Zero Trust and Security Basics

Key Takeaways

  • Zero Trust principles: verify explicitly, use least-privilege access, and assume breach.
  • M365 implements Zero Trust through Entra Conditional Access, MFA, PIM, Intune device compliance, and Purview data protection.
  • Copilot amplifies permission mistakes — Zero Trust controls must be in place before AI rollout.
  • Service Health monitors availability; Purview Audit logs activity; Identity Secure Score recommends identity improvements.
  • Least privilege applies to both SharePoint permission levels and admin roles like Copilot Administrator vs Global Administrator.
  • Microsoft Defender XDR correlates endpoint, email, identity, and cloud-app signals for threat detection — distinct from Purview data governance.
Last updated: July 2026

Quick Answer: Zero Trust means "never trust, always verify." Microsoft's model has three principles: verify explicitly, use least-privilege access, and assume breach. In Microsoft 365, Zero Trust is implemented through Entra ID, Conditional Access, MFA, device compliance, encryption, and continuous monitoring.

AB-900 places Zero Trust in Domain 1 because Copilot amplifies the impact of weak identity and overshared data. A Zero Trust foundation ensures that every Copilot query runs in the context of a verified user, compliant device, and least-privilege permissions.

The Three Zero Trust Principles

PrincipleMeaningM365 Implementation
Verify explicitlyAlways authenticate and authorize based on all available data pointsMFA, Conditional Access, device compliance checks, risk-based policies
Use least privilege accessLimit user access with JIT and JEA (just-enough-access)PIM, role-based admin roles (Copilot Administrator vs Global Admin), SharePoint permission levels
Assume breachMinimize blast radius and segment access; analyze telemetryMicrosoft Defender, Purview audit, Insider Risk Management, encryption

On the Exam: Match the principle to the control. "Require MFA and compliant devices for admin portal access" is verify explicitly. "Assign Copilot Administrator instead of Global Admin" is least privilege. "Enable audit logging and Insider Risk alerts" supports assume breach.

Zero Trust Pillars in Microsoft 365

Microsoft maps Zero Trust across six technology pillars. AB-900 emphasizes these four:

1. Identity (Entra ID)

  • MFA and passwordless authentication
  • Conditional Access policies
  • PIM for privileged roles
  • Identity Secure Score monitoring

2. Devices (Microsoft Intune)

  • Device compliance policies (patch level, encryption, jailbreak detection)
  • Conditional Access requiring compliant devices
  • Mobile Application Management (MAM) for BYOD scenarios

3. Applications

  • App consent policies in Entra ID
  • Teams app permission policies
  • Integrated apps governance in M365 admin center for Copilot plugins

4. Data

  • Sensitivity labels and encryption (Purview Information Protection)
  • DLP policies preventing exfiltration
  • SharePoint sharing restrictions
  • Data residency controls for regulated industries

Zero Trust and Copilot: Why It Matters

Copilot introduces a new data access pattern: AI retrieves and synthesizes content across mailboxes, files, chats, and meetings in seconds. Without Zero Trust:

  • A compromised account with broad SharePoint access could extract sensitive content through Copilot chat.
  • An admin with standing Global Admin could change Copilot settings without MFA or approval.
  • A non-compliant personal device could sign in and access Copilot with org data.

Zero Trust controls shrink the attack surface:

RiskZero Trust Control
Stolen passwordMFA + Conditional Access
Compromised admin accountPIM + separate Copilot Administrator role
Unmanaged device accessDevice compliance requirement in Conditional Access
Overshared data in Copilot responsesSharePoint sharing policies + Purview access governance
Unmonitored AI activityPurview audit and DSPM for AI

Security Basics Beyond Zero Trust

AB-900 also tests foundational M365 security concepts:

ConceptDescription
Defense in depthLayer multiple controls (identity, device, data, network) so one failure does not expose everything
EncryptionData encrypted at rest and in transit; sensitivity labels can add rights-managed encryption
Audit loggingMicrosoft Purview Audit records user and admin activity including Copilot interactions
Data residencyGeographic location where tenant data is stored at rest; Copilot processing stays within tenant boundary
Customer LockboxRequires admin approval before Microsoft support accesses tenant content
Service Trust PortalMicrosoft's compliance documentation (SOC, ISO, HIPAA BAA availability)

Service Health vs Security Monitoring

ToolPurpose
Service Health dashboard (M365 admin center)Monitors Exchange, SharePoint, Teams, Copilot availability and incidents
Microsoft Purview AuditForensic log of who did what including Copilot activity
Microsoft DefenderThreat detection and response across identities, endpoints, email
Identity Secure ScoreIdentity posture recommendations

Common Trap: Service Health tells you Copilot is down; it does not tell you who used Copilot or what data was accessed. Usage analytics come from the Copilot Usage Report; forensic investigation uses Purview Audit.

