Tag: Agent Deployment

Create a Solution (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Test and manage agents (20–25%)
   --> Implement application lifecycle management (ALM) for agents in Copilot Studio
      --> Create a Solution (in Microsoft Copilot Studio
)

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As Microsoft Copilot Studio projects become larger and more complex, organizations require a structured way to package, transport, version, and deploy their AI agents across environments. Microsoft Power Platform provides this capability through Solutions.

Solutions are one of the most important concepts in Application Lifecycle Management (ALM). Rather than moving individual agents, topics, flows, connectors, or Dataverse tables independently, solutions package all related components together into a deployable unit.

For the AB-620 exam, you should understand:

  • Why solutions exist
  • Managed vs unmanaged solutions
  • Solution-aware components
  • Creating solutions
  • Adding Copilot Studio assets
  • Dependencies
  • Solution publishers
  • Versioning
  • Deployment best practices

What is a Solution?

A solution is a container that stores one or more Power Platform components as a single application.

Instead of managing individual assets, developers manage the entire business solution.

A solution can contain:

  • Copilot Studio agents
  • Topics
  • Agent instructions
  • Knowledge sources
  • Power Automate flows
  • AI prompts
  • Custom connectors
  • Dataverse tables
  • Security roles
  • Environment variables
  • Connection references
  • Plugins
  • Model-driven apps
  • Canvas apps

Think of a solution as similar to:

  • A Visual Studio project
  • A software package
  • A deployment artifact

Everything needed for the application travels together.


Why Solutions Are Important

Without solutions:

  • Components are isolated
  • Deployment becomes manual
  • Dependencies are lost
  • Versioning is difficult
  • Collaboration becomes risky

Solutions provide:

  • Repeatable deployments
  • Source control compatibility
  • Version tracking
  • Easier testing
  • Safer production releases
  • Consistent ALM

Where Solutions Fit into ALM

Typical lifecycle:

Development Environment

Unmanaged Solution

Testing Environment

Managed Solution

Production

Each environment receives a controlled deployment.


Types of Solutions

There are two solution types.

Unmanaged Solutions

Used during development.

Characteristics:

  • Editable
  • Components can be changed
  • Developers add new assets
  • Easy debugging
  • Supports ongoing work

Developers almost always work with unmanaged solutions.


Managed Solutions

Used for deployment.

Characteristics:

  • Read-only
  • Protects components
  • Supports upgrades
  • Prevents accidental editing
  • Ideal for production

Production environments typically receive managed solutions.


Managed vs Unmanaged

FeatureUnmanagedManaged
EditableYesNo
Used during developmentYesNo
Used in productionRarelyYes
Supports customizationYesLimited
Supports upgradesYesYes
Protects intellectual propertyNoYes

Solution Components

A solution may contain numerous Power Platform assets.

Common Copilot Studio components include:

  • Agents
  • Topics
  • AI instructions
  • Generative answers configuration
  • Knowledge sources
  • Variables
  • Prompt libraries
  • Authentication settings
  • Power Automate flows
  • Custom connectors
  • REST API tools
  • Azure integrations

When exporting a solution, all selected components travel together.


Solution Publishers

Every solution belongs to a publisher.

A publisher defines:

  • Customization prefix
  • Display name
  • Versioning ownership
  • Component naming

Example:

Publisher:

Contoso

Customization prefix:

cts

Objects become:

cts_Agent

cts_OrderFlow

cts_CustomerTable

Using a publisher prevents naming collisions between organizations.


Creating a Solution

The general process is:

  1. Open Power Apps Maker Portal.
  2. Select Solutions.
  3. Choose New Solution.
  4. Enter:
    • Display Name
    • Name
    • Publisher
    • Version Number
  5. Save.

The solution is now ready for development.


Adding a Copilot Studio Agent

Once the solution exists:

  1. Open the solution.
  2. Select Add Existing.
  3. Choose Copilot Studio Agent.
  4. Select the desired agent.
  5. Confirm.

The agent now becomes solution-aware.


Creating New Components Inside a Solution

Best practice is to create components directly inside the solution.

Instead of:

Create agent

Later add to solution

Prefer:

Create solution

Create agent inside solution

This automatically tracks dependencies.


Dependencies

Many Power Platform assets depend upon others.

Example:

Agent

Topic

Power Automate Flow

Connector

Dataverse Table

Removing one component may break another.

Solutions automatically identify many dependencies during export.


Dependency Checking

Before export, Power Platform verifies:

  • Missing connectors
  • Missing flows
  • Missing tables
  • Missing environment variables
  • Missing references

If dependencies are absent, deployment may fail.

Always resolve dependency warnings before exporting.


Connection References

Instead of storing connection information directly inside components, solutions use connection references.

Benefits include:

  • Easier deployment
  • Secure authentication
  • Environment independence
  • Reduced configuration effort

Example:

Development

Uses:

Dev SQL Database

Production

Uses:

Production SQL Database

Only the connection reference changes.

The solution remains identical.


Environment Variables

Environment variables store values that differ between environments.

Examples include:

Development:

https://devapi.company.com

Testing:

https://testapi.company.com

Production:

https://api.company.com

Rather than editing every component, only the environment variable changes.


Solution Versioning

Solutions include version numbers.

Typical format:

Major.Minor.Build.Revision

Example:

1.0.0.0

Later versions:

1.1.0.0

2.0.0.0

Version numbers help administrators:

  • Track releases
  • Apply upgrades
  • Roll back deployments
  • Identify installed versions

Exporting a Solution

After development:

  1. Open solution.
  2. Select Export.
  3. Choose:
    • Managed
    • Unmanaged
  4. Validate dependencies.
  5. Download solution package.

The result is typically a compressed solution file.


Importing a Solution

Destination environment:

  1. Open Solutions.
  2. Select Import.
  3. Upload solution.
  4. Resolve connection references.
  5. Configure environment variables.
  6. Complete installation.

Upgrading Solutions

Instead of deleting and reinstalling, managed solutions support upgrades.

Benefits include:

  • Preserve existing configuration
  • Retain data
  • Maintain references
  • Apply improvements
  • Minimize downtime

Patch Solutions

For small fixes, organizations can create patches.

Patch examples:

  • Bug fixes
  • Minor topic corrections
  • Updated prompts
  • Small workflow improvements

Patches avoid deploying an entirely new solution.


Solution Layers

Power Platform supports solution layering.

Example:

Base Solution

Department Solution

Customer Customizations

Higher layers override lower layers without modifying the original solution.

This supports extensibility.


Best Practices

Microsoft recommends:

  • Always use solutions.
  • Use unmanaged solutions for development.
  • Deploy managed solutions to production.
  • Create components inside solutions.
  • Use meaningful version numbers.
  • Use environment variables.
  • Use connection references.
  • Create custom publishers.
  • Keep solutions focused on one business application.
  • Test imports before production deployment.
  • Maintain source control for solution files.

Common Exam Tips

Know the differences between:

  • Managed vs unmanaged solutions
  • Connection references vs environment variables
  • Publisher vs solution
  • Export vs import
  • Patch vs upgrade
  • Components vs dependencies

Remember:

Development = Unmanaged

Production = Managed


Exam Summary

For the AB-620 exam, understand that solutions are the foundation of ALM within Microsoft Copilot Studio and the Power Platform. Solutions package all application components—including agents, topics, flows, connectors, prompts, and Dataverse assets—into a deployable unit that supports versioning, collaboration, testing, and production deployment. Microsoft recommends developing in unmanaged solutions, deploying managed solutions to production, using connection references and environment variables for environment-specific settings, and managing dependencies carefully to ensure reliable deployments.


Practice Exam Questions

Question 1

Why should developers create Copilot Studio agents inside a solution whenever possible?

A. It automatically increases AI model accuracy.

B. It ensures components and dependencies are tracked together.

C. It removes the need for Power Automate.

D. It encrypts the agent automatically.

Answer: B

Explanation: Creating components inside a solution allows Power Platform to manage dependencies and simplifies deployment across environments.


Question 2

Which solution type should typically be deployed to a production environment?

A. Temporary solution

B. Local solution

C. Managed solution

D. Unmanaged solution

Answer: C

Explanation: Managed solutions are intended for production because they protect components from unintended modification and support controlled upgrades.


Question 3

Which component allows the same solution to connect to different databases in development and production without modifying the agent?

A. Security roles

B. Topics

C. Connection references

D. AI Builder models

Answer: C

Explanation: Connection references enable environment-specific connections while allowing the solution to remain unchanged.


Question 4

What is the primary purpose of environment variables?

A. Encrypt Dataverse tables

B. Store authentication tokens

C. Improve AI response quality

D. Store configuration values that differ between environments

Answer: D

Explanation: Environment variables allow values such as API URLs, endpoints, and configuration settings to change between environments without editing solution components.


Question 5

What is the role of a solution publisher?

A. To execute Power Automate flows

B. To host Azure AI Search indexes

C. To define ownership and customization prefixes for solution components

D. To manage Application Insights telemetry

Answer: C

Explanation: Publishers provide customization prefixes and identify the organization responsible for the solution.


Question 6

Before exporting a solution, why should dependency warnings be resolved?

A. To reduce licensing costs

B. To help ensure the solution imports successfully in another environment

C. To improve AI response speed

D. To increase token limits

Answer: B

Explanation: Missing dependencies can prevent successful deployment or cause runtime failures after import.


Question 7

Which statement best describes an unmanaged solution?

A. It is read-only after deployment.

B. It cannot contain Copilot Studio agents.

C. It is intended primarily for production deployments.

D. It is editable and primarily used during development.

Answer: D

Explanation: Unmanaged solutions support ongoing development because components remain editable.


Question 8

A development team needs to deliver a small bug fix without deploying an entirely new release. Which approach is most appropriate?

A. Delete and recreate the solution.

B. Create a new publisher.

C. Create a patch solution.

D. Export the unmanaged solution to production.

Answer: C

Explanation: Patch solutions are designed for small updates and bug fixes while minimizing deployment impact.


Question 9

Which statement accurately describes solution version numbers?

A. They are optional and ignored during upgrades.

B. They identify releases and help manage upgrades over time.

C. They apply only to Power Automate flows.

D. They determine Azure AI model selection.

Answer: B

Explanation: Version numbers help administrators identify installed releases and manage upgrades throughout the application lifecycle.


Question 10

An organization wants to move a Copilot Studio agent, its topics, Power Automate flows, custom connectors, and Dataverse assets together between environments. What is the recommended approach?

A. Export each component individually.

B. Copy components manually.

C. Rebuild the application in each environment.

D. Package the components in a Power Platform solution.

Answer: D

Explanation: Solutions provide a single deployment package that preserves relationships, dependencies, and configuration across environments.


Go to the AB-620 Exam Prep Hub main page

Choose an evaluation method (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Test and manage agents (20–25%)
   --> Evaluate agent performance
      --> Choose an evaluation method


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Building an AI agent is only the first step in delivering a successful solution. An equally important responsibility is evaluating whether the agent performs as intended. Microsoft Copilot Studio includes evaluation capabilities that help developers assess the quality, accuracy, safety, and effectiveness of AI-generated responses before an agent is deployed to production.

Selecting the appropriate evaluation method depends on several factors, including:

  • The purpose of the agent
  • Whether the agent is knowledge-based or action-based
  • Whether responses are deterministic or generative
  • The organization’s quality requirements
  • The level of automation desired

For the AB-620 exam, you should understand:

  • Available evaluation methods
  • When to use each method
  • What each method measures
  • How evaluations improve agent quality
  • Best practices for evaluating AI agents

Why Evaluation Is Important

Generative AI systems are probabilistic rather than deterministic. Unlike traditional software that always produces identical output for identical input, AI-generated responses may vary slightly while still being correct.

Evaluation helps determine whether responses are:

  • Accurate
  • Relevant
  • Grounded
  • Complete
  • Safe
  • Helpful
  • Consistent

Without evaluation, organizations risk deploying agents that:

  • Hallucinate facts
  • Provide incomplete answers
  • Use incorrect tools
  • Return outdated information
  • Violate organizational policies

Goals of Agent Evaluation

Evaluation should answer questions such as:

  • Did the agent answer correctly?
  • Was the correct knowledge source used?
  • Was the response grounded?
  • Was the appropriate tool invoked?
  • Was sensitive information protected?
  • Was the response relevant?
  • Did the conversation remain on topic?
  • Did the agent accomplish the user’s goal?

Types of Evaluation Methods

Microsoft Copilot Studio supports multiple evaluation approaches.

The primary categories include:

  • Manual evaluation
  • Automated evaluation
  • AI-assisted evaluation
  • Test set evaluation
  • Human review
  • Continuous monitoring

Each serves a different purpose.


Manual Evaluation

Manual evaluation involves developers or business users interacting directly with the agent.

Typical process:

  1. Ask questions.
  2. Review responses.
  3. Identify problems.
  4. Improve prompts or tools.
  5. Repeat testing.

Advantages

  • Simple
  • Fast for small projects
  • Easy to understand
  • Good during development

Limitations

  • Difficult to scale
  • Subjective
  • Time consuming
  • Not repeatable

Automated Evaluation

Automated evaluation uses predefined test cases to measure agent performance.

Examples include:

  • Running test sets
  • Validating expected responses
  • Measuring pass/fail rates
  • Comparing versions

Benefits include:

  • Repeatability
  • Consistency
  • Speed
  • Regression testing

AI-Assisted Evaluation

AI models can help assess the quality of responses.

Instead of only comparing exact wording, AI can evaluate:

  • Semantic correctness
  • Relevance
  • Helpfulness
  • Completeness
  • Faithfulness to source material

For example:

User asks:

“How do I reset my password?”

The expected response might vary in wording while still being completely correct.

AI-assisted evaluation recognizes that multiple valid responses may exist.


Human Evaluation

Human reviewers examine conversations and determine whether responses meet organizational expectations.

Human reviewers may assess:

  • Tone
  • Accuracy
  • Professionalism
  • Policy compliance
  • User satisfaction

Human evaluation is especially valuable for:

  • Customer service
  • Healthcare
  • Legal
  • Financial services

Test Set Evaluation

A test set contains predefined prompts with expected outcomes.

Running a test set provides:

  • Pass/fail results
  • Quality metrics
  • Regression detection
  • Coverage across scenarios

Test sets are recommended before production deployments.


Continuous Evaluation

Evaluation should continue after deployment.

Production monitoring identifies:

  • New failure patterns
  • Frequently unanswered questions
  • Knowledge gaps
  • Tool failures
  • User frustration

Continuous evaluation supports ongoing improvement.


Evaluation Criteria

Several quality dimensions are commonly evaluated.


1. Correctness

Does the response answer the question accurately?

Example:

User:

“How many vacation days do I have?”

Correct response:

Returns the actual balance from HR.

Incorrect response:

Invents a number.


2. Relevance

Is the response related to the user’s request?

Poor relevance often results from:

  • Incorrect knowledge retrieval
  • Poor prompting
  • Wrong tool selection

3. Groundedness

Groundedness measures whether responses are supported by trusted enterprise data.

Grounded responses:

  • Reference indexed documents
  • Use Azure AI Search
  • Avoid unsupported claims

Ungrounded responses may hallucinate.


4. Completeness

Does the response fully answer the user’s question?

Poor example:

User:

“How do I submit travel expenses?”

Response:

“Use the expense portal.”

Better response:

  • Portal name
  • Required documents
  • Approval workflow
  • Submission deadline

5. Safety

Safety evaluations identify:

  • Harmful content
  • Sensitive information exposure
  • Offensive language
  • Policy violations

Safety is essential for enterprise deployments.


6. Tool Accuracy

If the agent invokes external tools, verify:

  • Correct tool selected
  • Correct parameters supplied
  • Successful execution
  • Correct result returned

7. Conversation Quality

Evaluate whether the conversation flows naturally.

Examples include:

  • Appropriate follow-up questions
  • Context awareness
  • Smooth transitions
  • Helpful clarification requests

Selecting an Evaluation Method

Different scenarios require different evaluation methods.

ScenarioRecommended Evaluation
New prototypeManual testing
Regression testingAutomated test sets
Knowledge retrievalGroundedness evaluation
API actionsTool execution validation
Customer serviceHuman + automated evaluation
Production agentContinuous monitoring
Multi-agent orchestrationDelegation and routing evaluation

Evaluating Knowledge-Based Agents

Knowledge agents should be evaluated for:

  • Correct document retrieval
  • Citation quality
  • Freshness of information
  • Hallucination prevention
  • Accurate summaries

Typical questions include:

  • Did Azure AI Search retrieve the correct content?
  • Was the answer grounded?
  • Was outdated content used?

Evaluating Action-Based Agents

Agents that execute business processes require additional evaluation.

Verify:

  • Tool selection
  • Authentication
  • API success
  • Parameter accuracy
  • Business outcome

Example:

User:

“Create an IT ticket.”

