Tag: Agent Development

Create a Solution (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Test and manage agents (20–25%)
   --> Implement application lifecycle management (ALM) for agents in Copilot Studio
      --> Create a Solution (in Microsoft Copilot Studio
)

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As Microsoft Copilot Studio projects become larger and more complex, organizations require a structured way to package, transport, version, and deploy their AI agents across environments. Microsoft Power Platform provides this capability through Solutions.

Solutions are one of the most important concepts in Application Lifecycle Management (ALM). Rather than moving individual agents, topics, flows, connectors, or Dataverse tables independently, solutions package all related components together into a deployable unit.

For the AB-620 exam, you should understand:

  • Why solutions exist
  • Managed vs unmanaged solutions
  • Solution-aware components
  • Creating solutions
  • Adding Copilot Studio assets
  • Dependencies
  • Solution publishers
  • Versioning
  • Deployment best practices

What is a Solution?

A solution is a container that stores one or more Power Platform components as a single application.

Instead of managing individual assets, developers manage the entire business solution.

A solution can contain:

  • Copilot Studio agents
  • Topics
  • Agent instructions
  • Knowledge sources
  • Power Automate flows
  • AI prompts
  • Custom connectors
  • Dataverse tables
  • Security roles
  • Environment variables
  • Connection references
  • Plugins
  • Model-driven apps
  • Canvas apps

Think of a solution as similar to:

  • A Visual Studio project
  • A software package
  • A deployment artifact

Everything needed for the application travels together.


Why Solutions Are Important

Without solutions:

  • Components are isolated
  • Deployment becomes manual
  • Dependencies are lost
  • Versioning is difficult
  • Collaboration becomes risky

Solutions provide:

  • Repeatable deployments
  • Source control compatibility
  • Version tracking
  • Easier testing
  • Safer production releases
  • Consistent ALM

Where Solutions Fit into ALM

Typical lifecycle:

Development Environment

Unmanaged Solution

Testing Environment

Managed Solution

Production

Each environment receives a controlled deployment.


Types of Solutions

There are two solution types.

Unmanaged Solutions

Used during development.

Characteristics:

  • Editable
  • Components can be changed
  • Developers add new assets
  • Easy debugging
  • Supports ongoing work

Developers almost always work with unmanaged solutions.


Managed Solutions

Used for deployment.

Characteristics:

  • Read-only
  • Protects components
  • Supports upgrades
  • Prevents accidental editing
  • Ideal for production

Production environments typically receive managed solutions.


Managed vs Unmanaged

FeatureUnmanagedManaged
EditableYesNo
Used during developmentYesNo
Used in productionRarelyYes
Supports customizationYesLimited
Supports upgradesYesYes
Protects intellectual propertyNoYes

Solution Components

A solution may contain numerous Power Platform assets.

Common Copilot Studio components include:

  • Agents
  • Topics
  • AI instructions
  • Generative answers configuration
  • Knowledge sources
  • Variables
  • Prompt libraries
  • Authentication settings
  • Power Automate flows
  • Custom connectors
  • REST API tools
  • Azure integrations

When exporting a solution, all selected components travel together.


Solution Publishers

Every solution belongs to a publisher.

A publisher defines:

  • Customization prefix
  • Display name
  • Versioning ownership
  • Component naming

Example:

Publisher:

Contoso

Customization prefix:

cts

Objects become:

cts_Agent

cts_OrderFlow

cts_CustomerTable

Using a publisher prevents naming collisions between organizations.


Creating a Solution

The general process is:

  1. Open Power Apps Maker Portal.
  2. Select Solutions.
  3. Choose New Solution.
  4. Enter:
    • Display Name
    • Name
    • Publisher
    • Version Number
  5. Save.

The solution is now ready for development.


Adding a Copilot Studio Agent

Once the solution exists:

  1. Open the solution.
  2. Select Add Existing.
  3. Choose Copilot Studio Agent.
  4. Select the desired agent.
  5. Confirm.

The agent now becomes solution-aware.


Creating New Components Inside a Solution

Best practice is to create components directly inside the solution.

Instead of:

Create agent

Later add to solution

Prefer:

Create solution

Create agent inside solution

This automatically tracks dependencies.


Dependencies

Many Power Platform assets depend upon others.

Example:

Agent

Topic

Power Automate Flow

Connector

Dataverse Table

Removing one component may break another.

Solutions automatically identify many dependencies during export.


Dependency Checking

Before export, Power Platform verifies:

  • Missing connectors
  • Missing flows
  • Missing tables
  • Missing environment variables
  • Missing references

If dependencies are absent, deployment may fail.

Always resolve dependency warnings before exporting.


Connection References

Instead of storing connection information directly inside components, solutions use connection references.

Benefits include:

  • Easier deployment
  • Secure authentication
  • Environment independence
  • Reduced configuration effort

Example:

Development

Uses:

Dev SQL Database

Production

Uses:

Production SQL Database

Only the connection reference changes.

The solution remains identical.


Environment Variables

Environment variables store values that differ between environments.

Examples include:

Development:

https://devapi.company.com

Testing:

https://testapi.company.com

Production:

https://api.company.com

Rather than editing every component, only the environment variable changes.


Solution Versioning

Solutions include version numbers.

Typical format:

Major.Minor.Build.Revision

Example:

1.0.0.0

Later versions:

1.1.0.0

2.0.0.0

Version numbers help administrators:

  • Track releases
  • Apply upgrades
  • Roll back deployments
  • Identify installed versions

Exporting a Solution

After development:

  1. Open solution.
  2. Select Export.
  3. Choose:
    • Managed
    • Unmanaged
  4. Validate dependencies.
  5. Download solution package.

The result is typically a compressed solution file.


Importing a Solution

Destination environment:

  1. Open Solutions.
  2. Select Import.
  3. Upload solution.
  4. Resolve connection references.
  5. Configure environment variables.
  6. Complete installation.

Upgrading Solutions

Instead of deleting and reinstalling, managed solutions support upgrades.

Benefits include:

  • Preserve existing configuration
  • Retain data
  • Maintain references
  • Apply improvements
  • Minimize downtime

Patch Solutions

For small fixes, organizations can create patches.

Patch examples:

  • Bug fixes
  • Minor topic corrections
  • Updated prompts
  • Small workflow improvements

Patches avoid deploying an entirely new solution.


Solution Layers

Power Platform supports solution layering.

Example:

Base Solution

Department Solution

Customer Customizations

Higher layers override lower layers without modifying the original solution.

This supports extensibility.


Best Practices

Microsoft recommends:

  • Always use solutions.
  • Use unmanaged solutions for development.
  • Deploy managed solutions to production.
  • Create components inside solutions.
  • Use meaningful version numbers.
  • Use environment variables.
  • Use connection references.
  • Create custom publishers.
  • Keep solutions focused on one business application.
  • Test imports before production deployment.
  • Maintain source control for solution files.

Common Exam Tips

Know the differences between:

  • Managed vs unmanaged solutions
  • Connection references vs environment variables
  • Publisher vs solution
  • Export vs import
  • Patch vs upgrade
  • Components vs dependencies

Remember:

Development = Unmanaged

Production = Managed


Exam Summary

For the AB-620 exam, understand that solutions are the foundation of ALM within Microsoft Copilot Studio and the Power Platform. Solutions package all application components—including agents, topics, flows, connectors, prompts, and Dataverse assets—into a deployable unit that supports versioning, collaboration, testing, and production deployment. Microsoft recommends developing in unmanaged solutions, deploying managed solutions to production, using connection references and environment variables for environment-specific settings, and managing dependencies carefully to ensure reliable deployments.


Practice Exam Questions

Question 1

Why should developers create Copilot Studio agents inside a solution whenever possible?

A. It automatically increases AI model accuracy.

B. It ensures components and dependencies are tracked together.

C. It removes the need for Power Automate.

D. It encrypts the agent automatically.

Answer: B

Explanation: Creating components inside a solution allows Power Platform to manage dependencies and simplifies deployment across environments.


Question 2

Which solution type should typically be deployed to a production environment?

A. Temporary solution

B. Local solution

C. Managed solution

D. Unmanaged solution

Answer: C

Explanation: Managed solutions are intended for production because they protect components from unintended modification and support controlled upgrades.


