copilot and Agent Administration Fundamentals (AB-900) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 700 questions for Microsoft AB-900, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Core Features and Objects of Microsoft 365 Services, Microsoft 365 Security Principles and Zero Trust, Microsoft Entra and Conditional Access, Microsoft Purview Data Protection and Governance, and Data Security Implications of Microsoft 365 Copilot. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Microsoft 365 Certified: Copilot and Agent Administration Fundamentals (AB-900) is a beginner-level certification that validates foundational knowledge of Microsoft 365 core services, security, data protection, governance, and the administration of Microsoft 365 Copilot and AI agents. It demonstrates the ability to support, secure, and protect an AI-enabled Microsoft 365 environment. The exam covers the full breadth of the Microsoft 365 ecosystem, including Exchange Online, SharePoint, Microsoft Teams, Microsoft Entra for identity and access management, and Microsoft Purview for compliance and data protection.
First made available as a beta and reaching general availability on January 27, 2026, AB-900 reflects the growing organizational need to govern AI-powered productivity tools responsibly. It addresses how Microsoft Graph influences Copilot responses, how permissions and sensitivity labels protect data in Copilot interactions, and how administrators can monitor and manage both Copilot licenses and AI agents through the Microsoft 365 admin center, Microsoft Power Platform admin center, and related tooling. It is the entry-level counterpart to more advanced Copilot and Microsoft 365 administration role-based certifications.
This certification is designed for IT administrators, support engineers, and helpdesk professionals who work in or are entering Microsoft 365 environments where Copilot and AI agents are being deployed. It is appropriate for those in roles such as Microsoft 365 administrator, junior cloud administrator, IT generalist, or modern workplace engineer who need to demonstrate foundational competence in managing and securing AI-driven productivity tools.
The certification is also well-suited for business technology professionals, compliance officers, or governance specialists who interact with Microsoft Purview, Microsoft Entra, and Copilot administration. Candidates should have experience with AI-driven productivity tools and modern IT management practices, and a working familiarity with Microsoft 365 admin centers.
There are no formal prerequisites required to sit for the AB-900 exam. However, Microsoft recommends candidates have hands-on familiarity with Microsoft 365 core services and admin centers, including Exchange Online, SharePoint in Microsoft 365, Microsoft Teams, Microsoft Entra, and Microsoft Purview. Candidates should understand core security concepts such as authentication methods, conditional access policies, Zero Trust principles, and single sign-on (SSO).
Practical experience with AI-driven productivity tools and a basic understanding of how Microsoft 365 Copilot accesses organizational data via Microsoft Graph is strongly recommended. Familiarity with licensing models, user and group management, and compliance tooling in Microsoft Purview will also help candidates succeed on the exam.
The AB-900 exam is a proctored assessment with a 45-minute time limit. It may include interactive components in addition to traditional question formats. The exam is delivered in English through Pearson VUE, and students and educators may also schedule through Certiport. A score of 700 out of 1000 is required to pass.
Most questions cover features that are Generally Available (GA), though questions on Preview features may appear if those features are commonly used. Candidates who need the exam in a non-English language may request an additional 30 minutes. If a candidate fails, they may retake the exam after 24 hours; subsequent retake wait times vary per Microsoft's retake policy.
Earning the AB-900 certification positions professionals as credible administrators in organizations adopting Microsoft 365 Copilot and AI agents, a rapidly expanding segment of enterprise IT. It serves as a foundation for more advanced Microsoft 365 certifications, such as the Microsoft 365 Certified: Administrator Expert or role-based associate certifications covering security, compliance, and identity. As organizations accelerate AI tool deployment, the ability to govern, secure, and administer Copilot environments is increasingly listed as a required or preferred qualification in Microsoft 365 administrator job postings.
Because AB-900 is a foundational-level certification, it is particularly valuable for professionals transitioning into cloud administration or seeking to formalize existing knowledge. It complements other Microsoft fundamentals certifications and is recognized in procurement, compliance, and IT operations roles where demonstrable knowledge of AI governance in Microsoft 365 is required. Salary impact varies by region and role, but Microsoft 365 administrators with AI governance skills are increasingly in demand as enterprises scale Copilot deployments.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 700 questions.
Preview — answers shown1. Northwind Traders is configuring Conditional Access policies and wants to implement the strongest authentication method to protect against phishing attacks targeting administrator accounts. Which authentication strength level should they require? (Select one!)