Evaluation checks:

  • Was the ticket created?
  • Was the correct connector called?
  • Was the correct priority assigned?

Evaluating Multi-Agent Solutions

For multi-agent solutions, assess:

  • Proper routing
  • Correct child-agent selection
  • Delegation accuracy
  • Context preservation
  • Final response quality

Failures may occur if:

  • Wrong agent receives the request
  • Delegation loops occur
  • Context is lost between agents

Evaluating Generative Answers

Generative AI introduces additional evaluation dimensions.

Evaluate:

  • Hallucination rate
  • Factual accuracy
  • Grounding quality
  • Readability
  • Tone
  • Completeness
  • Citation quality
  • Confidence

Metrics Used During Evaluation

Organizations often monitor:

  • Pass rate
  • Failure rate
  • Response accuracy
  • Latency
  • Tool success rate
  • Grounding score
  • Hallucination frequency
  • User satisfaction
  • Resolution rate
  • Escalation frequency

Common Evaluation Mistakes

Avoid these common mistakes:

  • Testing only happy-path scenarios
  • Ignoring edge cases
  • Measuring wording instead of meaning
  • Forgetting regression testing
  • Not testing tool failures
  • Ignoring production feedback
  • Using outdated test cases
  • Evaluating only accuracy while ignoring safety

Best Practices

Use Multiple Evaluation Methods

Combine:

  • Manual review
  • Automated testing
  • AI-assisted evaluation
  • Human review

No single method is sufficient for all scenarios.


Create Realistic Test Cases

Use prompts based on actual user behavior instead of artificial examples.


Evaluate Regularly

Run evaluations:

  • Before deployment
  • After prompt changes
  • After connector updates
  • After knowledge updates
  • After model upgrades

Monitor Production

Evaluation should continue after deployment using telemetry, analytics, and user feedback.


Improve Continuously

Use evaluation results to:

  • Refine prompts
  • Improve knowledge sources
  • Fix tools
  • Expand test sets
  • Enhance user experience

Exam Tips

For the AB-620 exam, remember:

  • Different evaluation methods serve different purposes.
  • Automated evaluations support regression testing.
  • AI-assisted evaluations assess semantic quality rather than exact wording.
  • Groundedness is essential for knowledge-based agents.
  • Tool accuracy is critical for action-based agents.
  • Human review remains important for high-risk business scenarios.
  • Evaluation is an ongoing lifecycle activity, not a one-time task.
  • Combining multiple evaluation methods produces the most reliable assessment.

Practice Exam Questions

Question 1

A development team wants to verify that recent prompt changes have not broken existing functionality. Which evaluation method is most appropriate?

A. Automated test set evaluation

B. User satisfaction surveys

C. Manual exploratory testing only

D. Random production monitoring

Answer: A

Explanation: Automated test sets provide repeatable regression testing, allowing teams to verify that previously working scenarios continue to function after changes.


Question 2

Which evaluation criterion determines whether an agent’s response is supported by trusted enterprise data rather than generated from unsupported assumptions?

A. Latency

B. Groundedness

C. Conversation length

D. User engagement

Answer: B

Explanation: Groundedness measures whether responses are based on authoritative data sources, helping reduce hallucinations.


Question 3

A customer service manager wants to assess whether responses are polite, professional, and aligned with company communication standards. Which evaluation method is most appropriate?

A. Automated pass/fail testing

B. API performance testing

C. Human evaluation

D. Network diagnostics

Answer: C

Explanation: Human reviewers are best suited to evaluating tone, professionalism, empathy, and adherence to organizational communication standards.


Question 4

Why is AI-assisted evaluation useful for generative AI responses?

A. It requires every correct answer to match expected wording exactly.

B. It automatically retrains the language model.

C. It eliminates the need for human reviewers.

D. It evaluates semantic correctness even when responses are worded differently.

Answer: D

Explanation: AI-assisted evaluation focuses on meaning and correctness rather than exact text matches, making it well suited for generative responses.


Question 5

Which evaluation criterion confirms that an agent selected the correct connector and completed a requested business action?

A. Tool accuracy

B. Conversation length

C. Groundedness

D. Response formatting

Answer: A

Explanation: Tool accuracy verifies that the appropriate tool was invoked with the correct parameters and that the desired action was completed successfully.


Question 6

Which type of evaluation should continue after an agent is deployed to production?

A. Prototype evaluation only

B. Continuous monitoring and evaluation

C. Initial prompt validation only

D. Installation verification

Answer: B

Explanation: Production monitoring helps identify new issues, emerging user needs, and opportunities for continuous improvement.


Question 7

A developer wants to verify that a knowledge-based agent retrieved the correct document and provided an accurate citation. Which area is being evaluated?

A. Authentication

B. Delegation

C. Knowledge retrieval and groundedness

D. UI rendering

Answer: C

Explanation: Knowledge retrieval evaluations determine whether the correct source was used and whether responses remain grounded in trusted content.


Question 8

What is the primary advantage of automated evaluation compared to manual testing?

A. It permanently stores every user conversation.

B. It guarantees zero hallucinations.

C. It automatically writes new prompts.

D. It provides repeatable, consistent testing across multiple runs.

Answer: D

Explanation: Automated evaluation enables consistent execution of predefined tests, making regression testing reliable and scalable.


Question 9

Which combination provides the most comprehensive assessment of an enterprise AI agent?

A. Manual testing only

B. Human evaluation only

C. Automated testing only

D. A combination of manual, automated, AI-assisted, and human evaluation

Answer: D

Explanation: Each evaluation method measures different aspects of agent quality. Combining them provides the most complete assessment.


Question 10

An evaluation determines that an agent answered the user’s question correctly but omitted several important procedural steps. Which quality criterion needs improvement?

A. Safety

B. Completeness

C. Authentication

D. Latency

Answer: B

Explanation: Completeness measures whether the response fully addresses the user’s request with sufficient detail and context.


Go to the AB-620 Exam Prep Hub main page

Create a test set (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Test and manage agents (20–25%)
   --> Evaluate agent performance
      --> Create a test set


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most important responsibilities of an AI Agent Builder is ensuring that an agent consistently produces accurate, relevant, and safe responses. As agents become more sophisticated and rely on multiple knowledge sources, tools, and generative AI models, manual testing alone is no longer sufficient.

Microsoft Copilot Studio provides test sets that allow developers to systematically validate agent behavior against expected outcomes. Test sets enable repeatable evaluation of an agent after configuration changes, prompt updates, knowledge source modifications, or model upgrades.

For the AB-620 exam, you should understand:

  • What test sets are
  • Why they are important
  • How to create and manage them
  • How they integrate with agent evaluation
  • Best practices for maintaining reliable test coverage

What Is a Test Set?

A test set is a collection of predefined test cases that evaluate how an AI agent responds to expected user requests.

Each test case generally contains:

  • A sample user prompt
  • The expected behavior or outcome
  • Evaluation criteria
  • Pass/fail results after execution

Instead of manually asking the same questions every time changes are made, developers can rerun the entire test set to determine whether the agent continues to behave correctly.


Why Test Sets Matter

Without structured testing:

  • New prompts may unintentionally break previous functionality.
  • Updated knowledge sources may introduce incorrect answers.
  • Tool changes may fail silently.
  • Model updates may alter response quality.

Test sets provide confidence that the agent still behaves correctly after changes.

Benefits include:

  • Repeatable testing
  • Faster validation
  • Regression testing
  • Improved response quality
  • Easier troubleshooting
  • Better release confidence

Test Set vs Manual Testing

Manual TestingTest Set
Performed interactivelyExecuted repeatedly
Difficult to reproduceFully repeatable
Human remembers questionsQuestions stored permanently
Time consumingAutomated evaluation
Easy to miss scenariosCovers many scenarios consistently

When Should You Create a Test Set?

Create a test set whenever:

  • Building a new agent
  • Adding new topics
  • Adding knowledge sources
  • Adding tools
  • Integrating APIs
  • Updating prompts
  • Deploying a new version
  • Performing regression testing

Components of a Test Case

A typical test case includes several important elements.

1. User Input

The question or request submitted to the agent.

Example:

“Show me my remaining vacation balance.”


2. Expected Behavior

The desired outcome.

Examples include:

  • Calls HR connector
  • Retrieves employee record
  • Returns vacation balance
  • Does not hallucinate data

3. Expected Response

Depending on the evaluation method, expected responses may include:

  • Specific wording
  • Required information
  • Correct tool usage
  • Accurate citation
  • Proper formatting

4. Evaluation Result

After execution the test produces results such as:

  • Pass
  • Fail
  • Partial success
  • Confidence score (where applicable)

Types of Test Cases

A comprehensive test set should include multiple categories.

Happy Path Tests

Expected user behavior.

Example:

“Reset my password.”


Alternative Wording

Different ways users ask the same question.

Examples:

  • I forgot my password
  • Help me log in
  • I can’t sign in

Edge Cases

Unusual but valid requests.

Example:

“Can I reset someone else’s password?”


Invalid Requests

Questions the agent should decline.

Example:

“Delete every employee record.”


Ambiguous Questions

The agent should ask follow-up questions.

Example:

“Book a meeting.”

Expected behavior:

“Who should I invite?”


Tool Failure Tests

Verify graceful handling of failures.

Example:

API unavailable.

Expected response:

“The HR system is temporarily unavailable.”


Knowledge Tests

Ensure retrieval from enterprise knowledge.

Example:

“What is the travel reimbursement policy?”


Security Tests

Confirm proper authorization.

Example:

Employee requests another employee’s payroll information.

Expected behavior:

Access denied.


Creating a Test Set

The general workflow is:

Step 1

Open the agent in Copilot Studio.


Step 2

Navigate to testing or evaluation features.


Step 3

Create a new test set.


Step 4

Add individual test cases.

Each includes:

  • Prompt
  • Expected behavior
  • Expected response

Step 5

Save the test set.


Step 6

Run the evaluation.


Step 7

Review results.


Step 8

Improve the agent if failures occur.


Step 9

Run the test set again.


Organizing Test Sets

Large enterprise agents often use multiple test sets.

Examples:

  • HR Agent
  • Finance Agent
  • IT Help Desk
  • Customer Service
  • Sales Support

Within each, additional test groups may cover:

  • Authentication
  • Knowledge retrieval
  • API actions
  • Escalation
  • Security
  • Generative responses

Regression Testing

Regression testing verifies that new changes do not introduce unexpected problems.

Example:

Original agent answers:

“How do I request PTO?”

A new HR connector is added.

Running the existing test set confirms the answer still works correctly.

Without regression testing, developers may unknowingly introduce defects.


Testing Knowledge Retrieval

Knowledge-based agents should verify:

  • Correct document selected
  • Correct section retrieved
  • Accurate citation
  • Relevant answer
  • No hallucinated content

Example test:

Question:

“What is the expense reimbursement limit?”

Expected:

  • Searches indexed documents
  • Retrieves finance policy
  • Returns correct limit
  • Includes citation if configured

Testing Tool Invocation

For action-based agents, verify that the correct tool is selected.

Example:

User:

“Create a support ticket.”

Expected:

  • IT connector invoked
  • Ticket created
  • Ticket number returned

Failure examples:

  • Wrong connector called
  • No connector called
  • Hallucinated confirmation

Testing Multi-Agent Solutions

If delegation is used, verify:

  • Correct child agent selected
  • Successful delegation
  • Response returned
  • Parent continues conversation properly

Testing Generative AI

Generative responses require additional evaluation.

Verify:

  • Factual accuracy
  • Completeness
  • Grounding
  • Tone
  • Safety
  • Relevance

Evaluating Test Results

After execution, review:

  • Overall pass rate
  • Failed cases
  • Tool execution
  • Knowledge retrieval
  • Response quality
  • Latency
  • Error messages

Common questions include:

  • Did the correct tool run?
  • Was the answer accurate?
  • Was sensitive data protected?
  • Was grounding successful?

Common Reasons Tests Fail

Failures often result from:

  • Prompt changes
  • Missing connector permissions
  • API failures
  • Incorrect tool selection
  • Poor grounding
  • Hallucinations
  • Missing documents
  • Authentication problems
  • Incorrect routing

Best Practices

Microsoft recommends several best practices.

Build Early

Create test cases while building the agent.


Cover Real User Questions

Use production-like prompts whenever possible.


Include Variations

People ask the same question differently.

Test all common variations.


Test Negative Scenarios

Don’t only verify success.

Test:

  • Errors
  • Permission failures
  • Invalid input
  • Ambiguous requests

Keep Test Sets Updated

Whenever the agent changes:

  • Add new tests
  • Remove obsolete tests
  • Update expected responses

Run Tests Frequently

Execute the full test set:

  • Before deployment
  • After model updates
  • After connector updates
  • After knowledge updates
  • After prompt revisions

Exam Tips

For the AB-620 exam, remember:

  • Test sets enable repeatable evaluation.
  • They support regression testing.
  • Good test cases include expected behavior.
  • Test sets should include positive, negative, and edge-case scenarios.
  • Multi-agent solutions require delegation testing.
  • Tool-based agents require tool invocation validation.
  • Knowledge agents require grounding verification.
  • Test sets improve deployment confidence.

Practice Exam Questions

Question 1

Why is creating a test set preferable to relying solely on manual testing?

A. It permanently stores conversation history for users.

B. It provides repeatable, consistent evaluation of agent behavior.

C. It automatically retrains the language model.

D. It removes the need for production monitoring.

Answer: B

Explanation: Test sets allow the same scenarios to be executed repeatedly, making regression testing and validation much more reliable than manual testing.


Question 2

Which type of scenario should always be included in a comprehensive test set?

A. Only successful user interactions

B. Only connector failures

C. Positive, negative, and edge-case scenarios

D. Only knowledge retrieval questions

Answer: C

Explanation: Comprehensive testing includes normal requests, invalid inputs, ambiguous questions, security scenarios, and failure conditions.


Question 3

A developer updates an HR connector used by an agent. What is the best next step?

A. Run the existing test set to perform regression testing.

B. Delete all previous test cases.

C. Retrain the foundation model.

D. Create a new environment.

Answer: A

Explanation: Regression testing verifies that previously working functionality continues to operate after changes.


Question 4

Which component defines what a successful test should accomplish?

A. Conversation history

B. Agent version

C. Workspace settings

D. Expected behavior

Answer: D

Explanation: Expected behavior specifies the desired outcome that the agent should achieve during the test.


Question 5

A knowledge-based agent answers a company policy question using outdated information. Which area of testing should identify this issue?

A. User authentication testing

B. Knowledge retrieval testing

C. Network latency testing

D. Adaptive Card rendering

Answer: B

Explanation: Knowledge retrieval tests verify that the correct documents are located and that accurate, grounded information is returned.


Question 6

When testing an action that creates a support ticket, what should the evaluation confirm?

A. Only that the response is grammatically correct

B. Only that the response is polite

C. That the correct tool or connector was invoked successfully

D. That the conversation contains at least three turns

Answer: C

Explanation: Action-based tests should verify successful tool invocation and the expected outcome of that action.


Question 7

Why should multiple phrasings of the same request be included in a test set?

A. To increase the size of the knowledge base

B. To improve authentication

C. To ensure the agent recognizes natural language variations

D. To reduce connector latency

Answer: C

Explanation: Users ask the same question in many different ways, and the agent should respond correctly to common variations.


Question 8

Which situation best represents an edge-case test?

A. “Reset my password.”

B. “Show today’s weather.”

C. “Create a support ticket.”

D. “Can I reset another employee’s password?”

Answer: D

Explanation: This unusual but valid request tests whether the agent correctly handles authorization and security.


Question 9

An agent delegates requests to multiple child agents. What should testing verify?

A. That delegation occurs to the appropriate child agent and responses are returned correctly

B. That every child agent uses the same prompt

C. That delegation is disabled after deployment

D. That all child agents share one knowledge source

Answer: A

Explanation: Multi-agent testing ensures that routing, delegation, and response aggregation function as designed.


Question 10

Which statement best describes the primary purpose of regression testing?

A. Measuring internet bandwidth

B. Evaluating user satisfaction surveys

C. Ensuring that recent changes have not broken existing functionality

D. Generating additional knowledge documents

Answer: C

Explanation: Regression testing validates that existing capabilities continue to work correctly after updates to prompts, connectors, tools, or knowledge sources.


Go to the AB-620 Exam Prep Hub main page

Monitor agents by using Application Insights (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Integrate agents with Azure
      --> Monitor agents by using Application Insights


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As AI agents become more sophisticated and business-critical, monitoring their health, performance, reliability, and user interactions becomes essential. An AI agent that responds slowly, generates errors, experiences high failure rates, or consumes excessive resources can negatively impact business operations and user satisfaction.