Question 3

Which component allows the same solution to connect to different databases in development and production without modifying the agent?

A. Security roles

B. Topics

C. Connection references

D. AI Builder models

Answer: C

Explanation: Connection references enable environment-specific connections while allowing the solution to remain unchanged.


Question 4

What is the primary purpose of environment variables?

A. Encrypt Dataverse tables

B. Store authentication tokens

C. Improve AI response quality

D. Store configuration values that differ between environments

Answer: D

Explanation: Environment variables allow values such as API URLs, endpoints, and configuration settings to change between environments without editing solution components.


Question 5

What is the role of a solution publisher?

A. To execute Power Automate flows

B. To host Azure AI Search indexes

C. To define ownership and customization prefixes for solution components

D. To manage Application Insights telemetry

Answer: C

Explanation: Publishers provide customization prefixes and identify the organization responsible for the solution.


Question 6

Before exporting a solution, why should dependency warnings be resolved?

A. To reduce licensing costs

B. To help ensure the solution imports successfully in another environment

C. To improve AI response speed

D. To increase token limits

Answer: B

Explanation: Missing dependencies can prevent successful deployment or cause runtime failures after import.


Question 7

Which statement best describes an unmanaged solution?

A. It is read-only after deployment.

B. It cannot contain Copilot Studio agents.

C. It is intended primarily for production deployments.

D. It is editable and primarily used during development.

Answer: D

Explanation: Unmanaged solutions support ongoing development because components remain editable.


Question 8

A development team needs to deliver a small bug fix without deploying an entirely new release. Which approach is most appropriate?

A. Delete and recreate the solution.

B. Create a new publisher.

C. Create a patch solution.

D. Export the unmanaged solution to production.

Answer: C

Explanation: Patch solutions are designed for small updates and bug fixes while minimizing deployment impact.


Question 9

Which statement accurately describes solution version numbers?

A. They are optional and ignored during upgrades.

B. They identify releases and help manage upgrades over time.

C. They apply only to Power Automate flows.

D. They determine Azure AI model selection.

Answer: B

Explanation: Version numbers help administrators identify installed releases and manage upgrades throughout the application lifecycle.


Question 10

An organization wants to move a Copilot Studio agent, its topics, Power Automate flows, custom connectors, and Dataverse assets together between environments. What is the recommended approach?

A. Export each component individually.

B. Copy components manually.

C. Rebuild the application in each environment.

D. Package the components in a Power Platform solution.

Answer: D

Explanation: Solutions provide a single deployment package that preserves relationships, dependencies, and configuration across environments.


Go to the AB-620 Exam Prep Hub main page

Choose an evaluation method (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Test and manage agents (20–25%)
   --> Evaluate agent performance
      --> Choose an evaluation method


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Building an AI agent is only the first step in delivering a successful solution. An equally important responsibility is evaluating whether the agent performs as intended. Microsoft Copilot Studio includes evaluation capabilities that help developers assess the quality, accuracy, safety, and effectiveness of AI-generated responses before an agent is deployed to production.

Selecting the appropriate evaluation method depends on several factors, including:

  • The purpose of the agent
  • Whether the agent is knowledge-based or action-based
  • Whether responses are deterministic or generative
  • The organization’s quality requirements
  • The level of automation desired

For the AB-620 exam, you should understand:

  • Available evaluation methods
  • When to use each method
  • What each method measures
  • How evaluations improve agent quality
  • Best practices for evaluating AI agents

Why Evaluation Is Important

Generative AI systems are probabilistic rather than deterministic. Unlike traditional software that always produces identical output for identical input, AI-generated responses may vary slightly while still being correct.

Evaluation helps determine whether responses are:

  • Accurate
  • Relevant
  • Grounded
  • Complete
  • Safe
  • Helpful
  • Consistent

Without evaluation, organizations risk deploying agents that:

  • Hallucinate facts
  • Provide incomplete answers
  • Use incorrect tools
  • Return outdated information
  • Violate organizational policies

Goals of Agent Evaluation

Evaluation should answer questions such as:

  • Did the agent answer correctly?
  • Was the correct knowledge source used?
  • Was the response grounded?
  • Was the appropriate tool invoked?
  • Was sensitive information protected?
  • Was the response relevant?
  • Did the conversation remain on topic?
  • Did the agent accomplish the user’s goal?

Types of Evaluation Methods

Microsoft Copilot Studio supports multiple evaluation approaches.

The primary categories include:

  • Manual evaluation
  • Automated evaluation
  • AI-assisted evaluation
  • Test set evaluation
  • Human review
  • Continuous monitoring

Each serves a different purpose.


Manual Evaluation

Manual evaluation involves developers or business users interacting directly with the agent.

Typical process:

  1. Ask questions.
  2. Review responses.
  3. Identify problems.
  4. Improve prompts or tools.
  5. Repeat testing.

Advantages

  • Simple
  • Fast for small projects
  • Easy to understand
  • Good during development

Limitations

  • Difficult to scale
  • Subjective
  • Time consuming
  • Not repeatable

Automated Evaluation

Automated evaluation uses predefined test cases to measure agent performance.

Examples include:

  • Running test sets
  • Validating expected responses
  • Measuring pass/fail rates
  • Comparing versions

Benefits include:

  • Repeatability
  • Consistency
  • Speed
  • Regression testing

AI-Assisted Evaluation

AI models can help assess the quality of responses.

Instead of only comparing exact wording, AI can evaluate:

  • Semantic correctness
  • Relevance
  • Helpfulness
  • Completeness
  • Faithfulness to source material

For example:

User asks:

“How do I reset my password?”

The expected response might vary in wording while still being completely correct.

AI-assisted evaluation recognizes that multiple valid responses may exist.


Human Evaluation

Human reviewers examine conversations and determine whether responses meet organizational expectations.

Human reviewers may assess:

  • Tone
  • Accuracy
  • Professionalism
  • Policy compliance
  • User satisfaction

Human evaluation is especially valuable for:

  • Customer service
  • Healthcare
  • Legal
  • Financial services

Test Set Evaluation

A test set contains predefined prompts with expected outcomes.

Running a test set provides:

  • Pass/fail results
  • Quality metrics
  • Regression detection
  • Coverage across scenarios

Test sets are recommended before production deployments.


Continuous Evaluation

Evaluation should continue after deployment.

Production monitoring identifies:

  • New failure patterns
  • Frequently unanswered questions
  • Knowledge gaps
  • Tool failures
  • User frustration

Continuous evaluation supports ongoing improvement.


Evaluation Criteria

Several quality dimensions are commonly evaluated.


1. Correctness

Does the response answer the question accurately?

Example:

User:

“How many vacation days do I have?”

Correct response:

Returns the actual balance from HR.

Incorrect response:

Invents a number.


2. Relevance

Is the response related to the user’s request?

Poor relevance often results from:

  • Incorrect knowledge retrieval
  • Poor prompting
  • Wrong tool selection

3. Groundedness

Groundedness measures whether responses are supported by trusted enterprise data.

Grounded responses:

  • Reference indexed documents
  • Use Azure AI Search
  • Avoid unsupported claims

Ungrounded responses may hallucinate.


4. Completeness

Does the response fully answer the user’s question?

Poor example:

User:

“How do I submit travel expenses?”

Response:

“Use the expense portal.”

Better response:

  • Portal name
  • Required documents
  • Approval workflow
  • Submission deadline

5. Safety

Safety evaluations identify:

  • Harmful content
  • Sensitive information exposure
  • Offensive language
  • Policy violations

Safety is essential for enterprise deployments.


6. Tool Accuracy

If the agent invokes external tools, verify:

  • Correct tool selected
  • Correct parameters supplied
  • Successful execution
  • Correct result returned

7. Conversation Quality

Evaluate whether the conversation flows naturally.

Examples include:

  • Appropriate follow-up questions
  • Context awareness
  • Smooth transitions
  • Helpful clarification requests

Selecting an Evaluation Method

Different scenarios require different evaluation methods.

