Guided by A Guide to Cloud
AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free

Domain 1: M365 Core Features & Objects (Premium, ~11 min read)

Zero Trust: Never Trust, Always Verify

Zero Trust is the security philosophy behind everything in Microsoft 365. Three principles that change how you think about security — and that the exam tests heavily.

What is Zero Trust?

☕ Simple explanation

Imagine a building where everyone has to show ID at every door — not just the front entrance.

In the old security model, once you got past the front door (the corporate firewall), you were trusted everywhere. Walk freely, open any office, access any file.

Zero Trust says: no. Every door checks your ID. Every time. Even if you just walked through the door next to it. Even if you work here. Even if you’ve been here for 20 years.

Why? Because threats come from inside too. A compromised account, a stolen laptop, a malicious insider — if they’re already “inside,” the old model can’t stop them.

Zero Trust is a security framework based on the principle that no user, device, or network should be automatically trusted — regardless of their location or previous authentication status.

It replaces the traditional “castle-and-moat” model (trust everything inside the network) with continuous verification at every access point. Microsoft implements Zero Trust across six pillars: identity, devices, applications, data, infrastructure, and networks.

The three core principles

These three principles are tested on almost every security question:

| Principle | What It Means | Example |
|---|---|---|
| Verify explicitly | Always authenticate and authorise based on all available data points | Check the user’s identity, device health, location, AND the sensitivity of what they’re accessing |
| Use least privilege access | Give only the minimum permissions needed, for only as long as needed | Maya gets Exchange Admin (not Global Admin). PIM gives time-limited elevation. |
| Assume breach | Design systems as if an attacker is already inside | Segment networks, encrypt data at rest and in transit, monitor for anomalies |

💡 Exam tip: recognising Zero Trust principles in questions

The exam often describes a scenario and asks “which Zero Trust principle does this follow?”

Pattern recognition:

  • If the answer involves checking multiple factors before granting access → Verify explicitly
  • If the answer involves limiting permissions or time-bound access → Least privilege
  • If the answer involves monitoring, segmentation, or encryption → Assume breach

Sometimes questions combine principles: “Check the user’s device compliance (verify explicitly) and only grant read access (least privilege) to sensitive files.”

Zero Trust in Microsoft 365 — the six pillars

Microsoft applies Zero Trust across six areas:

Zero Trust pillars and their M365 implementations

| Pillar | M365 Service | Example |
|---|---|---|
| 🆔 Identity | Microsoft Entra ID | MFA, Conditional Access, PIM |
| 💻 Devices | Intune, Defender for Endpoint | Device compliance, health checks |
| 📱 Applications | Entra App Registration, Defender for Cloud Apps | App permissions, shadow IT detection |
| 📄 Data | Microsoft Purview | Sensitivity labels, DLP, encryption |
| 🏗️ Infrastructure | Azure, Defender for Cloud | Secure configurations, monitoring |
| 🌐 Networks | Global Secure Access | Network segmentation, secure connections |

💡 Scenario: Clearfield Council implements Zero Trust

Director Chen rolls out Zero Trust across Clearfield Council:

  1. Identity: MFA required for all users + Conditional Access blocks sign-ins from unknown locations
  2. Devices: Only Intune-managed devices can access M365 (personal phones blocked)
  3. Applications: All third-party apps require admin approval before users can consent
  4. Data: Sensitivity labels auto-applied to documents containing personal data
  5. Infrastructure: All admin accounts require PIM activation (time-limited, approved)
  6. Networks: Remote access only through Global Secure Access (no open VPN)

Each layer adds protection. If one layer fails (e.g., a password is compromised), the other layers still protect the organisation.
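
The layered checks from the Clearfield scenario, as an added example that is not part of the original guide: a simplified Python model showing that a correct password alone is denied by the other layers and that admin access is refused once a PIM window has closed. The class, field and function names are hypothetical, the sample sign-ins are constructed, and this is not how Entra ID actually evaluates Conditional Access.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed, simplified model of the Clearfield layers. All names here are
# hypothetical; this is not Entra ID's Conditional Access logic.
@dataclass
class SignIn:
    user: str
    password_ok: bool
    mfa_ok: bool
    known_location: bool
    device_managed: bool                    # Intune-managed and compliant
    wants_admin: bool = False
    pim_expires: Optional[datetime] = None  # end of an approved PIM activation

def evaluate(s: SignIn, now: datetime) -> tuple[str, list[str]]:
    """Return (decision, failed_checks). Every check runs on every request."""
    # Verify explicitly: all signals are checked, not just the password.
    signals = {"password": s.password_ok, "mfa": s.mfa_ok,
               "location": s.known_location, "device": s.device_managed}
    failed = [name for name, ok in signals.items() if not ok]
    # Least privilege: admin rights only inside an approved, unexpired window.
    if s.wants_admin and (s.pim_expires is None or now >= s.pim_expires):
        failed.append("pim")
    # Assume breach: report every failed signal (not just the first) so that
    # monitoring can see the full picture of a suspicious sign-in.
    return ("deny" if failed else "allow", failed)

NOW = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

def samples() -> list[tuple[str, list[str]]]:
    staff = SignIn("maya", True, True, True, True)
    # Stolen password: right password, but no MFA, unknown place, personal phone.
    stolen = SignIn("maya", True, False, False, False)
    # Admin request four hours after the PIM window closed.
    expired = SignIn("maya", True, True, True, True, wants_admin=True,
                     pim_expires=NOW - timedelta(hours=4))
    # Admin request inside an approved, still-open PIM window.
    active = SignIn("maya", True, True, True, True, wants_admin=True,
                    pim_expires=NOW + timedelta(hours=4))
    return [evaluate(x, NOW) for x in (staff, stolen, expired, active)]

if __name__ == "__main__":
    for decision, failed in samples():
        print(decision, failed)
```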

Microsoft Secure Score

Secure Score is a measurement of your organisation’s security posture:

  • Scores range from 0 to a maximum based on your subscriptions
  • Higher = more secure
  • Based on recommended actions (enable MFA, block legacy auth, etc.)
  • Found in the Microsoft Defender portal (security.microsoft.com)

Key exam concept: Secure Score tells you HOW well you’ve implemented Zero Trust. It’s a dashboard, not a policy — it recommends actions but doesn’t enforce them.

🎬 Video walkthrough

🎬 Video coming soon

Zero Trust Explained β€” AB-900 Module 6

Zero Trust Explained β€” AB-900 Module 6

~9 min

Flashcards

Question

What are the three core Zero Trust principles?

Answer

1) Verify explicitly — always authenticate using all available data. 2) Use least privilege access — minimum permissions, minimum time. 3) Assume breach — design as if an attacker is already inside.

Question

What are the six pillars of Zero Trust in Microsoft 365?

Answer

Identity (Entra ID), Devices (Intune/Defender), Applications (app controls), Data (Purview), Infrastructure (Azure/Defender), Networks (Global Secure Access).

Question

What is Microsoft Secure Score?

Answer

A measurement of your organisation's security posture, based on recommended actions. Found in the Microsoft Defender portal. It recommends improvements but doesn't enforce them — it's a dashboard, not a policy.

Knowledge Check

Northwave's CISO Jordan wants to ensure that even if an employee's password is compromised, an attacker can't access sensitive files. Which Zero Trust principle should Jordan focus on?

Knowledge Check: Select all that apply

Maya assigned a temporary Global Admin role to herself for 4 hours to perform a critical configuration change, which then automatically revoked. Which TWO Zero Trust principles does this demonstrate? (Select 2)


Next up: Authentication — from passwords to passkeys, the methods Microsoft 365 uses to prove you are who you say you are.

← Previous

Users, Groups & Licensing

Next β†’

Authentication: Passwords, MFA & Beyond

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.