AB-900 Exam Dumps - Microsoft 365 Certified: Copilot and Agent Administration Fundamentals Questions and Answers

The correct answer is adding a public DNS record . Microsoft documents that when you add a custom domain to Microsoft 365, you must first prove ownership of that domain before Microsoft 365 can use it for services such as Exchange Online, SharePoint, and user sign-ins. The standard verification method described by Microsoft is to add a DNS record at your domain registrar or DNS hosting provider. Microsoft commonly uses a TXT record for verification, although in some cases an MX record can also be used depending on the setup flow. This is why “adding a public DNS record” is the right completion for the sentence.

The other choices are not the standard Microsoft 365 domain verification process. Microsoft’s admin guidance does not use confirming your business address , uploading a certificate , or uploading a webpage as the normal method for proving ownership of a domain in Microsoft 365. Domain verification is specifically tied to DNS because DNS is the authoritative public system used to prove control over the domain name.

The correct answer is B. using a custom agent that is grounded in work data . Microsoft Learn states that agents that access shared tenant data , such as SharePoint or Graph Connector content, are billed based on metered consumption . Microsoft also describes pay-as-you-go for Microsoft 365 as applying to agents in Microsoft 365 Copilot Chat , where organizations pay only for the messages used instead of assigning a full Microsoft 365 Copilot license. That is exactly the scenario described in option B: a custom agent grounded in work data.

The other options are not the intended pay-as-you-go scenario. A Teams meeting recap and Copilot in Word are standard Microsoft 365 Copilot application experiences tied to licensed Copilot functionality, not metered agent consumption. Researcher is an advanced Microsoft 365 Copilot agent available as part of Microsoft 365 Copilot capabilities, not the documented example of pay-as-you-go replacing a Copilot license. Microsoft’s pay-as-you-go guidance centers on agent-based usage , especially agents grounded in organizational work data.

The correct answer is C. Microsoft Defender for Endpoint . Microsoft documents that Defender for Endpoint is the Microsoft security solution for endpoint devices , including Windows 11 , and that it lets security teams investigate incidents, alerts, affected devices, files, processes, and remediation actions in the Microsoft Defender portal. Microsoft’s investigation guidance specifically describes using Defender for Endpoint to review alerts and investigate affected devices from the devices list, alerts queue, and incident views.

The other options do not match this requirement. Microsoft Entra ID Protection is for risky users and risky sign-ins, not device incident investigation. Microsoft Purview Insider Risk Management focuses on risky user behavior such as data theft or exfiltration, not endpoint security alerts from Windows devices. Microsoft Defender for Identity monitors on-premises and hybrid identity signals from Active Directory environments, not Windows 11 endpoint incidents. For security incidents and alerts raised from organization-managed Windows 11 devices, Microsoft’s documented solution is Microsoft Defender for Endpoint .

Communications Compliance uses OCR (optical character recognition) and machine learning to detect offensive or risky text inside images , including those in SharePoint and OneDrive.

By default, Communications Compliance pseudonymizes user identities to reduce investigator bias. Admins can later deanonymize if needed.

It does not add disclaimers. It silently monitors communications and flags policy violations; disclaimers are handled by Exchange transport rules, not Communications Compliance.

The correct answer is Microsoft Graph . Microsoft documents that Microsoft 365 Copilot accesses organizational content and context through Microsoft Graph . Microsoft Graph provides the user’s work context, including items such as emails, chats, meetings, files, contacts, and calendar data , along with relationship and activity signals that help Copilot ground and rank responses. Microsoft also explains that Copilot combines organizational content with the user’s working context, such as recent chat conversations, email exchanges on a topic, and the meeting the user is currently in. Those are exactly the kinds of signals described in the question, including collaboration history and document relevance.

The other options do not fit this sentence. Microsoft Copilot Studio is used to build and customize copilots and agents. Microsoft Purview is for compliance, governance, and data protection. Microsoft Viva Insights provides workplace analytics and insights, but it is not the core service described by Microsoft as supplying the contextual signals that ground Microsoft 365 Copilot responses. Therefore, the only option that correctly completes the sentence is Microsoft Graph .

provide control over how users can access cloud apps.

The correct answer is provide control over how users can access cloud apps . Microsoft Learn defines Microsoft Entra Conditional Access as the Zero Trust policy engine that uses if-then logic to make access decisions. Microsoft states that Conditional Access policies determine who can access resources, what resources they can access, and under what conditions . These policies can require actions such as multifactor authentication, compliant devices, or other controls before allowing access to applications and services like Microsoft 365. That means Conditional Access is specifically used to control how users access cloud apps .