Explanation
Phishing-resistant MFA strength is a built-in Conditional Access authentication strength that requires methods specifically designed to resist phishing attacks, including FIDO2 security keys, Windows Hello for Business, and certificate-based authentication. These methods are bound to hardware or specific devices and cannot be intercepted by phishing attacks. MFA strength allows any MFA combination including methods vulnerable to phishing. Passwordless MFA strength eliminates passwords but includes methods that may still be susceptible to sophisticated phishing. Security defaults cannot coexist with Conditional Access policies and provide less granular control.
2. Contoso's IT administrator is configuring the sharing settings for agents in the Microsoft 365 admin center. The organization wants only the AI Development team to be able to share agents broadly with anyone in the organization, while other users should only be able to share agents with specific individuals. Which sharing configuration should the administrator select? (Select one!)
Explanation
The Agent sharing settings in the Microsoft 365 admin center provide three options. The 'Allow specific groups of users to share with anyone in the organization' option restricts broad sharing permissions to designated groups while still allowing other users to share directly with specific individuals. This precisely matches Contoso's requirement where only the AI Development team can share broadly. Allowing all users to share would grant broad sharing to everyone. Setting no users can share would still allow direct sharing with specific individuals but would prevent the AI Development team from sharing broadly. Conditional Access policies control authentication and access conditions, not agent sharing behavior. Note that only agents built with Agent Builder are governed by this sharing control.
3. Litware Inc. has a SharePoint Online environment with multiple site types. The marketing department needs a site to broadcast company news and announcements to a broad audience with an attractive layout, while the engineering team needs a collaborative workspace where all members can edit documents equally. Which two site types should the SharePoint administrator create for these respective teams? (Select two!)
Multiple correct answersExplanation
A communication site is ideal for the marketing department because communication sites are designed for broadcasting information to broad audiences with attractive layouts and formatting options. They follow a model of fewer authors and many readers, which aligns with a department publishing news and announcements. A team site connected to a Microsoft 365 Group is the right choice for the engineering team because team sites provide collaborative workspaces where all members have equal edit permissions through document libraries, lists, and pages. The Microsoft 365 Group connection automatically provisions a shared mailbox, calendar, Teams workspace, and Planner. A hub site provides shared navigation and branding across associated sites but is not a content site itself. Channel sites are automatically created for private or shared Teams channels. Communication sites are not connected to Microsoft 365 Groups by default.
4. Contoso is preparing for a Copilot deployment and wants to ensure data governance before rollout. They need to identify SharePoint sites that have been shared with 'Everyone' or 'Everyone Except External Users' groups, which could lead to oversharing through Copilot. Which tool provides reports identifying sites with these broad sharing patterns? (Select one!)
Explanation
SharePoint Advanced Management (SAM) provides Data Access Governance (DAG) reports that specifically identify sites with potentially overshared content. These reports show sites shared with Everyone or Everyone Except External Users groups, sites with large numbers of sharing links, and sites with high guest access. Site access reviews can be initiated from these reports, delegating remediation to site owners. Microsoft Purview Content Explorer shows labeled and sensitive content inventory but does not specifically report on sharing patterns. Defender for Cloud Apps focuses on SaaS application security rather than SharePoint sharing analysis. Microsoft 365 admin center usage reports show adoption and usage metrics, not sharing governance data.
5. Fabrikam's IT team is configuring retention policies for Microsoft 365 Copilot interactions. The legal department requires that all user prompts and AI responses be retained for five years. Where should the administrator configure the retention policy location to capture Copilot interactions? (Select one!)
Explanation
To retain or delete Copilot user prompts and AI responses, administrators should select the Microsoft Copilot Experiences location when configuring a retention policy in Microsoft Purview Data Lifecycle Management. This is a dedicated location specifically designed to target Copilot interaction data. While Copilot data is technically stored in user mailboxes, selecting Exchange Online mailboxes would not specifically target Copilot interactions and would apply to all email content. The Microsoft Teams chats location targets Teams chat messages, not Copilot-specific interactions. The SharePoint Online sites location targets document content stored in SharePoint, not the prompts and responses from Copilot sessions. Using the dedicated Microsoft Copilot Experiences location ensures precise retention targeting.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam