Configure advanced agent responses with API and Send HTTP requests (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure advanced agent responses with API and Send HTTP requests


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most powerful capabilities of Microsoft Copilot Studio is the ability to extend an agent beyond conversational AI. While generative AI enables agents to answer questions from knowledge sources, enterprise agents frequently need to retrieve live information, update business systems, trigger workflows, or communicate with applications that exist outside Microsoft 365.

This is accomplished through APIs (Application Programming Interfaces) and HTTP requests.

For the AB-620 exam, you should understand not only how to configure HTTP requests within Copilot Studio, but also when they should be used, how they are secured, how data flows through requests and responses, and how these capabilities support enterprise-grade AI agents.


Learning Objectives

After studying this topic, you should be able to:

  • Explain why APIs are important in enterprise AI agents.
  • Understand the HTTP communication model.
  • Differentiate HTTP request methods.
  • Configure HTTP requests in Copilot Studio.
  • Pass parameters to external services.
  • Authenticate API requests.
  • Parse API responses.
  • Use returned data within agent conversations.
  • Recognize best practices for secure integrations.

Why Use APIs in Copilot Studio?

Generative AI can answer questions based on available knowledge.

However, business processes usually require interaction with systems that contain live operational data.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Financial systems
  • Ticketing systems
  • Booking systems
  • Custom business applications
  • Third-party SaaS platforms

Rather than simply answering questions, an agent can:

  • Retrieve customer account information
  • Create service tickets
  • Update CRM records
  • Submit purchase requests
  • Check inventory
  • Reserve meeting rooms
  • Retrieve shipping status
  • Submit vacation requests
  • Trigger approval workflows

This transforms the agent from an information assistant into an intelligent business application.


When to Use HTTP Requests

Microsoft Copilot Studio supports several methods of integrating external systems.

These include:

  • Microsoft Power Platform connectors
  • REST APIs
  • Custom connectors
  • Agent tools
  • Microsoft Graph
  • Azure services

HTTP requests are typically used when:

  • No prebuilt connector exists.
  • A custom application exposes a REST API.
  • You need full control over requests.
  • The API supports operations unavailable through existing connectors.
  • You need to communicate directly with enterprise services.

What is an API?

An Application Programming Interface (API) allows one application to communicate with another.

Instead of manually opening software and entering information, software applications exchange data automatically.

Example:

A user asks:

“What is the shipping status of Order 48291?”

Instead of searching documents:

The agent:

  1. Calls the shipping API.
  2. Sends Order ID 48291.
  3. Receives current shipping information.
  4. Formats the response.
  5. Displays it to the user.

The user experiences a natural conversation while the agent communicates with backend systems.


REST APIs

Most modern enterprise systems expose REST APIs.

REST (Representational State Transfer) is an architectural style for web services.

REST APIs typically use:

  • HTTP
  • URLs
  • JSON
  • Standard HTTP methods

Example endpoint:

https://company.com/api/customers/1052

The agent sends an HTTP request.

The service returns JSON.


HTTP Fundamentals

HTTP is the communication protocol used by browsers, websites, cloud services, and APIs.

Every HTTP request contains:

  • URL
  • Method
  • Headers
  • Parameters
  • Body (optional)

The server then returns:

  • Status code
  • Headers
  • Response body

Anatomy of an HTTP Request

Example:

GET https://api.company.com/orders/48291

Headers

Authorization: Bearer token
Accept: application/json

Response

{
"OrderNumber":"48291",
"Status":"Shipped",
"Carrier":"UPS"
}

The agent can extract these values and use them during the conversation.


HTTP Methods

Understanding HTTP methods is important for the AB-620 exam.

GET

Retrieves information.

Example:

Get customer details

No data is modified.

Examples:

  • Get customer profile
  • Get inventory
  • Get weather
  • Get shipping status

Safe operation.


POST

Creates new information.

Examples:

  • Create support ticket
  • Submit expense report
  • Create employee record

Example request:

POST /tickets

Body:

{
"Priority":"High",
"Description":"Printer not working"
}

PUT

Replaces an existing resource.

Example:

Update the complete employee record.

Entire object is replaced.


PATCH

Updates part of a resource.

Example:

Only update:

Customer Phone Number

instead of replacing the entire customer record.

PATCH is generally more efficient than PUT for partial updates.


DELETE

Removes a resource.

