Exchange, SharePoint, and Teams Objects
Key Takeaways
- Exchange manages mailboxes, shared mailboxes, distribution groups, and mail flow rules; Copilot in Outlook accesses only email the user can read.
- SharePoint sites, document libraries, and sharing links are primary Copilot content sources; 'Anyone' links create oversharing risk.
- Teams teams and channels are backed by SharePoint; Copilot in Teams respects channel membership and Teams policies.
- Copilot does not bypass permissions — exposure issues trace to mailbox delegation, site permissions, or overshared links.
- Distinguish workload objects (mailbox, site, channel) from policies (sharing, messaging, app permission) on exam scenarios.
Quick Answer: Exchange Online manages mailboxes and distribution groups. SharePoint manages sites, document libraries, and permissions. Teams manages teams, channels, policies, and app permissions. Copilot in Outlook, SharePoint, and Teams can only access content the signed-in user already has permission to read.
Domain 1 of AB-900 tests whether you understand the core objects in each workload admin center and how those objects affect Copilot data exposure. Copilot does not bypass permissions — if a user can read a mailbox or SharePoint file, Copilot can include that content in responses. Misconfigured sharing or delegation directly increases AI risk.
Exchange Online Objects
The Exchange admin center (admin.exchange.microsoft.com) manages email infrastructure:
| Object | Purpose | Copilot Relevance |
|---|---|---|
| User mailbox | Primary email storage for a licensed user | Copilot in Outlook reads email the user can access in their mailbox |
| Shared mailbox | Team inbox without a separate license (up to 50 GB) | Copilot surfaces shared mailbox content only if the user has Full Access permission |
| Distribution group | Email list that forwards to multiple recipients | Not a mailbox — Copilot does not "read" distribution groups as content stores |
| Mail-enabled security group | Security group that also receives email | Used for access control and email distribution |
| Resource mailbox | Room or equipment booking | Generally outside Copilot content scope |
| Mail flow rules (transport rules) | Apply conditions/actions to messages in transit | Can block sensitive data before it reaches Copilot-indexed mailboxes |
Mailbox Permissions That Matter for Copilot
- Full Access — another user can open the shared mailbox; Copilot in Outlook may surface that content when the delegate works in the shared mailbox context.
- Send As / Send on Behalf — sending permissions only; does not grant read access to mailbox content.
- Folder-level permissions — granular access within a mailbox; Copilot respects Exchange folder permissions.
On the Exam: A scenario about Copilot summarizing email the user "should not see" often traces back to mailbox delegation or overshared calendar/meeting content, not a Copilot bug.
SharePoint Objects
The SharePoint admin center manages collaboration storage:
| Object | Purpose | Copilot Relevance |
|---|---|---|
| Site | Container for team or communication content | Copilot indexes site content into the semantic index respecting permissions |
| Document library | File storage within a site (default library is "Documents") | Primary source of files Copilot cites in Word, Excel, and chat |
| List | Structured data (tasks, issues, tracking) | Can be grounded in Copilot responses if user has access |
| Site collection | Group of sites under one admin boundary | Sharing and storage policies can apply at this level |
| Sharing link | "Anyone," "People in organization," or specific people | "Anyone" links are a top oversharing risk for Copilot exposure |
| Site permissions | Owners, Members, Visitors groups | Copilot cannot surface content from sites the user cannot access |
SharePoint Sharing Policies
Admins configure tenant-wide sharing in the SharePoint admin center:
- Anyone links — accessible without authentication; highest Copilot exposure risk.
- People in your organization — requires sign-in with org account.
- Specific people — most restrictive link type.
- External sharing — guest access settings control B2B collaboration.
Common Trap: Copilot does not create new permissions. Remediating oversharing requires fixing SharePoint permissions and sharing links, not disabling Copilot globally.
Microsoft Teams Objects
The Teams admin center (admin.teams.microsoft.com) manages collaboration and meetings:
| Object | Purpose | Copilot Relevance |
|---|---|---|
| Team | Group of people with shared channels and files | Backed by a Microsoft 365 Group and SharePoint site |
| Channel | Conversation space within a team (Standard or Private) | Copilot in Teams chat accesses channel messages the user can read |
| Private channel | Restricted membership with separate SharePoint site | Copilot respects private channel membership boundaries |
| Meeting policy | Controls meeting features (recording, transcription) | Copilot meeting features inherit policy settings |
| Messaging policy | Controls chat, Giphy, memes, and editing | Governs what users can do in Teams chat where Copilot assists |
| App permission policy | Controls which apps/agents users can install | Governs custom Copilot Studio agents deployed to Teams |
| Teams app setup policy | Pins apps to the Teams client | Can pin Copilot or custom agents for users |
Teams and SharePoint Connection
Every standard Teams channel stores files in a SharePoint document library behind the team. When Copilot references a file shared in Teams, it is ultimately reading SharePoint content through Microsoft Graph with the user's existing permissions.
Admin Center Quick Reference
| Task | Admin Center | Object |
|---|---|---|
| Create a shared mailbox for support@company.com | Exchange | Shared mailbox |
| Restrict external sharing to specific domains | SharePoint | Sharing policy |
| Block users from installing unapproved Teams apps | Teams | App permission policy |
| Add a user to a private channel | Teams | Private channel membership |
| Set storage quota for a site collection | SharePoint | Site storage |
| Create a mail flow rule to block SSN patterns | Exchange | Mail flow rule |
Copilot Exposure Checklist
When investigating unexpected Copilot content in Exchange, SharePoint, or Teams, trace access in this order:
- Verify the user's group memberships in Entra ID — M365 Groups grant access to team sites and shared mailboxes.
- Review SharePoint site permissions — Owners, Members, and Visitors groups control file access.
- Audit active sharing links — expire "Anyone" and org-wide links on sensitive sites.
- Confirm Teams channel membership — private channels restrict access to invited members only.
- Remediate in the source admin center — fix permissions in SharePoint or Exchange; Copilot settings do not override data access.
This checklist applies the Microsoft Graph delegated-permissions model: Copilot surfaces what the user can already reach.
Objects vs Policies: Exam Distinction
AB-900 separates objects (mailboxes, sites, teams, channels) from policies (sharing, messaging, meeting, app permission). A question asking you to "prevent users from installing third-party Teams apps" is a policy question (Teams app permission policy). A question asking you to "give the finance team a shared inbox" is an object question (Exchange shared mailbox). Train yourself to identify whether the stem targets a thing or a rule.
A user reports Copilot in Outlook summarized emails from a mailbox they do not own. What is the most likely cause?
Which SharePoint sharing link type poses the highest Copilot data exposure risk?
Where are files shared in a standard Teams channel ultimately stored?
Which Teams admin center object controls whether users can install unapproved third-party apps?