ScenarioRecommended Evaluation
New prototypeManual testing
Regression testingAutomated test sets
Knowledge retrievalGroundedness evaluation
API actionsTool execution validation
Customer serviceHuman + automated evaluation
Production agentContinuous monitoring
Multi-agent orchestrationDelegation and routing evaluation

Evaluating Knowledge-Based Agents

Knowledge agents should be evaluated for:

  • Correct document retrieval
  • Citation quality
  • Freshness of information
  • Hallucination prevention
  • Accurate summaries

Typical questions include:

  • Did Azure AI Search retrieve the correct content?
  • Was the answer grounded?
  • Was outdated content used?

Evaluating Action-Based Agents

Agents that execute business processes require additional evaluation.

Verify:

  • Tool selection
  • Authentication
  • API success
  • Parameter accuracy
  • Business outcome

Example:

User:

“Create an IT ticket.”

Evaluation checks:

  • Was the ticket created?
  • Was the correct connector called?
  • Was the correct priority assigned?

Evaluating Multi-Agent Solutions

For multi-agent solutions, assess:

  • Proper routing
  • Correct child-agent selection
  • Delegation accuracy
  • Context preservation
  • Final response quality

Failures may occur if:

  • Wrong agent receives the request
  • Delegation loops occur
  • Context is lost between agents

Evaluating Generative Answers

Generative AI introduces additional evaluation dimensions.

Evaluate:

  • Hallucination rate
  • Factual accuracy
  • Grounding quality
  • Readability
  • Tone
  • Completeness
  • Citation quality
  • Confidence

Metrics Used During Evaluation

Organizations often monitor:

  • Pass rate
  • Failure rate
  • Response accuracy
  • Latency
  • Tool success rate
  • Grounding score
  • Hallucination frequency
  • User satisfaction
  • Resolution rate
  • Escalation frequency

Common Evaluation Mistakes

Avoid these common mistakes:

  • Testing only happy-path scenarios
  • Ignoring edge cases
  • Measuring wording instead of meaning
  • Forgetting regression testing
  • Not testing tool failures
  • Ignoring production feedback
  • Using outdated test cases
  • Evaluating only accuracy while ignoring safety

Best Practices

Use Multiple Evaluation Methods

Combine:

  • Manual review
  • Automated testing
  • AI-assisted evaluation
  • Human review

No single method is sufficient for all scenarios.


Create Realistic Test Cases

Use prompts based on actual user behavior instead of artificial examples.


Evaluate Regularly

Run evaluations:

  • Before deployment
  • After prompt changes
  • After connector updates
  • After knowledge updates
  • After model upgrades

Monitor Production

Evaluation should continue after deployment using telemetry, analytics, and user feedback.


Improve Continuously

Use evaluation results to:

  • Refine prompts
  • Improve knowledge sources
  • Fix tools
  • Expand test sets
  • Enhance user experience

Exam Tips

For the AB-620 exam, remember:

  • Different evaluation methods serve different purposes.
  • Automated evaluations support regression testing.
  • AI-assisted evaluations assess semantic quality rather than exact wording.
  • Groundedness is essential for knowledge-based agents.
  • Tool accuracy is critical for action-based agents.
  • Human review remains important for high-risk business scenarios.
  • Evaluation is an ongoing lifecycle activity, not a one-time task.
  • Combining multiple evaluation methods produces the most reliable assessment.

Practice Exam Questions

Question 1

A development team wants to verify that recent prompt changes have not broken existing functionality. Which evaluation method is most appropriate?

A. Automated test set evaluation

B. User satisfaction surveys

C. Manual exploratory testing only

D. Random production monitoring

Answer: A

Explanation: Automated test sets provide repeatable regression testing, allowing teams to verify that previously working scenarios continue to function after changes.


Question 2

Which evaluation criterion determines whether an agent’s response is supported by trusted enterprise data rather than generated from unsupported assumptions?

A. Latency

B. Groundedness

C. Conversation length

D. User engagement

Answer: B

Explanation: Groundedness measures whether responses are based on authoritative data sources, helping reduce hallucinations.


Question 3

A customer service manager wants to assess whether responses are polite, professional, and aligned with company communication standards. Which evaluation method is most appropriate?

A. Automated pass/fail testing

B. API performance testing

C. Human evaluation

D. Network diagnostics

Answer: C

Explanation: Human reviewers are best suited to evaluating tone, professionalism, empathy, and adherence to organizational communication standards.


Question 4

Why is AI-assisted evaluation useful for generative AI responses?

A. It requires every correct answer to match expected wording exactly.

B. It automatically retrains the language model.

C. It eliminates the need for human reviewers.

D. It evaluates semantic correctness even when responses are worded differently.

Answer: D

Explanation: AI-assisted evaluation focuses on meaning and correctness rather than exact text matches, making it well suited for generative responses.


Question 5

Which evaluation criterion confirms that an agent selected the correct connector and completed a requested business action?

A. Tool accuracy

B. Conversation length

C. Groundedness

D. Response formatting

Answer: A

Explanation: Tool accuracy verifies that the appropriate tool was invoked with the correct parameters and that the desired action was completed successfully.


Question 6

Which type of evaluation should continue after an agent is deployed to production?

A. Prototype evaluation only

B. Continuous monitoring and evaluation

C. Initial prompt validation only

D. Installation verification

Answer: B

Explanation: Production monitoring helps identify new issues, emerging user needs, and opportunities for continuous improvement.


Question 7

A developer wants to verify that a knowledge-based agent retrieved the correct document and provided an accurate citation. Which area is being evaluated?

A. Authentication

B. Delegation

C. Knowledge retrieval and groundedness

D. UI rendering

Answer: C

Explanation: Knowledge retrieval evaluations determine whether the correct source was used and whether responses remain grounded in trusted content.


Question 8

What is the primary advantage of automated evaluation compared to manual testing?

A. It permanently stores every user conversation.

B. It guarantees zero hallucinations.

C. It automatically writes new prompts.

D. It provides repeatable, consistent testing across multiple runs.

Answer: D

Explanation: Automated evaluation enables consistent execution of predefined tests, making regression testing reliable and scalable.


Question 9

Which combination provides the most comprehensive assessment of an enterprise AI agent?

A. Manual testing only

B. Human evaluation only

C. Automated testing only

D. A combination of manual, automated, AI-assisted, and human evaluation

Answer: D

Explanation: Each evaluation method measures different aspects of agent quality. Combining them provides the most complete assessment.


Question 10

An evaluation determines that an agent answered the user’s question correctly but omitted several important procedural steps. Which quality criterion needs improvement?

A. Safety

B. Completeness

C. Authentication

D. Latency

Answer: B

Explanation: Completeness measures whether the response fully addresses the user’s request with sufficient detail and context.


Go to the AB-620 Exam Prep Hub main page

Create a test set (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Test and manage agents (20–25%)
   --> Evaluate agent performance
      --> Create a test set


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most important responsibilities of an AI Agent Builder is ensuring that an agent consistently produces accurate, relevant, and safe responses. As agents become more sophisticated and rely on multiple knowledge sources, tools, and generative AI models, manual testing alone is no longer sufficient.

Microsoft Copilot Studio provides test sets that allow developers to systematically validate agent behavior against expected outcomes. Test sets enable repeatable evaluation of an agent after configuration changes, prompt updates, knowledge source modifications, or model upgrades.

For the AB-620 exam, you should understand:

  • What test sets are
  • Why they are important
  • How to create and manage them
  • How they integrate with agent evaluation
  • Best practices for maintaining reliable test coverage

What Is a Test Set?

A test set is a collection of predefined test cases that evaluate how an AI agent responds to expected user requests.

Each test case generally contains:

  • A sample user prompt
  • The expected behavior or outcome
  • Evaluation criteria
  • Pass/fail results after execution

Instead of manually asking the same questions every time changes are made, developers can rerun the entire test set to determine whether the agent continues to behave correctly.


Why Test Sets Matter

Without structured testing:

  • New prompts may unintentionally break previous functionality.
  • Updated knowledge sources may introduce incorrect answers.
  • Tool changes may fail silently.
  • Model updates may alter response quality.

Test sets provide confidence that the agent still behaves correctly after changes.

Benefits include:

  • Repeatable testing
  • Faster validation
  • Regression testing
  • Improved response quality
  • Easier troubleshooting
  • Better release confidence

Test Set vs Manual Testing

Manual TestingTest Set
Performed interactivelyExecuted repeatedly
Difficult to reproduceFully repeatable
Human remembers questionsQuestions stored permanently
Time consumingAutomated evaluation
Easy to miss scenariosCovers many scenarios consistently

When Should You Create a Test Set?