Example:

Delete reservation.

Delete temporary record.

Delete shopping cart.

Because DELETE permanently removes data, organizations often restrict access.


URL Components

Understanding URL structure is important.

Example:

https://api.company.com/customers/1052/orders?year=2025

Breakdown:

Protocol

https

Host

api.company.com

Resource

customers

Path Parameter

1052

Subresource

orders

Query Parameter

year=2025

Path Parameters

Path parameters identify a specific resource.

Example

/customers/1052

Customer ID

1052

is embedded within the URL.

Often used for:

  • Employee ID
  • Customer ID
  • Product ID
  • Ticket ID

Query Parameters

Query parameters filter information.

Example

/orders?status=Open

Another example

/products?category=Laptops

Query parameters are optional and do not change the endpoint itself.


HTTP Headers

Headers provide metadata about the request.

Common headers include:

Authorization

Bearer Token

Accept

application/json

Content-Type

application/json

User-Agent

Application identification.

Custom headers

Many enterprise APIs require organization-specific headers.


Request Body

GET requests usually do not include a request body.

POST, PUT, and PATCH commonly include one.

Example

{
"EmployeeID":102,
"Department":"Finance"
}

The body contains the information being submitted.


JSON

Most APIs communicate using JSON.

Example

{
"CustomerID": 1052,
"Name": "John Smith",
"Status": "Gold",
"RewardPoints": 8400
}

The agent can retrieve individual values such as:

  • Name
  • Status
  • RewardPoints

and include them in responses.


Authentication

Most enterprise APIs require authentication.

Without authentication:

The request is rejected.

Authentication verifies:

  • Who is calling
  • Whether permission exists
  • Which resources are accessible

Common Authentication Methods

API Keys

Simple authentication method.

Example

x-api-key:

Advantages:

  • Easy

Disadvantages:

  • Less secure
  • Key management required

OAuth 2.0

Most Microsoft services use OAuth.

Workflow:

User authenticates.

Identity provider issues access token.

Agent sends Bearer token.

API validates token.

Request proceeds.

OAuth supports:

  • Delegated permissions
  • Application permissions
  • Token expiration
  • Refresh tokens

It is considered the enterprise standard.


Microsoft Entra ID

Many enterprise APIs authenticate through Microsoft Entra ID.

Benefits include:

  • Centralized identity
  • Role-based access
  • Conditional Access
  • Multifactor Authentication
  • Secure token management

This is the preferred authentication mechanism for Microsoft enterprise environments.


Configuring HTTP Requests in Copilot Studio

Within Copilot Studio, HTTP requests can be configured as actions or tools that execute during conversations.

A typical configuration includes:

  1. Define the endpoint URL.
  2. Select the HTTP method.
  3. Configure authentication.
  4. Add headers.
  5. Add parameters.
  6. Configure the request body if needed.
  7. Send the request.
  8. Capture the response.
  9. Store returned values in variables.
  10. Continue the conversation using the returned data.

Passing Dynamic Values

Most APIs require information supplied by the user.

Example:

User says:

“Check order 84592.”

The conversation stores:

OrderID = 84592

The HTTP request inserts that variable into:

https://api.company.com/orders/84592

instead of using a hardcoded value.

Dynamic parameters make APIs reusable across conversations.


Using Responses in Conversations

After receiving JSON, Copilot Studio can:

  • Store values
  • Display values
  • Evaluate conditions
  • Pass values into other actions
  • Use values inside prompts
  • Populate Adaptive Cards
  • Trigger additional API calls

Example:

API returns:

{
"Status":"Delivered",
"Carrier":"FedEx",
"Date":"2026-06-14"
}

The agent responds:

“Your package was delivered on June 14 by FedEx.”

The user never sees the underlying API call.


Best Practices

When designing HTTP integrations:

  • Prefer HTTPS over HTTP.
  • Never hard-code secrets.
  • Use secure authentication mechanisms.
  • Validate user input before sending requests.
  • Minimize the amount of sensitive data transmitted.
  • Return only information required by the conversation.
  • Reuse existing connectors when appropriate instead of creating unnecessary custom integrations.
  • Document API endpoints and expected responses.
  • Test APIs independently before integrating them into an agent.
  • Design requests to be idempotent where appropriate, particularly for update operations.

