This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
--> Add tools to agents
--> Add REST APIs to an agent
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.
Learning Objectives
After completing this section, you should be able to:
- Explain REST APIs.
- Understand how REST API tools work in Copilot Studio.
- Configure REST API tools.
- Configure authentication.
- Build requests.
- Parse responses.
- Use API outputs in conversations.
- Apply Microsoft security best practices.
What is a REST API?
A REST (Representational State Transfer) API is a web service that allows applications to communicate over HTTP using standard operations.
Rather than interacting directly with databases or applications, agents communicate with REST APIs to retrieve or update information.
REST APIs are one of the most common integration mechanisms used in enterprise software.
Examples include:
- CRM systems
- ERP systems
- HR applications
- Inventory systems
- Payment services
- AI services
- Internal business applications
Why Use REST APIs in Copilot Studio?
REST APIs enable agents to interact with virtually any application that exposes HTTP endpoints.
Common use cases include:
- Retrieving customer records
- Creating support tickets
- Updating inventory
- Booking appointments
- Querying AI models
- Processing payments
- Accessing proprietary business systems
Unlike standard connectors, REST APIs allow organizations to integrate with services that do not already have a connector.
REST API Tool Architecture
A typical architecture looks like this:
User↓Copilot Studio Agent↓REST API Tool↓HTTP Request↓REST API Endpoint↓Enterprise Application↓HTTP Response↓Agent Response
The REST API tool acts as the communication layer between the agent and the external service.
REST Principles
REST APIs generally use:
- HTTP
- URLs
- Resources
- Standard HTTP methods
- JSON payloads
Example resource:
https://api.company.com/customers/10025
HTTP Methods
The AB-620 exam expects familiarity with the most common HTTP methods.
GET
Retrieves information.
Example:
GET /customers/10025
Used when reading data.
POST
Creates a new resource.
Example:
POST /orders
Used to create records.
PUT
Replaces an existing resource.
Example:
PUT /customers/10025
Often used for full updates.
PATCH
Updates part of a resource.
Example:
PATCH /customers/10025
Updates only specified fields.
DELETE
Deletes a resource.
Example:
DELETE /orders/501
REST API Requests
A request generally contains:
- Endpoint URL
- HTTP method
- Authentication
- Headers
- Parameters
- Optional request body
Example:
GET https://api.company.com/orders/12345Authorization: Bearer <token>Accept: application/json
Authentication Methods
Authentication is frequently tested on the exam.
Common methods include:
OAuth 2.0
Most common for enterprise applications.
Advantages:
- Secure
- Token-based
- Supports delegated access
Microsoft Entra ID
Used for Microsoft-secured APIs.
Examples:
- Microsoft Graph
- Azure services
- Internal enterprise APIs
API Key
Common for:
- AI services
- Third-party APIs
- Internal APIs
The API key is usually sent in a request header.
Basic Authentication
Supported by some legacy systems.
Generally discouraged for modern enterprise deployments.
Configuring a REST API Tool
Typical steps include:
- Open the agent.
- Navigate to Tools.
- Select Add Tool.
- Choose REST API.
- Provide the endpoint URL.
- Configure authentication.
- Configure operations.
- Save the tool.
The REST API can now be invoked by the agent during conversations.
Endpoint Configuration
The endpoint identifies the resource.
Example:
https://api.contoso.com/orders
Additional path parameters may be used.
Example:
/orders/{OrderID}
Path Parameters
Path parameters identify specific resources.
Example:
/orders/45213
where:
OrderID = 45213
Query Parameters
Query parameters filter results.
Example:
/orders?status=Pending
Multiple query parameters may be combined.
Example:
/products?category=Electronics&warehouse=West
Headers
Headers provide additional information.
Examples include:
- Authorization
- Accept
- Content-Type
- User-Agent
- API version
Example:
Authorization: Bearer tokenContent-Type: application/json
Request Body
POST, PUT, and PATCH operations often include JSON.
Example:
{ "customerID":12345, "priority":"High", "description":"Damaged shipment"}
The request body supplies the data the API needs.
JSON
JSON (JavaScript Object Notation) is the most common REST payload format.
Example response:
{ "OrderID":12345, "Status":"Shipped", "Carrier":"Contoso Logistics", "Tracking":"ABC987654"}
Copilot Studio parses these values into variables that can be used in subsequent conversation steps.
Variables
Inputs can originate from:
- User messages
- Conversation variables
- Previous tool outputs
- Adaptive Card inputs
- AI-extracted entities
Example:
User:
Check order 55421.
Variable:
OrderID = 55421
The REST API request uses this variable as a path or query parameter.
Response Mapping
REST API responses can populate conversation variables.
Example:
{ "Customer":"John Smith", "Status":"Delivered", "DeliveryDate":"2026-10-04"}
The agent can then:
- Respond naturally
- Display an Adaptive Card
- Make branching decisions
- Invoke another tool
- Store values for later use
Security Considerations
REST APIs often expose sensitive enterprise data.
