How to Pass Microsoft 365 Copilot & Agent Administration Fundamentals (AB-900)

A practical, source-backed guide to passing Microsoft Exam AB-900 (Microsoft 365 Certified: Copilot and Agent Administration Fundamentals) — the AI- and Copilot-focused Fundamentals exam that replaced the retired MS-900.

Last reviewed June 8, 2026. Exam logistics change — always confirm current details on the official certification site before you book.

Exam at a glance

Exam AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals earns you the Microsoft 365 Certified: Copilot and Agent Administration Fundamentals credential. It is a Beginner-level, Administrator-role Fundamentals exam, and it is the AI- and Copilot-focused successor to the retired MS-900 (Microsoft 365 Fundamentals, which retired on 31 March 2026).

What to expect:

The three skills-measured groups and their weights are:

  1. Identify the core features and objects of Microsoft 365 services — 30-35%
  2. Understand data protection and governance for Microsoft 365 and Copilot — 35-40%
  3. Perform basic administrative tasks for Copilot and agents — 25-30%

How it is scored

AB-900 uses Microsoft’s scaled scoring model. Your raw answers are converted to a score between 1 and 1000, and 700 is the pass line. Because it’s scaled, 700 is not the same as answering 70% correctly — the conversion accounts for question difficulty. The practical takeaways: there is no penalty for guessing, so answer every question; and you don’t need to be perfect in any one area, since strong performance across domains can offset a weaker one. The largest domain (data protection and governance, up to 40%) carries the most weight, so prioritize it.

Eligibility & cost

There are no prerequisites — anyone can register. Microsoft’s audience profile assumes you’re familiar with Microsoft 365 core services, identity and access, security, data protection, governance, and now Microsoft 365 Copilot and agents, plus the main admin centers (Microsoft 365, Exchange Online, SharePoint, Teams, Entra, Purview, and Power Platform). Schedule through Pearson VUE (or Certiport if you’re a student or educator). Register with a personal Microsoft account, not a work/school account — Microsoft warns that records tied to an org account can be lost if you leave that organization. Pricing is set per country/region at checkout; if you’ve taken a Fundamentals exam before, expect a similar fee in your market.

Study plan

A focused two-to-three-week plan works well for most candidates:

  1. Start from the official AB-900 study guide. Use the skills-measured bullets as your checklist — every objective is fair game.
  2. Take the free Microsoft Learn learning paths for Microsoft 365, Copilot, and Purview, then the free practice assessment linked from the certification page to gauge readiness.
  3. Get into the admin centers. Use a Microsoft 365 trial or a developer tenant to click through the Microsoft 365 admin center, Exchange/SharePoint/Teams admin centers, Microsoft Entra, Microsoft Purview, and the Power Platform admin center.
  4. Go deep on the data-governance domain (Purview, DLP, sensitivity labels, Insider Risk, DSPM for AI, eDiscovery content search) because it’s the heaviest.
  5. Learn the Copilot and agent admin tasks — licensing models (monthly vs. pay-as-you-go), enabling/disabling features, usage monitoring with Copilot Analytics, prompt management, and the agent lifecycle/approval flow.
  6. Use the exam sandbox to get comfortable with the question UI before exam day.

Mindset & strategy

This is a fundamentals exam: it tests whether you can identify, describe, and recognize the right tool or concept — not whether you can deeply configure it. When a question gives a scenario, ask “which Microsoft service or admin center solves this?” rather than memorizing every setting. Watch your pace — with ~45 minutes for ~40-60 items you have roughly a minute each, so flag tough questions, keep moving, and return to them. Eliminate obviously wrong choices first; distractors are often real Microsoft products used in the wrong context.

Master the domains

  • Core Microsoft 365 Services & Identity: 33%
  • Data Protection & Governance for Copilot: 39%
  • Copilot & Agent Administration: 28%

Domain weights — spend your study time in proportion.

Common pitfalls

After you pass

Your certification appears in your Microsoft Learn transcript, where you can share and print it and post the badge to LinkedIn. Because it’s a Fundamentals credential, there’s nothing to renew — it doesn’t expire. Use it as a launch pad toward role-based credentials such as the SC-900 / SC-300 security and identity track, or Microsoft 365 administrator and Power Platform certifications, where the Copilot, Purview, and agent skills you just learned go deeper.