Microsoft Copilot Studio integrates with Azure Application Insights, a feature of Azure Monitor, to provide comprehensive telemetry, diagnostics, and performance monitoring. Application Insights collects operational data from agents, allowing administrators and developers to observe agent behavior, troubleshoot issues, measure usage, and optimize performance over time.

For the AB-620 exam, you should understand how Application Insights integrates with Copilot Studio, what telemetry it collects, how to analyze monitoring data, and how monitoring supports production AI solutions.


What is Azure Application Insights?

Azure Application Insights is an application performance monitoring (APM) service within Azure Monitor.

It helps organizations:

  • Monitor application availability
  • Track performance
  • Diagnose failures
  • Analyze user behavior
  • Detect anomalies
  • Monitor dependencies
  • Measure response times
  • Identify bottlenecks
  • Generate alerts
  • Improve application reliability

Application Insights provides near real-time visibility into the operational health of applications, including AI-powered agents.


Why Monitor Copilot Studio Agents?

Production AI agents interact with users continuously. Monitoring helps answer questions such as:

  • Is the agent available?
  • Are conversations completing successfully?
  • Are responses taking too long?
  • Are external APIs failing?
  • Which topics are most frequently triggered?
  • Where are users abandoning conversations?
  • Are authentication failures occurring?
  • Are knowledge searches succeeding?
  • Is latency increasing?
  • Are recent deployments causing problems?

Without monitoring, identifying these issues can be difficult.


Monitoring Architecture

A typical monitoring architecture includes:

User
Copilot Studio Agent
Conversation Execution
Telemetry Collection
Application Insights
Azure Monitor
Dashboards
Alerts
Analytics
Logs

Every conversation can generate telemetry that is stored for analysis.


What is Telemetry?

Telemetry is operational data automatically collected from applications.

For Copilot Studio agents, telemetry may include:

  • Conversation start
  • Conversation end
  • User session
  • Topic activation
  • Tool execution
  • API calls
  • Response times
  • Exceptions
  • Authentication events
  • Dependency calls
  • Custom events
  • Prompt execution
  • Generative AI activity
  • User feedback
  • Errors

Telemetry provides the raw information used to monitor system health.


Types of Telemetry

Application Insights collects several categories of telemetry.

Requests

Measures requests processed by the agent.

Examples include:

  • User messages
  • Conversation requests
  • HTTP requests
  • API invocations

Useful metrics include:

  • Duration
  • Success rate
  • Failure rate

Dependencies

Tracks external services called by the agent.

Examples include:

  • REST APIs
  • Azure AI Search
  • Dataverse
  • SQL Database
  • SharePoint
  • Power Platform connectors
  • Azure OpenAI
  • Azure AI Foundry
  • External web services

Dependency tracking helps identify slow or failing external systems.


Exceptions

Captures unexpected errors.

Examples include:

  • Authentication failures
  • Timeout exceptions
  • API failures
  • Missing parameters
  • Invalid requests
  • Permission errors

Developers can use exception details to troubleshoot failures.


Traces

Trace telemetry records detailed execution information.

Examples include:

  • Topic execution
  • Diagnostic messages
  • Workflow progress
  • Variable values
  • Decision branches

Traces are especially useful during debugging.


Events

Custom events capture important business activities.

Examples:

  • Order submitted
  • Employee onboarded
  • Ticket created
  • Payment completed
  • Appointment scheduled

Organizations can define custom events for business-specific monitoring.


Availability

Availability monitoring tests whether an application is reachable.

It can detect:

  • Service outages
  • Connectivity failures
  • Regional problems
  • Downtime

Availability tests help ensure production agents remain accessible.


Metrics Commonly Monitored

Common operational metrics include:

  • Total conversations
  • Active users
  • Average response time
  • Request duration
  • API latency
  • Conversation completion rate
  • Conversation abandonment
  • Error count
  • Exception rate
  • Failed requests
  • CPU utilization (supporting resources)
  • Memory utilization (supporting resources)
  • Dependency performance
  • Token consumption (when available)
  • Cost trends

Integrating Copilot Studio with Application Insights

High-level integration typically includes:

  1. Create an Azure Application Insights resource.
  2. Enable monitoring.
  3. Connect the Copilot Studio environment.
  4. Configure telemetry collection.
  5. Deploy the agent.
  6. Review incoming telemetry.
  7. Build dashboards.
  8. Configure alerts.
  9. Monitor production activity.

Azure Monitor Integration

Application Insights is part of Azure Monitor.

Azure Monitor provides:

  • Centralized monitoring
  • Metrics
  • Log Analytics
  • Alerts
  • Dashboards
  • Workbooks
  • Automation
  • Diagnostic settings

Application Insights contributes telemetry to Azure Monitor, where it can be analyzed alongside other Azure resources.


Log Analytics

Telemetry is stored in Log Analytics, enabling powerful querying using Kusto Query Language (KQL).

Administrators can answer questions such as:

  • Which conversations failed today?
  • Which topics generate the most errors?
  • Which users experience timeouts?
  • What APIs are the slowest?
  • Which connector has the highest latency?
  • How many conversations exceeded five seconds?

Example Monitoring Scenarios

Scenario 1

Users report slow responses.

Application Insights reveals:

  • Average response time increased from 2 seconds to 12 seconds.
  • Azure AI Search dependency latency increased dramatically.

The administrator investigates the search service.


Scenario 2

A new deployment causes failures.

Monitoring identifies:

  • Spike in exceptions.
  • Failed API calls.
  • Authentication errors.

The deployment is rolled back.


Scenario 3

An external REST API becomes unavailable.

Application Insights shows:

  • Dependency failures
  • Timeout exceptions
  • Increased conversation failures

Administrators quickly identify the external dependency rather than blaming Copilot Studio.


Dashboards

Application Insights dashboards visualize operational health.

Typical dashboard components include:

  • Conversation volume
  • Requests per minute
  • Active users
  • Success rate
  • Failure rate
  • Exceptions
  • Response times
  • API latency
  • Dependency health
  • Geographic usage
  • Availability
  • Performance trends

Dashboards allow administrators to monitor systems without manually querying logs.


Alerts

Alerts automatically notify administrators when thresholds are exceeded.

Examples include:

  • Response time exceeds five seconds.
  • Error rate exceeds 3%.
  • Availability drops below 99%.
  • API failures increase suddenly.
  • Authentication failures spike.
  • Conversation completion rate decreases.

Alerts can trigger:

  • Email
  • SMS
  • Microsoft Teams notifications
  • Azure Automation
  • Logic Apps
  • Webhooks

Distributed Tracing

Many enterprise agents call multiple services during a single conversation.

Example:

User
Copilot Studio
Azure AI Search
REST API
Dataverse
Azure AI Foundry
Response

Application Insights correlates these operations into a single end-to-end transaction.

This allows administrators to identify exactly where delays occur.


Correlation IDs

Each conversation can be assigned a correlation ID.

This enables:

  • End-to-end tracing
  • Cross-service diagnostics
  • Root cause analysis
  • Log correlation
  • Easier troubleshooting

Correlation IDs are especially valuable in distributed AI systems.


Monitoring Generative AI Operations

Application Insights can help monitor:

  • Prompt execution
  • Model latency
  • API failures
  • Retrieval operations
  • Tool execution
  • Conversation completion
  • Dependency failures
  • User feedback events

While model-specific metrics may come from Azure AI Foundry or Azure OpenAI, Application Insights provides operational telemetry surrounding those interactions.


Security Considerations

Monitoring should avoid collecting sensitive information.

Best practices include:

  • Avoid storing secrets.
  • Minimize personal information.
  • Mask sensitive values.
  • Follow organizational compliance policies.
  • Apply RBAC to monitoring resources.
  • Encrypt telemetry in transit and at rest.
  • Retain logs according to governance requirements.

Cost Considerations

Application Insights pricing depends largely on:

  • Data ingestion volume
  • Log retention
  • Query frequency
  • Exported telemetry

Organizations should balance monitoring detail with storage costs.

Strategies include:

  • Sample telemetry.
  • Adjust retention periods.
  • Remove unnecessary events.
  • Archive historical logs.

Best Practices

  • Enable monitoring before production deployment.
  • Create dashboards for key performance indicators.
  • Configure proactive alerts.
  • Monitor dependency health.
  • Use distributed tracing.
  • Track conversation completion rates.
  • Review exceptions regularly.
  • Use KQL to investigate issues.
  • Protect sensitive telemetry.
  • Continuously optimize based on monitoring insights.

Common Exam Tips

For the AB-620 exam, remember the following:

  • Application Insights is part of Azure Monitor.
  • It provides application performance monitoring (APM).
  • It collects telemetry from running applications.
  • Telemetry includes requests, dependencies, exceptions, traces, events, and availability data.
  • Dependency monitoring helps diagnose failures in external systems.
  • Log Analytics uses Kusto Query Language (KQL) for querying telemetry.
  • Alerts can automatically notify administrators of operational issues.
  • Distributed tracing correlates activity across multiple services.
  • Correlation IDs enable end-to-end diagnostics.
  • Monitoring supports performance optimization, troubleshooting, and operational reliability.

Practice Exam Questions

Question 1

An administrator wants to determine why users are experiencing slow responses from a Copilot Studio agent. Which Azure service provides detailed performance telemetry for troubleshooting?

A. Azure Storage

B. Azure Application Insights

C. Microsoft Entra ID

D. Azure Key Vault

Answer: B

Explanation: Application Insights collects detailed telemetry such as response times, dependency performance, and exceptions, making it the primary service for diagnosing performance issues.


Question 2

Which type of Application Insights telemetry tracks calls from a Copilot Studio agent to Azure AI Search or external REST APIs?

A. Requests

B. Exceptions

C. Dependencies

D. Availability

Answer: C

Explanation: Dependency telemetry measures calls to external services, databases, connectors, APIs, and Azure resources, allowing administrators to identify slow or failing dependencies.


Question 3

A developer wants to investigate authentication failures generated during agent execution. Which telemetry type should they examine first?

A. Exceptions

B. Availability

C. Metrics

D. Workbooks

Answer: A

Explanation: Authentication failures typically generate exception telemetry, which records detailed information about errors encountered during execution.


Question 4

What is the primary purpose of distributed tracing in Application Insights?

A. Encrypt conversation history

B. Automatically translate telemetry

C. Compress monitoring data

D. Correlate activity across multiple services in a single transaction

Answer: D

Explanation: Distributed tracing connects telemetry from multiple services involved in processing a single request, enabling end-to-end diagnostics.


Question 5

Which language is used to query Application Insights data stored in Log Analytics?

A. T-SQL

B. Power Query M

C. DAX

D. Kusto Query Language (KQL)

Answer: D

Explanation: Log Analytics uses Kusto Query Language (KQL) to query, filter, summarize, and analyze telemetry data.


Question 6

An operations team wants to receive an email whenever an agent’s average response time exceeds five seconds. Which Azure Monitor capability should they configure?

A. Alerts

B. Availability tests

C. Workbooks

D. Sampling

Answer: A

Explanation: Azure Monitor alerts automatically notify administrators when configured thresholds or conditions are met.


Question 7

Which monitoring metric would BEST help determine whether users are abandoning conversations before completion?

A. CPU utilization

B. Conversation completion and abandonment rates

C. Azure subscription quota

D. Virtual machine availability

Answer: B

Explanation: Completion and abandonment metrics directly measure how successfully users finish conversations with the agent.


Question 8

Why are correlation IDs valuable when troubleshooting AI agents?

A. They reduce Azure costs.

B. They increase model accuracy.

C. They link telemetry across multiple services for a single conversation.

D. They automatically encrypt logs.

Answer: C

Explanation: Correlation IDs associate related telemetry from different services, making it easier to trace a request from start to finish.


Question 9

Which best practice helps protect sensitive information when using Application Insights?

A. Store authentication secrets in telemetry for debugging.

B. Collect every possible user input permanently.

C. Disable encryption to improve performance.

D. Mask sensitive data and apply role-based access control (RBAC).

Answer: D

Explanation: Sensitive information should be masked or excluded from telemetry, and access should be restricted using RBAC to support security and compliance.


Question 10

What is the primary benefit of monitoring external dependencies such as Azure AI Search, Dataverse, and REST APIs?

A. It automatically upgrades connectors.

B. It identifies latency and failures occurring outside the Copilot Studio agent itself.

C. It eliminates the need for application logging.

D. It reduces token consumption by language models.

Answer: B

Explanation: Dependency monitoring helps determine whether performance issues or failures originate in external services rather than within the agent, significantly speeding up root cause analysis.


Go to the AB-620 Exam Prep Hub main page

Add REST APIs to an agent (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Add tools to agents
      --> Add REST APIs to an agent


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Learning Objectives

After completing this section, you should be able to:

  • Explain REST APIs.
  • Understand how REST API tools work in Copilot Studio.
  • Configure REST API tools.
  • Configure authentication.
  • Build requests.
  • Parse responses.
  • Use API outputs in conversations.
  • Apply Microsoft security best practices.

What is a REST API?

A REST (Representational State Transfer) API is a web service that allows applications to communicate over HTTP using standard operations.

Rather than interacting directly with databases or applications, agents communicate with REST APIs to retrieve or update information.

REST APIs are one of the most common integration mechanisms used in enterprise software.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Payment services
  • AI services
  • Internal business applications

Why Use REST APIs in Copilot Studio?

REST APIs enable agents to interact with virtually any application that exposes HTTP endpoints.

Common use cases include:

  • Retrieving customer records
  • Creating support tickets
  • Updating inventory
  • Booking appointments
  • Querying AI models
  • Processing payments
  • Accessing proprietary business systems

Unlike standard connectors, REST APIs allow organizations to integrate with services that do not already have a connector.


REST API Tool Architecture

A typical architecture looks like this:

User
Copilot Studio Agent
REST API Tool
HTTP Request
REST API Endpoint
Enterprise Application
HTTP Response
Agent Response

The REST API tool acts as the communication layer between the agent and the external service.


REST Principles

REST APIs generally use:

  • HTTP
  • URLs
  • Resources
  • Standard HTTP methods
  • JSON payloads

Example resource:

https://api.company.com/customers/10025

HTTP Methods

The AB-620 exam expects familiarity with the most common HTTP methods.

GET

Retrieves information.

Example:

GET /customers/10025

Used when reading data.


POST

Creates a new resource.

Example:

POST /orders

Used to create records.


PUT

Replaces an existing resource.

Example:

PUT /customers/10025

Often used for full updates.


PATCH

Updates part of a resource.

Example:

PATCH /customers/10025

Updates only specified fields.


DELETE

Deletes a resource.

Example:

DELETE /orders/501

REST API Requests

A request generally contains:

  • Endpoint URL
  • HTTP method
  • Authentication
  • Headers
  • Parameters
  • Optional request body

Example:

GET https://api.company.com/orders/12345
Authorization: Bearer <token>
Accept: application/json

Authentication Methods

Authentication is frequently tested on the exam.

Common methods include:

OAuth 2.0

Most common for enterprise applications.

Advantages:

  • Secure
  • Token-based
  • Supports delegated access

Microsoft Entra ID

Used for Microsoft-secured APIs.

Examples:

  • Microsoft Graph
  • Azure services
  • Internal enterprise APIs

API Key

Common for:

  • AI services
  • Third-party APIs
  • Internal APIs

The API key is usually sent in a request header.


Basic Authentication

Supported by some legacy systems.

Generally discouraged for modern enterprise deployments.


Configuring a REST API Tool

Typical steps include:

  1. Open the agent.
  2. Navigate to Tools.
  3. Select Add Tool.
  4. Choose REST API.
  5. Provide the endpoint URL.
  6. Configure authentication.
  7. Configure operations.
  8. Save the tool.

The REST API can now be invoked by the agent during conversations.


Endpoint Configuration

The endpoint identifies the resource.

Example:

https://api.contoso.com/orders

Additional path parameters may be used.

Example:

/orders/{OrderID}

Path Parameters

Path parameters identify specific resources.

Example:

/orders/45213

where:

OrderID = 45213

Query Parameters

Query parameters filter results.

Example:

/orders?status=Pending

Multiple query parameters may be combined.

Example:

/products?category=Electronics&warehouse=West

Headers

Headers provide additional information.

Examples include:

  • Authorization
  • Accept
  • Content-Type
  • User-Agent
  • API version

Example:

Authorization: Bearer token
Content-Type: application/json

Request Body

POST, PUT, and PATCH operations often include JSON.

Example:

{
"customerID":12345,
"priority":"High",
"description":"Damaged shipment"
}

The request body supplies the data the API needs.


JSON

JSON (JavaScript Object Notation) is the most common REST payload format.

Example response:

{
"OrderID":12345,
"Status":"Shipped",
"Carrier":"Contoso Logistics",
"Tracking":"ABC987654"
}

Copilot Studio parses these values into variables that can be used in subsequent conversation steps.


