Exchange, SharePoint, and Teams Objects

Key Takeaways

  • Exchange manages mailboxes, shared mailboxes, distribution groups, and mail flow rules; Copilot in Outlook accesses only email the user can read.
  • SharePoint sites, document libraries, and sharing links are primary Copilot content sources; 'Anyone' links create oversharing risk.
  • Teams teams and channels are backed by SharePoint; Copilot in Teams respects channel membership and Teams policies.
  • Copilot does not bypass permissions — exposure issues trace to mailbox delegation, site permissions, or overshared links.
  • Distinguish workload objects (mailbox, site, channel) from policies (sharing, messaging, app permission) on exam scenarios.
Last updated: July 2026

Quick Answer: Exchange Online manages mailboxes and distribution groups. SharePoint manages sites, document libraries, and permissions. Teams manages teams, channels, policies, and app permissions. Copilot in Outlook, SharePoint, and Teams can only access content the signed-in user already has permission to read.

Domain 1 of AB-900 tests whether you understand the core objects in each workload admin center and how those objects affect Copilot data exposure. Copilot does not bypass permissions — if a user can read a mailbox or SharePoint file, Copilot can include that content in responses. Misconfigured sharing or delegation directly increases AI risk.

Exchange Online Objects

The Exchange admin center (admin.exchange.microsoft.com) manages email infrastructure:

ObjectPurposeCopilot Relevance
User mailboxPrimary email storage for a licensed userCopilot in Outlook reads email the user can access in their mailbox
Shared mailboxTeam inbox without a separate license (up to 50 GB)Copilot surfaces shared mailbox content only if the user has Full Access permission
Distribution groupEmail list that forwards to multiple recipientsNot a mailbox — Copilot does not "read" distribution groups as content stores
Mail-enabled security groupSecurity group that also receives emailUsed for access control and email distribution
Resource mailboxRoom or equipment bookingGenerally outside Copilot content scope
Mail flow rules (transport rules)Apply conditions/actions to messages in transitCan block sensitive data before it reaches Copilot-indexed mailboxes

Mailbox Permissions That Matter for Copilot

  • Full Access — another user can open the shared mailbox; Copilot in Outlook may surface that content when the delegate works in the shared mailbox context.
  • Send As / Send on Behalf — sending permissions only; does not grant read access to mailbox content.
  • Folder-level permissions — granular access within a mailbox; Copilot respects Exchange folder permissions.

On the Exam: A scenario about Copilot summarizing email the user "should not see" often traces back to mailbox delegation or overshared calendar/meeting content, not a Copilot bug.

SharePoint Objects

The SharePoint admin center manages collaboration storage:

ObjectPurposeCopilot Relevance
SiteContainer for team or communication contentCopilot indexes site content into the semantic index respecting permissions
Document libraryFile storage within a site (default library is "Documents")Primary source of files Copilot cites in Word, Excel, and chat
ListStructured data (tasks, issues, tracking)Can be grounded in Copilot responses if user has access
Site collectionGroup of sites under one admin boundarySharing and storage policies can apply at this level
Sharing link"Anyone," "People in organization," or specific people"Anyone" links are a top oversharing risk for Copilot exposure
Site permissionsOwners, Members, Visitors groupsCopilot cannot surface content from sites the user cannot access

SharePoint Sharing Policies

Admins configure tenant-wide sharing in the SharePoint admin center:

  • Anyone links — accessible without authentication; highest Copilot exposure risk.
  • People in your organization — requires sign-in with org account.
  • Specific people — most restrictive link type.
  • External sharing — guest access settings control B2B collaboration.

Common Trap: Copilot does not create new permissions. Remediating oversharing requires fixing SharePoint permissions and sharing links, not disabling Copilot globally.

Microsoft Teams Objects

The Teams admin center (admin.teams.microsoft.com) manages collaboration and meetings:

ObjectPurposeCopilot Relevance
TeamGroup of people with shared channels and filesBacked by a Microsoft 365 Group and SharePoint site
ChannelConversation space within a team (Standard or Private)Copilot in Teams chat accesses channel messages the user can read
Private channelRestricted membership with separate SharePoint siteCopilot respects private channel membership boundaries
Meeting policyControls meeting features (recording, transcription)Copilot meeting features inherit policy settings
Messaging policyControls chat, Giphy, memes, and editingGoverns what users can do in Teams chat where Copilot assists
App permission policyControls which apps/agents users can installGoverns custom Copilot Studio agents deployed to Teams
Teams app setup policyPins apps to the Teams clientCan pin Copilot or custom agents for users

Teams and SharePoint Connection

Every standard Teams channel stores files in a SharePoint document library behind the team. When Copilot references a file shared in Teams, it is ultimately reading SharePoint content through Microsoft Graph with the user's existing permissions.

Admin Center Quick Reference

TaskAdmin CenterObject
Create a shared mailbox for support@company.comExchangeShared mailbox
Restrict external sharing to specific domainsSharePointSharing policy
Block users from installing unapproved Teams appsTeamsApp permission policy
Add a user to a private channelTeamsPrivate channel membership
Set storage quota for a site collectionSharePointSite storage
Create a mail flow rule to block SSN patternsExchangeMail flow rule

Copilot Exposure Checklist

When investigating unexpected Copilot content in Exchange, SharePoint, or Teams, trace access in this order:

  1. Verify the user's group memberships in Entra ID — M365 Groups grant access to team sites and shared mailboxes.
  2. Review SharePoint site permissions — Owners, Members, and Visitors groups control file access.
  3. Audit active sharing links — expire "Anyone" and org-wide links on sensitive sites.
  4. Confirm Teams channel membership — private channels restrict access to invited members only.
  5. Remediate in the source admin center — fix permissions in SharePoint or Exchange; Copilot settings do not override data access.

This checklist applies the Microsoft Graph delegated-permissions model: Copilot surfaces what the user can already reach.

Objects vs Policies: Exam Distinction

AB-900 separates objects (mailboxes, sites, teams, channels) from policies (sharing, messaging, meeting, app permission). A question asking you to "prevent users from installing third-party Teams apps" is a policy question (Teams app permission policy). A question asking you to "give the finance team a shared inbox" is an object question (Exchange shared mailbox). Train yourself to identify whether the stem targets a thing or a rule.

Test Your Knowledge

A user reports Copilot in Outlook summarized emails from a mailbox they do not own. What is the most likely cause?

A
B
C
D
Test Your Knowledge

Which SharePoint sharing link type poses the highest Copilot data exposure risk?

A
B
C
D
Test Your Knowledge

Where are files shared in a standard Teams channel ultimately stored?

A
B
C
D
Test Your Knowledge

Which Teams admin center object controls whether users can install unapproved third-party apps?

A
B
C
D