The week before & exam day

In the final week, take the official practice assessment again and review any objective where you score low; re-read the study-guide bullets one last time. Run the exam sandbox so the interface holds no surprises. If testing online, check your system and run the compatibility test in advance, clear your desk, and confirm a stable connection and a quiet, well-lit room. Have your government-issued ID ready and join your appointment early. During the exam, answer every question (no guessing penalty), flag the hard ones, and use any remaining time to revisit flagged items. Read each question fully — fundamentals questions often hinge on a single qualifying word.

Quick-reference: exam tips by domain

Pulled from every term in this subject — a fast last-pass before exam day.

Data Protection & Governance for Copilot

  • Activity Explorer — Activity explorer shows what users did with sensitive data, such as label changes or DLP matches; it reports actions, whereas Content/Data explorer reports where sensitive data resides.
  • Microsoft Purview Communication Compliance — Communication Compliance flags policy violations such as harassment, sensitive data, or regulatory breaches, and can review Copilot interactions for inappropriate content.
  • Microsoft Purview Compliance Manager — Compliance Manager identifies compliance risks and recommendations through improvement actions and prebuilt assessments mapped to standards and regulations.
  • Content Search in Purview eDiscovery — Content search is the tool to locate specific files and emails across Microsoft 365; it is now part of the unified Microsoft Purview eDiscovery experience.
  • How Copilot Accesses Data — Copilot enforces existing permissions, so it never surfaces data a user could not otherwise open, but oversharing of source content still exposes that content to Copilot.
  • SharePoint Data Access Governance Report — Run a data access governance report in the SharePoint admin center to pinpoint sites with risky sharing links before enabling Copilot.
  • Data Classification — Data classification underpins both sensitivity labels and DLP by detecting sensitive information types such as credit card or passport numbers.
  • Microsoft Purview Data Explorer — Use Data explorer to identify and locate sensitive information at rest across Microsoft 365; access is highly restricted via the Data Explorer List/Content viewer roles. It differs from Activity explorer, which reports actions on data.
  • Microsoft Purview Data Lifecycle Management — Retention policies apply broad retain/delete actions to whole workloads (Exchange, SharePoint), while retention labels give granular item-level control that can override policies; a common pattern is retain-then-delete.
  • Microsoft Purview Data Loss Prevention (DLP) — A DLP policy that uses the Microsoft 365 Copilot location (Custom template only) can exclude items with specific sensitivity labels from being used in Copilot responses; admins triage matches as DLP alerts in the Purview portal.
  • Microsoft Purview Data Security Posture Management (DSPM) for AI — DSPM for AI automatically runs a weekly data risk assessment on the top 100 SharePoint sites by usage and offers one-click policies to protect AI data.
  • Microsoft Purview Information Protection — Information Protection is the solution that delivers sensitivity labels and encryption; pair it with DLP to both label and restrict sensitive content.
  • Microsoft Purview Insider Risk Management — Insider Risk Management offers a Risky AI usage policy template that scores risky Copilot prompts and responses (such as prompt injection or access to protected material) and feeds signals to DSPM for AI.
  • Microsoft Graph — Microsoft Graph brings emails, chats, documents, and meetings into the Copilot prompt, but only content the user is permitted to access.
  • Microsoft Purview — Purview is the umbrella product covering Information Protection, DLP, Insider Risk Management, Communication Compliance, Data Lifecycle Management, eDiscovery, and DSPM for AI.
  • Responsible AI Principles — Memorize all six responsible AI principles; accountability and transparency are frequently tested as the foundation of human oversight.
  • Restricted Content Discovery (RCD) — Use Restricted Content Discovery as a fast, per-site setting to exclude high-risk overshared sites from Copilot while permissions are reviewed, without changing the site's permissions.
  • Sensitivity Labels — When a label applies encryption, Copilot only returns content if the user has the EXTRACT usage right, and new Copilot-created content inherits the highest-priority label of its sources.
  • SharePoint Advanced Management (SAM) — SAM features are included when at least one Microsoft 365 Copilot license is assigned (no minimum), and they enable Restricted Content Discovery and restricted site access to govern Copilot's data sources.
  • SharePoint Oversharing — Generative AI amplifies oversharing, so remediate broad 'Anyone' links and over-permissioned sites before broadly deploying Copilot.