Variables

Inputs can originate from:

  • User messages
  • Conversation variables
  • Previous tool outputs
  • Adaptive Card inputs
  • AI-extracted entities

Example:

User:

Check order 55421.

Variable:

OrderID = 55421

The REST API request uses this variable as a path or query parameter.


Response Mapping

REST API responses can populate conversation variables.

Example:

{
"Customer":"John Smith",
"Status":"Delivered",
"DeliveryDate":"2026-10-04"
}

The agent can then:

  • Respond naturally
  • Display an Adaptive Card
  • Make branching decisions
  • Invoke another tool
  • Store values for later use

Security Considerations

REST APIs often expose sensitive enterprise data.

Microsoft recommends:

  • Secure authentication
  • HTTPS only
  • Least privilege
  • Avoid exposing secrets
  • Validate inputs
  • Protect sensitive outputs

Best Practices

Keep APIs Focused

Each endpoint should perform one clear task.


Validate Inputs

Reject invalid values before sending requests.


Use Secure Authentication

Prefer:

  • OAuth 2.0
  • Microsoft Entra ID

Avoid storing secrets directly in requests whenever possible.


Return Only Required Data

Smaller responses improve:

  • Performance
  • Security
  • Readability

Use Clear Endpoint Names

Good examples:

/customers
/orders
/inventory

Poor examples:

/process1
/action
/data

Common Exam Scenarios

You should be able to determine when a REST API tool is the appropriate choice.

Examples include:

  • Integrating with a proprietary application that does not have a Power Platform connector.
  • Calling an external AI service.
  • Accessing an internal business API.
  • Invoking a third-party SaaS application that exposes a REST interface.
  • Rapidly integrating with an existing HTTP-based service without creating a reusable custom connector.

These scenarios frequently appear in the form of architecture or design questions on the AB-620 exam.


Key Takeaways from the topics covered so far

  • REST API tools allow Copilot Studio agents to interact directly with HTTP-based services.
  • REST APIs use standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • Authentication commonly uses OAuth 2.0, Microsoft Entra ID, or API keys.
  • Requests consist of endpoints, headers, parameters, and (when appropriate) JSON request bodies.
  • JSON responses are parsed into variables that can drive conversation flow and subsequent tool invocations.
  • Secure design, proper authentication, and least-privilege access are essential best practices.

Securing REST API Integrations

Security is one of the most heavily tested areas of the AB-620 exam. Microsoft expects AI Agent Builders to understand not only how to connect to an API, but also how to do so securely.

A poorly secured API can expose sensitive business information, customer data, and backend systems.


Authentication Overview

Most enterprise REST APIs require authentication before they process requests.

Common authentication methods include:

  • API Keys
  • OAuth 2.0
  • Microsoft Entra ID (Azure AD)
  • Bearer Tokens
  • Basic Authentication (legacy)

API Keys

An API Key is a unique secret value issued by an API provider.

Example:

GET https://api.company.com/orders
Headers
x-api-key:
A1B2C3D4E5

Advantages

  • Easy to configure
  • Simple to understand
  • Good for internal services

Disadvantages

  • Less secure than OAuth
  • Keys may expire
  • Keys must be protected

OAuth 2.0

OAuth is the preferred authentication method for modern enterprise applications.

Instead of sending usernames and passwords:

  1. User signs in
  2. Identity provider authenticates user
  3. Access token is issued
  4. API validates token

Benefits

  • Strong security
  • Supports delegated permissions
  • Supports application permissions
  • Token expiration
  • Token revocation

Microsoft Entra ID Authentication

Many Microsoft services use Microsoft Entra ID.

Examples include:

  • Microsoft Graph
  • SharePoint
  • Outlook
  • Teams
  • Azure Management APIs

Advantages

  • Central identity management
  • Conditional Access
  • Multi-factor authentication
  • Role-based access control

Bearer Tokens

Many REST APIs require an Authorization header.

Example

Authorization:
Bearer eyJhbGciOi...

The token proves that the caller has already authenticated.


Basic Authentication

Older systems may still require:

Authorization:
Basic Base64(username:password)

This method is generally discouraged for new solutions.

Reasons:

  • Lower security
  • Password management
  • Credential exposure risks

Managing Secrets

Never hard-code:

  • Passwords
  • API Keys
  • Tokens

Instead:

  • Store credentials securely
  • Use connection references
  • Use environment variables
  • Use secure authentication providers

Request Headers

Headers provide additional information.

Common headers include:

Authorization
Content-Type
Accept
User-Agent

Example

Content-Type:
application/json

This tells the server JSON is being sent.


Query Parameters

Many APIs accept filtering.

Example

GET
/customers?city=Seattle

Instead of returning every customer:

The API returns only Seattle customers.

Benefits

  • Faster
  • Smaller payloads
  • Lower cost

Pagination

Large APIs rarely return all records.

Instead they return pages.

Example

GET
/orders?page=1

Next request:

page=2

Benefits

  • Better performance
  • Smaller responses
  • Lower memory usage

Rate Limits

Most enterprise APIs limit requests.

Example

1000 requests/hour

If exceeded:

429 Too Many Requests

Best practices

  • Retry later
  • Respect Retry-After headers
  • Reduce unnecessary requests

Handling Errors

REST APIs commonly return status codes.

CodeMeaning
200Success
201Created
204No Content
400Bad Request
401Unauthorized
403Forbidden
404Not Found
408Timeout
429Too Many Requests
500Internal Server Error

Agents should handle these responses gracefully.


Logging API Activity

Developers should monitor:

  • Request success
  • Failures
  • Latency
  • Authentication failures
  • Timeouts

Useful for:

  • Troubleshooting
  • Performance tuning
  • Compliance
  • Auditing

Monitoring API Performance

Key metrics include:

Average response time

Error rate

Success rate

Retry count

Timeout frequency

API availability


Best Practices

Design

  • Keep APIs focused.
  • Follow REST conventions.
  • Use meaningful endpoints.
  • Version APIs.

Security

  • Prefer OAuth.
  • Encrypt traffic using HTTPS.
  • Protect secrets.
  • Validate input.
  • Apply least privilege.

Performance

  • Filter results.
  • Cache where appropriate.
  • Minimize payload size.
  • Use pagination.
  • Avoid unnecessary API calls.

Reliability

  • Handle failures gracefully.
  • Retry transient errors.
  • Log important events.
  • Monitor health.
  • Test regularly.

REST APIs vs Custom Connectors

REST API ToolCustom Connector
Direct API definitionReusable connector
Good for individual APIsGood for many apps
Can require manual configurationSimpler for repeated use
FlexibleMore standardized
Ideal for rapid integrationIdeal for enterprise reuse

Exam Tips

Remember these important distinctions:

  • REST APIs allow direct integration with external services.
  • APIs use HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • JSON is the primary request and response format.
  • Authentication is commonly handled through OAuth 2.0 or Microsoft Entra ID.
  • API responses should be validated before use.
  • Agents should gracefully handle failures and retries.
  • Secure secrets should never be hard-coded.
  • Monitoring and logging are essential for production deployments.
  • Pagination and filtering improve performance.
  • Custom connectors simplify reuse of REST APIs across Power Platform solutions.

Practice Exam Questions

Question 1

A Copilot Studio agent needs to retrieve customer information from an external CRM without modifying any data. Which HTTP method should the REST API use?

A. POST

B. PUT

C. GET

D. PATCH

Answer: C

Explanation: GET retrieves data without changing server resources. POST creates resources, PUT replaces them, and PATCH partially updates them.


Question 2

Which authentication method is generally recommended for enterprise REST API integrations?

A. Basic Authentication

B. OAuth 2.0

C. Anonymous Access

D. Shared Password Files

Answer: B

Explanation: OAuth 2.0 provides secure, token-based authentication with delegated permissions and is preferred for enterprise APIs.


Question 3

A REST API returns HTTP status code 401 Unauthorized. What does this most likely indicate?

A. The requested resource does not exist.

B. The server encountered an internal error.

C. Authentication credentials are missing or invalid.

D. The request exceeded the rate limit.

Answer: C

Explanation: A 401 response indicates that the request lacks valid authentication credentials.


Question 4

Why should API keys never be hard-coded into an agent?

A. They increase API response times.

B. They prevent JSON serialization.

C. They disable HTTPS encryption.

D. They can be exposed and compromise security.

Answer: D

Explanation: Hard-coded secrets are difficult to rotate and may be exposed through source code or logs.


Question 5

An API returns 429 Too Many Requests. What is the most appropriate response by the agent?

A. Continue sending requests immediately.

B. Retry after waiting according to the API’s guidance.

C. Switch to Basic Authentication.

D. Ignore the error.

Answer: B

Explanation: HTTP 429 indicates that the client has exceeded rate limits. The agent should wait and retry appropriately.


Question 6

Which request header typically specifies the authentication token for a REST API?

A. Accept

B. Content-Type

C. Authorization

D. Cache-Control

Answer: C

Explanation: The Authorization header carries bearer tokens or other authentication credentials.


Question 7

Why do many APIs implement pagination?

A. To encrypt responses.

B. To reduce the amount of data returned in a single request.

C. To replace authentication.

D. To prevent HTTPS connections.

Answer: B

Explanation: Pagination improves performance and scalability by limiting the number of records returned per request.


Question 8

Which format is most commonly used for REST API request and response bodies?

A. CSV

B. XML

C. YAML

D. JSON

Answer: D

Explanation: JSON is lightweight, widely supported, and the standard format for modern REST APIs.


Question 9

When integrating a REST API into Copilot Studio, why is validating API responses important?

A. It guarantees that authentication is unnecessary.

B. It eliminates network latency.

C. It ensures returned data is complete and expected before the agent uses it.

D. It automatically encrypts responses.

Answer: C

Explanation: Response validation helps prevent errors and ensures the agent processes reliable, expected data.


Question 10

Why might a development team choose a Power Platform custom connector instead of directly configuring a REST API in every agent?

A. Custom connectors eliminate the need for authentication.

B. Custom connectors can only connect to Microsoft services.

C. Custom connectors replace HTTP methods.

D. Custom connectors provide reusable, centrally managed API definitions across multiple solutions.

Answer: D

Explanation: Custom connectors simplify maintenance, standardize integrations, and enable reuse across multiple apps, flows, and Copilot Studio agents.


Go to the AB-620 Exam Prep Hub main page

Configure advanced agent responses with API and Send HTTP requests (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure advanced agent responses with API and Send HTTP requests


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most powerful capabilities of Microsoft Copilot Studio is the ability to extend an agent beyond conversational AI. While generative AI enables agents to answer questions from knowledge sources, enterprise agents frequently need to retrieve live information, update business systems, trigger workflows, or communicate with applications that exist outside Microsoft 365.

This is accomplished through APIs (Application Programming Interfaces) and HTTP requests.

For the AB-620 exam, you should understand not only how to configure HTTP requests within Copilot Studio, but also when they should be used, how they are secured, how data flows through requests and responses, and how these capabilities support enterprise-grade AI agents.


Learning Objectives

After studying this topic, you should be able to:

  • Explain why APIs are important in enterprise AI agents.
  • Understand the HTTP communication model.
  • Differentiate HTTP request methods.
  • Configure HTTP requests in Copilot Studio.
  • Pass parameters to external services.
  • Authenticate API requests.
  • Parse API responses.
  • Use returned data within agent conversations.
  • Recognize best practices for secure integrations.

Why Use APIs in Copilot Studio?

Generative AI can answer questions based on available knowledge.

However, business processes usually require interaction with systems that contain live operational data.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Financial systems
  • Ticketing systems
  • Booking systems
  • Custom business applications
  • Third-party SaaS platforms

Rather than simply answering questions, an agent can:

  • Retrieve customer account information
  • Create service tickets
  • Update CRM records
  • Submit purchase requests
  • Check inventory
  • Reserve meeting rooms
  • Retrieve shipping status
  • Submit vacation requests
  • Trigger approval workflows

This transforms the agent from an information assistant into an intelligent business application.


When to Use HTTP Requests

Microsoft Copilot Studio supports several methods of integrating external systems.

These include:

  • Microsoft Power Platform connectors
  • REST APIs
  • Custom connectors
  • Agent tools
  • Microsoft Graph
  • Azure services

HTTP requests are typically used when:

  • No prebuilt connector exists.
  • A custom application exposes a REST API.
  • You need full control over requests.
  • The API supports operations unavailable through existing connectors.
  • You need to communicate directly with enterprise services.

What is an API?

An Application Programming Interface (API) allows one application to communicate with another.

Instead of manually opening software and entering information, software applications exchange data automatically.

Example:

A user asks:

“What is the shipping status of Order 48291?”

Instead of searching documents:

The agent:

  1. Calls the shipping API.
  2. Sends Order ID 48291.
  3. Receives current shipping information.
  4. Formats the response.
  5. Displays it to the user.

The user experiences a natural conversation while the agent communicates with backend systems.


REST APIs

Most modern enterprise systems expose REST APIs.

REST (Representational State Transfer) is an architectural style for web services.

REST APIs typically use:

  • HTTP
  • URLs
  • JSON
  • Standard HTTP methods

Example endpoint:

https://company.com/api/customers/1052

The agent sends an HTTP request.

The service returns JSON.


HTTP Fundamentals

HTTP is the communication protocol used by browsers, websites, cloud services, and APIs.

Every HTTP request contains:

  • URL
  • Method
  • Headers
  • Parameters
  • Body (optional)

The server then returns:

  • Status code
  • Headers
  • Response body

Anatomy of an HTTP Request

Example:

GET https://api.company.com/orders/48291

Headers

Authorization: Bearer token
Accept: application/json

Response

{
"OrderNumber":"48291",
"Status":"Shipped",
"Carrier":"UPS"
}

The agent can extract these values and use them during the conversation.


HTTP Methods

Understanding HTTP methods is important for the AB-620 exam.

GET

Retrieves information.

Example:

Get customer details

No data is modified.

Examples:

  • Get customer profile
  • Get inventory
  • Get weather
  • Get shipping status

Safe operation.


POST

Creates new information.

Examples:

  • Create support ticket
  • Submit expense report
  • Create employee record

Example request:

POST /tickets

Body:

{
"Priority":"High",
"Description":"Printer not working"
}

PUT

Replaces an existing resource.

Example:

Update the complete employee record.

Entire object is replaced.


PATCH

Updates part of a resource.

Example:

Only update:

Customer Phone Number

instead of replacing the entire customer record.

PATCH is generally more efficient than PUT for partial updates.


DELETE

Removes a resource.

Example:

Delete reservation.

Delete temporary record.

Delete shopping cart.

Because DELETE permanently removes data, organizations often restrict access.


URL Components

Understanding URL structure is important.

Example:

https://api.company.com/customers/1052/orders?year=2025

Breakdown:

Protocol

https

Host

api.company.com

Resource

customers

Path Parameter

1052

Subresource

orders

Query Parameter

year=2025

Path Parameters

Path parameters identify a specific resource.

Example

/customers/1052

Customer ID

1052

is embedded within the URL.

Often used for:

  • Employee ID
  • Customer ID
  • Product ID
  • Ticket ID

Query Parameters

Query parameters filter information.

Example

/orders?status=Open

Another example

/products?category=Laptops

Query parameters are optional and do not change the endpoint itself.


HTTP Headers

Headers provide metadata about the request.

Common headers include:

Authorization

Bearer Token

Accept

application/json

Content-Type

application/json

User-Agent

Application identification.

Custom headers

Many enterprise APIs require organization-specific headers.


Request Body

GET requests usually do not include a request body.

POST, PUT, and PATCH commonly include one.

Example

{
"EmployeeID":102,
"Department":"Finance"
}

The body contains the information being submitted.


JSON

Most APIs communicate using JSON.

Example

{
"CustomerID": 1052,
"Name": "John Smith",
"Status": "Gold",
"RewardPoints": 8400
}

The agent can retrieve individual values such as:

  • Name
  • Status
  • RewardPoints

and include them in responses.


Authentication

Most enterprise APIs require authentication.

Without authentication:

The request is rejected.

Authentication verifies:

  • Who is calling
  • Whether permission exists
  • Which resources are accessible

Common Authentication Methods

API Keys

Simple authentication method.

Example

x-api-key:

Advantages:

  • Easy

Disadvantages:

  • Less secure
  • Key management required

OAuth 2.0

Most Microsoft services use OAuth.

Workflow:

User authenticates.

Identity provider issues access token.

Agent sends Bearer token.

API validates token.

Request proceeds.

OAuth supports:

  • Delegated permissions
  • Application permissions
  • Token expiration
  • Refresh tokens

It is considered the enterprise standard.


Microsoft Entra ID

Many enterprise APIs authenticate through Microsoft Entra ID.