Exam Tips

For the AB-620 exam, remember the following:

  • REST APIs are the primary mechanism for integrating enterprise systems.
  • HTTP requests enable agents to retrieve live data and perform actions.
  • GET retrieves data, POST creates data, PUT replaces data, PATCH partially updates data, and DELETE removes data.
  • Authentication is typically performed using OAuth 2.0 or Microsoft Entra ID in enterprise environments.
  • JSON is the most common format for request and response payloads.
  • Dynamic variables collected during conversations are frequently inserted into URLs, query parameters, headers, or request bodies.
  • Agent responses are generated by parsing API responses and presenting the returned data in a conversational format.
  • Security, authentication, and proper handling of API responses are core skills emphasized throughout the AB-620 exam.

Quick Orientation Summary

In the topics above, you learned the fundamentals of using APIs and HTTP requests in Microsoft Copilot Studio, including REST principles, HTTP methods, authentication, request construction, and response handling.

In the next set of topics below, we will build upon that foundation by exploring advanced implementation techniques, enterprise design patterns, security considerations, performance optimization, and common exam scenarios.


Advanced HTTP Integration Patterns

Enterprise AI agents rarely execute a single API call. Instead, they often perform multiple requests, make decisions based on returned data, and coordinate actions across several systems.

Common integration patterns include:

  • Sequential API requests
  • Conditional API execution
  • Parallel data retrieval
  • Data enrichment
  • Multi-system orchestration
  • Event-driven integrations

These patterns allow an agent to perform sophisticated business processes while maintaining a natural conversational experience.


Sequential API Calls

Sometimes one API request provides information needed by another request.

Example:

User asks:

“Show me all orders for customer John Smith.”

Workflow:

  1. Search Customers API
  2. Retrieve Customer ID
  3. Pass Customer ID to Orders API
  4. Retrieve order list
  5. Present results

Example flow:

User Question
Search Customer API
Customer ID Returned
Retrieve Orders API
Return Orders

This pattern is common in CRM and ERP integrations.


Conditional API Execution

An agent may determine whether another API call is necessary.

Example:

Get Order Status
Delivered?
/ \
Yes No
↓ ↓
End Call Shipping API

Conditional execution reduces unnecessary API calls while improving performance.


Data Enrichment

Multiple systems often contain complementary information.

Example:

CRM:

  • Customer name
  • Email

ERP:

  • Orders

Shipping system:

  • Tracking

The agent combines all three into one response.

Example:

Customer: John Smith
Gold Member
Last Order: June 10
Tracking Number: 874623

The user experiences a single conversation despite multiple backend requests.


Working with JSON Responses

Most enterprise APIs return JSON.

Example:

{
"customer": {
"id": 125,
"name": "John Smith",
"status": "Gold",
"orders": [
{
"number": 4521,
"total": 275
},
{
"number": 4528,
"total": 118
}
]
}
}

The agent may extract:

  • customer.name
  • customer.status
  • orders[0].number
  • orders[1].total

Understanding nested JSON structures is valuable for the exam.


Mapping JSON to Variables

Returned values are commonly stored as variables.

Example:

CustomerName
John Smith
MembershipStatus
Gold
RewardPoints
12450

These variables can later be referenced in prompts, Adaptive Cards, conditions, or additional HTTP requests.


Chaining Multiple Requests

Many business processes require several connected API operations.

Example:

Vacation request:

Employee submits request
Retrieve manager
Check leave balance
Create approval
Notify manager
Update HR system

Each step may involve a separate HTTP request.


Long-Running Operations

Some APIs require time to complete.

Examples include:

  • AI document analysis
  • Video processing
  • Image generation
  • Data exports
  • Large database operations

Typical workflow:

Submit Job
Receive Job ID
Check Status API
Completed?
Retrieve Results

This polling pattern is common in cloud services.


HTTP Status Codes

Understanding status codes is essential.

200 OK

The request completed successfully.


201 Created

A new resource was successfully created.

Example:

Create support ticket.


202 Accepted

The request has been accepted but processing continues.

Often used for asynchronous operations.


204 No Content

The operation succeeded without returning data.

Common with DELETE requests.


400 Bad Request

The request is invalid.

Possible causes:

  • Missing fields
  • Invalid parameters
  • Incorrect formatting

401 Unauthorized

Authentication failed.

Usually indicates:

  • Invalid token
  • Expired token
  • Missing credentials

403 Forbidden

Authentication succeeded.

