Master Copilot & Agent Administration Fundamentals - AB-900

Discover how Microsoft 365 is a layered cloud suite anchored by EntraID, with Exchange Online, SharePoint Online, OneDrive for Business, and Teams, plus Intune, Purview, and Defender XDR for security.

Discover Microsoft Entra ID and its key identity functions, including conditional access, identity secure score, PIM, and zero-trust access with Entra Internet and Private Access.

Identify who is requesting access in Microsoft 365 using Microsoft Entra ID, managing users, groups, and multi-factor authentication; security starts with identity, cloud-only and hybrid models via Entra Connect Sync.

Manage users and access by using groups—security, Microsoft 365, mailed enabled security groups, distribution, and dynamic groups—to automate provisioning and revoke access as roles change.

Learn how app registration defines an app's identity and how enterprise applications control access, including delegated and application permissions, roles, and conditional access policies, in copilot & agent administration fundamentals.

Navigate the Microsoft 365 admin center to manage users, groups, roles, licenses, domains, and global tenant settings, including access controls for SharePoint, Teams, and Viva reports.

Explore the Exchange Online Admin Center to manage mailboxes, groups, and mail flow rules, configure domain settings, alerts, and reports essential for Microsoft 365 communications.

Explore SharePoint permissions and how they determine who can view, edit, or manage site content: full control, edit, contribute, read. Understand groups, site versus item level permissions, sharing.

Manage Microsoft Teams permissions to secure and scale collaboration, including team creation and ownership, channel types (standard, private, shared), and policy-controlled external sharing in Microsoft 365 Groups.

Explore the zero trust security model and its three core principles: verify explicitly, least privileged access, and assume breach, within Azure and Microsoft 365, guided by the shared responsibility model.

begin a baseline zero trust assessment by gaining visibility into assets, users, devices, and gaps, and use Microsoft Secure Score and Purview Compliance Manager to improve security posture.

Explore the six pillars of zero trust—identity, devices, apps, data, infrastructure, and network—and see how Microsoft Enter ID, Intune, Defender for Cloud Apps, Purview, and Defender for Cloud enforce them.

Master the basics of authentication by proving your identity to access Microsoft 365 services, using methods like password, biometric, hardware key, or token, enabling single sign-on.

Learn modern authentication methods to move beyond passwords, reducing phishing and credential theft while improving sign-in experiences with passwordless options like Microsoft Authenticator, FIDO keys, and Windows Hello.

Master single sign-on by authenticating once to access all Microsoft 365 services, using tokens like EnterID, and safeguard against credential theft while improving user experience.

Learn how authorization governs access in Microsoft 365 with RBAC, roles, group memberships, and permissions, aided by conditional access, PIM, and access packages to support zero trust and least privilege.

Apply role-based access control in Microsoft 365 to enforce least privilege by assigning permissions through roles, not individuals, and implement Privileged Identity Management and group-based role assignments.

Understand resource-specific permissions across SharePoint, OneDrive, Teams, and mailboxes, including built-in roles (visitor, member, owner), guest policies, mailbox access, and shareable links, and see how RBAC complements these day-to-day controls.

Discover Microsoft Entra ID conditional access policies that use real-time signals to grant or deny access with adaptive, context-aware controls, including MFA and location-based conditions.

Explore Microsoft Secure Score and Identity Secure Score from Entra ID in Defender, view top actions, track progress, and compare security metrics across similar organizations.

Discover how privileged identity management in Microsoft Entra ID enforces just-in-time, least-privilege access by managing eligible and active roles, activations, approvals, MFA, and expirations.

Protect your organization with a unified, end-to-end threat protection ecosystem in Microsoft 365 that detects, prevents, and responds to threats across emails, endpoints, identities, and cloud applications.

Unify security signals with Defender XDR to reveal the full attack chain and accelerate investigations across endpoints, email, identity, and cloud apps, with pre-breach protection and post-breach response.