Benefits include:

  • Centralized identity
  • Role-based access
  • Conditional Access
  • Multifactor Authentication
  • Secure token management

This is the preferred authentication mechanism for Microsoft enterprise environments.


Configuring HTTP Requests in Copilot Studio

Within Copilot Studio, HTTP requests can be configured as actions or tools that execute during conversations.

A typical configuration includes:

  1. Define the endpoint URL.
  2. Select the HTTP method.
  3. Configure authentication.
  4. Add headers.
  5. Add parameters.
  6. Configure the request body if needed.
  7. Send the request.
  8. Capture the response.
  9. Store returned values in variables.
  10. Continue the conversation using the returned data.

Passing Dynamic Values

Most APIs require information supplied by the user.

Example:

User says:

“Check order 84592.”

The conversation stores:

OrderID = 84592

The HTTP request inserts that variable into:

https://api.company.com/orders/84592

instead of using a hardcoded value.

Dynamic parameters make APIs reusable across conversations.


Using Responses in Conversations

After receiving JSON, Copilot Studio can:

  • Store values
  • Display values
  • Evaluate conditions
  • Pass values into other actions
  • Use values inside prompts
  • Populate Adaptive Cards
  • Trigger additional API calls

Example:

API returns:

{
"Status":"Delivered",
"Carrier":"FedEx",
"Date":"2026-06-14"
}

The agent responds:

“Your package was delivered on June 14 by FedEx.”

The user never sees the underlying API call.


Best Practices

When designing HTTP integrations:

  • Prefer HTTPS over HTTP.
  • Never hard-code secrets.
  • Use secure authentication mechanisms.
  • Validate user input before sending requests.
  • Minimize the amount of sensitive data transmitted.
  • Return only information required by the conversation.
  • Reuse existing connectors when appropriate instead of creating unnecessary custom integrations.
  • Document API endpoints and expected responses.
  • Test APIs independently before integrating them into an agent.
  • Design requests to be idempotent where appropriate, particularly for update operations.

Exam Tips

For the AB-620 exam, remember the following:

  • REST APIs are the primary mechanism for integrating enterprise systems.
  • HTTP requests enable agents to retrieve live data and perform actions.
  • GET retrieves data, POST creates data, PUT replaces data, PATCH partially updates data, and DELETE removes data.
  • Authentication is typically performed using OAuth 2.0 or Microsoft Entra ID in enterprise environments.
  • JSON is the most common format for request and response payloads.
  • Dynamic variables collected during conversations are frequently inserted into URLs, query parameters, headers, or request bodies.
  • Agent responses are generated by parsing API responses and presenting the returned data in a conversational format.
  • Security, authentication, and proper handling of API responses are core skills emphasized throughout the AB-620 exam.

Quick Orientation Summary

In the topics above, you learned the fundamentals of using APIs and HTTP requests in Microsoft Copilot Studio, including REST principles, HTTP methods, authentication, request construction, and response handling.

In the next set of topics below, we will build upon that foundation by exploring advanced implementation techniques, enterprise design patterns, security considerations, performance optimization, and common exam scenarios.


Advanced HTTP Integration Patterns

Enterprise AI agents rarely execute a single API call. Instead, they often perform multiple requests, make decisions based on returned data, and coordinate actions across several systems.

Common integration patterns include:

  • Sequential API requests
  • Conditional API execution
  • Parallel data retrieval
  • Data enrichment
  • Multi-system orchestration
  • Event-driven integrations

These patterns allow an agent to perform sophisticated business processes while maintaining a natural conversational experience.


Sequential API Calls

Sometimes one API request provides information needed by another request.

Example:

User asks:

“Show me all orders for customer John Smith.”

Workflow:

  1. Search Customers API
  2. Retrieve Customer ID
  3. Pass Customer ID to Orders API
  4. Retrieve order list
  5. Present results

Example flow:

User Question
Search Customer API
Customer ID Returned
Retrieve Orders API
Return Orders

This pattern is common in CRM and ERP integrations.


Conditional API Execution

An agent may determine whether another API call is necessary.

Example:

Get Order Status
Delivered?
/ \
Yes No
↓ ↓
End Call Shipping API

Conditional execution reduces unnecessary API calls while improving performance.


Data Enrichment

Multiple systems often contain complementary information.

Example:

CRM:

  • Customer name
  • Email

ERP:

  • Orders

Shipping system:

  • Tracking

The agent combines all three into one response.

Example:

Customer: John Smith
Gold Member
Last Order: June 10
Tracking Number: 874623

The user experiences a single conversation despite multiple backend requests.


Working with JSON Responses

Most enterprise APIs return JSON.

Example:

{
"customer": {
"id": 125,
"name": "John Smith",
"status": "Gold",
"orders": [
{
"number": 4521,
"total": 275
},
{
"number": 4528,
"total": 118
}
]
}
}

The agent may extract:

  • customer.name
  • customer.status
  • orders[0].number
  • orders[1].total

Understanding nested JSON structures is valuable for the exam.


Mapping JSON to Variables

Returned values are commonly stored as variables.

Example:

CustomerName
John Smith
MembershipStatus
Gold
RewardPoints
12450

These variables can later be referenced in prompts, Adaptive Cards, conditions, or additional HTTP requests.


Chaining Multiple Requests

Many business processes require several connected API operations.

Example:

Vacation request:

Employee submits request
Retrieve manager
Check leave balance
Create approval
Notify manager
Update HR system

Each step may involve a separate HTTP request.


Long-Running Operations

Some APIs require time to complete.

Examples include:

  • AI document analysis
  • Video processing
  • Image generation
  • Data exports
  • Large database operations

Typical workflow:

Submit Job
Receive Job ID
Check Status API
Completed?
Retrieve Results

This polling pattern is common in cloud services.


HTTP Status Codes

Understanding status codes is essential.

200 OK

The request completed successfully.


201 Created

A new resource was successfully created.

Example:

Create support ticket.


202 Accepted

The request has been accepted but processing continues.

Often used for asynchronous operations.


204 No Content

The operation succeeded without returning data.

Common with DELETE requests.


400 Bad Request

The request is invalid.

Possible causes:

  • Missing fields
  • Invalid parameters
  • Incorrect formatting

401 Unauthorized

Authentication failed.

Usually indicates:

  • Invalid token
  • Expired token
  • Missing credentials

403 Forbidden

Authentication succeeded.

Permission is denied.

Example:

User lacks required role.


404 Not Found

Requested resource does not exist.


429 Too Many Requests

Rate limit exceeded.

Clients should wait before retrying.


500 Internal Server Error

Unexpected server failure.

Retry may succeed later.


Error Handling Strategies

Good enterprise agents never expose raw API errors directly to users.

Poor response:

Error 500.

Better response:

“The customer database is temporarily unavailable. Please try again in a few minutes.”

The technical details should be logged while presenting a friendly message.


Retry Logic

Temporary failures should not always terminate a conversation.

Good candidates for retries:

  • Network timeout
  • Temporary server outage
  • HTTP 429
  • HTTP 503

Poor candidates:

  • Invalid credentials
  • Missing permissions
  • Incorrect request format

Retry strategies typically use exponential backoff to reduce server load.


Timeouts

Every HTTP request should define an appropriate timeout.

Without one:

  • Conversations may hang.
  • User experience suffers.
  • Resources remain occupied.

Enterprise solutions balance responsiveness with backend processing time.


Logging

Successful enterprise solutions record important execution details.

Typical information includes:

  • Timestamp
  • Endpoint
  • Status code
  • Duration
  • User ID (when appropriate)
  • Correlation ID
  • Request outcome

Sensitive information such as passwords or tokens should never be logged.


Security Best Practices

For the AB-620 exam, security is heavily emphasized.

Recommended practices include:

  • Always use HTTPS.
  • Store secrets securely.
  • Use OAuth or Microsoft Entra ID whenever possible.
  • Implement least-privilege access.
  • Validate all user input.
  • Sanitize request data.
  • Encrypt sensitive information.
  • Rotate credentials regularly.
  • Monitor API usage.
  • Audit access to critical resources.

Protecting Sensitive Information

Avoid exposing:

  • Passwords
  • Tokens
  • API keys
  • Internal URLs
  • Database identifiers
  • Personally identifiable information (PII)

Agents should display only the information users are authorized to see.


Rate Limiting

External APIs often restrict request volume.

Example:

500 requests/hour

If exceeded:

HTTP 429

Design strategies include:

  • Request batching
  • Caching
  • Retry delays
  • Limiting unnecessary calls

Performance Optimization

Well-designed agents minimize latency.

Optimization techniques include:

  • Reuse previously retrieved information.
  • Avoid duplicate API calls.
  • Cache frequently requested data.
  • Request only required fields.
  • Combine related operations when supported.
  • Minimize payload sizes.
  • Execute independent requests in parallel where appropriate.

Choosing Between Connectors and HTTP Requests

In Copilot Studio, both connectors and HTTP requests provide integration capabilities.

Use Connectors WhenUse HTTP Requests When
Microsoft provides a supported connectorNo connector exists
Standard authentication is sufficientFull control over requests is required
Low-code development is preferredCustom APIs must be accessed
Minimal maintenance is desiredSpecialized API features are needed
Enterprise governance favors managed connectorsAdvanced REST functionality is required

The exam may ask you to choose the most appropriate integration method.


Common Enterprise Scenarios

Customer Support

  • Retrieve account
  • Create ticket
  • Update ticket
  • Escalate issue

Sales

  • Search CRM
  • Retrieve opportunities
  • Update customer records
  • Generate quotes

Human Resources

  • Vacation requests
  • Employee lookup
  • Benefits information
  • Payroll inquiries

Finance

  • Expense submission
  • Invoice lookup
  • Budget approval
  • Payment status

IT Help Desk

  • Password reset
  • Device lookup
  • Software requests
  • Incident management

Common Exam Pitfalls

Watch for these common mistakes:

  • Using POST when GET is appropriate.
  • Sending sensitive information in URLs instead of secure request bodies or headers.
  • Hard-coding API keys.
  • Ignoring authentication requirements.
  • Assuming every successful request returns HTTP 200 (201, 202, and 204 are also successful responses).
  • Failing to validate user input before making API calls.
  • Displaying raw server errors to users.
  • Using HTTP requests when an existing connector is the better choice.
  • Not accounting for rate limits or transient failures.
  • Returning more data than necessary, increasing security and performance risks.

AB-620 Exam Tips

Remember these key points:

  • APIs enable agents to interact with live enterprise systems.
  • REST and JSON are the dominant standards for enterprise integrations.
  • OAuth 2.0 and Microsoft Entra ID are preferred authentication methods.
  • Understand the purpose of each HTTP method.
  • Differentiate client errors (4xx) from server errors (5xx).
  • Design secure, maintainable, and reusable integrations.
  • Handle failures gracefully with retries where appropriate.
  • Protect sensitive information throughout the integration process.
  • Choose connectors when possible and HTTP requests when customization is required.

Topic Summary

An enterprise Copilot Studio agent becomes significantly more powerful when it can communicate with external systems through APIs and HTTP requests. By combining conversational AI with secure integrations, organizations can automate business processes, retrieve live operational data, and perform transactions across enterprise applications.

For the AB-620 exam, focus on understanding the complete lifecycle of an HTTP request, authentication mechanisms, JSON handling, response processing, error handling, and secure integration design. These concepts are foundational to designing enterprise-grade AI agent solutions.


Practice Exam Questions

Question 1

A Copilot Studio agent must retrieve a customer’s current loyalty points without modifying any data. Which HTTP method should be used?

A. POST

B. GET

C. PATCH

D. DELETE

Answer: B

Explanation: GET is used to retrieve information without modifying server-side resources.


Question 2

An API returns HTTP status code 401 Unauthorized. What is the most likely cause?

A. The requested resource does not exist.

B. The request exceeded the rate limit.

C. Authentication credentials are missing or invalid.

D. The request completed successfully.

Answer: C

Explanation: A 401 status indicates that authentication failed because valid credentials were not provided or have expired.


Question 3

A developer needs to update only a customer’s phone number. Which HTTP method is most appropriate?

A. PUT

B. POST

C. PATCH

D. GET

Answer: C

Explanation: PATCH performs partial updates, making it ideal for modifying a single property without replacing the entire resource.


Question 4

Which authentication mechanism is recommended for securing enterprise APIs integrated with Microsoft Copilot Studio?

A. Anonymous authentication

B. Basic authentication using hardcoded credentials

C. OAuth 2.0 with Microsoft Entra ID

D. Query string authentication

Answer: C

Explanation: OAuth 2.0 integrated with Microsoft Entra ID provides secure, token-based authentication and centralized identity management.


Question 5

An agent receives the following response:

{
"Status":"Approved",
"Manager":"Karen Lee"
}

What should the agent do next?

A. Ignore the response.

B. Store the values in variables for use later in the conversation.

C. Convert the response into XML.

D. Retry the request immediately.

Answer: B

Explanation: JSON values are typically parsed and stored in variables for use in responses, conditions, or subsequent actions.


Question 6

A REST API limits clients to 1,000 requests per hour. Which design strategy best helps avoid exceeding this limit?

A. Retry every request immediately.

B. Disable authentication.

C. Cache frequently requested data and avoid unnecessary calls.

D. Send duplicate requests for verification.

Answer: C

Explanation: Caching and reducing redundant API calls are common strategies for working within rate limits.


Question 7

A company already has a fully supported Microsoft Power Platform connector for its CRM system. Which integration approach should generally be chosen?

A. Build every interaction using raw HTTP requests.

B. Use the existing connector unless custom functionality requires direct API access.

C. Export CRM data to spreadsheets.

D. Replace the CRM with a custom application.

Answer: B

Explanation: Managed connectors simplify development, maintenance, authentication, and governance, making them the preferred option when available.


Question 8

Which status code indicates that a new resource has been successfully created?

A. 200

B. 201

C. 404

D. 500

Answer: B

Explanation: HTTP 201 Created indicates that a new resource was successfully created by the server.


Question 9

What is the primary benefit of chaining multiple API requests within an agent flow?

A. It reduces authentication requirements.

B. It eliminates the need for variables.

C. It enables complex business processes that span multiple systems.

D. It guarantees faster execution than a single request.

Answer: C

Explanation: Chained API calls allow agents to orchestrate multi-step workflows involving several enterprise applications.


Question 10

Why should an agent avoid displaying raw HTTP error messages directly to users?

A. HTTP errors are never useful.

B. Raw errors may expose technical details and create a poor user experience.

C. HTTP errors always indicate a network problem.

D. Users cannot understand status codes.

Answer: B

Explanation: Enterprise agents should present friendly, actionable messages while logging technical details internally to maintain security and usability.


Go to the AB-620 Exam Prep Hub main page

Configure agent response formatting (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure agent response formatting


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most important responsibilities of an AI Agent Builder is designing responses that are easy for users to read, understand, and act upon. Even if an agent provides accurate information, poorly formatted responses can confuse users and reduce confidence in the solution.

Microsoft Copilot Studio provides several methods for formatting responses, ranging from simple text to sophisticated interactive experiences using Adaptive Cards. Choosing the correct response format depends on the audience, communication channel, business process, and complexity of the information being presented.

For the AB-620 exam, you should understand not only how to configure response formatting, but also when each formatting option should be used.


Why Response Formatting Matters

Well-designed responses help users:

  • Understand information quickly
  • Complete tasks efficiently
  • Reduce misunderstandings
  • Improve user satisfaction
  • Increase adoption of AI agents
  • Reduce unnecessary follow-up questions

Poorly formatted responses often lead to:

  • Long walls of text
  • Missing important information
  • Difficult navigation
  • User frustration
  • Increased support requests

Types of Agent Responses

Copilot Studio supports multiple response formats.

Plain Text Responses

The simplest response format.

Example:

Your request has been submitted successfully.

Advantages

  • Fast
  • Works across all channels
  • Universal compatibility

Limitations

  • Limited visual appeal
  • Difficult to organize large amounts of information
  • No interactive elements

Best used for:

  • Confirmations
  • Greetings
  • Short answers
  • Status messages

Rich Text Responses

Rich text improves readability by organizing information.

Examples include:

  • Headings
  • Paragraphs
  • Bullets
  • Numbered lists
  • Hyperlinks
  • Basic formatting

Example

Instead of:

Your laptop has shipped. Tracking number 123456. Expected delivery Friday.

Use:

Your Order Has Shipped

Tracking Number:

123456

Expected Delivery:

Friday

Rich text greatly improves the user experience.


Markdown Formatting

Many Copilot Studio responses support Markdown formatting.

Common Markdown elements include:

Bold

**Important**

Result:

Important


Italics

*Reminder*

Result:

Reminder


Lists

• Review your request
• Submit approval
• Wait for confirmation

or

1. Sign in
2. Select your project
3. Submit the request

Links

[Employee Portal](https://contoso.com)

Depending on the channel, links may appear as clickable hyperlinks.


