AB-900 Study Guide

Domain 2: Data Protection & Governance

DSPM for AI & Data Lifecycle

Data Security Posture Management for AI watches how your data is used with Copilot and other AI tools. Data Lifecycle Management controls how long data lives. Both are essential for Copilot governance.

Two critical concepts for the AI era

☕ Simple explanation

DSPM for AI is like a GPS tracker on your data when it travels through AI tools. It shows: “This confidential document was accessed by Copilot 47 times this week by 12 different users.” It helps you answer: “Is our sensitive data being used safely with AI?”

Data Lifecycle Management is like an expiry date on food. Some data must be kept for 7 years (legal records). Some data should be deleted after 90 days (old chat logs). Retention policies automate this — keep what you need, delete what you don’t, and never lose something you’re legally required to keep.

DSPM for AI (Data Security Posture Management for AI) is a Purview capability that discovers, monitors, and governs how organisational data interacts with AI tools like Microsoft 365 Copilot. It provides visibility into AI activity, identifies sensitive data exposure through AI, and helps enforce data protection policies in AI-enabled environments.

Data Lifecycle Management encompasses retention policies (how long to keep data), retention labels (per-item retention rules), and disposition (what happens when retention expires). It ensures regulatory compliance, reduces storage costs, and prevents premature deletion of legally required records.

DSPM for AI — governing your AI data

What DSPM for AI shows you

| Insight | Why It Matters |
|---|---|
| Which sensitive data AI accesses | Are labelled documents being surfaced by Copilot? |
| Who’s using AI with sensitive data | Are the right people accessing the right data through AI? |
| Unlabelled data being used in AI | Data without sensitivity labels is a blind spot |
| AI interaction volume | How heavily is your org using Copilot with sensitive content? |
| Risky AI patterns | Users prompting Copilot for data they shouldn’t have access to |

💡 Scenario: Northwave discovers AI blind spots

After deploying Copilot, Priya (Compliance) checks DSPM for AI and finds:

  • 2,400 documents accessed by Copilot in the first month
  • 340 of those had sensitivity labels (good — protected)
  • 2,060 had NO labels (bad — blind spot)
  • 15 users used Copilot to access data in SharePoint sites they hadn’t directly visited before

Actions:

  1. Priority: auto-label the 2,060 unlabelled documents (Information Protection)
  2. Review the 15 users’ access patterns — were they accessing data through oversharing?
  3. Set up DSPM alerts for unlabelled data accessed by Copilot
  4. Report to Jordan (CISO) — “Our labelling coverage is only 14%. Copilot exposes the gap.”

Key exam concept: DSPM for AI doesn’t block anything — it provides VISIBILITY. It tells you what’s happening so you can take action with other tools (labels, DLP, permissions). Think of it as the dashboard, not the brakes.
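
The kind of summary Priya reads in the scenario above can be computed from AI interaction records. This is an added example, not part of the original guide and not Purview's own code or export format; the record fields, user names and site names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical schema, not a Purview export format).
# Each record is one Copilot interaction that surfaced a document.
COPILOT_EVENTS = [
    {"user": "amy", "doc": "/sites/hr/salaries.xlsx", "site": "hr", "label": "Confidential"},
    {"user": "amy", "doc": "/sites/hr/salaries.xlsx", "site": "hr", "label": "Confidential"},
    {"user": "ben", "doc": "/sites/hr/salaries.xlsx", "site": "hr", "label": "Confidential"},
    {"user": "ben", "doc": "/sites/sales/q3-plan.docx", "site": "sales", "label": None},
    {"user": "cat", "doc": "/sites/legal/draft-nda.docx", "site": "legal", "label": None},
    {"user": "cat", "doc": "/sites/sales/pricing.xlsx", "site": "sales", "label": None},
]
# Constructed: sites each user has opened directly (outside Copilot).
DIRECT_VISITS = {"amy": {"hr"}, "ben": {"sales"}, "cat": {"sales", "legal"}}


def posture_summary(events, direct_visits):
    """Summarise label coverage and indirect access from AI interaction records."""
    doc_label = {}                 # unique document -> label (None = unlabelled)
    doc_hits = defaultdict(int)    # document -> number of Copilot accesses
    doc_users = defaultdict(set)   # document -> distinct users
    indirect = defaultdict(set)    # user -> sites reached only through Copilot
    for e in events:
        doc_label[e["doc"]] = e["label"]
        doc_hits[e["doc"]] += 1
        doc_users[e["doc"]].add(e["user"])
        if e["site"] not in direct_visits.get(e["user"], set()):
            indirect[e["user"]].add(e["site"])
    unlabelled = sorted(d for d, lbl in doc_label.items() if lbl is None)
    labelled = len(doc_label) - len(unlabelled)
    return {
        "documents": len(doc_label),
        "labelled": labelled,
        "unlabelled": unlabelled,  # the blind spot: candidates for auto-labelling
        "coverage_pct": round(100 * labelled / len(doc_label)) if doc_label else 0,
        "access_counts": {d: (doc_hits[d], len(doc_users[d])) for d in doc_label},
        "indirect_access": {u: sorted(s) for u, s in indirect.items()},
    }


if __name__ == "__main__":
    for key, value in posture_summary(COPILOT_EVENTS, DIRECT_VISITS).items():
        print(f"{key}: {value}")
```

The output only reports; acting on the unlabelled list or the indirect-access users is done with labels, DLP and permissions, as the guide notes.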

Data Lifecycle Management — retention and deletion

Retention policies vs retention labels

| Feature | Retention Policy | Retention Label |
|---|---|---|
| Scope | Applied to locations (entire mailbox, entire site) | Applied to individual items (specific document, email) |
| How applied | Admin configures for locations | Manual, auto-applied, or recommended |
| Flexibility | Broad — same rules for everything in the location | Granular — different rules per item |
| Use case | Keep all email for 3 years | Keep this specific contract for 10 years |
| Legal hold | Not designed for this | Supports legal holds on specific items |

Retention actions

| Setting | What Happens |
|---|---|
| Retain only | Keep data for X period, then do nothing (user can still delete before) |
| Retain then delete | Keep for X period, then auto-delete |
| Delete only | Auto-delete after X period (no retention requirement) |

💡 Scenario: Clearfield Council's retention rules

Clearfield Council has regulatory requirements:

  • Council meeting minutes → retain for 10 years, then delete (retention label, auto-applied to “Council Minutes” library)
  • General email → retain for 3 years, then delete (retention policy on all Exchange mailboxes)
  • Teams chat → retain for 1 year, then delete (retention policy on Teams)
  • Active investigation documents → legal hold, retain indefinitely (retention label, manually applied by legal team)

The key principle: retain what you must, delete what you should, and never lose what you’re legally required to keep.

DSPM for AI & Data Lifecycle — AB-900 Module 15

Flashcards

Question: What does DSPM for AI do?

Answer: Discovers and monitors how organisational data interacts with AI tools like Copilot. Shows which sensitive/unlabelled data AI accesses, who's using AI with sensitive data, and risky AI patterns. Provides visibility, not enforcement.

Question: What's the difference between a retention policy and a retention label?

Answer: Retention policy = broad rules applied to locations (entire mailbox, entire site). Retention label = granular rules applied to individual items (specific document, email). Labels also support legal holds.

Question: What are the three retention actions?

Answer: 1) Retain only — keep data, user can still delete. 2) Retain then delete — keep for X period, then auto-delete. 3) Delete only — auto-delete after X period, no retention.

Knowledge Check

After deploying Copilot, Northwave finds that 80% of documents accessed by Copilot have no sensitivity labels. Which Purview tool revealed this insight?


Next up: How Copilot Accesses Your Data — the Microsoft Graph connection and why data governance is the foundation of safe Copilot deployment.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.