Microsoft recommends:
- Secure authentication
- HTTPS only
- Least privilege
- Avoid exposing secrets
- Validate inputs
- Protect sensitive outputs
Best Practices
Keep APIs Focused
Each endpoint should perform one clear task.
Validate Inputs
Reject invalid values before sending requests.
Use Secure Authentication
Prefer:
- OAuth 2.0
- Microsoft Entra ID
Avoid storing secrets directly in requests whenever possible.
Return Only Required Data
Smaller responses improve:
- Performance
- Security
- Readability
Use Clear Endpoint Names
Good examples:
/customers/orders/inventory
Poor examples:
/process1/action/data
Common Exam Scenarios
You should be able to determine when a REST API tool is the appropriate choice.
Examples include:
- Integrating with a proprietary application that does not have a Power Platform connector.
- Calling an external AI service.
- Accessing an internal business API.
- Invoking a third-party SaaS application that exposes a REST interface.
- Rapidly integrating with an existing HTTP-based service without creating a reusable custom connector.
These scenarios frequently appear in the form of architecture or design questions on the AB-620 exam.
Key Takeaways from the topics covered so far
- REST API tools allow Copilot Studio agents to interact directly with HTTP-based services.
- REST APIs use standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
- Authentication commonly uses OAuth 2.0, Microsoft Entra ID, or API keys.
- Requests consist of endpoints, headers, parameters, and (when appropriate) JSON request bodies.
- JSON responses are parsed into variables that can drive conversation flow and subsequent tool invocations.
- Secure design, proper authentication, and least-privilege access are essential best practices.
Securing REST API Integrations
Security is one of the most heavily tested areas of the AB-620 exam. Microsoft expects AI Agent Builders to understand not only how to connect to an API, but also how to do so securely.
A poorly secured API can expose sensitive business information, customer data, and backend systems.
Authentication Overview
Most enterprise REST APIs require authentication before they process requests.
Common authentication methods include:
- API Keys
- OAuth 2.0
- Microsoft Entra ID (Azure AD)
- Bearer Tokens
- Basic Authentication (legacy)
API Keys
An API Key is a unique secret value issued by an API provider.
Example:
GET https://api.company.com/ordersHeadersx-api-key:A1B2C3D4E5
Advantages
- Easy to configure
- Simple to understand
- Good for internal services
Disadvantages
- Less secure than OAuth
- Keys may expire
- Keys must be protected
OAuth 2.0
OAuth is the preferred authentication method for modern enterprise applications.
Instead of sending usernames and passwords:
- User signs in
- Identity provider authenticates user
- Access token is issued
- API validates token
Benefits
- Strong security
- Supports delegated permissions
- Supports application permissions
- Token expiration
- Token revocation
Microsoft Entra ID Authentication
Many Microsoft services use Microsoft Entra ID.
Examples include:
- Microsoft Graph
- SharePoint
- Outlook
- Teams
- Azure Management APIs
Advantages
- Central identity management
- Conditional Access
- Multi-factor authentication
- Role-based access control
Bearer Tokens
Many REST APIs require an Authorization header.
Example
Authorization:Bearer eyJhbGciOi...
The token proves that the caller has already authenticated.
Basic Authentication
Older systems may still require:
Authorization:Basic Base64(username:password)
This method is generally discouraged for new solutions.
Reasons:
- Lower security
- Password management
- Credential exposure risks
Managing Secrets
Never hard-code:
- Passwords
- API Keys
- Tokens
Instead:
- Store credentials securely
- Use connection references
- Use environment variables
- Use secure authentication providers
Request Headers
Headers provide additional information.
Common headers include:
Authorization
Content-Type
Accept
User-Agent
Example
Content-Type:application/json
This tells the server JSON is being sent.
Query Parameters
Many APIs accept filtering.
Example
GET/customers?city=Seattle
Instead of returning every customer:
The API returns only Seattle customers.
Benefits
- Faster
- Smaller payloads
- Lower cost
Pagination
Large APIs rarely return all records.
Instead they return pages.
Example
GET/orders?page=1
Next request:
page=2
Benefits
- Better performance
- Smaller responses
- Lower memory usage
Rate Limits
Most enterprise APIs limit requests.
Example
1000 requests/hour
If exceeded:
429 Too Many Requests
Best practices
- Retry later
- Respect Retry-After headers
- Reduce unnecessary requests
Handling Errors
REST APIs commonly return status codes.
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 204 | No Content |
| 400 | Bad Request |
| 401 | Unauthorized |
| 403 | Forbidden |
| 404 | Not Found |
| 408 | Timeout |
| 429 | Too Many Requests |
| 500 | Internal Server Error |
Agents should handle these responses gracefully.