Code Blocks

Useful when returning:

  • JSON
  • XML
  • PowerShell
  • SQL
  • REST requests

Example

{
"status":"Complete"
}

Although primarily useful for IT scenarios, formatted code blocks improve readability significantly.


Using Variables in Responses

Most responses contain dynamic information.

Instead of static text:

Hello Customer

Use variables:

Hello {User.Name}

Examples include:

  • Customer name
  • Order number
  • Case ID
  • Ticket status
  • Product information
  • Appointment time

Dynamic responses create personalized conversations.

Example:

Instead of

Your appointment has been confirmed.

Return

Hello John,
Your appointment for Tuesday at 2:00 PM has been confirmed.

Formatting Dynamic Data

When displaying variables, consider formatting.

Examples include:

Dates

Instead of:

2026-07-03T18:30:00Z

Display

July 3, 2026
6:30 PM

Currency

Instead of:

1249.95

Display

$1,249.95

Percentages

Instead of

0.82

Display

82%

Proper formatting improves professionalism and reduces confusion.


Structuring Long Responses

Avoid overwhelming users with lengthy paragraphs.

Instead:

Break responses into logical sections.

Example:


Support Ticket Created

Ticket Number:

87421

Priority:

High

Estimated Response:

2 Hours

Next Steps

• Monitor your email

• Reply if additional information is requested

• Close the ticket after resolution


This structure is much easier to scan.


Using Adaptive Cards

Adaptive Cards provide rich interactive user experiences.

Instead of displaying only text, an Adaptive Card can include:

  • Images
  • Buttons
  • Forms
  • Multiple columns
  • Input fields
  • Choice selections
  • Action buttons
  • Hyperlinks

Example use cases:

  • Expense approval
  • Vacation requests
  • IT support forms
  • Purchase approvals
  • Customer surveys
  • Product recommendations

Adaptive Cards are especially valuable when users need to make decisions directly inside the conversation.


Benefits of Adaptive Cards

Advantages include:

  • Interactive experiences
  • Improved usability
  • Reduced typing
  • Consistent design
  • Mobile-friendly layouts
  • Better user engagement

Rather than asking:

Would you like Option A or Option B?

An Adaptive Card can present two buttons the user simply clicks.


Adaptive Card Components

Common elements include:

Text Blocks

Display formatted text.

Example:

Vacation Request

Images

Useful for:

  • Employee photos
  • Product images
  • Maps
  • Company logos

Fact Sets

Display key-value information.

Example

Employee:

John Smith

Department:

Finance

Status:

Pending


Input Controls

Examples include:

  • Text boxes
  • Date pickers
  • Toggle switches
  • Dropdown lists
  • Rating controls

Action Buttons

Examples:

Approve

Reject

View Details

Submit

Cancel

Buttons simplify user interaction.


Images in Responses

Images improve engagement when used appropriately.

Common examples include:

  • Product photos
  • Company logos
  • Equipment diagrams
  • Employee pictures
  • Charts

Avoid using decorative images that do not add business value.


Hyperlinks

Responses often direct users to other systems.

Examples:

  • Knowledge articles
  • HR portal
  • SharePoint
  • Microsoft Teams
  • ServiceNow
  • Dynamics 365
  • Internal documentation

Rather than displaying long URLs, use descriptive text.

Good example:

Open the Employee Benefits Portal

Poor example:

https://contoso.sharepoint.com/sites/hr/benefits/documents...

Tables

Some channels support table formatting.

Tables work well for:

  • Pricing
  • Inventory
  • Order summaries
  • Project status
  • Performance metrics

Example

ProductQuantityStatus
Laptop3Ready
Monitor2Backordered

Tables improve readability compared to long sentences.


Lists

Bulleted lists are excellent for:

  • Instructions
  • Requirements
  • Features
  • Benefits
  • Action items

Example

Before submitting:

  • Verify your information
  • Upload required documents
  • Review your answers
  • Click Submit

Response Tone

Formatting is not only visual—it also influences communication style.

Agents should be:

Professional

Friendly

Clear

Concise

Helpful

Avoid:

  • Excessive technical jargon
  • Large blocks of text
  • Ambiguous wording
  • Robotic language
  • Unnecessary repetition

AI-Generated Responses vs Authored Responses

Copilot Studio supports both authored and AI-generated responses.

Authored Responses

Created manually by the designer.

Advantages:

  • Predictable
  • Consistent
  • Easier compliance
  • Controlled wording

Best for:

  • Policies
  • Compliance
  • Legal information
  • HR guidance

AI-Generated Responses

Generated using enterprise knowledge sources and generative AI.

Advantages:

  • Dynamic
  • Flexible
  • Natural conversations
  • Less maintenance

Best for:

  • FAQs
  • Large knowledge bases
  • Documentation
  • Internal support

Designers should ensure AI-generated responses still follow organizational formatting guidelines.


Channel Considerations

Different deployment channels render responses differently.

Examples include:

  • Microsoft Teams
  • Web chat
  • Mobile applications
  • Custom websites
  • Power Apps
  • Omnichannel Customer Service

Not every channel supports every formatting feature.

Adaptive Cards, images, buttons, and Markdown may behave differently depending on the target platform.

Before deployment, always validate that responses render correctly on every supported channel.


Accessibility Considerations

Well-formatted responses should also be accessible.

Best practices include:

  • Use descriptive button labels.
  • Avoid relying solely on color to convey meaning.
  • Keep language simple and readable.
  • Organize information with headings and lists.
  • Provide alternative text for images where supported.
  • Ensure sufficient spacing between sections.
  • Keep interactive cards uncluttered.

Accessibility improves usability for all users and supports inclusive design principles.


Performance Considerations

Overly complex responses can affect user experience.

Recommendations include:

  • Avoid unnecessarily large Adaptive Cards.
  • Limit excessive images.
  • Keep responses concise.
  • Return only relevant information.
  • Avoid deeply nested card layouts.
  • Use buttons instead of requiring users to type common responses.

Simple, focused responses generally provide the best user experience.


Common Design Mistakes

Candidates should recognize poor response design.

Common mistakes include:

  • Returning paragraphs instead of structured content.
  • Showing raw JSON or API output to users.
  • Displaying poorly formatted dates and currencies.
  • Using inconsistent terminology.
  • Creating overly large Adaptive Cards.
  • Mixing multiple unrelated tasks into one response.
  • Ignoring channel limitations.
  • Forgetting to test rendering across deployment targets.

Best Practices

When configuring agent responses:

  • Choose the simplest format that satisfies the business requirement.
  • Use Markdown to improve readability.
  • Personalize responses with variables.
  • Display business data in user-friendly formats.
  • Use Adaptive Cards for interactive experiences.
  • Maintain consistent formatting across topics.
  • Design for accessibility.
  • Test responses on every deployment channel.
  • Keep messages concise and action-oriented.
  • Use buttons and structured layouts to reduce user effort.

AB-620 Exam Tips

For the exam, remember the following:

  • Understand the differences between plain text, Markdown, rich text, and Adaptive Cards.
  • Know when Adaptive Cards provide value over standard text responses.
  • Be familiar with using variables to personalize responses.
  • Understand how channel capabilities influence formatting choices.
  • Recognize when authored responses are preferable to AI-generated responses.
  • Know how formatting improves usability, accessibility, and user satisfaction.
  • Expect scenario-based questions requiring you to choose the most appropriate response format for a given business requirement.

This topic is frequently tested through scenarios in which you must balance user experience, maintainability, accessibility, and channel compatibility. A strong understanding of response formatting principles will help you design professional, effective AI agents in Microsoft Copilot Studio.


Practice Exam Questions


Question 1

A company is building a Copilot Studio agent that helps employees submit vacation requests. Users should be able to review the request details and either approve or cancel the submission without typing additional text.

Which response format should you use?

A. Plain text response

B. Adaptive Card with action buttons

C. Markdown with bullet lists

D. AI-generated response

Correct Answer: B

Explanation:

Adaptive Cards support interactive controls such as buttons, input fields, and forms. Since users need to take immediate action by selecting Approve or Cancel, an Adaptive Card provides the best user experience. Plain text and Markdown can display information but cannot provide rich interactive controls.


Question 2

An agent returns the following response:

Order Number: 84562
Status: Shipped
Expected Delivery: July 8

The designer wants the response to be easier to scan while maintaining compatibility across nearly all deployment channels.

Which approach should be used?

A. Convert the response into an Adaptive Card

B. Replace the response with AI-generated text

C. Format the response using Markdown headings and spacing

D. Display the information as raw JSON

Correct Answer: C

Explanation:

Markdown formatting improves readability while remaining compatible with most supported channels. An Adaptive Card could also work, but it introduces unnecessary complexity when only simple formatting is required.


Question 3

A Copilot Studio agent retrieves a customer’s first name from Microsoft Dataverse before responding.

How should the response be personalized?

A. Hard-code the customer’s name into every response.

B. Ask the customer to type their name every time.

C. Insert a variable that contains the customer’s name.

D. Return the customer ID instead.

Correct Answer: C

Explanation:

Variables allow responses to dynamically personalize information using data retrieved during the conversation. This reduces user effort and improves the conversational experience.


Question 4

A developer wants an agent to return troubleshooting instructions that include several PowerShell commands.

Which formatting option provides the clearest presentation?

A. Store the commands in a Fact Set.

B. Display the commands inside an image.

C. Place the commands inside an Adaptive Card button.

D. Format the commands using a code block.

Correct Answer: D

Explanation:

Code blocks preserve formatting and spacing, making PowerShell commands easier to read and copy. Images prevent copying, and buttons are intended for actions rather than displaying scripts.


Question 5

An HR agent returns employee handbook information that rarely changes and must always match company policy exactly.

Which response type is most appropriate?

A. Authored response

B. AI-generated response

C. Adaptive Card

D. Markdown-generated summary

Correct Answer: A

Explanation:

Policy and compliance information should use authored responses because administrators maintain complete control over wording and consistency. AI-generated responses may paraphrase information, which is undesirable for official policy.


Question 6

A product catalog agent must display several products with images, prices, descriptions, and “View Details” buttons.

Which response format is most appropriate?

A. Plain text

B. Markdown bullet list

C. Adaptive Card

D. Code block

Correct Answer: C

Explanation:

Adaptive Cards are designed for structured, interactive presentations that include images, buttons, and organized information, making them ideal for product catalogs.


Question 7

A support agent currently returns the following response:

Ticket created. Number 87321. Priority High. Assigned to Network Team. Estimated completion 2 hours.

What is the best improvement?

A. Replace the response with a hyperlink.

B. Separate the information into headings and labeled sections.

C. Convert the information into XML.

D. Remove the priority information.

Correct Answer: B

Explanation:

Organizing related information into labeled sections makes responses easier to scan and understand. The content remains the same while improving readability.


Question 8

An organization deploys the same agent to Microsoft Teams, a company website, and a mobile application.

Why should response formatting be tested on every deployment channel?

A. Every channel supports identical formatting capabilities.

B. Adaptive Cards only work on websites.

C. AI-generated responses cannot be used on Teams.

D. Different channels may render formatting and interactive components differently.

Correct Answer: D

Explanation:

Channel capabilities vary. Some channels support full Adaptive Cards and Markdown, while others may partially support or render features differently. Testing ensures a consistent user experience.


Question 9

An agent retrieves the following value from a database:

2026-08-14T13:30:00Z

What is the best way to present this information?

A. Display the raw timestamp.

B. Convert it to binary.

C. Format it into a user-friendly date and time.

D. Replace it with the database record ID.

Correct Answer: C

Explanation:

Users should see dates and times in an understandable format rather than technical timestamp values. Proper formatting improves usability and professionalism.


Question 10

A designer wants to improve accessibility for all users interacting with a Copilot Studio agent.

Which design choice best supports this goal?

A. Use descriptive button labels and well-structured responses.

B. Rely only on color to indicate status.

C. Replace text with images whenever possible.

D. Display all information in a single paragraph.

Correct Answer: A

Explanation:

Accessibility best practices include meaningful button labels, organized layouts, headings, and clear language. Relying solely on color or replacing text with images reduces accessibility, while large blocks of text make responses harder to understand.


Exam Readiness Checklist

Before taking the AB-620 exam, ensure you can:

  • ✔ Differentiate between plain text, Markdown, rich text, and Adaptive Cards.
  • ✔ Identify when to use authored versus AI-generated responses.
  • ✔ Configure dynamic responses using variables.
  • ✔ Select the most appropriate formatting for business scenarios.
  • ✔ Design responses that improve readability and usability.
  • ✔ Understand how deployment channels affect response rendering.
  • ✔ Apply accessibility best practices to agent responses.
  • ✔ Format dates, currencies, percentages, and other dynamic values appropriately.
  • ✔ Recognize when interactive controls improve the user experience.
  • ✔ Evaluate response formatting decisions based on business requirements, user experience, and maintainability.

These scenario-based questions reflect the style of the AB-620 certification exam, where selecting the most appropriate design choice is often more important than simply knowing a feature exists.


Go to the AB-620 Exam Prep Hub main page

Plan reusable agent components (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Plan an agent solution
      --> Plan reusable agent components


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the primary goals of enterprise software development is reuse. Rather than recreating the same functionality multiple times, organizations design components that can be shared across projects, reducing development effort, improving consistency, and simplifying maintenance.

This principle is equally important when designing AI agents in Microsoft Copilot Studio. Organizations often build multiple agents for different departments—such as HR, IT, Finance, Sales, Customer Service, and Operations—that perform similar tasks or use the same enterprise resources. By planning reusable agent components, organizations can reduce duplication, accelerate development, improve governance, and provide a consistent user experience.

For the AB-620 exam, you should understand how to identify reusable components, determine when they should be shared, and plan architectures that maximize reuse while maintaining security, scalability, and maintainability.


What Are Reusable Agent Components?

Reusable agent components are features, resources, or capabilities that can be used by multiple AI agents instead of being recreated for each solution.

Examples include:

  • Knowledge sources
  • Topics
  • Prompt templates
  • Tools
  • Connectors
  • REST API definitions
  • Child agents
  • Connected agents
  • Variables
  • Adaptive Card templates
  • Power Automate flows
  • Authentication configurations
  • Security policies
  • Conversation patterns

Rather than building these repeatedly, they can be designed once and leveraged across multiple AI solutions.


Why Reusability Matters

Planning reusable components provides numerous benefits.

Benefits include:

  • Faster development
  • Reduced maintenance
  • Lower implementation costs
  • Consistent user experience
  • Improved governance
  • Easier testing
  • Better security
  • Simplified updates
  • Reduced duplication
  • Greater scalability

Instead of updating ten separate implementations, developers update a single reusable component.


Characteristics of Good Reusable Components

Reusable components should be:

  • Modular
  • Independent
  • Well documented
  • Secure
  • Configurable
  • Maintainable
  • Reliable
  • Scalable
  • Versioned

Components should solve a specific problem without being tightly coupled to a single AI agent.


Identifying Reusable Functionality

During planning, architects should identify common business capabilities.

Examples include:

  • Password reset
  • Employee directory lookup
  • Leave balance retrieval
  • Knowledge search
  • Ticket creation
  • Appointment scheduling
  • Customer profile lookup
  • Product search
  • Status inquiries
  • FAQ responses

If multiple agents require the same capability, it is a strong candidate for reuse.


Reusable Topics

Topics define conversation logic within Copilot Studio.

Examples of reusable topics include:

  • Greeting users
  • Authentication
  • Collecting user information
  • Escalating to human agents
  • Error handling
  • Help requests
  • Feedback collection

Instead of recreating these conversations for every agent, organizations can standardize their design.

Benefits include:

  • Consistent conversations
  • Easier updates
  • Reduced testing effort

Reusable Prompt Templates

Many agents use similar prompts when interacting with generative AI.

Examples include:

  • Summarization prompts
  • Email drafting prompts
  • Translation prompts
  • Sentiment analysis prompts
  • Document analysis prompts
  • Classification prompts

Prompt templates provide:

  • Consistency
  • Improved AI output quality
  • Easier prompt engineering
  • Simplified maintenance

Planning reusable prompts also supports Responsible AI by promoting consistent instructions and reducing prompt variability.


Reusable Knowledge Sources

Enterprise knowledge is often shared across multiple departments.

Examples include:

  • HR policies
  • Employee handbook
  • Product documentation
  • Technical documentation
  • Internal procedures
  • Company FAQs

Rather than duplicating these resources, multiple agents can reference the same approved knowledge repositories.

Knowledge sources may include:

  • SharePoint
  • Microsoft Dataverse
  • Azure AI Search indexes
  • Approved websites
  • Internal document libraries

Shared knowledge promotes consistency and reduces conflicting answers.