The other options are incorrect. Conditional Access policies are not configured by using the Microsoft Defender portal ; they are managed in the Microsoft Entra admin center . They are also not applied only to on-premises resources , because Microsoft documents Conditional Access primarily for cloud identities, cloud apps, and cloud-connected resources. Finally, Conditional Access does not require a Microsoft Exchange mailbox. It can be applied broadly across many Microsoft and third-party cloud applications integrated with Microsoft Entra.

The correct answer is D. Data Lifecycle Management . Microsoft Learn states that Microsoft Purview retention policies and retention labels, managed under Data Lifecycle Management , support three core outcomes: retain-only , delete-only , and retain and then delete . The requirement in this question is exact: keep email for seven years and then permanently delete it. That is a textbook retain and then delete retention configuration, which Microsoft documents as part of Purview’s retention capabilities. Microsoft also recommends using Microsoft 365 retention policies and labels for retaining and deleting emails rather than relying on older Exchange-only approaches in most modern compliance scenarios.

The other options do not meet the requirement. Information Protection focuses on labeling and protecting sensitive information. Insider Risk Management is used to detect and investigate risky user behavior. Data Loss Prevention helps prevent inappropriate sharing or exfiltration of sensitive data. None of those are designed to enforce a timed seven-year retention period followed by automatic permanent deletion. The Microsoft Purview solution explicitly built for that lifecycle requirement is Data Lifecycle Management .

The correct answer is B. Data explorer. Microsoft Learn states that Data explorer in Microsoft Purview shows a current snapshot of items that have been classified as a sensitive information type in your organization. Microsoft’s sensitive information type documentation specifically lists examples such as social security numbers and credit card numbers, which means Data explorer is the appropriate portal feature for identifying files and emails that contain those data types. Data explorer is designed to help administrators see where sensitive data exists across supported Microsoft 365 locations.

The other options are less appropriate for this task. Information Protection reports focus more broadly on label and protection reporting. Information Protection policies are for configuring classification and protection behavior, not for finding existing files and emails containing SSNs or credit card numbers. Activity explorer is primarily used to review user and policy-related activities, such as label changes or DLP events, rather than to provide the direct sensitive-data inventory view requested here. Since the question asks to identify the files and emails containing specific sensitive information types, Microsoft’s documented answer is Data explorer.

Microsoft Defender for Office 365 provides protection from phishing and malware attacks. Answer: Yes

Microsoft Defender for Identity monitors identities in Active Directory domains. Answer: Yes

Microsoft Defender Vulnerability Management provides protection for software as a service (SaaS) applications. Answer: No

The correct selections are Yes, Yes, No . Microsoft documents that Microsoft Defender for Office 365 protects email and collaboration workloads from threats such as phishing and malware , including zero-day malware and business email compromise scenarios. That makes statement 1 Yes .

Statement 2 is also Yes because Microsoft states that Microsoft Defender for Identity monitors identity signals from on-premises Active Directory and related identity infrastructure to detect suspicious activity and identity-based attacks. Microsoft further describes monitoring information generated from your organization’s Active Directory, network, and event activities.

Statement 3 is No because Microsoft Defender Vulnerability Management is focused on discovering and prioritizing vulnerabilities across devices and assets such as Windows, macOS, Linux, mobile platforms, and network devices. Microsoft’s SaaS application protection offering is Microsoft Defender for Cloud Apps , not Defender Vulnerability Management.

The correct selections are No, Yes, Yes . Statement 1 is No because Microsoft documents that Agent Builder in Microsoft 365 Copilot is included with the Microsoft 365 Copilot license , and agents built with that feature are part of that licensed experience. Microsoft also states that the capability is enabled by default in Microsoft 365 Copilot licensed tenants . While Copilot Chat users with qualifying Microsoft 365 licenses can access web-grounded chat experiences, creating Microsoft 365 Copilot agents in the app is documented under the Copilot-licensed Agent Builder experience, not as an E5-only entitlement.

Statement 2 is Yes because Microsoft states that Researcher and Analyst were deployed to users with Microsoft 365 Copilot licenses . Statement 3 is Yes because Microsoft says users can build agents in Agent Builder by using natural language or manually .