Create a test set whenever:

  • Building a new agent
  • Adding new topics
  • Adding knowledge sources
  • Adding tools
  • Integrating APIs
  • Updating prompts
  • Deploying a new version
  • Performing regression testing

Components of a Test Case

A typical test case includes several important elements.

1. User Input

The question or request submitted to the agent.

Example:

“Show me my remaining vacation balance.”


2. Expected Behavior

The desired outcome.

Examples include:

  • Calls HR connector
  • Retrieves employee record
  • Returns vacation balance
  • Does not hallucinate data

3. Expected Response

Depending on the evaluation method, expected responses may include:

  • Specific wording
  • Required information
  • Correct tool usage
  • Accurate citation
  • Proper formatting

4. Evaluation Result

After execution the test produces results such as:

  • Pass
  • Fail
  • Partial success
  • Confidence score (where applicable)

Types of Test Cases

A comprehensive test set should include multiple categories.

Happy Path Tests

Expected user behavior.

Example:

“Reset my password.”


Alternative Wording

Different ways users ask the same question.

Examples:

  • I forgot my password
  • Help me log in
  • I can’t sign in

Edge Cases

Unusual but valid requests.

Example:

“Can I reset someone else’s password?”


Invalid Requests

Questions the agent should decline.

Example:

“Delete every employee record.”


Ambiguous Questions

The agent should ask follow-up questions.

Example:

“Book a meeting.”

Expected behavior:

“Who should I invite?”


Tool Failure Tests

Verify graceful handling of failures.

Example:

API unavailable.

Expected response:

“The HR system is temporarily unavailable.”


Knowledge Tests

Ensure retrieval from enterprise knowledge.

Example:

“What is the travel reimbursement policy?”


Security Tests

Confirm proper authorization.

Example:

Employee requests another employee’s payroll information.

Expected behavior:

Access denied.


Creating a Test Set

The general workflow is:

Step 1

Open the agent in Copilot Studio.


Step 2

Navigate to testing or evaluation features.


Step 3

Create a new test set.


Step 4

Add individual test cases.

Each includes:

  • Prompt
  • Expected behavior
  • Expected response

Step 5

Save the test set.


Step 6

Run the evaluation.


Step 7

Review results.


Step 8

Improve the agent if failures occur.


Step 9

Run the test set again.


Organizing Test Sets

Large enterprise agents often use multiple test sets.

Examples:

  • HR Agent
  • Finance Agent
  • IT Help Desk
  • Customer Service
  • Sales Support

Within each, additional test groups may cover:

  • Authentication
  • Knowledge retrieval
  • API actions
  • Escalation
  • Security
  • Generative responses

Regression Testing

Regression testing verifies that new changes do not introduce unexpected problems.

Example:

Original agent answers:

“How do I request PTO?”

A new HR connector is added.

Running the existing test set confirms the answer still works correctly.

Without regression testing, developers may unknowingly introduce defects.


Testing Knowledge Retrieval

Knowledge-based agents should verify:

  • Correct document selected
  • Correct section retrieved
  • Accurate citation
  • Relevant answer
  • No hallucinated content

Example test:

Question:

“What is the expense reimbursement limit?”

Expected:

  • Searches indexed documents
  • Retrieves finance policy
  • Returns correct limit
  • Includes citation if configured

Testing Tool Invocation

For action-based agents, verify that the correct tool is selected.

Example:

User:

“Create a support ticket.”

Expected:

  • IT connector invoked
  • Ticket created
  • Ticket number returned

Failure examples:

  • Wrong connector called
  • No connector called
  • Hallucinated confirmation

Testing Multi-Agent Solutions

If delegation is used, verify:

  • Correct child agent selected
  • Successful delegation
  • Response returned
  • Parent continues conversation properly

Testing Generative AI

Generative responses require additional evaluation.

Verify:

  • Factual accuracy
  • Completeness
  • Grounding
  • Tone
  • Safety
  • Relevance

Evaluating Test Results

After execution, review:

  • Overall pass rate
  • Failed cases
  • Tool execution
  • Knowledge retrieval
  • Response quality
  • Latency
  • Error messages

Common questions include:

  • Did the correct tool run?
  • Was the answer accurate?
  • Was sensitive data protected?
  • Was grounding successful?

Common Reasons Tests Fail

Failures often result from:

  • Prompt changes
  • Missing connector permissions
  • API failures
  • Incorrect tool selection
  • Poor grounding
  • Hallucinations
  • Missing documents
  • Authentication problems
  • Incorrect routing

Best Practices

Microsoft recommends several best practices.

Build Early

Create test cases while building the agent.


Cover Real User Questions

Use production-like prompts whenever possible.


Include Variations

People ask the same question differently.

Test all common variations.


Test Negative Scenarios

Don’t only verify success.

Test:

  • Errors
  • Permission failures
  • Invalid input
  • Ambiguous requests

Keep Test Sets Updated

Whenever the agent changes:

  • Add new tests
  • Remove obsolete tests
  • Update expected responses

Run Tests Frequently

Execute the full test set:

  • Before deployment
  • After model updates
  • After connector updates
  • After knowledge updates
  • After prompt revisions

Exam Tips

For the AB-620 exam, remember:

  • Test sets enable repeatable evaluation.
  • They support regression testing.
  • Good test cases include expected behavior.
  • Test sets should include positive, negative, and edge-case scenarios.
  • Multi-agent solutions require delegation testing.
  • Tool-based agents require tool invocation validation.
  • Knowledge agents require grounding verification.
  • Test sets improve deployment confidence.

Practice Exam Questions

Question 1

Why is creating a test set preferable to relying solely on manual testing?

A. It permanently stores conversation history for users.

B. It provides repeatable, consistent evaluation of agent behavior.

C. It automatically retrains the language model.

D. It removes the need for production monitoring.

Answer: B

Explanation: Test sets allow the same scenarios to be executed repeatedly, making regression testing and validation much more reliable than manual testing.


Question 2

Which type of scenario should always be included in a comprehensive test set?

A. Only successful user interactions

B. Only connector failures

C. Positive, negative, and edge-case scenarios

D. Only knowledge retrieval questions

Answer: C

Explanation: Comprehensive testing includes normal requests, invalid inputs, ambiguous questions, security scenarios, and failure conditions.


Question 3

A developer updates an HR connector used by an agent. What is the best next step?

A. Run the existing test set to perform regression testing.

B. Delete all previous test cases.

C. Retrain the foundation model.

D. Create a new environment.

Answer: A

Explanation: Regression testing verifies that previously working functionality continues to operate after changes.


Question 4

Which component defines what a successful test should accomplish?

A. Conversation history

B. Agent version

C. Workspace settings

D. Expected behavior

Answer: D

Explanation: Expected behavior specifies the desired outcome that the agent should achieve during the test.


Question 5

A knowledge-based agent answers a company policy question using outdated information. Which area of testing should identify this issue?

A. User authentication testing

B. Knowledge retrieval testing

C. Network latency testing

D. Adaptive Card rendering

Answer: B

Explanation: Knowledge retrieval tests verify that the correct documents are located and that accurate, grounded information is returned.


Question 6

When testing an action that creates a support ticket, what should the evaluation confirm?

A. Only that the response is grammatically correct

B. Only that the response is polite

C. That the correct tool or connector was invoked successfully

D. That the conversation contains at least three turns

Answer: C

Explanation: Action-based tests should verify successful tool invocation and the expected outcome of that action.


Question 7

Why should multiple phrasings of the same request be included in a test set?

A. To increase the size of the knowledge base

B. To improve authentication

C. To ensure the agent recognizes natural language variations

D. To reduce connector latency

Answer: C

Explanation: Users ask the same question in many different ways, and the agent should respond correctly to common variations.


Question 8

Which situation best represents an edge-case test?

A. “Reset my password.”

B. “Show today’s weather.”

C. “Create a support ticket.”

D. “Can I reset another employee’s password?”

Answer: D

Explanation: This unusual but valid request tests whether the agent correctly handles authorization and security.


Question 9

An agent delegates requests to multiple child agents. What should testing verify?