Reusable Tools

Tools enable AI agents to perform actions.

Examples include:

  • Connector-based tools
  • REST API tools
  • Custom actions
  • Power Automate flows
  • Model Context Protocol (MCP) tools

Reusable tools can perform common business functions such as:

  • Create support tickets
  • Retrieve customer information
  • Update CRM records
  • Send notifications
  • Query inventory
  • Schedule appointments

A single tool can be shared across multiple agents.


Reusable Connectors

Many organizations connect agents to the same enterprise systems.

Examples include:

  • Microsoft Dynamics 365
  • Microsoft Dataverse
  • Microsoft SharePoint
  • Microsoft Teams
  • Microsoft Outlook
  • SAP
  • ServiceNow
  • Salesforce

Instead of creating multiple integrations, organizations should reuse existing connectors whenever possible.

Benefits include:

  • Lower maintenance
  • Consistent authentication
  • Simplified governance

Reusable Power Automate Flows

Power Automate flows often encapsulate business logic that multiple agents require.

Examples include:

  • Creating approval requests
  • Sending notifications
  • Updating databases
  • Creating tickets
  • Synchronizing systems
  • Processing forms

Rather than embedding identical logic into every agent, reusable flows centralize business processes.


Child Agents

One of the most powerful reusable components in Copilot Studio is the child agent.

A child agent performs specialized tasks on behalf of one or more parent agents.

Example:

A company has:

  • HR Agent
  • IT Agent
  • Finance Agent
  • Facilities Agent

All four agents require identity verification before completing sensitive requests.

Instead of implementing verification four times, a reusable Identity Verification Child Agent performs authentication for every parent agent.

Benefits include:

  • Centralized maintenance
  • Consistent behavior
  • Reduced duplication
  • Easier governance

Connected Agents

Connected agents enable multiple specialized agents to collaborate.

Rather than creating one large monolithic agent, organizations build smaller agents that focus on specific business domains.

Example:

Customer Service Agent

Delegates to:

  • Billing Agent
  • Shipping Agent
  • Product Support Agent

Each specialized agent becomes reusable across multiple solutions.


Adaptive Card Templates

Adaptive Cards frequently display:

  • Forms
  • Approval requests
  • Employee information
  • Order summaries
  • Customer records

Instead of redesigning these interfaces repeatedly, organizations create reusable templates.

Benefits include:

  • Consistent UI
  • Easier maintenance
  • Faster development

Reusable Authentication

Authentication workflows are excellent candidates for reuse.

Examples include:

  • Microsoft Entra ID authentication
  • OAuth authentication
  • User verification
  • Multi-Factor Authentication (MFA)
  • Single Sign-On (SSO)

Using standardized authentication components improves both security and consistency.


Reusable Conversation Patterns

Many conversation patterns appear repeatedly.

Examples include:

  • Greeting users
  • Asking clarification questions
  • Confirming actions
  • Handling errors
  • Escalating conversations
  • Ending conversations

Standardizing these interactions improves the overall user experience.


Versioning Reusable Components

Reusable components evolve over time.

Organizations should maintain versions of:

  • Child agents
  • Prompt templates
  • Power Automate flows
  • API definitions
  • Knowledge sources

Versioning enables:

  • Safe updates
  • Rollback capabilities
  • Controlled deployments
  • Backward compatibility

Governance Considerations

Shared components should follow governance standards.

Planning should include:

  • Ownership
  • Documentation
  • Approval process
  • Version control
  • Security reviews
  • Testing
  • Monitoring
  • Change management

Clear governance prevents uncontrolled modifications.


Security Considerations

Reusable components often access enterprise resources.

Architects should ensure:

  • Least privilege permissions
  • Secure authentication
  • Secure connectors
  • Data Loss Prevention (DLP)
  • Audit logging
  • Role-Based Access Control (RBAC)

Security should never be sacrificed for reuse.


Designing Modular Components

Good reusable components follow modular design principles.

Each component should:

  • Perform one primary function
  • Have clearly defined inputs
  • Produce predictable outputs
  • Avoid unnecessary dependencies
  • Support multiple use cases

Modularity simplifies testing and maintenance.


When Not to Reuse

Not every component should be reused.

Avoid reuse when:

  • Logic is highly specific to one department.
  • Security requirements differ significantly.
  • Regulatory requirements require isolation.
  • Business rules are unique.
  • Performance would be negatively affected.

Reuse should never compromise maintainability or security.


Common Mistakes

Avoid these common mistakes:

  • Duplicating identical functionality across agents
  • Creating overly complex reusable components
  • Ignoring version control
  • Hardcoding configuration values
  • Sharing components without documentation
  • Reusing components with excessive permissions
  • Failing to test shared components after updates
  • Not assigning ownership

Best Practices

When planning reusable agent components:

  • Identify common functionality early in the design process.
  • Build modular, independent components.
  • Reuse child agents for specialized tasks.
  • Reuse connectors and Power Automate flows whenever possible.
  • Centralize enterprise knowledge sources.
  • Standardize prompt templates and conversation patterns.
  • Use Adaptive Card templates for consistent user interfaces.
  • Implement version control and governance.
  • Document reusable components thoroughly.
  • Continuously monitor and maintain shared assets.

Exam Tips

For the AB-620 exam, remember the following:

  • Reusable components reduce duplication and improve maintainability.
  • Child agents are ideal for reusable specialized business capabilities.
  • Connected agents enable collaboration between specialized AI agents.
  • Prompt templates improve consistency and simplify prompt engineering.
  • Shared knowledge sources help reduce inconsistent responses.
  • Power Automate flows encapsulate reusable business logic.
  • Adaptive Card templates provide reusable user interfaces.
  • Reusable connectors simplify enterprise integrations.
  • Version control is essential for shared components.
  • Reuse should improve efficiency without compromising security or governance.

Practice Exam Questions

Question 1

An organization has five different AI agents that all need to verify a user’s identity before performing sensitive operations. What is the most effective reusable design?

A. Implement separate identity verification logic within each agent.

B. Create a reusable child agent that performs identity verification for all parent agents.

C. Require each department to create its own authentication workflow.

D. Disable authentication to simplify the user experience.

Correct Answer: B

Explanation: A child agent is designed to encapsulate specialized functionality that can be reused by multiple parent agents. Centralizing identity verification improves consistency, reduces duplication, and simplifies maintenance.


Question 2

Which component is best suited for encapsulating reusable business processes such as sending approval requests or updating records in multiple systems?

A. Adaptive Card template

B. Conversation variable

C. Power Automate flow

D. Greeting topic

Correct Answer: C

Explanation: Power Automate flows encapsulate business logic and integrations, allowing multiple agents to reuse the same automated processes without duplicating implementation.


Question 3

Why should organizations use reusable prompt templates when developing multiple AI agents?

A. They eliminate the need for enterprise knowledge sources.

B. They reduce authentication requirements.

C. They ensure consistent AI instructions and simplify prompt maintenance.

D. They automatically create connectors.

Correct Answer: C

Explanation: Reusable prompt templates provide consistent instructions to the AI model, improve maintainability, and reduce the effort required to update prompts across multiple agents.


Question 4

Multiple AI agents need access to the same employee handbook and HR policies. What is the best architectural approach?

A. Copy the documents into each individual agent.

B. Store separate versions for each department.

C. Use different knowledge sources for every agent.

D. Use a shared enterprise knowledge repository that all authorized agents can access.

Correct Answer: D

Explanation: A centralized knowledge source ensures that all agents provide consistent, up-to-date information while reducing duplication and maintenance effort.


Question 5

Which characteristic is most important for a reusable agent component?

A. It should be tightly coupled to one specific business process.

B. It should perform a single well-defined function with minimal dependencies.

C. It should contain multiple unrelated capabilities.

D. It should require administrator permissions regardless of purpose.

Correct Answer: B

Explanation: Reusable components should be modular, focused on a single responsibility, and loosely coupled so they can be easily maintained and reused.


Question 6

Which reusable component helps standardize the appearance and layout of forms, approval requests, and information cards across multiple agents?

A. Adaptive Card template

B. REST API definition

C. Azure AI Search index

D. Environment variable

Correct Answer: A

Explanation: Adaptive Card templates provide reusable user interface layouts that ensure consistency while reducing duplicate design work.


Question 7

An organization wants specialized Billing, Shipping, and Technical Support agents to collaborate with a Customer Service agent. Which design approach best supports this requirement?

A. Create one large monolithic agent that handles every task.

B. Use connected agents that delegate requests to specialized agents.

C. Duplicate billing logic into every agent.

D. Build independent agents with no communication between them.

Correct Answer: B

Explanation: Connected agents allow specialized agents to collaborate, improving scalability, maintainability, and reuse across multiple business scenarios.


Question 8

Why is version control important for reusable agent components?

A. It eliminates the need for documentation.

B. It prevents components from being shared.

C. It enables controlled updates, rollback capabilities, and compatibility management.

D. It automatically creates new AI models.

Correct Answer: C

Explanation: Version control allows organizations to safely update shared components, roll back changes when necessary, and manage compatibility across multiple dependent agents.


Question 9

Which planning consideration helps ensure reusable components remain secure?

A. Grant every reusable component global administrator permissions.

B. Allow all agents unrestricted access to every connector.

C. Avoid documenting shared components.

D. Apply least-privilege permissions, RBAC, and governance policies to shared components.

Correct Answer: D

Explanation: Reusable components should follow the same security principles as any enterprise solution by using least privilege, role-based access control, and established governance practices.


Question 10

Which situation is least appropriate for creating a reusable component?

A. Multiple agents need the same ticket creation process.

B. Several departments use the same authentication workflow.

C. A business process is highly specialized, unique to one department, and subject to different regulatory requirements.

D. Multiple agents display the same approval form.

Correct Answer: C

Explanation: Reuse is most beneficial for common functionality. Highly specialized or regulated processes that differ significantly between departments are often better implemented as separate components to avoid unnecessary complexity or compliance risks.


Go to the AB-620 Exam Prep Hub main page

Plan channels and deployment (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Plan an agent solution
      --> Plan channels and deployment


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the final planning activities before building an AI agent is determining where users will interact with the agent and how the solution will be deployed. Even the most intelligent AI agent will not deliver business value if it is deployed to the wrong audience, through the wrong communication channels, or without proper governance.

In Microsoft Copilot Studio, channels are the communication platforms through which users interact with an agent, while deployment is the process of publishing, distributing, updating, and managing the agent across those channels.

For the AB-620 exam, you should understand how to:

  • Select the appropriate communication channels
  • Determine deployment strategies
  • Plan environments and lifecycle management
  • Consider authentication and security requirements
  • Plan for scalability and governance
  • Choose deployment approaches that align with business requirements

Planning these elements before implementation helps ensure that the agent reaches the intended users while remaining secure, manageable, and maintainable.


What Are Channels?

A channel is the interface through which users communicate with a Copilot Studio agent.

Examples include:

  • Microsoft Teams
  • Microsoft 365 Copilot
  • Web sites
  • Mobile applications
  • Custom applications
  • Omnichannel for Customer Service
  • Direct Line API
  • Custom integrations

Different channels serve different business needs and user experiences.


Why Channel Planning Is Important

Selecting the correct channel affects:

  • User adoption
  • Accessibility
  • Security
  • Authentication
  • User experience
  • Integration requirements
  • Deployment complexity
  • Maintenance

Choosing the wrong channel may result in poor usability, unnecessary development work, or security challenges.


Factors to Consider When Selecting Channels

When planning deployment channels, consider the following questions:

  • Who are the users?
  • Where do they already work?
  • What devices do they use?
  • Do they need authentication?
  • Is the audience internal or external?
  • Will users interact through text, voice, or both?
  • Does the channel support required features?
  • Are compliance requirements met?

These questions guide architects toward the most appropriate deployment strategy.


Common Deployment Channels

Microsoft Teams

Microsoft Teams is one of the most common deployment targets for Copilot Studio agents.

Typical scenarios include:

  • Employee self-service
  • IT help desk
  • HR support
  • Finance assistance
  • Internal knowledge search
  • Project management

Advantages include:

  • Integrated authentication with Microsoft Entra ID
  • Familiar user experience
  • Easy access for employees
  • Integration with Microsoft 365 services

Teams is generally the preferred channel for internal organizational agents.


Microsoft 365 Copilot

Organizations can integrate agents with Microsoft 365 Copilot to extend user capabilities across Microsoft applications.

Users may interact with agents while working in:

  • Outlook
  • Word
  • Excel
  • PowerPoint
  • Teams

Benefits include:

  • Seamless productivity workflows
  • Context-aware assistance
  • Access to Microsoft Graph data (subject to permissions)
  • Consistent user experience

Websites

Agents can be embedded into public or private websites.

Common uses include:

  • Customer support
  • Product information
  • FAQs
  • Sales assistance
  • Appointment scheduling

Website deployment is ideal for customer-facing solutions.


Mobile Applications

Organizations may embed agents into mobile apps.

Example scenarios:

  • Banking
  • Healthcare
  • Retail
  • Travel
  • Field service

Benefits include:

  • Convenient mobile access
  • Personalized experiences
  • Integration with mobile app functionality

Custom Applications

Organizations often integrate Copilot Studio agents into existing business applications.

Examples include:

  • ERP systems
  • CRM systems
  • Employee portals
  • Partner portals
  • Internal dashboards

This approach creates a unified experience without requiring users to switch applications.


Omnichannel for Customer Service

Customer service organizations often deploy agents through Omnichannel.

Benefits include:

  • Live agent handoff
  • Customer service routing
  • Persistent conversations
  • Integration with Dynamics 365 Customer Service

Direct Line API

The Direct Line API allows developers to integrate Copilot Studio agents into custom applications.

Advantages include:

  • Flexible deployment
  • Custom user interfaces
  • Mobile integration
  • Enterprise application integration

This option is best suited for organizations requiring customized experiences.


Internal vs. External Deployment

One of the first planning decisions is identifying the intended audience.

Internal Deployment

Internal users include:

  • Employees
  • Contractors
  • Business partners

Characteristics:

  • Microsoft Entra ID authentication
  • Enterprise security policies
  • Internal business systems
  • Sensitive organizational data

Examples:

  • HR assistant
  • IT help desk
  • Finance support

External Deployment

External users include:

  • Customers
  • Vendors
  • Citizens
  • Website visitors

Characteristics:

  • Public accessibility
  • Customer authentication (if required)
  • Strong security controls
  • High scalability

Examples:

  • Customer support
  • Product assistant
  • Service request agent

Authentication Considerations

Deployment planning should consider authentication requirements.

Examples:

Internal agents often use:

  • Microsoft Entra ID
  • Single Sign-On

Customer-facing agents may use:

  • Customer identity providers
  • OAuth
  • Anonymous access (when appropriate)

Authentication requirements often influence channel selection.


Deployment Environments

Copilot Studio solutions typically move through multiple environments during their lifecycle.

Common environments include:

Development

Purpose:

  • Build features
  • Experiment
  • Initial testing

Test

Purpose:

  • Functional testing
  • Integration testing
  • User acceptance testing (UAT)

Production

Purpose:

  • Live users
  • Business operations
  • Stable deployments

Separating environments reduces the risk of introducing untested changes into production.


Solution Lifecycle Management (ALM)

Deployment planning should include Application Lifecycle Management (ALM).

ALM includes:

  • Source control
  • Version management
  • Testing
  • Deployment
  • Rollback
  • Monitoring
  • Continuous improvement

A structured ALM process improves quality and reduces deployment risks.


Publishing an Agent

Before users can access an agent, it must be published.

Publishing typically includes:

  • Validating configuration
  • Saving changes
  • Publishing the latest version
  • Making updates available to deployment channels

Publishing does not automatically make every change visible until the updated version is deployed.


Version Management

Organizations should maintain multiple versions of their agents.

Benefits include:

  • Safe updates
  • Rollback capability
  • Controlled releases
  • Easier troubleshooting

Versioning is especially important for enterprise solutions with large user bases.


Environment Variables

Environment variables allow deployment configurations to change between environments without modifying the agent.

Examples:

  • API URLs
  • Database connections
  • Authentication endpoints
  • Service identifiers

Using environment variables simplifies deployments across development, testing, and production.


Security Considerations

Deployment planning should address:

  • Authentication
  • Authorization
  • Least privilege
  • Data protection
  • Conditional Access
  • Compliance
  • Data Loss Prevention (DLP)
  • Secure connectors

Security should be considered before deployment rather than after deployment.


Scalability Planning

Deployment planning should consider future growth.

Questions include:

  • How many users will access the agent?
  • Will usage spike during business hours?
  • Will multiple regions be supported?
  • How many enterprise integrations are involved?
  • Will additional channels be added later?

Planning for scalability helps prevent future redesigns.


User Experience Considerations

Choose channels based on how users naturally work.

