Add REST APIs to an agent (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Add tools to agents
      --> Add REST APIs to an agent


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Learning Objectives

After completing this section, you should be able to:

  • Explain REST APIs.
  • Understand how REST API tools work in Copilot Studio.
  • Configure REST API tools.
  • Configure authentication.
  • Build requests.
  • Parse responses.
  • Use API outputs in conversations.
  • Apply Microsoft security best practices.

What is a REST API?

A REST (Representational State Transfer) API is a web service that allows applications to communicate over HTTP using standard operations.

Rather than interacting directly with databases or applications, agents communicate with REST APIs to retrieve or update information.

REST APIs are one of the most common integration mechanisms used in enterprise software.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Payment services
  • AI services
  • Internal business applications

Why Use REST APIs in Copilot Studio?

REST APIs enable agents to interact with virtually any application that exposes HTTP endpoints.

Common use cases include:

  • Retrieving customer records
  • Creating support tickets
  • Updating inventory
  • Booking appointments
  • Querying AI models
  • Processing payments
  • Accessing proprietary business systems

Unlike standard connectors, REST APIs allow organizations to integrate with services that do not already have a connector.


REST API Tool Architecture

A typical architecture looks like this:

User
Copilot Studio Agent
REST API Tool
HTTP Request
REST API Endpoint
Enterprise Application
HTTP Response
Agent Response

The REST API tool acts as the communication layer between the agent and the external service.


REST Principles

REST APIs generally use:

  • HTTP
  • URLs
  • Resources
  • Standard HTTP methods
  • JSON payloads

Example resource:

https://api.company.com/customers/10025

HTTP Methods

The AB-620 exam expects familiarity with the most common HTTP methods.

GET

Retrieves information.

Example:

GET /customers/10025

Used when reading data.


POST

Creates a new resource.

Example:

POST /orders

Used to create records.


PUT

Replaces an existing resource.

Example:

PUT /customers/10025

Often used for full updates.


PATCH

Updates part of a resource.

Example:

PATCH /customers/10025

Updates only specified fields.


DELETE

Deletes a resource.

Example:

DELETE /orders/501

REST API Requests

A request generally contains:

  • Endpoint URL
  • HTTP method
  • Authentication
  • Headers
  • Parameters
  • Optional request body

Example:

GET https://api.company.com/orders/12345
Authorization: Bearer <token>
Accept: application/json

Authentication Methods

Authentication is frequently tested on the exam.

Common methods include:

OAuth 2.0

Most common for enterprise applications.

Advantages:

  • Secure
  • Token-based
  • Supports delegated access

Microsoft Entra ID

Used for Microsoft-secured APIs.

Examples:

  • Microsoft Graph
  • Azure services
  • Internal enterprise APIs

API Key

Common for:

  • AI services
  • Third-party APIs
  • Internal APIs

The API key is usually sent in a request header.


Basic Authentication

Supported by some legacy systems.

Generally discouraged for modern enterprise deployments.


Configuring a REST API Tool

Typical steps include:

  1. Open the agent.
  2. Navigate to Tools.
  3. Select Add Tool.
  4. Choose REST API.
  5. Provide the endpoint URL.
  6. Configure authentication.
  7. Configure operations.
  8. Save the tool.

The REST API can now be invoked by the agent during conversations.


Endpoint Configuration

The endpoint identifies the resource.

Example:

https://api.contoso.com/orders

Additional path parameters may be used.

Example:

/orders/{OrderID}

Path Parameters

Path parameters identify specific resources.

Example:

/orders/45213

where:

OrderID = 45213

Query Parameters

Query parameters filter results.

Example:

/orders?status=Pending

Multiple query parameters may be combined.

Example:

/products?category=Electronics&warehouse=West

Headers

Headers provide additional information.

Examples include:

  • Authorization
  • Accept
  • Content-Type
  • User-Agent
  • API version

Example:

Authorization: Bearer token
Content-Type: application/json

Request Body

POST, PUT, and PATCH operations often include JSON.

Example:

{
"customerID":12345,
"priority":"High",
"description":"Damaged shipment"
}

The request body supplies the data the API needs.


JSON

JSON (JavaScript Object Notation) is the most common REST payload format.

Example response:

{
"OrderID":12345,
"Status":"Shipped",
"Carrier":"Contoso Logistics",
"Tracking":"ABC987654"
}

Copilot Studio parses these values into variables that can be used in subsequent conversation steps.


Variables

Inputs can originate from:

  • User messages
  • Conversation variables
  • Previous tool outputs
  • Adaptive Card inputs
  • AI-extracted entities

Example:

User:

Check order 55421.

Variable:

OrderID = 55421

The REST API request uses this variable as a path or query parameter.


Response Mapping

REST API responses can populate conversation variables.

Example:

{
"Customer":"John Smith",
"Status":"Delivered",
"DeliveryDate":"2026-10-04"
}

The agent can then:

  • Respond naturally
  • Display an Adaptive Card
  • Make branching decisions
  • Invoke another tool
  • Store values for later use

Security Considerations

REST APIs often expose sensitive enterprise data.

