Zero Trust and Security Basics
Key Takeaways
- Zero Trust principles: verify explicitly, use least-privilege access, and assume breach.
- M365 implements Zero Trust through Entra Conditional Access, MFA, PIM, Intune device compliance, and Purview data protection.
- Copilot amplifies permission mistakes — Zero Trust controls must be in place before AI rollout.
- Service Health monitors availability; Purview Audit logs activity; Identity Secure Score recommends identity improvements.
- Least privilege applies to both SharePoint permission levels and admin roles like Copilot Administrator vs Global Administrator.
- Microsoft Defender XDR correlates endpoint, email, identity, and cloud-app signals for threat detection — distinct from Purview data governance.
Quick Answer: Zero Trust means "never trust, always verify." Microsoft's model has three principles: verify explicitly, use least-privilege access, and assume breach. In Microsoft 365, Zero Trust is implemented through Entra ID, Conditional Access, MFA, device compliance, encryption, and continuous monitoring.
AB-900 places Zero Trust in Domain 1 because Copilot amplifies the impact of weak identity and overshared data. A Zero Trust foundation ensures that every Copilot query runs in the context of a verified user, compliant device, and least-privilege permissions.
The Three Zero Trust Principles
| Principle | Meaning | M365 Implementation |
|---|---|---|
| Verify explicitly | Always authenticate and authorize based on all available data points | MFA, Conditional Access, device compliance checks, risk-based policies |
| Use least privilege access | Limit user access with JIT and JEA (just-enough-access) | PIM, role-based admin roles (Copilot Administrator vs Global Admin), SharePoint permission levels |
| Assume breach | Minimize blast radius and segment access; analyze telemetry | Microsoft Defender, Purview audit, Insider Risk Management, encryption |
On the Exam: Match the principle to the control. "Require MFA and compliant devices for admin portal access" is verify explicitly. "Assign Copilot Administrator instead of Global Admin" is least privilege. "Enable audit logging and Insider Risk alerts" supports assume breach.
Zero Trust Pillars in Microsoft 365
Microsoft maps Zero Trust across six technology pillars. AB-900 emphasizes these four:
1. Identity (Entra ID)
- MFA and passwordless authentication
- Conditional Access policies
- PIM for privileged roles
- Identity Secure Score monitoring
2. Devices (Microsoft Intune)
- Device compliance policies (patch level, encryption, jailbreak detection)
- Conditional Access requiring compliant devices
- Mobile Application Management (MAM) for BYOD scenarios
3. Applications
- App consent policies in Entra ID
- Teams app permission policies
- Integrated apps governance in M365 admin center for Copilot plugins
4. Data
- Sensitivity labels and encryption (Purview Information Protection)
- DLP policies preventing exfiltration
- SharePoint sharing restrictions
- Data residency controls for regulated industries
Zero Trust and Copilot: Why It Matters
Copilot introduces a new data access pattern: AI retrieves and synthesizes content across mailboxes, files, chats, and meetings in seconds. Without Zero Trust:
- A compromised account with broad SharePoint access could extract sensitive content through Copilot chat.
- An admin with standing Global Admin could change Copilot settings without MFA or approval.
- A non-compliant personal device could sign in and access Copilot with org data.
Zero Trust controls shrink the attack surface:
| Risk | Zero Trust Control |
|---|---|
| Stolen password | MFA + Conditional Access |
| Compromised admin account | PIM + separate Copilot Administrator role |
| Unmanaged device access | Device compliance requirement in Conditional Access |
| Overshared data in Copilot responses | SharePoint sharing policies + Purview access governance |
| Unmonitored AI activity | Purview audit and DSPM for AI |
Security Basics Beyond Zero Trust
AB-900 also tests foundational M365 security concepts:
| Concept | Description |
|---|---|
| Defense in depth | Layer multiple controls (identity, device, data, network) so one failure does not expose everything |
| Encryption | Data encrypted at rest and in transit; sensitivity labels can add rights-managed encryption |
| Audit logging | Microsoft Purview Audit records user and admin activity including Copilot interactions |
| Data residency | Geographic location where tenant data is stored at rest; Copilot processing stays within tenant boundary |
| Customer Lockbox | Requires admin approval before Microsoft support accesses tenant content |
| Service Trust Portal | Microsoft's compliance documentation (SOC, ISO, HIPAA BAA availability) |
Service Health vs Security Monitoring
| Tool | Purpose |
|---|---|
| Service Health dashboard (M365 admin center) | Monitors Exchange, SharePoint, Teams, Copilot availability and incidents |
| Microsoft Purview Audit | Forensic log of who did what including Copilot activity |
| Microsoft Defender | Threat detection and response across identities, endpoints, email |
| Identity Secure Score | Identity posture recommendations |
Common Trap: Service Health tells you Copilot is down; it does not tell you who used Copilot or what data was accessed. Usage analytics come from the Copilot Usage Report; forensic investigation uses Purview Audit.