A. That delegation occurs to the appropriate child agent and responses are returned correctly

B. That every child agent uses the same prompt

C. That delegation is disabled after deployment

D. That all child agents share one knowledge source

Answer: A

Explanation: Multi-agent testing ensures that routing, delegation, and response aggregation function as designed.


Question 10

Which statement best describes the primary purpose of regression testing?

A. Measuring internet bandwidth

B. Evaluating user satisfaction surveys

C. Ensuring that recent changes have not broken existing functionality

D. Generating additional knowledge documents

Answer: C

Explanation: Regression testing validates that existing capabilities continue to work correctly after updates to prompts, connectors, tools, or knowledge sources.


Go to the AB-620 Exam Prep Hub main page

Integrate an existing agent in Copilot Studio (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Configure multi-agent collaboration from Copilot Studio
      --> Integrate an existing agent in Copilot Studio


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As AI solutions become more sophisticated, organizations rarely rely on a single intelligent agent to perform every task. Instead, they build ecosystems of specialized agents that collaborate to complete user requests. Rather than recreating functionality, Microsoft Copilot Studio enables makers to integrate existing agents into new solutions, allowing organizations to reuse previously developed capabilities.

An existing agent is an AI agent that has already been created, configured, and tested. Instead of duplicating its logic, another Copilot Studio agent can delegate work to it when specialized knowledge or functionality is required.

For the AB-620 exam, you should understand:

  • Why organizations integrate existing agents
  • The different multi-agent architectures
  • When to reuse an existing agent
  • Connected agents versus child agents
  • Delegation strategies
  • Security considerations
  • Enterprise design patterns
  • Best practices for scalable agent collaboration

Why Integrate Existing Agents?

Many organizations already have AI agents that perform specialized business functions.

Examples include:

  • HR assistant
  • IT Help Desk agent
  • Benefits agent
  • Finance assistant
  • Procurement assistant
  • Legal advisor
  • Customer support bot
  • Inventory assistant
  • Sales assistant
  • Compliance advisor

Instead of creating one enormous agent that performs every task, Copilot Studio enables these specialized agents to work together.

Benefits include:

  • Reduced development time
  • Reuse of existing investments
  • Easier maintenance
  • Better scalability
  • Improved governance
  • Independent lifecycle management
  • Clear ownership between departments

What Is Multi-Agent Collaboration?

Multi-agent collaboration allows multiple intelligent agents to cooperate to fulfill a user’s request.

Rather than performing every task itself, one agent delegates work to another agent with specialized capabilities.

Example:

User:
"I need to schedule a vacation and verify my remaining PTO."
Employee Agent
Delegates PTO calculation
HR Agent
Returns remaining balance
Employee Agent
Schedules vacation request

The user experiences a seamless conversation, even though multiple agents participated.


Why Reuse Existing Agents?

Creating a new agent every time is inefficient.

Instead, organizations reuse agents that already provide:

  • validated business logic
  • tested prompts
  • secured integrations
  • approved knowledge sources
  • governance policies
  • compliance controls

This reduces duplication while improving consistency.


Common Enterprise Scenarios

Human Resources

Existing HR Agent

Handles:

  • leave requests
  • benefits
  • payroll
  • employee policies

Corporate Assistant

Handles:

  • general employee questions
  • company news
  • navigation

Delegates HR-related requests to the HR agent.


IT Support

Corporate Assistant

Handles:

  • FAQs
  • onboarding
  • software requests

IT Agent

Handles:

  • password reset
  • device management
  • troubleshooting
  • incident lookup

Healthcare

Patient Agent

Handles:

  • appointments
  • scheduling
  • billing

Clinical Agent

Handles:

  • medical summaries
  • treatment guidance
  • clinical knowledge

Banking

Customer Service Agent

Handles:

  • balances
  • transfers
  • FAQs

Investment Agent

Handles:

  • portfolio analysis
  • market recommendations
  • retirement planning

Types of Agent Integration

Several integration patterns exist.

Connected Agents

A connected agent operates as an independent AI agent.

Characteristics:

  • independently managed
  • separate lifecycle
  • separate owner
  • reusable
  • can serve multiple parent agents

Best for:

  • enterprise-wide services
  • shared business capabilities
  • departmental AI

Child Agents

Child agents are invoked by another agent to perform specific work.

Characteristics:

  • specialized
  • reusable
  • task-oriented
  • invisible to users

Examples:

  • tax calculator
  • recommendation engine
  • shipping estimator
  • language translator

External AI Agents

Organizations may integrate:

  • Azure AI Foundry agents
  • external AI services
  • partner AI systems

Copilot Studio orchestrates communication while external agents perform advanced reasoning.


Choosing the Right Integration Pattern

ScenarioRecommended Approach
Shared HR knowledgeConnected agent
Specialized calculationsChild agent
Advanced AI reasoningFoundry agent
Department-owned solutionConnected agent
Small reusable taskChild agent

Agent Orchestration

Copilot Studio often serves as the orchestration layer.

Responsibilities include:

  • managing conversations
  • determining user intent
  • collecting required information
  • selecting the appropriate agent
  • coordinating responses
  • presenting final answers

The delegated agent focuses only on the assigned task.


Delegation Workflow

A typical workflow looks like this:

User
Primary Copilot Studio Agent
Determine Intent
Need Specialist?
Yes
Delegate
Existing Agent
Process Request
Return Result
Primary Agent
Respond to User

Benefits of Delegation

Delegation enables:

  • modular AI architecture
  • reuse
  • scalability
  • specialization
  • simplified maintenance
  • independent updates
  • reduced development costs

Each agent performs only the work it is designed to perform.


Designing Specialized Agents

Good agent design follows the principle of specialization.

Instead of:

Mega Agent

that performs everything,

create:

Customer Agent
HR Agent
Finance Agent
Legal Agent
IT Agent
Operations Agent

Each agent develops expertise in its domain.


Avoiding Monolithic Agents

Large all-in-one agents often suffer from:

  • excessive prompts
  • difficult maintenance
  • poor scalability
  • slower responses
  • conflicting instructions
  • increased hallucinations

Smaller specialized agents generally produce more predictable behavior.


Routing User Requests

The primary agent determines:

  • What is the user’s intent?
  • Can I answer directly?
  • Should another agent answer?
  • Which agent has the required expertise?

Examples:

User RequestDelegated Agent
Reset passwordIT Agent
Benefits questionHR Agent
Vendor paymentFinance Agent
Legal contractLegal Agent
Product inventoryInventory Agent

Agent Ownership

Large organizations often assign ownership to departments.

Example:

DepartmentAgent Owner
HRHR Team
ITInfrastructure Team
FinanceFinance Department
LegalLegal Department
SalesSales Operations

This decentralized ownership allows independent maintenance while supporting enterprise-wide collaboration.


Authentication Considerations

Integrated agents should communicate securely.

Authentication may involve:

  • Microsoft Entra ID
  • Managed identities
  • OAuth
  • API keys (when appropriate)
  • Service principals

Authentication should always follow organizational security policies.


Authorization

Authentication verifies identity.

Authorization determines what an agent is allowed to access.

Examples include:

  • HR records
  • payroll information
  • financial systems
  • customer databases
  • confidential documents

Delegated agents should only receive the permissions required to perform their tasks.


Context Sharing

When delegating requests, Copilot Studio shares only the context necessary for the delegated agent.

Examples of shared context:

  • user request
  • conversation variables
  • customer ID
  • department
  • case number
  • selected product

Avoid transmitting unnecessary information to reduce token usage and minimize exposure of sensitive data.


Best Practices

When integrating existing agents:

  • Reuse existing business capabilities whenever practical.
  • Keep agents focused on specific domains.
  • Use Copilot Studio as the orchestration layer.
  • Delegate only when specialized functionality is required.
  • Secure all communication between agents.
  • Minimize duplicated functionality.
  • Share only the context required for task completion.
  • Monitor agent performance and delegation frequency.
  • Design for independent updates and lifecycle management.
  • Document agent responsibilities clearly.