Logging API Activity
Developers should monitor:
- Request success
- Failures
- Latency
- Authentication failures
- Timeouts
Useful for:
- Troubleshooting
- Performance tuning
- Compliance
- Auditing
Monitoring API Performance
Key metrics include:
Average response time
Error rate
Success rate
Retry count
Timeout frequency
API availability
Best Practices
Design
- Keep APIs focused.
- Follow REST conventions.
- Use meaningful endpoints.
- Version APIs.
Security
- Prefer OAuth.
- Encrypt traffic using HTTPS.
- Protect secrets.
- Validate input.
- Apply least privilege.
Performance
- Filter results.
- Cache where appropriate.
- Minimize payload size.
- Use pagination.
- Avoid unnecessary API calls.
Reliability
- Handle failures gracefully.
- Retry transient errors.
- Log important events.
- Monitor health.
- Test regularly.
REST APIs vs Custom Connectors
| REST API Tool | Custom Connector |
|---|---|
| Direct API definition | Reusable connector |
| Good for individual APIs | Good for many apps |
| Can require manual configuration | Simpler for repeated use |
| Flexible | More standardized |
| Ideal for rapid integration | Ideal for enterprise reuse |
Exam Tips
Remember these important distinctions:
- REST APIs allow direct integration with external services.
- APIs use HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
- JSON is the primary request and response format.
- Authentication is commonly handled through OAuth 2.0 or Microsoft Entra ID.
- API responses should be validated before use.
- Agents should gracefully handle failures and retries.
- Secure secrets should never be hard-coded.
- Monitoring and logging are essential for production deployments.
- Pagination and filtering improve performance.
- Custom connectors simplify reuse of REST APIs across Power Platform solutions.
Practice Exam Questions
Question 1
A Copilot Studio agent needs to retrieve customer information from an external CRM without modifying any data. Which HTTP method should the REST API use?
A. POST
B. PUT
C. GET
D. PATCH
Answer: C
Explanation: GET retrieves data without changing server resources. POST creates resources, PUT replaces them, and PATCH partially updates them.
Question 2
Which authentication method is generally recommended for enterprise REST API integrations?
A. Basic Authentication
B. OAuth 2.0
C. Anonymous Access
D. Shared Password Files
Answer: B
Explanation: OAuth 2.0 provides secure, token-based authentication with delegated permissions and is preferred for enterprise APIs.
Question 3
A REST API returns HTTP status code 401 Unauthorized. What does this most likely indicate?
A. The requested resource does not exist.
B. The server encountered an internal error.
C. Authentication credentials are missing or invalid.
D. The request exceeded the rate limit.
Answer: C
Explanation: A 401 response indicates that the request lacks valid authentication credentials.
Question 4
Why should API keys never be hard-coded into an agent?
A. They increase API response times.
B. They prevent JSON serialization.
C. They disable HTTPS encryption.
D. They can be exposed and compromise security.
Answer: D
Explanation: Hard-coded secrets are difficult to rotate and may be exposed through source code or logs.
Question 5
An API returns 429 Too Many Requests. What is the most appropriate response by the agent?
A. Continue sending requests immediately.
B. Retry after waiting according to the API’s guidance.
C. Switch to Basic Authentication.
D. Ignore the error.
Answer: B
Explanation: HTTP 429 indicates that the client has exceeded rate limits. The agent should wait and retry appropriately.
Question 6
Which request header typically specifies the authentication token for a REST API?
A. Accept
B. Content-Type
C. Authorization
D. Cache-Control
Answer: C
Explanation: The Authorization header carries bearer tokens or other authentication credentials.
Question 7
Why do many APIs implement pagination?
A. To encrypt responses.
B. To reduce the amount of data returned in a single request.
C. To replace authentication.
D. To prevent HTTPS connections.
Answer: B
Explanation: Pagination improves performance and scalability by limiting the number of records returned per request.
Question 8
Which format is most commonly used for REST API request and response bodies?
A. CSV
B. XML
C. YAML
D. JSON
Answer: D
Explanation: JSON is lightweight, widely supported, and the standard format for modern REST APIs.
Question 9
When integrating a REST API into Copilot Studio, why is validating API responses important?
A. It guarantees that authentication is unnecessary.
B. It eliminates network latency.
C. It ensures returned data is complete and expected before the agent uses it.
D. It automatically encrypts responses.
Answer: C
Explanation: Response validation helps prevent errors and ensures the agent processes reliable, expected data.
Question 10
Why might a development team choose a Power Platform custom connector instead of directly configuring a REST API in every agent?
A. Custom connectors eliminate the need for authentication.
B. Custom connectors can only connect to Microsoft services.
C. Custom connectors replace HTTP methods.
D. Custom connectors provide reusable, centrally managed API definitions across multiple solutions.
Answer: D
Explanation: Custom connectors simplify maintenance, standardize integrations, and enable reuse across multiple apps, flows, and Copilot Studio agents.
Go to the AB-620 Exam Prep Hub main page