Core Microsoft 365 Services & Identity

  • Audit logs — Use the audit log to review who did what and when; Entra audit and sign-in logs cover identity events, while the Purview audit log covers workload activity across Microsoft 365.
  • Authentication methods — Authentication answers who you are while authorization answers what you can do; phishing-resistant methods like FIDO2 and passkeys are stronger than passwords or SMS.
  • Authorization — Do not confuse the two: authentication verifies identity, authorization grants the level of access; least-privilege authorization is a core Zero Trust principle.
  • Conditional Access — Think signals plus decision: if a sign-in matches the assignment conditions, the policy grants, blocks, or requires extra controls like MFA; it is a key tool for troubleshooting blocked sign-ins.
  • Microsoft Defender XDR — XDR means extended detection and response; Defender XDR automatically correlates related alerts into a single incident so SOC teams see the full attack, and threat intelligence is the knowledge about actors and techniques that powers those detections.
  • App registrations and Enterprise applications — App registration = global blueprint (application object); enterprise application = service principal, the local identity admins use to grant or revoke an app's access and configure single sign-on.
  • Exchange Online admin center — Map the object to the center: mailboxes and distribution lists are configured in the Exchange admin center (EAC), not the Microsoft 365 admin center.
  • Identity Secure Score — It is recalculated every 24 hours and provides improvement actions; a higher percentage means stronger identity posture and it is available to free and paid customers.
  • License types for users and groups — Group-based licensing assigns licenses automatically to all members of a group; a user must have the right license (for example a Microsoft 365 Copilot license) before the corresponding feature becomes available.
  • Microsoft 365 admin center — The Microsoft 365 admin center is where you add and verify custom domain names and configure org settings; specialized workloads have their own admin centers reached from its left-nav.
  • Microsoft Entra — Microsoft Entra ID is the renamed Azure Active Directory and is the identity provider behind Microsoft 365 sign-in, conditional access, and SSO.
  • Multifactor authentication (MFA) — MFA dramatically reduces account compromise and is commonly enforced through Conditional Access; an MFA prompt is also a typical requirement to activate a privileged role in PIM.
  • Privileged Identity Management (PIM) — PIM enables just-in-time, eligible role assignments so admins activate elevated access only when needed, often requiring MFA, justification, or approval; this enforces least privilege.
  • Risky sign-ins — When troubleshooting blocked or challenged logins, check sign-in logs and the risky sign-ins report alongside Conditional Access and MFA settings to find the cause.
  • SharePoint in Microsoft 365 admin center — Sites contain libraries, libraries contain folders and files; default site groups map to permission levels Owners (Full Control), Members (Edit), and Visitors (Read), and the SharePoint admin center manages sites tenant-wide while site owners manage permissions within a site.
  • Single sign-on (SSO) — SSO improves user experience and security by reducing the number of credentials users manage and the number of passwords exposed to phishing.
  • Microsoft Teams admin center — Teams contain channels, and policies assigned in the Teams admin center control what users can do; configure teams, channels, and policies here rather than in the Microsoft 365 admin center.
  • Users and groups — Use security groups to assign access and Microsoft 365 groups to grant a team a shared mailbox, calendar, and SharePoint site; manage access by group rather than per user.
  • Zero Trust — Memorize the three Zero Trust principles in order — verify explicitly, least privilege, assume breach; Zero Trust is a strategy, not a single product.