Key Exam Takeaways

For the AB-620 exam, remember these core concepts:

  • Existing agents enable organizations to reuse previously developed AI capabilities.
  • Copilot Studio commonly acts as the orchestrator in multi-agent solutions.
  • Connected agents are independently managed and reusable across solutions.
  • Child agents perform focused tasks on behalf of another agent.
  • Delegation improves scalability, maintainability, and modularity.
  • Authentication and authorization remain critical when integrating agents.
  • Agent specialization is preferred over monolithic, all-in-one designs.

Advanced Integration Patterns

As organizations mature their AI strategy, they often move beyond simple one-to-one delegation and adopt more sophisticated collaboration models. Copilot Studio supports orchestrating multiple specialized agents to create scalable, maintainable enterprise AI solutions.

Hub-and-Spoke Architecture

In this model, a primary Copilot Studio agent acts as the central orchestrator.

                 HR Agent
                     │
Finance Agent ──► Corporate Assistant ◄── IT Agent
                     │
               Legal Agent
                     │
             Inventory Agent

Advantages:

  • Centralized user experience
  • Simplified routing logic
  • Independent agent ownership
  • Easy addition of new agents
  • Consistent governance

Typical enterprise use:

  • Employee portals
  • Enterprise help desks
  • Customer service hubs

Layered Agent Architecture

Some solutions use multiple levels of delegation.

User
Primary Agent
Operations Agent
Inventory Agent
Warehouse Agent

This approach supports very complex business processes while allowing each agent to remain focused on a narrow domain.


Domain-Based Agent Design

A common enterprise strategy is to organize agents around business domains rather than technical systems.

Examples include:

Business DomainSpecialized Agent
Human ResourcesHR Agent
FinanceFinance Agent
Customer ServiceCustomer Support Agent
LegalLegal Agent
ManufacturingOperations Agent
SalesSales Agent
ProcurementPurchasing Agent

Benefits include:

  • Clear ownership
  • Easier governance
  • Better scalability
  • Independent release cycles

Agent Discovery

As organizations create dozens of agents, discovering the appropriate one becomes increasingly important.

Selection may be based on:

  • User intent
  • Department
  • Business process
  • Required expertise
  • User permissions
  • Conversation context

Well-designed orchestration ensures requests are routed to the most appropriate agent.


Governance Considerations

Enterprise AI requires governance throughout the agent lifecycle.

Governance includes:

  • Naming standards
  • Version control
  • Ownership
  • Documentation
  • Security reviews
  • Approval processes
  • Retirement planning

Organizations should maintain an inventory of available agents and their responsibilities.


Version Management

Existing agents evolve over time.

Considerations include:

  • Backward compatibility
  • API changes
  • Updated prompts
  • New tools
  • Modified knowledge sources
  • New capabilities

When integrating an existing agent, verify that updates do not introduce breaking changes for dependent solutions.


Monitoring Multi-Agent Solutions

Monitoring helps ensure reliable operation.

Important metrics include:

Conversation Metrics

  • Conversation completion rate
  • Successful delegations
  • Failed delegations
  • User satisfaction
  • Escalation frequency

Performance Metrics

  • Response time
  • Delegation latency
  • API execution time
  • Tool execution duration
  • Token consumption

Operational Metrics

  • Authentication failures
  • Authorization failures
  • Service availability
  • Agent utilization
  • Error rates

These metrics help identify performance bottlenecks and reliability issues.


Troubleshooting Agent Integrations

Common issues include:

Incorrect Agent Selection

Symptoms:

  • Requests routed to the wrong agent
  • Incorrect answers
  • User frustration

Resolution:

  • Improve intent recognition
  • Refine routing logic
  • Clarify agent responsibilities

Authentication Failures

Symptoms:

  • Access denied
  • Unauthorized responses
  • Connection errors

Resolution:

  • Verify credentials
  • Review authentication configuration
  • Confirm permissions

Missing Context

Symptoms:

  • Incomplete responses
  • Incorrect recommendations
  • Missing user information

Resolution:

  • Pass the required conversation variables
  • Validate data mappings
  • Ensure necessary context is shared

Circular Delegation

Example:

Agent A
Agent B
Agent A

This creates unnecessary processing and can result in loops.

Avoid circular dependencies by clearly defining agent responsibilities.


Performance Optimization

To improve efficiency:

  • Delegate only when necessary.
  • Reduce prompt size.
  • Pass only relevant context.
  • Avoid duplicate processing.
  • Minimize unnecessary API calls.
  • Reuse specialized agents.
  • Cache frequently requested information when appropriate.
  • Monitor response latency.

Efficient designs reduce operational costs and improve user experience.


Security Best Practices

When integrating existing agents:

  • Use Microsoft Entra ID where appropriate.
  • Apply least-privilege access.
  • Protect secrets using secure credential storage.
  • Encrypt communications.
  • Validate user identity before delegation.
  • Audit delegated actions.
  • Restrict access to sensitive knowledge sources.

Security should remain consistent across every participating agent.


Common Design Mistakes

Avoid these frequent errors:

❌ Creating duplicate agents with identical responsibilities

❌ Sending excessive conversation history

❌ Delegating every request

❌ Ignoring security boundaries

❌ Allowing overlapping ownership

❌ Building one massive all-purpose agent

❌ Failing to monitor delegated conversations

❌ Not documenting integration points


Enterprise Example

A global organization deploys a Corporate Assistant.

Employee asks:

“How many vacation days do I have left, and can I book next Friday off?”

Workflow:

  1. Corporate Assistant identifies an HR-related request.
  2. It delegates the request to the existing HR Agent.
  3. The HR Agent retrieves PTO data.
  4. The HR Agent validates available leave.
  5. The HR Agent submits the leave request.
  6. The HR Agent returns the result.
  7. The Corporate Assistant presents a user-friendly response.

The employee interacts with a single conversational interface while multiple specialized agents collaborate behind the scenes.


AB-620 Exam Tips

Expect scenario-based questions covering:

  • Choosing between connected and child agents
  • Designing scalable multi-agent architectures
  • Determining when to reuse existing agents
  • Selecting an orchestration strategy
  • Securing communication between agents
  • Monitoring delegated operations
  • Avoiding duplicated functionality
  • Improving maintainability through specialization

Remember these principles:

  • Copilot Studio commonly acts as the orchestration layer.
  • Existing agents should be reused whenever appropriate.
  • Keep agents specialized and modular.
  • Delegate only when another agent offers distinct expertise.
  • Share only the minimum context required.
  • Secure all integrations.
  • Monitor performance continuously.
  • Avoid monolithic designs.

Practice Exam Questions

Question 1

A company has separate HR, Finance, and IT agents that already perform their respective business functions. A Corporate Assistant should provide a single conversational interface while delegating specialized requests.

Which design best meets this requirement?

A. Create one new agent that duplicates every department’s functionality.

B. Replace all departmental agents with the Corporate Assistant.

C. Configure the Corporate Assistant as the orchestration layer that delegates requests to existing specialized agents.

D. Require users to manually choose which agent to contact before each request.

Answer: C

Explanation: Copilot Studio is commonly used as the orchestration layer, allowing existing specialized agents to perform domain-specific work while presenting users with one unified conversational experience.


Question 2

Which characteristic best describes a connected agent?

A. It is independently managed and reusable across multiple solutions.

B. It only performs mathematical calculations.

C. It can never communicate with another agent.

D. It always replaces the parent agent.

Answer: A

Explanation: Connected agents are autonomous, independently managed agents that can be reused by multiple Copilot Studio solutions.


Question 3

Why should organizations reuse existing agents whenever practical?

A. To increase prompt size.

B. To reduce duplication and leverage previously tested business capabilities.

C. To eliminate authentication requirements.

D. To prevent delegation.

Answer: B

Explanation: Reusing existing agents minimizes development effort while taking advantage of validated logic, integrations, governance, and security.


Question 4

Which practice best improves the performance of delegated conversations?

A. Send every conversation message ever exchanged.

B. Delegate every user request regardless of complexity.

C. Allow multiple agents to answer the same question simultaneously.

D. Share only the context required for the delegated task.

Answer: D

Explanation: Passing only relevant context reduces latency, token consumption, and unnecessary processing.


Question 5

An organization notices that Agent A frequently delegates requests to Agent B, which immediately delegates them back to Agent A.

What architectural issue exists?

A. Token expiration

B. Circular delegation

C. Prompt grounding

D. Adaptive Card failure

Answer: B

Explanation: Circular delegation creates unnecessary processing loops and should be avoided through clearly defined agent responsibilities.