Defender for Office 365 delivers early-stage threat protection by blocking phishing, URL protection, and malicious attachments, while automating investigation and response and extending to Teams and zero-trust policies.

Explore baseline protections in Microsoft 365, including layered malware scanning, immediate threat response. Leverage Defender for Office P1 and P2 to guard against zero-day malware, phishing, and business email compromise.

Explore defender for endpoint as a full-stack EDR solution that combines antivirus, threat detection, automated investigation and response, attack surface reduction, device isolation, and vulnerability management for unified device protection.

Monitor identity signals from your domain controllers and authentication flows with Defender for Identity to detect credential theft, brute force, fast dehash attacks, golden ticket attacks, and lateral movement.

Gain visibility across all cloud apps to combat shadow IT with Defender for cloud apps, your cloud access security broker that enforces policies and prevents data leakage.

Explore Threat Explorer in Microsoft Defender for Office to gain visibility into ongoing email threats for incident investigations. Learn that Threat Explorer is available with Office 365 plan 2.

Master Microsoft Purview as a core data control tool for Defender XDR, understanding sensitive data exposure, regulatory violations, insider data theft, and data access anomalies to secure AI security.

Microsoft Purview provides data security, governance, and risk compliance across Microsoft 365 and AI workloads, enabling auto-labeling, encryption, DLP, and access controls to locate, classify, and monitor sensitive data.

Classify data in Microsoft Purview to gain visibility of sensitive information across Microsoft 365, enabling automatic protection and compliance with regulated data like personal, financial, and health information.

Apply sensitivity labels with Microsoft Purview to classify and protect data at item level, enabling encryption and access restrictions across apps and devices, with manual, automatic, recommended, or mandatory labeling.

Explore data loss prevention (DLP) within the Microsoft 365 ecosystem, including sensitivity labels, policy creation, workloads, and actions like blocking, warning, auditing, and restricting access.

Detect internal threats with insider risk management in Microsoft Purview, using behavior analytics, privacy controls, and Copilot integration to flag data exfiltration, policy violations, or risky AI usage for investigation.

Learn how Microsoft Preview's communication compliance detects language and behavior violations across Microsoft 365, with policy creation, scoping to groups, and anonymized reviewers, focusing on compliance rather than security threats.

Discover how data security posture management for AI gives AI usage visibility, data protection for Copilot interactions, and automatic oversharing detection to safely adopt AI.

Explore data lifecycle management in purview to retain or delete data across the MS365 stack using retention labels and policies. Set adaptive or static scopes and automated actions.

Track real-time activity in Purview with Activity Explorer for files, emails, and OneDrive events. Filter logs by user, location, and activity to inspect DLP rule matches and sensitivity label changes.

Explore data discovery in Microsoft Purview using Data Explorer to locate sensitive information, identify its location in OneDrive or SharePoint, and apply sensitive info types and labels.

Find, reserve, and review data across Microsoft 365 for compliance, legal, and investigation needs using content search and eDiscovery in Microsoft Purview, including case creation and legal holds.

Identify oversharing risks at scale in SharePoint using data access governance, which surfaces site-level reports on external sharing, missing owners, inactivity, and absent sensitivity labels, guiding remediation.

Explore SharePoint advanced management (SAM), built on oversharing detection and data access governance reports to reduce risk through enforcement, automation, and governance at scale.

Discover what Microsoft 365 Copilot is: an AI-powered assistant built into Word, Excel, PowerPoint, Outlook, and Teams that can generate, summarize, analyze, and transform content in real time.

Copilot acts as a data consumer governed by Entra ID and Purview, using users' permissions, labels, and DLP policies to determine what it can surface or summarize.

Explore how Microsoft 365 Copilot uses a coordinated architecture—apps, orchestration service, Microsoft Graph, and LLM—to securely govern data and prompts in Word, Excel, Outlook, and Teams.

Coordinate the orchestration service to evaluate prompts, determine relevant data sources, apply rules, and craft grounded prompts for LLMs, ensuring Copilot behaves consistently across Microsoft 365 apps.

