This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
--> Configure topics
--> Configure advanced agent responses with API and Send HTTP requests
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.
Introduction
One of the most powerful capabilities of Microsoft Copilot Studio is the ability to extend an agent beyond conversational AI. While generative AI enables agents to answer questions from knowledge sources, enterprise agents frequently need to retrieve live information, update business systems, trigger workflows, or communicate with applications that exist outside Microsoft 365.
This is accomplished through APIs (Application Programming Interfaces) and HTTP requests.
For the AB-620 exam, you should understand not only how to configure HTTP requests within Copilot Studio, but also when they should be used, how they are secured, how data flows through requests and responses, and how these capabilities support enterprise-grade AI agents.
Learning Objectives
After studying this topic, you should be able to:
- Explain why APIs are important in enterprise AI agents.
- Understand the HTTP communication model.
- Differentiate HTTP request methods.
- Configure HTTP requests in Copilot Studio.
- Pass parameters to external services.
- Authenticate API requests.
- Parse API responses.
- Use returned data within agent conversations.
- Recognize best practices for secure integrations.
Why Use APIs in Copilot Studio?
Generative AI can answer questions based on available knowledge.
However, business processes usually require interaction with systems that contain live operational data.
Examples include:
- CRM systems
- ERP systems
- HR applications
- Inventory systems
- Financial systems
- Ticketing systems
- Booking systems
- Custom business applications
- Third-party SaaS platforms
Rather than simply answering questions, an agent can:
- Retrieve customer account information
- Create service tickets
- Update CRM records
- Submit purchase requests
- Check inventory
- Reserve meeting rooms
- Retrieve shipping status
- Submit vacation requests
- Trigger approval workflows
This transforms the agent from an information assistant into an intelligent business application.
When to Use HTTP Requests
Microsoft Copilot Studio supports several methods of integrating external systems.
These include:
- Microsoft Power Platform connectors
- REST APIs
- Custom connectors
- Agent tools
- Microsoft Graph
- Azure services
HTTP requests are typically used when:
- No prebuilt connector exists.
- A custom application exposes a REST API.
- You need full control over requests.
- The API supports operations unavailable through existing connectors.
- You need to communicate directly with enterprise services.
What is an API?
An Application Programming Interface (API) allows one application to communicate with another.
Instead of manually opening software and entering information, software applications exchange data automatically.
Example:
A user asks:
“What is the shipping status of Order 48291?”
Instead of searching documents:
The agent:
- Calls the shipping API.
- Sends Order ID 48291.
- Receives current shipping information.
- Formats the response.
- Displays it to the user.
The user experiences a natural conversation while the agent communicates with backend systems.
REST APIs
Most modern enterprise systems expose REST APIs.
REST (Representational State Transfer) is an architectural style for web services.
REST APIs typically use:
- HTTP
- URLs
- JSON
- Standard HTTP methods
Example endpoint:
https://company.com/api/customers/1052
The agent sends an HTTP request.
The service returns JSON.
HTTP Fundamentals
HTTP is the communication protocol used by browsers, websites, cloud services, and APIs.
Every HTTP request contains:
- URL
- Method
- Headers
- Parameters
- Body (optional)
The server then returns:
- Status code
- Headers
- Response body
Anatomy of an HTTP Request
Example:
GET https://api.company.com/orders/48291
Headers
Authorization: Bearer tokenAccept: application/json
Response
{ "OrderNumber":"48291", "Status":"Shipped", "Carrier":"UPS"}
The agent can extract these values and use them during the conversation.
HTTP Methods
Understanding HTTP methods is important for the AB-620 exam.
GET
Retrieves information.
Example:
Get customer details
No data is modified.
Examples:
- Get customer profile
- Get inventory
- Get weather
- Get shipping status
Safe operation.
POST
Creates new information.
Examples:
- Create support ticket
- Submit expense report
- Create employee record
Example request:
POST /tickets
Body:
{ "Priority":"High", "Description":"Printer not working"}
PUT
Replaces an existing resource.
Example:
Update the complete employee record.
Entire object is replaced.
PATCH
Updates part of a resource.
Example:
Only update:
Customer Phone Number
instead of replacing the entire customer record.
PATCH is generally more efficient than PUT for partial updates.
DELETE
Removes a resource.