Question 6

Which metric is most useful for identifying inefficient delegation?

A. Browser version

B. Screen resolution

C. Delegation frequency

D. Keyboard layout

Answer: C

Explanation: High delegation frequency can indicate routing inefficiencies or excessive reliance on secondary agents.


Question 7

A Finance department independently maintains its own AI agent while allowing multiple enterprise assistants to reuse it.

Which integration model is most appropriate?

A. Connected agent

B. Child agent

C. Adaptive Card

D. Variable node

Answer: A

Explanation: Connected agents are independently managed and designed for reuse across multiple parent solutions.


Question 8

Which security principle should guide permissions assigned to integrated agents?

A. Full administrative access

B. Anonymous access

C. Shared global credentials

D. Least privilege

Answer: D

Explanation: Agents should receive only the permissions necessary to complete their assigned tasks, reducing security risks.


Question 9

Which architecture is generally considered more scalable for large enterprises?

A. One massive agent responsible for every business function

B. Multiple specialized agents coordinated by an orchestration agent

C. Separate agents that never communicate

D. Duplicate agents performing identical work

Answer: B

Explanation: Specialized agents coordinated by Copilot Studio provide better scalability, maintainability, and governance than monolithic designs.


Question 10

A solution architect wants each business department to update its own AI capabilities without affecting other departments.

Which design recommendation best supports this goal?

A. Merge every capability into one shared prompt.

B. Build identical copies of every agent.

C. Store every business process inside one orchestration agent.

D. Assign ownership of specialized agents to their respective departments while using Copilot Studio to coordinate requests.

Answer: D

Explanation: Department-owned specialized agents allow independent development and maintenance while Copilot Studio orchestrates the overall user experience. This modular approach aligns with Microsoft best practices for enterprise-scale multi-agent solutions.


Go to the AB-620 Exam Prep Hub main page

Design multi-agent solutions in Microsoft Copilot Studio (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Configure multi-agent collaboration from Copilot Studio
      --> Design multi-agent solutions in Copilot Studio


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Learning Objectives

After completing this article, you should be able to:

  • Understand what a multi-agent solution is.
  • Explain why organizations use multiple AI agents.
  • Identify the major components of a multi-agent architecture.
  • Differentiate between parent agents, child agents, and connected agents.
  • Design effective agent responsibilities.
  • Select appropriate routing and orchestration strategies.
  • Apply Microsoft-recommended design principles for enterprise AI solutions.

Introduction

As organizations adopt AI across multiple business functions, a single AI agent often becomes insufficient for handling every task. Large enterprises require AI systems capable of managing specialized workloads, integrating with diverse systems, and scaling independently.

Microsoft Copilot Studio addresses this challenge by enabling developers to create multi-agent solutions, where multiple specialized agents collaborate to solve complex business problems.

Rather than building one large, monolithic agent responsible for every interaction, developers can create multiple focused agents that communicate and cooperate while maintaining clear responsibilities.

This modular approach improves scalability, maintainability, security, and user experience.


What Is a Multi-Agent Solution?

A multi-agent solution consists of two or more AI agents working together toward a shared objective.

Each agent specializes in a particular domain or capability.

Example:

Instead of one agent handling everything, an organization creates:

  • HR Agent
  • IT Help Desk Agent
  • Finance Agent
  • Facilities Agent
  • Sales Agent
  • Customer Service Agent

Each agent focuses on its own area of expertise.

When necessary, agents collaborate to complete broader workflows.


Why Use Multiple Agents?

Multi-agent systems provide several advantages over a single large agent.

Benefits include:

Better Specialization

Each agent becomes an expert in a limited business domain.

Example:

Rather than one agent answering every possible company question,

Create:

  • Benefits Agent
  • Payroll Agent
  • Recruiting Agent

Each delivers more accurate responses.


Easier Maintenance

Updating one specialized agent is easier than modifying a massive all-purpose agent.

Benefits include:

  • fewer unintended side effects
  • simpler testing
  • faster deployments
  • independent versioning

Improved Scalability

Different agents can scale independently.

For example:

Customer Support Agent

  • thousands of daily requests

Finance Approval Agent

  • dozens of daily requests

Each can be optimized separately.


Better Security

Different agents can have different permissions.

Example:

Payroll Agent

Access:

  • salary information
  • tax records

Sales Agent

Access:

  • CRM data

The Sales Agent never needs payroll permissions.


Improved Reliability

If one specialized agent becomes unavailable,

Other agents continue operating.

This improves overall system resilience.


Multi-Agent Terminology

Understanding Microsoft’s terminology is essential for the AB-620 exam.

TermDescription
AgentAn AI assistant designed for a specific purpose
Parent AgentCoordinates other agents
Child AgentPerforms delegated work
Connected AgentIndependent agent available for collaboration
ToolCapability an agent can invoke
TopicConversation workflow
Knowledge SourceInformation available to an agent
ContextInformation shared during conversations
DelegationPassing work to another agent
OrchestrationCoordinating multiple agents

Core Components of a Multi-Agent Solution

Most enterprise architectures include several components.

User

Starts the conversation.

Parent Agent

Receives the request.

Decision Logic

Determines which specialized agent should handle the task.

Specialized Agent

Executes the requested task.

External Systems

  • Databases
  • APIs
  • Microsoft 365
  • Power Platform
  • Azure AI Search
  • ERP systems
  • CRM systems

Response Returned

Results flow back through the parent agent to the user.


Designing Specialized Agents

One of Microsoft’s primary recommendations is:

Design agents around business capabilities—not technologies.

Poor design:

One “Super Agent”

Responsibilities:

  • HR
  • Finance
  • Sales
  • IT
  • Marketing
  • Legal
  • Procurement

Problems:

  • difficult to maintain
  • confusing prompts
  • unnecessary permissions
  • reduced accuracy

Better design:

HR Agent

Handles:

  • benefits
  • vacation
  • onboarding

Finance Agent

Handles:

  • invoices
  • budgets
  • expense reports

IT Agent

Handles:

  • password resets
  • devices
  • software
  • support tickets

Each agent remains focused.


Agent Responsibilities

Every agent should have clearly defined responsibilities.

Good responsibilities are:

  • specific
  • measurable
  • independent
  • reusable

Example

Travel Agent

Responsibilities:

✓ Book flights

✓ Reserve hotels

✓ Check travel policies

Not responsible for:

✗ Payroll

✗ IT tickets

✗ Customer support


Designing Agent Boundaries

One common exam objective is identifying proper agent boundaries.

Ask:

What business capability owns this task?

Not:

Which department requested it?

Example

Employee requests:

“I need a laptop.”

Poor routing:

HR Agent

Better routing:

IT Agent

Reason:

Hardware provisioning belongs to IT.


Parent Agents

The parent agent serves as the coordinator.

Responsibilities include:

  • understanding requests
  • selecting child agents
  • maintaining conversation flow
  • combining responses
  • returning final answers

Think of the parent agent as a project manager.


Child Agents

Child agents perform specialized work delegated by the parent agent.

Examples include:

Benefits Agent

Inventory Agent

Legal Agent

Facilities Agent

Payroll Agent

Each performs work without needing knowledge of the broader conversation.


Connected Agents

Connected agents differ slightly from child agents.

Connected agents are:

  • independently published
  • reusable
  • discoverable
  • callable by other agents

This promotes reuse across multiple solutions.

Example

Company has:

Expense Agent

Multiple departments can connect to it:

  • HR
  • Sales
  • Finance
  • Operations

Rather than creating duplicate expense logic.


Choosing Between Child and Connected Agents

Child AgentConnected Agent
Used within one solutionReusable across solutions
Parent controls lifecycleIndependent lifecycle
Tight integrationLooser integration
Typically internalEnterprise-wide reuse

Orchestration

Orchestration is the process of coordinating multiple agents.

The parent agent determines:

  • who performs work
  • when work begins
  • what data is shared
  • how results are combined

Without orchestration:

Agents work independently.

With orchestration:

Agents collaborate toward one goal.


Collaboration Patterns

Several collaboration models are common.

