πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AB-900 Domain 1
Domain 1 β€” Module 5 of 10 50%
5 of 28 overall

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free
Domain 1: M365 Core Features & Objects Premium ⏱ ~12 min read

Users, Groups & Licensing

Every person in your organisation is a user. Every user needs licenses. And groups make managing hundreds of users practical instead of painful.

Users, groups, and licenses β€” the foundation

β˜• Simple explanation

Think of your M365 tenant as a theme park.

Users are the visitors β€” each person has a unique ticket (account). Licenses are the wristbands that unlock different rides β€” a basic wristband gets you the free rides (Exchange, Teams), a premium wristband adds the VIP experiences (Copilot, advanced compliance).

Groups are tour groups β€” instead of giving each visitor their wristband individually, you say β€œeveryone in the Marketing tour group gets the premium wristband.” When a new person joins the tour, they automatically get the wristband too.

And admin roles are like staff badges β€” the park manager can do everything, but the ride operator can only manage their specific ride.

Every M365 tenant is built on users (identity objects in Microsoft Entra ID), groups (collections of users for permission and license management), and licenses (subscription entitlements that unlock M365 features).

License assignment can be direct (per-user) or group-based (inherited from an Entra ID group). Admin roles follow RBAC (Role-Based Access Control) β€” predefined or custom roles that scope administrative permissions to specific tasks or resources.

Group types in Microsoft 365

Group types in Microsoft 365
FeaturePurposeEmail?SharePoint Site?Best For
Microsoft 365 GroupCollaboration + shared resourcesTeams, projects, departments
Security groupAccess control + license assignmentPermissions, CA policies, license groups
Mail-enabled security groupSecurity + email distributionGroups that need both permissions AND email
Distribution groupEmail distribution onlyEmail lists (all-staff@, marketing@)

Exam tip: When the question says β€œassign Copilot licenses to a department” β†’ use a security group or M365 Group with group-based licensing. When it says β€œsend email to all staff” β†’ use a distribution group. Know the difference.

How licensing works

License hierarchy

Microsoft 365 E5 (the plan)
β”œβ”€β”€ Exchange Online (email)
β”œβ”€β”€ SharePoint Online (files)
β”œβ”€β”€ Teams (collaboration)
β”œβ”€β”€ Microsoft Entra ID P2 (premium identity)
β”œβ”€β”€ Microsoft Purview (compliance)
β”œβ”€β”€ Microsoft Defender (security)
└── ...plus 20+ more services

Each plan includes specific service plans (individual features). Admins can toggle individual service plans on/off per user if needed.

Microsoft 365 Copilot β€” an add-on license

Copilot is NOT included in E3/E5 β€” it’s a separate add-on license (Microsoft 365 Copilot) that requires a qualifying base plan (M365 Business Standard/Premium, E3, or E5).

πŸ’‘ Scenario: Maya licenses Northwave

Northwave’s 500 employees:

RoleCountLicenseCopilot?
Knowledge workers200M365 E5βœ… Copilot add-on (monthly)
Field engineers50M365 E3βœ… Copilot add-on (pay-as-you-go)
Frontline staff200M365 F3❌ No Copilot
Executives10M365 E5βœ… Copilot add-on (monthly)
Contractors40M365 E3❌ No Copilot

Maya uses security groups for each category β†’ assigns licenses at the group level β†’ new hires automatically get the right license.

Admin roles β€” RBAC

The exam tests whether you know: don’t give everyone Global Admin.

Common Microsoft 365 admin roles
FeatureWhat They Can DoUse Case
Global AdministratorEverything β€” full control over the entire tenantOnly 2-3 people (break-glass accounts)
User AdministratorCreate/manage users, reset passwords, manage groupsHelpdesk, IT support
License AdministratorAssign and manage licensesIT ops, procurement
Exchange AdministratorManage Exchange Online settingsEmail admin
SharePoint AdministratorManage SharePoint sites and settingsSite admin
Teams AdministratorManage Teams settings, policies, channelsTeams admin
Security AdministratorManage security policies, Defender settingsSecurity team
Compliance AdministratorManage Purview compliance featuresCompliance officer
Billing AdministratorManage billing, subscriptions, invoicesFinance/procurement
⚠️ Least privilege β€” the golden rule

Never give more access than needed. This is tested in every security-related exam question.

Bad: Everyone in IT is a Global Admin Good: Maya = User Admin + License Admin. Jordan (CISO) = Security Admin. Priya = Compliance Admin. Only the CTO has Global Admin (and a break-glass account).

Why it matters: A compromised Global Admin account can wipe the entire tenant. A compromised User Admin can only reset passwords. Limit the blast radius.

Where to assign: M365 admin center β†’ Users β†’ Active users β†’ Manage roles. Or Microsoft Entra admin center β†’ Roles and administrators.

🎬 Video walkthrough

🎬 Video coming soon

Users, Groups & Licensing β€” AB-900 Module 5

Users, Groups & Licensing β€” AB-900 Module 5

~10 min

Flashcards

Question

What's the difference between a Microsoft 365 Group and a security group?

Click or press Enter to reveal answer

Answer

M365 Group = collaboration (includes a shared mailbox, SharePoint site, Planner, and more). Security group = access control (used for permissions, conditional access, and license assignment). Security groups don't create shared resources.

Click to flip back
Question

Is Microsoft 365 Copilot included in M365 E3 or E5?

Click or press Enter to reveal answer

Answer

No β€” Copilot is a separate add-on license that requires a qualifying base plan (Business Standard/Premium, E3, or E5). You must purchase and assign it separately.

Click to flip back
Question

Why should you avoid making everyone a Global Administrator?

Click or press Enter to reveal answer

Answer

Least privilege principle β€” Global Admins have full control over the entire tenant. A compromised Global Admin account could wipe everything. Give specific roles (User Admin, License Admin, etc.) to limit the blast radius.

Click to flip back

Knowledge Check

Knowledge Check

Northwave needs to assign Microsoft 365 E5 licenses to all 200 knowledge workers. New hires should automatically get the license. What's the best approach?
Knowledge Check

Maya needs to manage Exchange Online settings but should NOT have access to SharePoint or Teams admin functions. Which role should she be assigned?

Next up: Zero Trust β€” the security philosophy that Microsoft 365 is built on, and why it matters for every admin decision.

← Previous

Microsoft Teams: Teams, Channels & Policies

Next β†’

Zero Trust: Never Trust, Always Verify

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.