Example:
Delete reservation.
Delete temporary record.
Delete shopping cart.
Because DELETE permanently removes data, organizations often restrict access.
URL Components
Understanding URL structure is important.
Example:
https://api.company.com/customers/1052/orders?year=2025
Breakdown:
Protocol
https
Host
api.company.com
Resource
customers
Path Parameter
1052
Subresource
orders
Query Parameter
year=2025
Path Parameters
Path parameters identify a specific resource.
Example
/customers/1052
Customer ID
1052
is embedded within the URL.
Often used for:
- Employee ID
- Customer ID
- Product ID
- Ticket ID
Query Parameters
Query parameters filter information.
Example
/orders?status=Open
Another example
/products?category=Laptops
Query parameters are optional and do not change the endpoint itself.
HTTP Headers
Headers provide metadata about the request.
Common headers include:
Authorization
Bearer Token
Accept
application/json
Content-Type
application/json
User-Agent
Application identification.
Custom headers
Many enterprise APIs require organization-specific headers.
Request Body
GET requests usually do not include a request body.
POST, PUT, and PATCH commonly include one.
Example
{ "EmployeeID":102, "Department":"Finance"}
The body contains the information being submitted.
JSON
Most APIs communicate using JSON.
Example
{ "CustomerID": 1052, "Name": "John Smith", "Status": "Gold", "RewardPoints": 8400}
The agent can retrieve individual values such as:
- Name
- Status
- RewardPoints
and include them in responses.
Authentication
Most enterprise APIs require authentication.
Without authentication:
The request is rejected.
Authentication verifies:
- Who is calling
- Whether permission exists
- Which resources are accessible
Common Authentication Methods
API Keys
Simple authentication method.
Example
x-api-key:
Advantages:
- Easy
Disadvantages:
- Less secure
- Key management required
OAuth 2.0
Most Microsoft services use OAuth.
Workflow:
User authenticates.
↓
Identity provider issues access token.
↓
Agent sends Bearer token.
↓
API validates token.
↓
Request proceeds.
OAuth supports:
- Delegated permissions
- Application permissions
- Token expiration
- Refresh tokens
It is considered the enterprise standard.
Microsoft Entra ID
Many enterprise APIs authenticate through Microsoft Entra ID.
Benefits include:
- Centralized identity
- Role-based access
- Conditional Access
- Multifactor Authentication
- Secure token management
This is the preferred authentication mechanism for Microsoft enterprise environments.
Configuring HTTP Requests in Copilot Studio
Within Copilot Studio, HTTP requests can be configured as actions or tools that execute during conversations.
A typical configuration includes:
- Define the endpoint URL.
- Select the HTTP method.
- Configure authentication.
- Add headers.
- Add parameters.
- Configure the request body if needed.
- Send the request.
- Capture the response.
- Store returned values in variables.
- Continue the conversation using the returned data.
Passing Dynamic Values
Most APIs require information supplied by the user.
Example:
User says:
“Check order 84592.”
The conversation stores:
OrderID = 84592
The HTTP request inserts that variable into:
https://api.company.com/orders/84592
instead of using a hardcoded value.
Dynamic parameters make APIs reusable across conversations.
Using Responses in Conversations
After receiving JSON, Copilot Studio can:
- Store values
- Display values
- Evaluate conditions
- Pass values into other actions
- Use values inside prompts
- Populate Adaptive Cards
- Trigger additional API calls
Example:
API returns:
{ "Status":"Delivered", "Carrier":"FedEx", "Date":"2026-06-14"}
The agent responds:
“Your package was delivered on June 14 by FedEx.”
The user never sees the underlying API call.
Best Practices
When designing HTTP integrations:
- Prefer HTTPS over HTTP.
- Never hard-code secrets.
- Use secure authentication mechanisms.
- Validate user input before sending requests.
- Minimize the amount of sensitive data transmitted.
- Return only information required by the conversation.
- Reuse existing connectors when appropriate instead of creating unnecessary custom integrations.
- Document API endpoints and expected responses.
- Test APIs independently before integrating them into an agent.
- Design requests to be idempotent where appropriate, particularly for update operations.
Exam Tips
For the AB-620 exam, remember the following:
- REST APIs are the primary mechanism for integrating enterprise systems.
