Microsoft AB-900 Exam Questions

The correct answer is B. Data explorer. Microsoft Learn states that Data explorer in Microsoft Purview shows a current snapshot of items that have been classified as a sensitive information type in your organization. Microsoft's sensitive information type documentation specifically lists examples such as social security numbers and credit card numbers, which means Data explorer is the appropriate portal feature for identifying files and emails that contain those data types. Data explorer is designed to help administrators see where sensitive data exists across supported Microsoft 365 locations.

The other options are less appropriate for this task. Information Protection reports focus more broadly on label and protection reporting. Information Protection policies are for configuring classification and protection behavior, not for finding existing files and emails containing SSNs or credit card numbers. Activity explorer is primarily used to review user and policy-related activities, such as label changes or DLP events, rather than to provide the direct sensitive-data inventory view requested here. Since the question asks to identify the files and emails containing specific sensitive information types, Microsoft's documented answer is Data explorer.

The correct answer is B. data loss prevention (DLP) policies. Microsoft Learn states that Microsoft Purview Data Loss Prevention helps organizations identify, monitor, and automatically protect sensitive information across Microsoft 365 locations such as Exchange, SharePoint, OneDrive, Teams, and devices. Microsoft specifically documents scenarios for preventing sensitive items from being shared with external users in SharePoint and OneDrive, and DLP policies can also block or restrict sharing based on sensitive information types, labels, or policy conditions. This is exactly the control used when the requirement is to stop users from sharing corporate financial data outside the organization.

Option A is incorrect because retention labels manage how long content is kept or deleted, not whether it can be shared externally. Option C is incorrect because role groups are used for permissions and administrative access delegation, not content-sharing prevention. Option D is incorrect because Insider Risk Management is designed to detect and investigate risky user behavior, not to directly block external sharing transactions in the way DLP policies do. For proactive enforcement of external-sharing restrictions on sensitive financial information, Microsoft's documented solution is DLP policies.

The correct answer is D. an app registration. Microsoft Learn states that to delegate identity and access management functions to Microsoft Entra ID, an application must be registered with a Microsoft Entra tenant. When you register an application, you create its identity configuration in Microsoft Entra, and a corresponding service principal is created so the application can authenticate and integrate with the tenant. This is the standard Microsoft mechanism for allowing a third-party cloud service or app to authenticate to Microsoft Entra.

The correct answer is C. Site lifecycle management. In the SharePoint admin center, Microsoft includes a Site ownership policy under Site lifecycle management that can identify sites with too few owners and drive remediation. Microsoft documents that this policy can detect sites with fewer than the required number of owners, notify site owners, and if the issue is not fixed, enforce an action such as making the site read-only. That directly matches the requirement that sites with fewer than two owners be marked as read-only when they are not remediated.

The other options do not fit this scenario. Site-level access restriction is about controlling who can access a site, not enforcing ownership-count governance. Data access governance reports help identify oversharing and permissions exposure, but they do not enforce a minimum-owner remediation policy that makes sites read-only. Block download policy for SharePoint and OneDrive is used to restrict downloading from unmanaged devices or similar access scenarios, not to handle insufficient site ownership. Therefore, the Microsoft-documented feature to configure is Site lifecycle management.

The correct answers are A and D because both tasks are supported directly in the Exchange admin center (EAC). Microsoft Learn states that administrators can manage mail flow rules in Exchange Online from the EAC under Mail flow > Rules, which includes creating and managing transport rules for organizational email handling. Microsoft Learn also states that administrators can create shared mailboxes in the EAC under Recipients > Mailboxes, where a shared mailbox can be added and then delegated to users.

Option B is incorrect because adding a custom domain is normally done in the Microsoft 365 admin center, specifically on the Domains page. Although Exchange can later work with accepted domains and related mail flow settings, the act of adding and verifying a custom domain is not an Exchange admin center task. Option C is incorrect because license assignment is handled through Microsoft 365 or Microsoft Entra administrative tools, not the Exchange admin center.