Permission is denied.

Example:

User lacks required role.


404 Not Found

Requested resource does not exist.


429 Too Many Requests

Rate limit exceeded.

Clients should wait before retrying.


500 Internal Server Error

Unexpected server failure.

Retry may succeed later.


Error Handling Strategies

Good enterprise agents never expose raw API errors directly to users.

Poor response:

Error 500.

Better response:

“The customer database is temporarily unavailable. Please try again in a few minutes.”

The technical details should be logged while presenting a friendly message.


Retry Logic

Temporary failures should not always terminate a conversation.

Good candidates for retries:

  • Network timeout
  • Temporary server outage
  • HTTP 429
  • HTTP 503

Poor candidates:

  • Invalid credentials
  • Missing permissions
  • Incorrect request format

Retry strategies typically use exponential backoff to reduce server load.


Timeouts

Every HTTP request should define an appropriate timeout.

Without one:

  • Conversations may hang.
  • User experience suffers.
  • Resources remain occupied.

Enterprise solutions balance responsiveness with backend processing time.


Logging

Successful enterprise solutions record important execution details.

Typical information includes:

  • Timestamp
  • Endpoint
  • Status code
  • Duration
  • User ID (when appropriate)
  • Correlation ID
  • Request outcome

Sensitive information such as passwords or tokens should never be logged.


Security Best Practices

For the AB-620 exam, security is heavily emphasized.

Recommended practices include:

  • Always use HTTPS.
  • Store secrets securely.
  • Use OAuth or Microsoft Entra ID whenever possible.
  • Implement least-privilege access.
  • Validate all user input.
  • Sanitize request data.
  • Encrypt sensitive information.
  • Rotate credentials regularly.
  • Monitor API usage.
  • Audit access to critical resources.

Protecting Sensitive Information

Avoid exposing:

  • Passwords
  • Tokens
  • API keys
  • Internal URLs
  • Database identifiers
  • Personally identifiable information (PII)

Agents should display only the information users are authorized to see.


Rate Limiting

External APIs often restrict request volume.

Example:

500 requests/hour

If exceeded:

HTTP 429

Design strategies include:

  • Request batching
  • Caching
  • Retry delays
  • Limiting unnecessary calls

Performance Optimization

Well-designed agents minimize latency.

Optimization techniques include:

  • Reuse previously retrieved information.
  • Avoid duplicate API calls.
  • Cache frequently requested data.
  • Request only required fields.
  • Combine related operations when supported.
  • Minimize payload sizes.
  • Execute independent requests in parallel where appropriate.

Choosing Between Connectors and HTTP Requests

In Copilot Studio, both connectors and HTTP requests provide integration capabilities.

Use Connectors WhenUse HTTP Requests When
Microsoft provides a supported connectorNo connector exists
Standard authentication is sufficientFull control over requests is required
Low-code development is preferredCustom APIs must be accessed
Minimal maintenance is desiredSpecialized API features are needed
Enterprise governance favors managed connectorsAdvanced REST functionality is required

The exam may ask you to choose the most appropriate integration method.


Common Enterprise Scenarios

Customer Support

  • Retrieve account
  • Create ticket
  • Update ticket
  • Escalate issue

Sales

  • Search CRM
  • Retrieve opportunities
  • Update customer records
  • Generate quotes

Human Resources

  • Vacation requests
  • Employee lookup
  • Benefits information
  • Payroll inquiries

Finance

  • Expense submission
  • Invoice lookup
  • Budget approval
  • Payment status

IT Help Desk

  • Password reset
  • Device lookup
  • Software requests
  • Incident management

Common Exam Pitfalls

Watch for these common mistakes:

  • Using POST when GET is appropriate.
  • Sending sensitive information in URLs instead of secure request bodies or headers.
  • Hard-coding API keys.
  • Ignoring authentication requirements.
  • Assuming every successful request returns HTTP 200 (201, 202, and 204 are also successful responses).
  • Failing to validate user input before making API calls.
  • Displaying raw server errors to users.
  • Using HTTP requests when an existing connector is the better choice.
  • Not accounting for rate limits or transient failures.
  • Returning more data than necessary, increasing security and performance risks.