- HTTP requests enable agents to retrieve live data and perform actions.
- GET retrieves data, POST creates data, PUT replaces data, PATCH partially updates data, and DELETE removes data.
- Authentication is typically performed using OAuth 2.0 or Microsoft Entra ID in enterprise environments.
- JSON is the most common format for request and response payloads.
- Dynamic variables collected during conversations are frequently inserted into URLs, query parameters, headers, or request bodies.
- Agent responses are generated by parsing API responses and presenting the returned data in a conversational format.
- Security, authentication, and proper handling of API responses are core skills emphasized throughout the AB-620 exam.
Quick Orientation Summary
In the topics above, you learned the fundamentals of using APIs and HTTP requests in Microsoft Copilot Studio, including REST principles, HTTP methods, authentication, request construction, and response handling.
In the next set of topics below, we will build upon that foundation by exploring advanced implementation techniques, enterprise design patterns, security considerations, performance optimization, and common exam scenarios.
Advanced HTTP Integration Patterns
Enterprise AI agents rarely execute a single API call. Instead, they often perform multiple requests, make decisions based on returned data, and coordinate actions across several systems.
Common integration patterns include:
- Sequential API requests
- Conditional API execution
- Parallel data retrieval
- Data enrichment
- Multi-system orchestration
- Event-driven integrations
These patterns allow an agent to perform sophisticated business processes while maintaining a natural conversational experience.
Sequential API Calls
Sometimes one API request provides information needed by another request.
Example:
User asks:
“Show me all orders for customer John Smith.”
Workflow:
- Search Customers API
- Retrieve Customer ID
- Pass Customer ID to Orders API
- Retrieve order list
- Present results
Example flow:
User Question ↓Search Customer API ↓Customer ID Returned ↓Retrieve Orders API ↓Return Orders
This pattern is common in CRM and ERP integrations.
Conditional API Execution
An agent may determine whether another API call is necessary.
Example:
Get Order Status ↓Delivered? / \ Yes No ↓ ↓End Call Shipping API
Conditional execution reduces unnecessary API calls while improving performance.
Data Enrichment
Multiple systems often contain complementary information.
Example:
CRM:
- Customer name
ERP:
- Orders
Shipping system:
- Tracking
The agent combines all three into one response.
Example:
Customer: John Smith
Gold Member
Last Order: June 10
Tracking Number: 874623
The user experiences a single conversation despite multiple backend requests.
Working with JSON Responses
Most enterprise APIs return JSON.
Example:
{ "customer": { "id": 125, "name": "John Smith", "status": "Gold", "orders": [ { "number": 4521, "total": 275 }, { "number": 4528, "total": 118 } ]}}
The agent may extract:
- customer.name
- customer.status
- orders[0].number
- orders[1].total
Understanding nested JSON structures is valuable for the exam.
Mapping JSON to Variables
Returned values are commonly stored as variables.
Example:
CustomerName↓John Smith
MembershipStatus↓Gold
RewardPoints↓12450
These variables can later be referenced in prompts, Adaptive Cards, conditions, or additional HTTP requests.
Chaining Multiple Requests
Many business processes require several connected API operations.
Example:
Vacation request:
Employee submits request ↓Retrieve manager ↓Check leave balance ↓Create approval ↓Notify manager ↓Update HR system
Each step may involve a separate HTTP request.
Long-Running Operations
Some APIs require time to complete.
Examples include:
- AI document analysis
- Video processing
- Image generation
- Data exports
- Large database operations
Typical workflow:
Submit Job↓Receive Job ID↓Check Status API↓Completed?↓Retrieve Results
This polling pattern is common in cloud services.
HTTP Status Codes
Understanding status codes is essential.
200 OK
The request completed successfully.
201 Created
A new resource was successfully created.
Example:
Create support ticket.
202 Accepted
The request has been accepted but processing continues.
Often used for asynchronous operations.
204 No Content
The operation succeeded without returning data.
Common with DELETE requests.
400 Bad Request
The request is invalid.
Possible causes:
- Missing fields
- Invalid parameters
- Incorrect formatting
401 Unauthorized
Authentication failed.
Usually indicates:
- Invalid token
- Expired token
- Missing credentials
403 Forbidden
Authentication succeeded.