Least Privilege in Practice

Zero Trust least privilege applies to both user data access and admin roles:

User data access:

  • SharePoint Visitors (read-only) vs Members (edit) vs Owners (full control)
  • Private Teams channels limit membership
  • Disable "Anyone" sharing links at the tenant level

Admin role access:

  • Copilot Administrator for Copilot settings (not Global Admin)
  • Compliance Administrator for Purview policies
  • PIM eligible assignments for Exchange/SharePoint/Global Admin
  • Separate accounts for admin tasks (no daily browsing as Global Admin)

Worked Scenario: Zero Trust Before Copilot Rollout

A healthcare organization plans to deploy Copilot but must protect PHI (protected health information):

  1. Verify explicitly — Conditional Access requires MFA and compliant devices for all M365 app access including Copilot.
  2. Least privilege — Assign Copilot only to users who need it; use sensitivity labels on PHI documents.
  3. Assume breach — Enable Purview Audit (premium if extended retention needed), Insider Risk Management, and DSPM for AI.
  4. Data pillar — Disable web grounding in Copilot org settings to prevent public web supplementation.
  5. Sharing — Restrict SharePoint external sharing; run access governance reports before go-live.
  6. Monitor — Review Copilot Usage Report and Identity Secure Score monthly.

Each step maps to a Zero Trust principle and a specific admin tool AB-900 tests.

Zero Trust Maturity: What AB-900 Expects

AB-900 is a fundamentals exam. You need to:

  • Name the three Zero Trust principles and match controls to each.
  • Identify which Entra/Purview/M365 feature implements a described security goal.
  • Recognize that Copilot inherits existing permissions — Zero Trust must be in place before rollout.
  • Distinguish monitoring tools (Service Health, Secure Score, Copilot Usage Report, Purview Audit) by purpose.

You do not need to architect a full Zero Trust migration, but you must recommend the right first control for a given scenario.

Microsoft Defender XDR and Threat Protection

AB-900 Domain 1 also expects you to recognize Microsoft Defender threat protection capabilities that protect the Microsoft 365 tenant Copilot runs in. Microsoft Defender XDR (extended detection and response) correlates signals across endpoints, email, identities, and cloud apps so security teams can investigate and respond to attacks that could compromise accounts Copilot uses.

CapabilityWhat it doesWhy AB-900 cares
Microsoft Defender for EndpointDetects and remediates device threatsCompromised devices can exfiltrate data Copilot can surface
Microsoft Defender for Office 365Protects email and collaboration from phishing/malwareCompromised mailboxes feed Copilot context and oversharing risk
Microsoft Defender for IdentityDetects identity-based attacks in on-prem/hybrid directoriesStolen credentials bypass Zero Trust assumptions
Microsoft Defender for Cloud Apps (MDCA)Monitors SaaS app usage and risky sessionsShadow IT and risky OAuth apps expand Copilot data reach
Defender XDR portalUnified incidents, hunting, and automated investigationExam stems often ask which portal investigates cross-workload attacks

On the Exam: If a stem mentions phishing, malware, compromised identity, or correlating alerts across email and endpoints, choose Microsoft Defender / Defender XDR — not Purview (compliance/governance) and not Entra Conditional Access alone (access policy). Zero Trust prevents weak access; Defender detects and responds when threats slip through.

Threat protection vs Purview: Defender answers "is this account or device under attack?" Purview answers "is this content classified, retained, and prevented from leaking?" Copilot governance needs both: Defender protects the identity/device plane; Purview protects the data plane Copilot reads.

Test Your Knowledge

Which Zero Trust principle is best illustrated by assigning Copilot Administrator instead of Global Administrator?

A
B
C
D
Test Your Knowledge

A regulated company wants to prevent Copilot from querying Bing and public web content. Which setting should the admin configure?

A
B
C
D
Test Your Knowledge

Which tool provides forensic logs of Copilot interactions for security investigation?

A
B
C
D
Test Your Knowledge

Requiring MFA and a compliant device before granting access to Microsoft 365 apps exemplifies which Zero Trust principle?

A
B
C
D