Copilot and Agent Administration Fundamentals (AB-900) - My Experience and Recommendations
TLDR
The Copilot and Agent Administration Fundamentals certification (AB-900) validates a basic level of understanding what it takes to support and govern an AI enabled Microsoft 365 environment. This covers core Microsoft 365 services and security principles, governance, data protection, and the administration of Copilot and agents. There is some overlap with AI-900 (AI Fundamentals) in terms of evaluating knowledge around core agentic concepts and Copilot / Copilot Studio.
I think most 900 certifications are worth undertaking if it's an area you work in or are interested in given they have a relatively low entry point, but AB-900 is a unique one in the sense that I think it's not really targeted at fundamentals around a tech area or product (like, say, AI, Power Platform, Security, or Data) but a specific element of Copilot and agent management. To put that another way, I think something like PL-900 or AI-900 is useful even to those who don't work in the field, but AB-900 felt like it's mostly only going to be useful for those who will be working or planning to work in or around Microsoft 365 administration, security, or AI enablement. Even at only 45 minutes of an exam, I wouldn't recommend it as a target for most.
Who is the AB-900 Certification Aimed At?
The AB-900 exam targets professionals who need to understand the fundamentals of administering and governing Copilot and agents within Microsoft 365. Ideal candidates include (existing or aspiring):
| Role | Relevance to AB-900 |
|---|---|
| M365 Administrators | Core audience. Those responsible for managing tenants, licensing, and the day to day operations of Microsoft 365. |
| IT Support / Helpdesk | Professionals who need foundational knowledge of Copilot capabilities and common troubleshooting scenarios. |
| Security & Compliance Analysts | Those involved in data protection, governance, and ensuring responsible AI adoption. |
| AI Adoption Leads | Individuals driving Copilot and agent rollout across an organisation, including change management and usage monitoring. |
Beyond these roles, I think value is limited, but it could be worth looking at the learning path for targeted ups killing such as understanding how Copilot accesses data through the Microsoft Graph, how permissions cascade, and what governance controls exist.
Exam Preparation
I took the exam during its beta period in November 2025 while I was at Microsoft Ignite. As a result of taking the exam right after it was announced, I did so with no preparation at all. The MSLearn pathway was quickly available, which isn't always the case for beta exams.
Familiarity with Microsoft Purview, Microsoft Entra, and the SharePoint admin centre in particular will serve you well. The exam also leans into governance and data protection, so if these are areas you have less exposure to, it is worth spending additional time there.
Resources:
- AB-900 Landing Page
- AB-900 Study Guide
- MSLearn: Introduction to Microsoft 365 and AI Administration
- Microsoft Purview Documentation
- Microsoft 365 Copilot Documentation
My Experience and Recommendations
Unlike my experience with other fundamentals certifications, this was the first 900 level exam that I actually struggled for time, so don't get too held up on any individual questions.
- Governance is the main event. The largest skill domain (35 to 40%) covers data protection and governance, and this was reflected heavily in my experience. Microsoft Purview, sensitivity labels, DLP policies, data classification, and DSPM for AI all featured prominently. You need to understand not just what these tools do, but when and why you would use them.
- Entra ID knowledge is essential. Questions around Microsoft Entra covered conditional access policies, MFA, SSO, Identity Secure Score, and Privileged Identity Management (PIM). Understanding how identity and access controls form the foundation of a secure Copilot deployment is critical.
- Understand how Copilot accesses data. A recurring theme was the relationship between Copilot and the Microsoft Graph. You need to understand how Copilot respects existing permissions, and any sharing or permissions issues in SharePoint or OneDrive. Questions are likely to cover operational elements such as data access governance reports and using SharePoint Advanced Management to identify and remediate risks.
- Agent functionality and limitations came up more than expected. For a fundamentals exam, there was a fair amount of content around creating, testing, publishing, and governing agents. You are likely to be evaluated on the differences between built in Copilot capabilities and custom agents at a very high level. These questions aren't difficult, they just felt a little outside the core of evaluating administration knowledge.
- Business value and adoption are tested. Expect questions around Copilot licensing models (monthly licence vs pay as you go), monitoring adoption through Copilot Analytics, and understanding the use cases for advanced agents like Researcher and Analyst.
- Know your admin centres. You need clarity on which admin centre is used for what. Exchange Online for mailboxes and distribution lists, SharePoint for sites and permissions, Teams for channels and policies, Entra for identity, Purview for compliance. Questions often tested whether you could identify the correct admin centre for a given task - you should also understand the approval process for agents, and how to monitor their usage.
Overall, the AB-900 is a solid certification for anyone looking to demonstrate foundational competence in administering and governing Copilot and agents within Microsoft 365. But I would only really recommend it to M365 administrators and anyone involved in Copilot enablement who wants to validate their understanding.