Copilot & Agent Administration

  • Agent — Compare built-in Copilot capabilities (general productivity in apps) against agents, which are scoped to specific tasks, data sources, and instructions.
  • Agent Access Control — Admins scope agent availability to all users, no users, or specific users and groups when configuring access or approving an agent.
  • Agent Approval Process — Find pending agents under Copilot Control System > Agents > Requests; review data sources and custom actions before choosing Publish or Reject.
  • Agent Builder — Agent Builder is for quick, lightweight agent creation in the chat UX; escalate to Copilot Studio for advanced needs, and you can copy an agent from one to the other.
  • Agent Lifecycle — Monitor agent usage and operational insights using both the Microsoft 365 admin center and the Power Platform admin center across the agent's lifecycle.
  • Analyst — Choose Analyst for data-science tasks like turning raw spreadsheets into insights; it can run Python code that users can inspect in real time and appears in Copilot Chat under Tools.
  • Assign Copilot Licenses — Copilot is an add-on license assigned per user; it may take up to 24 hours to appear after assignment.
  • Billing Policy — Pay-as-you-go for agents requires a billing policy, created in the Microsoft 365 admin center (Copilot > Billing & usage) and tied to an Azure subscription and resource group.
  • Copilot Analytics — For deep adoption analysis use Copilot Analytics in Viva Insights; for quick license and usage summaries use the Microsoft 365 admin center usage report.
  • Copilot Control System — Its three pillars are security and governance, management controls (licensing, agent lifecycle, customization), and measurement and reporting.
  • Copilot Feature Controls — Use the Copilot settings and Search controls in the Microsoft 365 admin center to enable or disable features and to block specific connectors.
  • Copilot Monthly License Model — Per-user, per-month licensing suits predictable, broad daily usage; agents come included for Microsoft 365 Copilot-licensed users with no extra action needed.
  • Copilot Studio — Use Copilot Studio for advanced agent scenarios; switch to it from the simpler Agent Builder when you need broader capabilities and connectors.
  • Microsoft 365 Copilot Usage Report — The admin center usage report gives basic adoption and per-app engagement metrics; data appears within about 72 hours of Copilot activity.
  • Custom Agent — Custom agents fit repeatable, organization-specific scenarios (HR onboarding, IT helpdesk) and are built in Agent Builder or Copilot Studio.
  • Declarative Agent — Declarative agents grounded only in instructions and public websites are available at no additional cost and are on by default.
  • Microsoft 365 Copilot — Microsoft 365 Copilot is licensed per user per month as an add-on, and its built-in capabilities work across Word, Excel, PowerPoint, Outlook, and Teams.
  • Pay-as-you-go (PAYG) — Pay-as-you-go fits occasional or unlicensed agent users; you set it up in the Microsoft 365 admin center under Copilot > Billing & usage by creating a billing policy tied to an Azure subscription.
  • Microsoft Power Platform admin center — Use the Power Platform admin center for Copilot Studio capacity and environment-level agent governance; Copilot pay-as-you-go billing policies are now set up in the Microsoft 365 admin center.
  • Prompt Management — In Copilot Prompt Gallery users can save, share to a team, schedule, and delete prompts; admins can export a user's saved, liked, and shared prompts with PowerShell.
  • Researcher — Use cases for Researcher involve deep, multi-source synthesis and decision-ready reports, not quick lookups or numeric data crunching; it appears in Copilot Chat under Tools.
  • SharePoint Agents Billing — Remember SharePoint agent interactions cost 12 messages each (2 for the answer plus 10 for tenant graph grounding) for unlicensed users, set up via the Microsoft 365 admin center.

Frequently asked questions

Is AB-900 the replacement for MS-900?
Yes. MS-900 (Microsoft 365 Fundamentals) retired on 31 March 2026, and AB-900 is its successor. AB-900 keeps the core Microsoft 365 identity, security, and admin-center fundamentals but re-centers the exam on AI: data protection and governance for Copilot, and the administration of Microsoft 365 Copilot and agents.

What score do I need to pass, and how is it scored?
You need 700 on a 1000-point scale. Microsoft uses scaled scoring, not a raw percentage, so 700 is not the same as 70% correct. You can pass even if you miss questions in one area, as long as your overall scaled score reaches 700.

How long is the exam and how many questions are there?
Microsoft states you have 45 minutes to complete the assessment (the full appointment is a bit longer for instructions and agreements). Microsoft does not publish an exact question count; Fundamentals exams typically have roughly 40-60 items, including multiple choice, multiple response, and possibly interactive components.

How much does AB-900 cost?
Microsoft lists only "Price based on the country or region in which the exam is proctored," so there is no single global price. The common US list price for Fundamentals exams is around $99 USD, but check the Pearson VUE checkout for your country for the exact amount.

Does the AB-900 certification expire?
No. Microsoft's official credential expiration policy states that Fundamentals certifications do not expire, so AB-900 requires no annual renewal. (A few early beta passers saw an incorrect expiry date in their profile; Microsoft confirmed that was a system error, not a policy change.)

What's the biggest content shift versus MS-900?
The heavy emphasis on Microsoft Purview and Copilot data governance. The largest domain (35-40%) is data protection and governance for Microsoft 365 and Copilot, covering sensitivity labels, DLP, Insider Risk Management, DSPM for AI, how Copilot accesses data via Microsoft Graph, responsible AI, and SharePoint oversharing — topics that barely existed on MS-900.

Do I need hands-on experience to pass?
It helps a lot but isn't strictly required. AB-900 is a Beginner-level Fundamentals exam, so conceptual understanding is enough to pass. However, several objectives are task-oriented (assigning Copilot licenses, creating an agent, running a SharePoint data access governance report, responding to DLP alerts), so time in the Microsoft 365, Purview, and Power Platform admin centers makes those questions much easier.

What product-name changes should I watch for?
Microsoft renames products frequently. Know that Azure AD is now Microsoft Entra ID, the security suite is Microsoft Defender XDR, and compliance/governance lives under Microsoft Purview (Information Protection, DLP, Insider Risk Management, Communication Compliance, Data Lifecycle Management, and DSPM for AI). Using the current names is important on the exam.