Least Privilege in Practice
Zero Trust least privilege applies to both user data access and admin roles:
User data access:
- SharePoint Visitors (read-only) vs Members (edit) vs Owners (full control)
- Private Teams channels limit membership
- Disable "Anyone" sharing links at the tenant level
Admin role access:
- Copilot Administrator for Copilot settings (not Global Admin)
- Compliance Administrator for Purview policies
- PIM eligible assignments for Exchange/SharePoint/Global Admin
- Separate accounts for admin tasks (no daily browsing as Global Admin)
Worked Scenario: Zero Trust Before Copilot Rollout
A healthcare organization plans to deploy Copilot but must protect PHI (protected health information):
- Verify explicitly — Conditional Access requires MFA and compliant devices for all M365 app access including Copilot.
- Least privilege — Assign Copilot only to users who need it; use sensitivity labels on PHI documents.
- Assume breach — Enable Purview Audit (premium if extended retention needed), Insider Risk Management, and DSPM for AI.
- Data pillar — Disable web grounding in Copilot org settings to prevent public web supplementation.
- Sharing — Restrict SharePoint external sharing; run access governance reports before go-live.
- Monitor — Review Copilot Usage Report and Identity Secure Score monthly.
Each step maps to a Zero Trust principle and a specific admin tool AB-900 tests.
Zero Trust Maturity: What AB-900 Expects
AB-900 is a fundamentals exam. You need to:
- Name the three Zero Trust principles and match controls to each.
- Identify which Entra/Purview/M365 feature implements a described security goal.
- Recognize that Copilot inherits existing permissions — Zero Trust must be in place before rollout.
- Distinguish monitoring tools (Service Health, Secure Score, Copilot Usage Report, Purview Audit) by purpose.
You do not need to architect a full Zero Trust migration, but you must recommend the right first control for a given scenario.
Microsoft Defender XDR and Threat Protection
AB-900 Domain 1 also expects you to recognize Microsoft Defender threat protection capabilities that protect the Microsoft 365 tenant Copilot runs in. Microsoft Defender XDR (extended detection and response) correlates signals across endpoints, email, identities, and cloud apps so security teams can investigate and respond to attacks that could compromise accounts Copilot uses.
| Capability | What it does | Why AB-900 cares |
|---|---|---|
| Microsoft Defender for Endpoint | Detects and remediates device threats | Compromised devices can exfiltrate data Copilot can surface |
| Microsoft Defender for Office 365 | Protects email and collaboration from phishing/malware | Compromised mailboxes feed Copilot context and oversharing risk |
| Microsoft Defender for Identity | Detects identity-based attacks in on-prem/hybrid directories | Stolen credentials bypass Zero Trust assumptions |
| Microsoft Defender for Cloud Apps (MDCA) | Monitors SaaS app usage and risky sessions | Shadow IT and risky OAuth apps expand Copilot data reach |
| Defender XDR portal | Unified incidents, hunting, and automated investigation | Exam stems often ask which portal investigates cross-workload attacks |
On the Exam: If a stem mentions phishing, malware, compromised identity, or correlating alerts across email and endpoints, choose Microsoft Defender / Defender XDR — not Purview (compliance/governance) and not Entra Conditional Access alone (access policy). Zero Trust prevents weak access; Defender detects and responds when threats slip through.
Threat protection vs Purview: Defender answers "is this account or device under attack?" Purview answers "is this content classified, retained, and prevented from leaking?" Copilot governance needs both: Defender protects the identity/device plane; Purview protects the data plane Copilot reads.
Which Zero Trust principle is best illustrated by assigning Copilot Administrator instead of Global Administrator?
A regulated company wants to prevent Copilot from querying Bing and public web content. Which setting should the admin configure?
Which tool provides forensic logs of Copilot interactions for security investigation?
Requiring MFA and a compliant device before granting access to Microsoft 365 apps exemplifies which Zero Trust principle?