Microsoft recommends:

  • Secure authentication
  • HTTPS only
  • Least privilege
  • Avoid exposing secrets
  • Validate inputs
  • Protect sensitive outputs

Best Practices

Keep APIs Focused

Each endpoint should perform one clear task.


Validate Inputs

Reject invalid values before sending requests.


Use Secure Authentication

Prefer:

  • OAuth 2.0
  • Microsoft Entra ID

Avoid storing secrets directly in requests whenever possible.


Return Only Required Data

Smaller responses improve:

  • Performance
  • Security
  • Readability

Use Clear Endpoint Names

Good examples:

/customers
/orders
/inventory

Poor examples:

/process1
/action
/data

Common Exam Scenarios

You should be able to determine when a REST API tool is the appropriate choice.

Examples include:

  • Integrating with a proprietary application that does not have a Power Platform connector.
  • Calling an external AI service.
  • Accessing an internal business API.
  • Invoking a third-party SaaS application that exposes a REST interface.
  • Rapidly integrating with an existing HTTP-based service without creating a reusable custom connector.

These scenarios frequently appear in the form of architecture or design questions on the AB-620 exam.


Key Takeaways from the topics covered so far

  • REST API tools allow Copilot Studio agents to interact directly with HTTP-based services.
  • REST APIs use standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • Authentication commonly uses OAuth 2.0, Microsoft Entra ID, or API keys.
  • Requests consist of endpoints, headers, parameters, and (when appropriate) JSON request bodies.
  • JSON responses are parsed into variables that can drive conversation flow and subsequent tool invocations.
  • Secure design, proper authentication, and least-privilege access are essential best practices.

Securing REST API Integrations

Security is one of the most heavily tested areas of the AB-620 exam. Microsoft expects AI Agent Builders to understand not only how to connect to an API, but also how to do so securely.

A poorly secured API can expose sensitive business information, customer data, and backend systems.


Authentication Overview

Most enterprise REST APIs require authentication before they process requests.

Common authentication methods include:

  • API Keys
  • OAuth 2.0
  • Microsoft Entra ID (Azure AD)
  • Bearer Tokens
  • Basic Authentication (legacy)

API Keys

An API Key is a unique secret value issued by an API provider.

Example:

GET https://api.company.com/orders
Headers
x-api-key:
A1B2C3D4E5

Advantages

  • Easy to configure
  • Simple to understand
  • Good for internal services

Disadvantages

  • Less secure than OAuth
  • Keys may expire
  • Keys must be protected

OAuth 2.0

OAuth is the preferred authentication method for modern enterprise applications.

Instead of sending usernames and passwords:

  1. User signs in
  2. Identity provider authenticates user
  3. Access token is issued
  4. API validates token

Benefits

  • Strong security
  • Supports delegated permissions
  • Supports application permissions
  • Token expiration
  • Token revocation

Microsoft Entra ID Authentication

Many Microsoft services use Microsoft Entra ID.

Examples include:

  • Microsoft Graph
  • SharePoint
  • Outlook
  • Teams
  • Azure Management APIs

Advantages

  • Central identity management
  • Conditional Access
  • Multi-factor authentication
  • Role-based access control

Bearer Tokens

Many REST APIs require an Authorization header.

Example

Authorization:
Bearer eyJhbGciOi...

The token proves that the caller has already authenticated.


Basic Authentication

Older systems may still require:

Authorization:
Basic Base64(username:password)

This method is generally discouraged for new solutions.

Reasons:

  • Lower security
  • Password management
  • Credential exposure risks

Managing Secrets

Never hard-code:

  • Passwords
  • API Keys
  • Tokens

Instead:

  • Store credentials securely
  • Use connection references
  • Use environment variables
  • Use secure authentication providers

Request Headers

Headers provide additional information.

Common headers include:

Authorization
Content-Type
Accept
User-Agent

Example

Content-Type:
application/json

This tells the server JSON is being sent.


Query Parameters

Many APIs accept filtering.

Example

GET
/customers?city=Seattle

Instead of returning every customer:

The API returns only Seattle customers.

Benefits

  • Faster
  • Smaller payloads
  • Lower cost

Pagination

Large APIs rarely return all records.

Instead they return pages.

Example

GET
/orders?page=1

Next request:

page=2

Benefits

  • Better performance
  • Smaller responses
  • Lower memory usage

Rate Limits

Most enterprise APIs limit requests.

Example

1000 requests/hour

If exceeded:

429 Too Many Requests

Best practices

  • Retry later
  • Respect Retry-After headers
  • Reduce unnecessary requests

Handling Errors

REST APIs commonly return status codes.

CodeMeaning
200Success
201Created
204No Content
400Bad Request
401Unauthorized
403Forbidden
404Not Found
408Timeout
429Too Many Requests
500Internal Server Error

Agents should handle these responses gracefully.