Explore how Microsoft Graph serves as the data access layer for a Microsoft 365 stack, retrieved emails, files, meetings, chats, and calendars within the sign-in context.

Copilot generates responses with LLMs hosted in the Azure OpenAI environment inside your tenant, ensuring tenant-isolated processing where data never leaves, isn’t used for training, and isn’t persisted.

Discover how Copilot agents extend prompts with persistent, domain-specific assistance that can answer questions, retrieve information, and manage multi-step tasks across conversations, specializing in areas such as HR policies.

outlines four main categories of agents in Microsoft 365 Copilot: pre-built, SharePoint site, everyday user, and advanced agents, covering creation, governance, and connectivity to external sources.

Explore prebuild agents for Copilot 365 license, including the analyst, researcher, idea coach, writing coach, and prompt coach, with use cases, limitations, and tips for troubleshooting prompts.

Explore two routes to create agents: use Copilot Studio for non-technical users and developers, or create SharePoint agents directly in SharePoint, including cross-site sharing and Teams integration.

Compare Microsoft 365 Copilot and Agents, showing Copilot as reactive and user-driven, embedded in Excel, Outlook, and Teams, while Agents run automatically with their own permissions.

Explore the operational limitations of agents, including AI output limits, hallucinations, and over-permission risks under the least-privilege principle, and learn validation, data quality, and prompt practices for reliable automation.

Navigate the three Copilot licenses—free Copilot Chat (web interface), paid Microsoft 365 Copilot, and Copilot Studio for agents—understand per-user and pay-as-you-go models, data access, and enterprise limits.

Contrast per-user licensing and pay-as-you-go for Microsoft Copilot, highlight predictable vs consumption-based costs, and monitor usage to decide licensing while noting feature and workload limitations.

Compare E3 and E5 licensing differences, including manual and automatic labeling, DLP across teams and endpoints, and copilot control at scale for enterprise and regulated environments.

Administrators control copilot with global and granular settings, including per-app and per-user scope, to enable or disable features like web search and drafting.

Learn how to assign Copilot licenses efficiently by using groups in the Microsoft 365 admin center, with individual assignments reserved for small or VIP users.

Enable pay-as-you-go Copilot by creating a billing policy, linking it to a subscription with owner or contributor access, setting budgets and scope for users or groups, and monitoring usage.

Monitor pay-as-you-go copilot spend from two places: the Microsoft 365 Admin Center and the Azure cost analysis. Remove high-usage users from pay-as-you-go, assign licenses, and set up alerts and budgets.

Monitor Copilot usage and adoption across apps, licenses, and users using the Microsoft 365 admin center, Viva Insights, and Power BI to assess adoption, time saved, and benchmarks.

Learn to create, save, edit, share, and schedule prompts in copilot to govern team workflows. Scheduling requires a copilot license and admin policies can restrict it.

Create Copilot agents quickly in Copilot Chat or Copilot Studio, choosing templates, naming, and instructions, define knowledge scope to specific sites or files, set capabilities, test, and migrate for integrations.

Explore Copilot Studio to create agents, configure them, test, and publish. Describe an agent with a prompt or start from templates, then customize knowledge, tools, and triggers.

Configure a blank Copilot Studio agent by naming it, selecting a model, adding knowledge and tools, then setting triggers, topics, security, and licensing before publishing.

Create SharePoint agents directly in SharePoint, not Copilot Studio, with edit permissions, configure name, purpose, icon, up to 20 sources, and behavior, then test and save in the Copilot folder.

Edit agents throughout their lifecycle in the Copilot chat, SharePoint agents, or Copilot Studio, and save changes; the default SharePoint agent cannot be edited, so create a custom one.

Explore the differences between Copilot chat and Copilot Studio access, and compare licensing models for agents: free chat, Studio licenses (trial vs paid), and pay-as-you-go or pre-purchase for premium features.

Configure user access for copilot agents in the portal by sharing with the organization or specific users, and manage licenses, publishing through copilot studio, and permissions.