Examples:

Employees:

  • Microsoft Teams
  • Microsoft 365

Customers:

  • Company website
  • Mobile application

Developers:

  • Custom applications
  • Direct Line API

A familiar interface increases adoption.


Monitoring After Deployment

Deployment planning should include monitoring.

Monitor:

  • Usage statistics
  • Conversation success rates
  • Escalations
  • Failed authentications
  • Connector failures
  • API errors
  • User satisfaction
  • Performance metrics

Monitoring provides insight into how the agent performs in production and supports continuous improvement.


Governance Considerations

Enterprise deployments should follow governance policies.

These include:

  • Environment management
  • Connector governance
  • DLP policies
  • Identity management
  • Approval processes
  • Version control
  • Compliance requirements

Proper governance ensures that deployments remain secure and manageable over time.


Common Deployment Mistakes

Avoid these common mistakes:

  • Deploying directly to production without testing
  • Using production for development
  • Ignoring authentication requirements
  • Choosing channels unfamiliar to users
  • Failing to plan for scalability
  • Publishing without user acceptance testing
  • Ignoring governance policies
  • Deploying with excessive permissions
  • Not monitoring post-deployment performance

Best Practices

When planning channels and deployment:

  • Choose channels based on user needs and business scenarios.
  • Use Microsoft Teams for many internal employee solutions.
  • Use websites or mobile apps for customer-facing experiences.
  • Separate development, test, and production environments.
  • Implement a structured ALM process.
  • Use environment variables to simplify deployments.
  • Plan authentication before deployment.
  • Apply least-privilege security.
  • Monitor deployments continuously.
  • Plan for future scalability and expansion.

Exam Tips

For the AB-620 exam, remember the following:

  • A channel is where users interact with an AI agent.
  • Microsoft Teams is commonly used for internal employee-facing agents.
  • Websites and mobile applications are common channels for customer-facing agents.
  • Direct Line API enables integration into custom applications.
  • Separate development, test, and production environments.
  • Publishing makes updated agent versions available for deployment.
  • ALM includes version control, testing, deployment, and monitoring.
  • Environment variables simplify deployments across environments.
  • Authentication requirements often influence channel selection.
  • Governance and monitoring are essential components of deployment planning.

Practice Exam Questions

Question 1

A company wants employees to access an HR assistant without leaving their daily collaboration platform. Which deployment channel is the most appropriate?

A. Public website

B. Microsoft Teams

C. Direct Line API

D. Mobile banking application

Correct Answer: B

Explanation: Microsoft Teams is the preferred deployment channel for many internal employee-facing agents because employees already use Teams for daily collaboration and authentication is integrated with Microsoft Entra ID.


Question 2

Which deployment approach best supports safe testing before an AI agent is made available to production users?

A. Develop and publish directly to production

B. Use only a single production environment

C. Use separate development, test, and production environments

D. Allow users to test new features in production before validation

Correct Answer: C

Explanation: Separate environments allow developers to build, test, validate, and approve changes before they reach production users, reducing deployment risk.


Question 3

An organization wants to integrate a Copilot Studio agent into a custom-built enterprise application with its own user interface. Which deployment option is most appropriate?

A. Microsoft Teams

B. Microsoft 365 Copilot

C. Omnichannel for Customer Service

D. Direct Line API

Correct Answer: D

Explanation: The Direct Line API enables developers to embed Copilot Studio agents into custom applications while maintaining complete control over the user experience.


Question 4

Which factor should be considered first when selecting deployment channels for an AI agent?

A. The preferred programming language of the development team

B. The color scheme of the organization’s website

C. The storage size of the deployment package

D. The users who will interact with the agent and where they work

Correct Answer: D

Explanation: Channel selection should be driven by business requirements and user needs, including where users work and how they prefer to access the agent.


Question 5

What is the primary purpose of publishing an agent in Copilot Studio?

A. To permanently archive the current version

B. To enable the latest validated version for deployment to configured channels

C. To delete previous versions of the agent

D. To automatically create a backup of all enterprise systems

Correct Answer: B

Explanation: Publishing makes the latest approved version of the agent available for deployment and use through its configured channels.


Question 6

Which deployment scenario is most appropriate for a customer support chatbot available to anyone visiting a company’s public website?

A. Microsoft Teams deployment

B. Internal employee portal

C. Website deployment

D. Microsoft Outlook add-in

Correct Answer: C

Explanation: Public websites are commonly used for customer-facing AI agents that provide product information, FAQs, and customer support.


Question 7

Why are environment variables recommended when planning deployments across development, test, and production environments?

A. They eliminate the need for authentication.

B. They allow environment-specific settings, such as API endpoints, without modifying the agent.

C. They automatically publish new agent versions.

D. They replace version control systems.

Correct Answer: B

Explanation: Environment variables store configuration values that differ between environments, making deployments easier and reducing the need to modify application logic.


Question 8

Which activity is part of Application Lifecycle Management (ALM)?

A. Limiting conversations to one deployment channel

B. Removing authentication requirements

C. Disabling monitoring after deployment

D. Managing version control, testing, deployment, and updates

Correct Answer: D

Explanation: ALM encompasses the processes required to develop, test, deploy, maintain, and improve applications throughout their lifecycle.


Question 9

Which consideration is most important when selecting a deployment channel for an internal finance agent that accesses sensitive company information?

A. Entertainment features available on the platform

B. Number of emojis supported

C. Authentication, authorization, and enterprise security integration

D. The number of background themes available

Correct Answer: C

Explanation: Internal agents that access sensitive data must support strong authentication, authorization, and enterprise security controls to protect organizational information.


Question 10

After deploying an AI agent to production, which practice best supports continuous improvement?

A. Prevent users from submitting feedback.

B. Disable logging to improve performance.

C. Republish the agent every day regardless of changes.

D. Monitor usage, failures, user satisfaction, and performance metrics.

Correct Answer: D

Explanation: Monitoring production usage and operational metrics helps identify issues, measure adoption, optimize performance, and guide future enhancements to the agent.


Go to the AB-620 Exam Prep Hub main page

Monitor agents, including usage, operational insights, and agent lifecycle, by working with the Microsoft 365 Admin Center and the Microsoft Power Platform Admin Center (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Perform basic administrative tasks for Copilot and agents (25–30%)
   --> Perform basic administrative tasks for agents
      --> Monitor agents, including usage, operational insights, and agent lifecycle, by working with the Microsoft 365 Admin Center and the Microsoft Power Platform Admin Center


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As organizations deploy more Microsoft 365 Copilot agents, effective administration extends beyond simply creating and publishing them. Administrators must continuously monitor agent usage, operational health, adoption, security, and lifecycle to ensure that agents continue to provide business value while meeting organizational governance and compliance requirements.

Microsoft provides two primary administrative portals for monitoring and managing agents:

  • Microsoft 365 admin center
  • Microsoft Power Platform admin center

Each portal serves a different purpose. The Microsoft 365 admin center focuses on Microsoft 365 services, Copilot adoption, licensing, and organizational administration, while the Power Platform admin center focuses on environments, Copilot Studio, Power Platform resources, and operational management of custom agents.

For the AB-900 exam, you should understand which portal is used for which administrative tasks, the types of monitoring information available, and the basic lifecycle of an agent.


Why Monitoring Agents Is Important

Monitoring helps administrators answer questions such as:

  • Are users actually using the agent?
  • Is the agent providing business value?
  • Are there operational issues?
  • Is adoption increasing?
  • Are users encountering errors?
  • Should the agent be updated or retired?
  • Are governance policies being followed?

Without monitoring, organizations cannot determine whether their AI investments are successful.


Administrative Portals

Microsoft 365 Admin Center

The Microsoft 365 admin center provides organization-wide administration for Microsoft 365 services, including Copilot.

Administrators commonly use it to:

  • View Copilot adoption
  • Monitor Copilot usage
  • Assign licenses
  • Manage users
  • Manage billing
  • View service health
  • Review reports
  • Monitor tenant-wide administration

It provides a business-level view of how Microsoft 365 Copilot is being used across the organization.


Microsoft Power Platform Admin Center

The Power Platform admin center focuses on the operational management of Power Platform resources, including custom agents created with Copilot Studio.

Administrators use it to:

  • Manage environments
  • Monitor agent health
  • Manage Dataverse resources
  • Review capacity
  • Configure security
  • Manage connectors
  • Review operational information
  • Manage Power Platform policies

It provides technical administration for custom AI solutions.


Monitoring Agent Usage

Usage monitoring helps organizations understand adoption.

Common usage metrics include:

  • Number of users
  • Active users
  • Conversations
  • Sessions
  • Frequency of use
  • Popular agents
  • Usage trends over time

These metrics help determine whether users are benefiting from the deployed agents.


Usage Scenarios

An administrator might monitor:

  • Daily active users
  • Weekly adoption growth
  • Monthly conversation counts
  • Frequently used agents
  • Least-used agents

Low adoption may indicate:

  • Lack of awareness
  • Poor training
  • Limited usefulness
  • Difficult user experience

Operational Insights

Operational insights help administrators understand how agents are performing.

Examples include:

  • Agent availability
  • Service status
  • Response success
  • Failed requests
  • Processing errors
  • Environment health
  • Connector status
  • Workflow execution

Operational monitoring focuses on technical performance rather than business adoption.


Examples of Operational Issues

Administrators may investigate:

  • Failed API connections
  • Broken Power Automate flows
  • Authentication failures
  • Connector problems
  • Environment capacity limits
  • Dataverse issues

Identifying these issues early minimizes disruption for users.


Monitoring Agent Lifecycle

Every agent follows a lifecycle from creation to retirement.

Typical lifecycle stages include:

  1. Planning
  2. Design
  3. Development
  4. Testing
  5. Approval
  6. Publishing
  7. Monitoring
  8. Updating
  9. Republishing
  10. Retirement

Administrators monitor agents throughout this lifecycle.


Lifecycle Management Activities

During an agent’s lifecycle, administrators may:

  • Update instructions
  • Improve prompts
  • Add new knowledge sources
  • Remove outdated content
  • Modify connectors
  • Improve security
  • Publish new versions
  • Disable obsolete agents
  • Archive retired agents

Lifecycle management is an ongoing process rather than a one-time task.


Adoption Monitoring

One important responsibility is measuring adoption.

Organizations often monitor:

  • Licensed users
  • Active users
  • Usage growth
  • Conversation volume
  • Department adoption
  • Business impact

High adoption generally indicates that users find the agent valuable.


Performance Monitoring

Performance monitoring focuses on the quality of the user experience.

Administrators may evaluate:

  • Response times
  • Reliability
  • Availability
  • Error rates
  • Successful interactions
  • Failed interactions

Consistent performance builds user confidence in AI solutions.


Security Monitoring

Monitoring also includes security.

Administrators watch for:

  • Unauthorized access
  • Permission issues
  • Authentication failures
  • Suspicious activity
  • Compliance alerts
  • Data access concerns

Security monitoring helps ensure that agents continue to comply with organizational policies.


Governance Monitoring

Governance activities include monitoring:

  • Approved agents
  • Published agents
  • Ownership
  • Data sources
  • Permissions
  • Connector usage
  • Compliance policies

Organizations should periodically review whether agents still meet governance requirements.


Environment Monitoring

The Power Platform admin center allows administrators to monitor environments that host agents.

Typical information includes:

  • Environment health
  • Capacity usage
  • Storage
  • Dataverse utilization
  • Resource allocation

Healthy environments help ensure reliable agent performance.


Monitoring Connectors

Many agents rely on connectors to access business systems.

Administrators may monitor:

  • Connector availability
  • Authentication status
  • Connection errors
  • Connector permissions
  • External system connectivity

Problems with connectors often result in incomplete or failed agent responses.


Monitoring User Feedback

Organizations should also gather user feedback.

Useful indicators include:

  • User satisfaction
  • Reported issues
  • Feature requests
  • Accuracy concerns
  • Suggested improvements

Feedback helps guide future improvements to the agent.


Retirement of Agents

Not every agent remains useful forever.

Administrators may retire agents when:

  • Business needs change.
  • New agents replace older versions.
  • Information becomes outdated.
  • Security risks increase.
  • Adoption declines significantly.

Retired agents should be archived or removed according to organizational governance policies.


Best Practices

Organizations should:

  • Monitor usage regularly.
  • Review adoption reports.
  • Monitor operational health.
  • Investigate errors promptly.
  • Review security frequently.
  • Track lifecycle status.
  • Keep documentation current.
  • Update agents regularly.
  • Remove obsolete agents.
  • Use both Microsoft 365 and Power Platform administration tools appropriately.

Microsoft 365 Admin Center vs. Power Platform Admin Center

Microsoft 365 Admin CenterPower Platform Admin Center
User administrationEnvironment administration
License managementDataverse management
Copilot adoptionAgent operations
Usage reportingEnvironment health
BillingConnector management
Service healthCapacity monitoring
Organization-wide administrationPower Platform governance
Copilot reportsOperational insights

Exam Tips

For the AB-900 exam, remember these key points:

  • The Microsoft 365 admin center focuses on Microsoft 365 administration, licensing, Copilot usage, adoption, and organizational reporting.
  • The Power Platform admin center focuses on operational management of custom agents, environments, connectors, Dataverse, and Power Platform resources.
  • Usage monitoring measures adoption and business value.
  • Operational insights focus on technical health and performance.
  • Agents should be monitored throughout their entire lifecycle.
  • Administrators should regularly review performance, governance, and security after an agent is deployed.

Practice Exam Questions

Question 1

Which administrative portal is primarily used to monitor Microsoft 365 Copilot adoption and licensing?

A. Microsoft 365 admin center

B. Microsoft Defender portal

C. Azure Portal

D. Microsoft Purview portal

Answer: A

Explanation: The Microsoft 365 admin center provides organization-wide administration, including Copilot licensing, adoption reports, and usage monitoring.


Question 2

What is the primary purpose of monitoring agent usage?

A. To increase internet bandwidth

B. To determine adoption and business value

C. To install software updates

D. To configure SharePoint permissions

Answer: B

Explanation: Usage metrics help organizations understand whether agents are delivering value and being actively used.


Question 3

Which portal is primarily responsible for monitoring environments, connectors, and Dataverse resources for custom agents?

A. Microsoft Entra admin center

B. Microsoft Purview portal

C. Microsoft Power Platform admin center

D. Exchange admin center

Answer: C

Explanation: The Power Platform admin center manages environments, Dataverse, connectors, capacity, and operational aspects of custom agents.


Question 4

Which metric best represents agent adoption?

A. CPU utilization

B. Network latency

C. Number of active users

D. Available storage space

Answer: C

Explanation: Active users are a key indicator of how widely an agent is being adopted.


Question 5

Which activity is part of an agent’s lifecycle after publication?

A. Ongoing monitoring and updates

B. Automatic deletion

C. Disabling Microsoft 365

D. Removing all connectors

Answer: A

Explanation: Administrators continuously monitor, update, and improve agents after they are deployed.


Question 6

Which of the following is considered an operational insight?

A. Number of licensed users

B. Employee vacation requests

C. Failed connector authentication

D. SharePoint storage quota purchase

Answer: C

Explanation: Operational insights include technical issues such as connector failures, authentication problems, and service errors.


Question 7

Why should administrators monitor agent performance?

A. To increase hardware prices

B. To ensure reliable responses and a positive user experience

C. To disable audit logs

D. To reduce Microsoft 365 storage

Answer: B

Explanation: Performance monitoring helps ensure agents remain reliable, responsive, and useful.


Question 8

Which administrative activity helps identify agents that are no longer providing business value?

A. Monitoring adoption trends

B. Updating Windows drivers

C. Installing Office applications

D. Configuring printers

Answer: A

Explanation: Declining adoption trends may indicate that an agent should be improved or retired.


Question 9

What should administrators monitor to help identify security concerns related to agents?

A. Desktop wallpaper settings

B. Keyboard layouts

C. Unauthorized access attempts and permission issues

D. Browser home pages

Answer: C

Explanation: Monitoring permissions, authentication failures, and unauthorized access helps maintain security.


Question 10

Which statement best describes the relationship between the Microsoft 365 admin center and the Microsoft Power Platform admin center?

A. Both portals perform exactly the same administrative functions.

B. The Microsoft 365 admin center is used only for Exchange Online.

C. The Power Platform admin center replaces the Microsoft 365 admin center for all administration.

D. The Microsoft 365 admin center focuses on organizational Microsoft 365 administration and Copilot usage, while the Power Platform admin center focuses on environments and operational management of custom agents.

Answer: D

Explanation: The two portals complement one another. The Microsoft 365 admin center provides tenant-wide administration, licensing, and adoption reporting, while the Power Platform admin center provides operational management of environments, connectors, Dataverse resources, and custom agents built with Copilot Studio.


Go to the AB-900 Exam Prep Hub main page