Logging API Activity

Developers should monitor:

  • Request success
  • Failures
  • Latency
  • Authentication failures
  • Timeouts

Useful for:

  • Troubleshooting
  • Performance tuning
  • Compliance
  • Auditing

Monitoring API Performance

Key metrics include:

Average response time

Error rate

Success rate

Retry count

Timeout frequency

API availability


Best Practices

Design

  • Keep APIs focused.
  • Follow REST conventions.
  • Use meaningful endpoints.
  • Version APIs.

Security

  • Prefer OAuth.
  • Encrypt traffic using HTTPS.
  • Protect secrets.
  • Validate input.
  • Apply least privilege.

Performance

  • Filter results.
  • Cache where appropriate.
  • Minimize payload size.
  • Use pagination.
  • Avoid unnecessary API calls.

Reliability

  • Handle failures gracefully.
  • Retry transient errors.
  • Log important events.
  • Monitor health.
  • Test regularly.

REST APIs vs Custom Connectors

REST API ToolCustom Connector
Direct API definitionReusable connector
Good for individual APIsGood for many apps
Can require manual configurationSimpler for repeated use
FlexibleMore standardized
Ideal for rapid integrationIdeal for enterprise reuse

Exam Tips

Remember these important distinctions:

  • REST APIs allow direct integration with external services.
  • APIs use HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • JSON is the primary request and response format.
  • Authentication is commonly handled through OAuth 2.0 or Microsoft Entra ID.
  • API responses should be validated before use.
  • Agents should gracefully handle failures and retries.
  • Secure secrets should never be hard-coded.
  • Monitoring and logging are essential for production deployments.
  • Pagination and filtering improve performance.
  • Custom connectors simplify reuse of REST APIs across Power Platform solutions.

Practice Exam Questions

Question 1

A Copilot Studio agent needs to retrieve customer information from an external CRM without modifying any data. Which HTTP method should the REST API use?

A. POST

B. PUT

C. GET

D. PATCH

Answer: C

Explanation: GET retrieves data without changing server resources. POST creates resources, PUT replaces them, and PATCH partially updates them.


Question 2

Which authentication method is generally recommended for enterprise REST API integrations?

A. Basic Authentication

B. OAuth 2.0

C. Anonymous Access

D. Shared Password Files

Answer: B

Explanation: OAuth 2.0 provides secure, token-based authentication with delegated permissions and is preferred for enterprise APIs.


Question 3

A REST API returns HTTP status code 401 Unauthorized. What does this most likely indicate?

A. The requested resource does not exist.

B. The server encountered an internal error.

C. Authentication credentials are missing or invalid.

D. The request exceeded the rate limit.

Answer: C

Explanation: A 401 response indicates that the request lacks valid authentication credentials.


Question 4

Why should API keys never be hard-coded into an agent?

A. They increase API response times.

B. They prevent JSON serialization.

C. They disable HTTPS encryption.

D. They can be exposed and compromise security.

Answer: D

Explanation: Hard-coded secrets are difficult to rotate and may be exposed through source code or logs.


Question 5

An API returns 429 Too Many Requests. What is the most appropriate response by the agent?

A. Continue sending requests immediately.

B. Retry after waiting according to the API’s guidance.

C. Switch to Basic Authentication.

D. Ignore the error.

Answer: B

Explanation: HTTP 429 indicates that the client has exceeded rate limits. The agent should wait and retry appropriately.


Question 6

Which request header typically specifies the authentication token for a REST API?

A. Accept

B. Content-Type

C. Authorization

D. Cache-Control

Answer: C

Explanation: The Authorization header carries bearer tokens or other authentication credentials.


Question 7

Why do many APIs implement pagination?

A. To encrypt responses.

B. To reduce the amount of data returned in a single request.

C. To replace authentication.

D. To prevent HTTPS connections.

Answer: B

Explanation: Pagination improves performance and scalability by limiting the number of records returned per request.


Question 8

Which format is most commonly used for REST API request and response bodies?

A. CSV

B. XML

C. YAML

D. JSON

Answer: D

Explanation: JSON is lightweight, widely supported, and the standard format for modern REST APIs.


Question 9

When integrating a REST API into Copilot Studio, why is validating API responses important?

A. It guarantees that authentication is unnecessary.

B. It eliminates network latency.

C. It ensures returned data is complete and expected before the agent uses it.

D. It automatically encrypts responses.

Answer: C

Explanation: Response validation helps prevent errors and ensures the agent processes reliable, expected data.


Question 10

Why might a development team choose a Power Platform custom connector instead of directly configuring a REST API in every agent?

A. Custom connectors eliminate the need for authentication.

B. Custom connectors can only connect to Microsoft services.

C. Custom connectors replace HTTP methods.

D. Custom connectors provide reusable, centrally managed API definitions across multiple solutions.

Answer: D

Explanation: Custom connectors simplify maintenance, standardize integrations, and enable reuse across multiple apps, flows, and Copilot Studio agents.


Go to the AB-620 Exam Prep Hub main page