Permission is denied.
Example:
User lacks required role.
404 Not Found
Requested resource does not exist.
429 Too Many Requests
Rate limit exceeded.
Clients should wait before retrying.
500 Internal Server Error
Unexpected server failure.
Retry may succeed later.
Error Handling Strategies
Good enterprise agents never expose raw API errors directly to users.
Poor response:
Error 500.
Better response:
“The customer database is temporarily unavailable. Please try again in a few minutes.”
The technical details should be logged while presenting a friendly message.
Retry Logic
Temporary failures should not always terminate a conversation.
Good candidates for retries:
- Network timeout
- Temporary server outage
- HTTP 429
- HTTP 503
Poor candidates:
- Invalid credentials
- Missing permissions
- Incorrect request format
Retry strategies typically use exponential backoff to reduce server load.
Timeouts
Every HTTP request should define an appropriate timeout.
Without one:
- Conversations may hang.
- User experience suffers.
- Resources remain occupied.
Enterprise solutions balance responsiveness with backend processing time.
Logging
Successful enterprise solutions record important execution details.
Typical information includes:
- Timestamp
- Endpoint
- Status code
- Duration
- User ID (when appropriate)
- Correlation ID
- Request outcome
Sensitive information such as passwords or tokens should never be logged.
Security Best Practices
For the AB-620 exam, security is heavily emphasized.
Recommended practices include:
- Always use HTTPS.
- Store secrets securely.
- Use OAuth or Microsoft Entra ID whenever possible.
- Implement least-privilege access.
- Validate all user input.
- Sanitize request data.
- Encrypt sensitive information.
- Rotate credentials regularly.
- Monitor API usage.
- Audit access to critical resources.
Protecting Sensitive Information
Avoid exposing:
- Passwords
- Tokens
- API keys
- Internal URLs
- Database identifiers
- Personally identifiable information (PII)
Agents should display only the information users are authorized to see.
Rate Limiting
External APIs often restrict request volume.
Example:
500 requests/hour
If exceeded:
HTTP 429
Design strategies include:
- Request batching
- Caching
- Retry delays
- Limiting unnecessary calls
Performance Optimization
Well-designed agents minimize latency.
Optimization techniques include:
- Reuse previously retrieved information.
- Avoid duplicate API calls.
- Cache frequently requested data.
- Request only required fields.
- Combine related operations when supported.
- Minimize payload sizes.
- Execute independent requests in parallel where appropriate.
Choosing Between Connectors and HTTP Requests
In Copilot Studio, both connectors and HTTP requests provide integration capabilities.
| Use Connectors When | Use HTTP Requests When |
|---|---|
| Microsoft provides a supported connector | No connector exists |
| Standard authentication is sufficient | Full control over requests is required |
| Low-code development is preferred | Custom APIs must be accessed |
| Minimal maintenance is desired | Specialized API features are needed |
| Enterprise governance favors managed connectors | Advanced REST functionality is required |
The exam may ask you to choose the most appropriate integration method.
Common Enterprise Scenarios
Customer Support
- Retrieve account
- Create ticket
- Update ticket
- Escalate issue
Sales
- Search CRM
- Retrieve opportunities
- Update customer records
- Generate quotes
Human Resources
- Vacation requests
- Employee lookup
- Benefits information
- Payroll inquiries
Finance
- Expense submission
- Invoice lookup
- Budget approval
- Payment status
IT Help Desk
- Password reset
- Device lookup
- Software requests
- Incident management
Common Exam Pitfalls
Watch for these common mistakes:
- Using POST when GET is appropriate.
- Sending sensitive information in URLs instead of secure request bodies or headers.
- Hard-coding API keys.
- Ignoring authentication requirements.
- Assuming every successful request returns HTTP 200 (201, 202, and 204 are also successful responses).
- Failing to validate user input before making API calls.
- Displaying raw server errors to users.
- Using HTTP requests when an existing connector is the better choice.
- Not accounting for rate limits or transient failures.
- Returning more data than necessary, increasing security and performance risks.
AB-620 Exam Tips
Remember these key points:
- APIs enable agents to interact with live enterprise systems.
- REST and JSON are the dominant standards for enterprise integrations.
- OAuth 2.0 and Microsoft Entra ID are preferred authentication methods.
