Microsoft AB-900 Exam Questions

The correct answer is C. Site lifecycle management. In the SharePoint admin center, Microsoft includes a Site ownership policy under Site lifecycle management that can identify sites with too few owners and drive remediation. Microsoft documents that this policy can detect sites with fewer than the required number of owners, notify site owners, and if the issue is not fixed, enforce an action such as making the site read-only. That directly matches the requirement that sites with fewer than two owners be marked as read-only when they are not remediated.

The other options do not fit this scenario. Site-level access restriction is about controlling who can access a site, not enforcing ownership-count governance. Data access governance reports help identify oversharing and permissions exposure, but they do not enforce a minimum-owner remediation policy that makes sites read-only. Block download policy for SharePoint and OneDrive is used to restrict downloading from unmanaged devices or similar access scenarios, not to handle insufficient site ownership. Therefore, the Microsoft-documented feature to configure is Site lifecycle management.

The correct answers are A and D because both tasks are supported directly in the Exchange admin center (EAC). Microsoft Learn states that administrators can manage mail flow rules in Exchange Online from the EAC under Mail flow > Rules, which includes creating and managing transport rules for organizational email handling. Microsoft Learn also states that administrators can create shared mailboxes in the EAC under Recipients > Mailboxes, where a shared mailbox can be added and then delegated to users.

Option B is incorrect because adding a custom domain is normally done in the Microsoft 365 admin center, specifically on the Domains page. Although Exchange can later work with accepted domains and related mail flow settings, the act of adding and verifying a custom domain is not an Exchange admin center task. Option C is incorrect because license assignment is handled through Microsoft 365 or Microsoft Entra administrative tools, not the Exchange admin center.

The correct answer is B. data loss prevention (DLP) policies. Microsoft Learn states that Microsoft Purview Data Loss Prevention helps organizations identify, monitor, and automatically protect sensitive information across Microsoft 365 locations such as Exchange, SharePoint, OneDrive, Teams, and devices. Microsoft specifically documents scenarios for preventing sensitive items from being shared with external users in SharePoint and OneDrive, and DLP policies can also block or restrict sharing based on sensitive information types, labels, or policy conditions. This is exactly the control used when the requirement is to stop users from sharing corporate financial data outside the organization.

Option A is incorrect because retention labels manage how long content is kept or deleted, not whether it can be shared externally. Option C is incorrect because role groups are used for permissions and administrative access delegation, not content-sharing prevention. Option D is incorrect because Insider Risk Management is designed to detect and investigate risky user behavior, not to directly block external sharing transactions in the way DLP policies do. For proactive enforcement of external-sharing restrictions on sensitive financial information, Microsoft's documented solution is DLP policies.

The correct answers are A and D because both tasks are supported directly in the Exchange admin center (EAC). Microsoft Learn states that administrators can manage mail flow rules in Exchange Online from the EAC under Mail flow > Rules, which includes creating and managing transport rules for organizational email handling. Microsoft Learn also states that administrators can create shared mailboxes in the EAC under Recipients > Mailboxes, where a shared mailbox can be added and then delegated to users.

Option B is incorrect because adding a custom domain is normally done in the Microsoft 365 admin center, specifically on the Domains page. Although Exchange can later work with accepted domains and related mail flow settings, the act of adding and verifying a custom domain is not an Exchange admin center task. Option C is incorrect because license assignment is handled through Microsoft 365 or Microsoft Entra administrative tools, not the Exchange admin center.

The correct answer is D. Data Lifecycle Management. Microsoft Learn states that Microsoft Purview retention policies and retention labels, managed under Data Lifecycle Management, support three core outcomes: retain-only, delete-only, and retain and then delete. The requirement in this question is exact: keep email for seven years and then permanently delete it. That is a textbook retain and then delete retention configuration, which Microsoft documents as part of Purview's retention capabilities. Microsoft also recommends using Microsoft 365 retention policies and labels for retaining and deleting emails rather than relying on older Exchange-only approaches in most modern compliance scenarios.

The other options do not meet the requirement. Information Protection focuses on labeling and protecting sensitive information. Insider Risk Management is used to detect and investigate risky user behavior. Data Loss Prevention helps prevent inappropriate sharing or exfiltration of sensitive data. None of those are designed to enforce a timed seven-year retention period followed by automatic permanent deletion. The Microsoft Purview solution explicitly built for that lifecycle requirement is Data Lifecycle Management.