AB-900: The New Microsoft Copilot Certification and How to Pass It
Microsoft now has a dedicated certification for Copilot administration. Here's what it actually tests, whether it's worth your time, and a week-by-week study plan.
If you work with Microsoft 365, you’ve probably noticed Copilot appearing everywhere. Microsoft is pushing hard to make AI-assisted productivity the default, and that means IT teams need to understand how to manage it properly.
The AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals exam is Microsoft’s answer to that skills gap. It’s a fundamentals-level certification aimed at people who need to understand how Copilot works, how to govern it, and how to manage the growing ecosystem of AI agents in a Microsoft 365 environment.
I’ve looked through the exam objectives and training materials. Here’s my take on what you actually need to know.
Why This Certification Exists
Copilot isn’t just another feature toggle in the admin center. It pulls data from across your Microsoft 365 tenant via the Microsoft Graph - emails, documents, Teams chats, SharePoint sites. If your permissions aren’t locked down properly, Copilot can surface information that users probably shouldn’t have easy access to.
On top of that, Microsoft has opened up the ability to create custom AI agents through Copilot Studio. These agents can be shared internally or published to your organisation. Someone needs to govern that. Someone needs to understand the approval workflows, the data exposure risks, and the compliance implications.
That’s what this certification is really about: making sure IT pros understand the governance side of AI in Microsoft 365, not just how to turn it on.
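To make the oversharing risk described above concrete, here is an added example (not code from this post or from Microsoft) that flags items whose permissions reach far beyond named users and ranks labelled items first. The `permissions` entries follow the shape of Microsoft Graph permission resources; the `path` and `label` fields, the label names, and the sample inventory are assumptions constructed for illustration.

```python
# Added example: flag broadly shared items in a constructed inventory.
# "permissions" mimics Microsoft Graph permission resources (link.scope,
# grantedToV2); "path" and "label" are hypothetical fields for this sketch.
BROAD_GROUPS = {"everyone", "everyone except external users"}
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}  # assumed label names

def broad_grants(permissions):
    """Return reasons why a permission set reaches far more than named users."""
    reasons = []
    for perm in permissions:
        scope = (perm.get("link") or {}).get("scope")
        if scope in ("anonymous", "organization"):
            reasons.append(f"{scope} sharing link")
        grantees = [perm.get("grantedToV2") or {}]
        grantees += perm.get("grantedToIdentitiesV2") or []
        for grantee in grantees:
            for kind in ("group", "siteGroup", "siteUser"):
                name = (grantee.get(kind) or {}).get("displayName", "")
                if name.lower() in BROAD_GROUPS:
                    reasons.append(f"granted to '{name}'")
    return reasons

def oversharing_report(inventory):
    """List (severity, path, reasons), with labelled-and-broad items first."""
    findings = []
    for item in inventory:
        reasons = broad_grants(item.get("permissions", []))
        if not reasons:
            continue  # only named users or groups: nothing to flag here
        severity = "high" if item.get("label") in SENSITIVE_LABELS else "review"
        findings.append((severity, item["path"], reasons))
    return sorted(findings, key=lambda f: (f[0] != "high", f[1]))

# Constructed sample data, not output from a real tenant.
SAMPLE = [
    {"path": "/sites/HR/Salaries.xlsx", "label": "Confidential",
     "permissions": [{"roles": ["read"], "grantedToV2": {
         "siteUser": {"displayName": "Everyone except external users"}}}]},
    {"path": "/sites/Sales/Deck.pptx", "label": None,
     "permissions": [{"roles": ["read"],
                      "link": {"scope": "organization", "type": "view"}}]},
    {"path": "/sites/Legal/Contract.docx", "label": "Highly Confidential",
     "permissions": [{"roles": ["write"], "grantedToV2": {
         "user": {"displayName": "Constructed User"}}}]},
]

if __name__ == "__main__":
    for severity, path, reasons in oversharing_report(SAMPLE):
        print(f"{severity:6} {path}: {'; '.join(reasons)}")
```

The "high" rows are the ones to fix before a Copilot rollout; "review" rows are broad grants on unlabelled content that still need an owner to confirm the audience.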
What the Exam Actually Tests
The exam breaks down into three areas, and the weighting tells you where to focus your study time:
Microsoft 365 Core Services (30-35%)
This isn’t Copilot-specific - it’s foundational M365 admin knowledge. If you’ve worked with the admin centers before, this should be familiar:
- How licensing works for users and groups
- Navigating the M365, Exchange, SharePoint, and Teams admin centers
- Basic security concepts: Zero Trust principles, authentication methods, Conditional Access
- Microsoft Entra (formerly Azure AD): users, groups, roles, audit logs
- Privileged Identity Management basics
- Interpreting the Identity Secure Score
Data Protection and Governance (35-40%)
This is the largest section and the most relevant to Copilot specifically:
- Microsoft Purview capabilities: Information Protection, DLP, Insider Risk, Communication Compliance
- How sensitivity labels work and when to use them
- Data classification and retention policies
- How Copilot accesses data through Microsoft Graph
- The oversharing problem: what happens when Copilot surfaces content users technically have access to but shouldn’t see
- Data Security Posture Management (DSPM) for AI
- Responsible AI principles
Copilot and Agent Administration (25-30%)
The practical admin stuff:
- Copilot licensing and access control
- Usage monitoring and billing
- Prompt governance
- Creating agents in Copilot Studio
- Testing and publishing agents
- Agent approval workflows
- Lifecycle management through M365 and Power Platform admin centers
Is It Worth Your Time?
Honestly, it depends on where you are in your career.
If you’re already an experienced M365 admin with active certifications, a lot of this will feel like revision. The Copilot-specific content is probably 30-40% of the exam. You could learn that from documentation without sitting another exam.
But if any of these apply to you, it’s probably worth doing:
- Your organisation is rolling out Copilot and you need to get up to speed fast
- You’re in a compliance or security role and need to understand AI governance
- You’re newer to M365 administration and want a structured path
- You want something on your CV that signals you’re keeping pace with AI developments
It’s a fundamentals exam, so it’s not difficult to pass. The value is more about demonstrating awareness than proving deep expertise.
Four-Week Study Plan
Here’s how I’d approach this if I were starting from scratch. Adjust the pace based on your existing M365 experience.
Week 1: Microsoft 365 Foundations
Goal: Make sure your core M365 admin knowledge is solid.
- Day 1-2: Review the M365 admin center. Create users, assign licenses, understand the difference between assigned and inherited permissions
- Day 3-4: Exchange admin center basics - mailboxes, distribution lists, mail flow rules
- Day 5-6: SharePoint admin center - sites, permissions, sharing policies
- Day 7: Teams admin center - teams, channels, meeting policies
Hands-on: If you don’t have access to a production tenant, sign up for the Microsoft 365 Developer Program. It gives you a free E5 tenant to experiment with.
Week 2: Security and Identity
Goal: Understand the security layer that underpins everything.
- Day 1-2: Zero Trust principles - never trust, always verify, assume breach
- Day 3: Authentication methods - passwords, MFA, passwordless, FIDO2
- Day 4-5: Conditional Access policies - what they do, how to read them, common scenarios
- Day 6: Microsoft Entra basics - users, groups, roles, enterprise apps
- Day 7: Identity Secure Score - what it measures, how to improve it
Hands-on: Create a Conditional Access policy in your dev tenant. Block access from a specific location, then test it.
Week 3: Data Protection and Governance
Goal: This is the heaviest exam section. Spend proper time here.
- Day 1-2: Microsoft Purview overview - the compliance portal, what each tool does
- Day 3: Sensitivity labels - how they work, how they propagate, auto-labelling
- Day 4: Data Loss Prevention (DLP) - policies, conditions, actions
- Day 5: Insider Risk Management and Communication Compliance - what problems they solve
- Day 6: Data lifecycle management - retention labels and policies
- Day 7: How Copilot accesses data via Microsoft Graph - the oversharing risk
Hands-on: Create a sensitivity label and apply it to a document. Create a DLP policy that blocks sharing of files with credit card numbers.
Week 4: Copilot and Agents
Goal: Understand the Copilot-specific administration.
- Day 1-2: Copilot licensing - which licenses include it, how to assign access
- Day 3: Copilot usage monitoring - admin center reports, adoption metrics
- Day 4: Prompt governance and responsible AI principles
- Day 5-6: Copilot Studio - create a simple agent, test it, understand the publishing workflow
- Day 7: Agent governance - approval process, lifecycle management, admin controls
Hands-on: If you have Copilot licenses, explore the admin settings. If not, watch the Microsoft Learn videos and review the documentation for Copilot Studio.
Final Prep
- Take the exam sandbox to see the interface
- Review the official study guide
- When the practice assessment becomes available, take it
Resources
Free:
- AB-900 Study Guide - the official skills outline
- Microsoft Learn: AB-900T00 Course - free self-paced modules
- Microsoft 365 Developer Program - free E5 tenant
- Exam Sandbox - experience the exam interface
Paid:
- Instructor-led AB-900T00 course through Microsoft Learning Partners
- Third-party practice tests on Udemy, Whizlabs, etc.
The Bottom Line
AB-900 isn’t a difficult exam, but it covers ground that matters. The governance and data protection content is genuinely useful if your organisation is adopting Copilot - these are the conversations you’ll be having with security and compliance teams.
If you’re already certified in M365 administration, you could probably pass this with a weekend of focused study on the Copilot-specific content. If you’re newer to the space, the four-week plan above will get you there comfortably.
Either way, understanding how to govern AI tools in Microsoft 365 is becoming a core skill. This certification is one way to prove you’ve got it.