AB-620 Exam Tips

Remember these key points:

  • APIs enable agents to interact with live enterprise systems.
  • REST and JSON are the dominant standards for enterprise integrations.
  • OAuth 2.0 and Microsoft Entra ID are preferred authentication methods.
  • Understand the purpose of each HTTP method.
  • Differentiate client errors (4xx) from server errors (5xx).
  • Design secure, maintainable, and reusable integrations.
  • Handle failures gracefully with retries where appropriate.
  • Protect sensitive information throughout the integration process.
  • Choose connectors when possible and HTTP requests when customization is required.

Topic Summary

An enterprise Copilot Studio agent becomes significantly more powerful when it can communicate with external systems through APIs and HTTP requests. By combining conversational AI with secure integrations, organizations can automate business processes, retrieve live operational data, and perform transactions across enterprise applications.

For the AB-620 exam, focus on understanding the complete lifecycle of an HTTP request, authentication mechanisms, JSON handling, response processing, error handling, and secure integration design. These concepts are foundational to designing enterprise-grade AI agent solutions.


Practice Exam Questions

Question 1

A Copilot Studio agent must retrieve a customer’s current loyalty points without modifying any data. Which HTTP method should be used?

A. POST

B. GET

C. PATCH

D. DELETE

Answer: B

Explanation: GET is used to retrieve information without modifying server-side resources.


Question 2

An API returns HTTP status code 401 Unauthorized. What is the most likely cause?

A. The requested resource does not exist.

B. The request exceeded the rate limit.

C. Authentication credentials are missing or invalid.

D. The request completed successfully.

Answer: C

Explanation: A 401 status indicates that authentication failed because valid credentials were not provided or have expired.


Question 3

A developer needs to update only a customer’s phone number. Which HTTP method is most appropriate?

A. PUT

B. POST

C. PATCH

D. GET

Answer: C

Explanation: PATCH performs partial updates, making it ideal for modifying a single property without replacing the entire resource.


Question 4

Which authentication mechanism is recommended for securing enterprise APIs integrated with Microsoft Copilot Studio?

A. Anonymous authentication

B. Basic authentication using hardcoded credentials

C. OAuth 2.0 with Microsoft Entra ID

D. Query string authentication

Answer: C

Explanation: OAuth 2.0 integrated with Microsoft Entra ID provides secure, token-based authentication and centralized identity management.


Question 5

An agent receives the following response:

{
"Status":"Approved",
"Manager":"Karen Lee"
}

What should the agent do next?

A. Ignore the response.

B. Store the values in variables for use later in the conversation.

C. Convert the response into XML.

D. Retry the request immediately.

Answer: B

Explanation: JSON values are typically parsed and stored in variables for use in responses, conditions, or subsequent actions.


Question 6

A REST API limits clients to 1,000 requests per hour. Which design strategy best helps avoid exceeding this limit?

A. Retry every request immediately.

B. Disable authentication.

C. Cache frequently requested data and avoid unnecessary calls.

D. Send duplicate requests for verification.

Answer: C

Explanation: Caching and reducing redundant API calls are common strategies for working within rate limits.


Question 7

A company already has a fully supported Microsoft Power Platform connector for its CRM system. Which integration approach should generally be chosen?

A. Build every interaction using raw HTTP requests.

B. Use the existing connector unless custom functionality requires direct API access.

C. Export CRM data to spreadsheets.

D. Replace the CRM with a custom application.

Answer: B

Explanation: Managed connectors simplify development, maintenance, authentication, and governance, making them the preferred option when available.


Question 8

Which status code indicates that a new resource has been successfully created?

A. 200

B. 201

C. 404

D. 500

Answer: B

Explanation: HTTP 201 Created indicates that a new resource was successfully created by the server.


Question 9

What is the primary benefit of chaining multiple API requests within an agent flow?

A. It reduces authentication requirements.

B. It eliminates the need for variables.

C. It enables complex business processes that span multiple systems.

D. It guarantees faster execution than a single request.

Answer: C

Explanation: Chained API calls allow agents to orchestrate multi-step workflows involving several enterprise applications.


Question 10

Why should an agent avoid displaying raw HTTP error messages directly to users?

A. HTTP errors are never useful.

B. Raw errors may expose technical details and create a poor user experience.

C. HTTP errors always indicate a network problem.

D. Users cannot understand status codes.

Answer: B

Explanation: Enterprise agents should present friendly, actionable messages while logging technical details internally to maintain security and usability.


Go to the AB-620 Exam Prep Hub main page