- Understand the purpose of each HTTP method.
- Differentiate client errors (4xx) from server errors (5xx).
- Design secure, maintainable, and reusable integrations.
- Handle failures gracefully with retries where appropriate.
- Protect sensitive information throughout the integration process.
- Choose connectors when possible and HTTP requests when customization is required.
Topic Summary
An enterprise Copilot Studio agent becomes significantly more powerful when it can communicate with external systems through APIs and HTTP requests. By combining conversational AI with secure integrations, organizations can automate business processes, retrieve live operational data, and perform transactions across enterprise applications.
For the AB-620 exam, focus on understanding the complete lifecycle of an HTTP request, authentication mechanisms, JSON handling, response processing, error handling, and secure integration design. These concepts are foundational to designing enterprise-grade AI agent solutions.
Practice Exam Questions
Question 1
A Copilot Studio agent must retrieve a customer’s current loyalty points without modifying any data. Which HTTP method should be used?
A. POST
B. GET
C. PATCH
D. DELETE
Answer: B
Explanation: GET is used to retrieve information without modifying server-side resources.
Question 2
An API returns HTTP status code 401 Unauthorized. What is the most likely cause?
A. The requested resource does not exist.
B. The request exceeded the rate limit.
C. Authentication credentials are missing or invalid.
D. The request completed successfully.
Answer: C
Explanation: A 401 status indicates that authentication failed because valid credentials were not provided or have expired.
Question 3
A developer needs to update only a customer’s phone number. Which HTTP method is most appropriate?
A. PUT
B. POST
C. PATCH
D. GET
Answer: C
Explanation: PATCH performs partial updates, making it ideal for modifying a single property without replacing the entire resource.
Question 4
Which authentication mechanism is recommended for securing enterprise APIs integrated with Microsoft Copilot Studio?
A. Anonymous authentication
B. Basic authentication using hardcoded credentials
C. OAuth 2.0 with Microsoft Entra ID
D. Query string authentication
Answer: C
Explanation: OAuth 2.0 integrated with Microsoft Entra ID provides secure, token-based authentication and centralized identity management.
Question 5
An agent receives the following response:
{ "Status":"Approved", "Manager":"Karen Lee"}
What should the agent do next?
A. Ignore the response.
B. Store the values in variables for use later in the conversation.
C. Convert the response into XML.
D. Retry the request immediately.
Answer: B
Explanation: JSON values are typically parsed and stored in variables for use in responses, conditions, or subsequent actions.
Question 6
A REST API limits clients to 1,000 requests per hour. Which design strategy best helps avoid exceeding this limit?
A. Retry every request immediately.
B. Disable authentication.
C. Cache frequently requested data and avoid unnecessary calls.
D. Send duplicate requests for verification.
Answer: C
Explanation: Caching and reducing redundant API calls are common strategies for working within rate limits.
Question 7
A company already has a fully supported Microsoft Power Platform connector for its CRM system. Which integration approach should generally be chosen?
A. Build every interaction using raw HTTP requests.
B. Use the existing connector unless custom functionality requires direct API access.
C. Export CRM data to spreadsheets.
D. Replace the CRM with a custom application.
Answer: B
Explanation: Managed connectors simplify development, maintenance, authentication, and governance, making them the preferred option when available.
Question 8
Which status code indicates that a new resource has been successfully created?
A. 200
B. 201
C. 404
D. 500
Answer: B
Explanation: HTTP 201 Created indicates that a new resource was successfully created by the server.
Question 9
What is the primary benefit of chaining multiple API requests within an agent flow?
A. It reduces authentication requirements.
B. It eliminates the need for variables.
C. It enables complex business processes that span multiple systems.
D. It guarantees faster execution than a single request.
Answer: C
Explanation: Chained API calls allow agents to orchestrate multi-step workflows involving several enterprise applications.
Question 10
Why should an agent avoid displaying raw HTTP error messages directly to users?
A. HTTP errors are never useful.
B. Raw errors may expose technical details and create a poor user experience.
C. HTTP errors always indicate a network problem.
D. Users cannot understand status codes.
Answer: B
Explanation: Enterprise agents should present friendly, actionable messages while logging technical details internally to maintain security and usability.
Go to the AB-620 Exam Prep Hub main page