Sequential Collaboration

Agent A

Agent B

Agent C

Example

Travel request

Policy Agent

Booking Agent

Approval Agent


Parallel Collaboration

Multiple agents execute simultaneously.

          Parent
        /    |    \
      HR   IT   Finance
        \    |    /
         Combined Response

Advantages:

  • faster responses
  • independent execution

Hub-and-Spoke

Most common in Copilot Studio.

           Parent
        /   |   |   \
      HR   IT Finance Legal

Benefits:

  • centralized coordination
  • simple routing
  • easy governance

Mesh Collaboration

Agents communicate directly.

Agent A ↔ Agent B
↕ ↕
Agent C ↔ Agent D

More flexible

More complex

Less common than hub-and-spoke in enterprise Copilot Studio solutions.


Routing Strategies

One of the parent agent’s primary responsibilities is routing requests.

Examples include:

Intent-Based Routing

Determine user intent.

Example:

“I forgot my password.”

IT Agent


Keyword Routing

Specific words trigger agents.

“Payroll”

Payroll Agent

Simple but less flexible than intent recognition.


Rule-Based Routing

Business rules determine routing.

Example:

If request concerns invoices

Finance Agent

Else

Customer Service Agent


AI-Based Routing

The LLM evaluates the request and selects the most appropriate agent based on semantic understanding.

Benefits:

  • greater flexibility
  • better handling of ambiguous language
  • improved user experience

AI-based routing is increasingly preferred for enterprise conversational systems.


Enterprise Example

A user asks:

“I’m traveling to Seattle next week. Can you book my hotel, verify my travel policy, and submit the request for approval?”

Possible orchestration flow:

  1. Parent Agent receives the request.
  2. Policy Agent verifies travel rules.
  3. Booking Agent searches for available hotels.
  4. Approval Agent creates an approval request.
  5. Parent Agent consolidates the results.
  6. User receives a single, coherent response.

This illustrates how multiple specialized agents collaborate to complete a complex workflow while each remains focused on its own domain.


Best Practices

  • Design agents around business capabilities rather than departments.
  • Keep each agent focused on a well-defined responsibility.
  • Minimize overlapping responsibilities between agents.
  • Use parent agents to coordinate complex workflows.
  • Reuse connected agents whenever practical.
  • Prefer AI-based routing for complex conversational experiences.
  • Apply the principle of least privilege so each agent has only the permissions it requires.
  • Plan for scalability by allowing agents to evolve independently.

Common Design Mistakes

Avoid these common pitfalls:

  • Creating one “super agent” responsible for every task.
  • Giving multiple agents overlapping responsibilities.
  • Granting excessive permissions to specialized agents.
  • Routing requests solely by keywords when semantic routing is more appropriate.
  • Tightly coupling agents that should be reusable.
  • Failing to define clear ownership for business capabilities.

AB-620 Exam Tips

For the exam, remember these key concepts:

  • A multi-agent solution consists of multiple specialized agents working together.
  • Parent agents coordinate conversations and delegate work.
  • Child agents perform specialized tasks within a solution.
  • Connected agents are independently published and reusable across multiple solutions.
  • Orchestration manages how agents collaborate to fulfill user requests.
  • Design agents around business capabilities, not organizational departments.
  • Use AI-based routing when requests are complex or ambiguous.
  • Keep agents modular, secure, maintainable, and independently scalable.

Advanced Multi-Agent Design Patterns

Once you understand the fundamentals of multi-agent solutions, the next step is learning how to design enterprise-grade architectures. Microsoft expects AI Agent Builders to select appropriate collaboration patterns based on business requirements rather than attempting to solve every problem with a single architecture.


Pattern 1 – Hub-and-Spoke (Recommended)

This is the most common architecture used in Copilot Studio.

                  User
                   │
            Parent Agent
      ┌────────┼────────┐
      │        │        │
   HR Agent IT Agent Finance Agent
      │        │        │
      └────────┼────────┘
          Consolidated Response

Advantages

  • Centralized orchestration
  • Easy governance
  • Simplified security
  • Easy monitoring
  • Scalable
  • Easy to troubleshoot

Typical Uses

  • Enterprise copilots
  • Employee self-service
  • Customer support
  • IT service desks

Pattern 2 – Sequential Workflow

Each agent performs one step before passing work to the next.

Example

User
Travel Agent
Policy Agent
Approval Agent
Booking Agent
User

Best for

  • Approval workflows
  • Procurement
  • Employee onboarding
  • Case management

Pattern 3 – Parallel Processing

Several agents work simultaneously.

               Parent Agent
             /      |      \
         Sales   Inventory  Shipping
             \      |      /
          Combined Response

Benefits

  • Faster responses
  • Independent processing
  • Better user experience

Pattern 4 – Federated Agent Architecture

Different business units own their own agents.

Example

Sales Department

Owns Sales Agent

Finance Department

Owns Finance Agent

HR Department

Owns HR Agent

A parent agent coordinates requests without requiring centralized ownership of every specialized agent.


Agent Communication Lifecycle

Most multi-agent conversations follow this sequence:

Step 1

User submits request.

Step 2

Parent agent interprets intent.

Step 3

Appropriate specialized agent is selected.

Step 4

Context is transferred.

Step 5

Specialized agent completes work.

Step 6

Result returns to parent.

Step 7

Parent formats final response.


Context Sharing

Context refers to the information needed for another agent to complete work.

Examples include:

  • User identity
  • Previous conversation
  • Variables
  • Business data
  • Parameters
  • Selected products
  • Order numbers

Good context sharing reduces duplicate questions and improves user experience.

Example

Without context:

Parent Agent:

“What order number?”

Inventory Agent:

“What order number?”

Shipping Agent:

“What order number?”

Poor experience.


Better

Parent collects:

Order #14567

Passes it automatically to downstream agents.


State Management

State represents information preserved during a conversation.

Examples include:

  • Customer ID
  • Shopping cart
  • Selected location
  • Previous answers
  • Authentication status

Good state management allows conversations to continue naturally.

Example

User:

“I’d like to change my reservation.”

Five minutes later:

“Can you move it to next Tuesday?”

The agent remembers the reservation discussed earlier.


Stateless vs. Stateful Design

StatelessStateful
No memory between requestsMaintains conversation context
Simple implementationMore personalized interactions
Highly scalableSupports complex workflows
Good for APIsGood for conversational agents

Copilot Studio frequently combines both approaches depending on the scenario.


Security Considerations

Every agent should follow the principle of least privilege.

Example

Benefits Agent

Access

✓ Benefits database

✗ Payroll database

✗ Financial records

Finance Agent

Access

✓ Expense reports

✓ Budgets

✗ HR records

This reduces risk and improves compliance.


Authentication

Each specialized agent may authenticate independently.

Possible methods include:

  • Microsoft Entra ID
  • OAuth 2.0
  • Managed identities
  • API Keys (when appropriate)

The parent agent should not automatically inherit unrestricted access to every connected system.


Performance Considerations

Large organizations may operate dozens or even hundreds of specialized agents.

Performance can be improved by:

  • Running independent agents in parallel
  • Caching frequently accessed information
  • Reusing connected agents
  • Avoiding unnecessary delegations
  • Limiting context passed between agents
  • Reducing repeated API calls

Scalability

A good architecture should support future growth.

Instead of:

Parent
One giant agent

Use:

Parent
HR
Finance
Sales
Legal
IT
Marketing
Facilities
Travel
Procurement

New business capabilities can be added without redesigning the entire solution.


Monitoring Multi-Agent Solutions

Enterprise deployments should monitor:

  • Conversation success rate
  • Agent selection accuracy
  • API failures
  • Response times
  • Authentication failures
  • Delegation failures
  • User satisfaction
  • Tool execution success
  • Token usage
  • Error frequency

Monitoring enables continuous improvement and faster troubleshooting.


Troubleshooting Collaboration Issues

Common issues include:

Incorrect Routing

Symptoms

  • Wrong agent selected
  • Irrelevant responses

Solution

Improve routing logic or intent recognition.


Missing Context

Symptoms

  • Users repeatedly answer the same questions.

Solution

Share required variables between agents.


Permission Errors

Symptoms

  • Agent cannot access required resources.

Solution

Review security roles and connector permissions.


Delegation Loops

Symptoms

Agent A

Agent B

Agent A

Agent B

Avoid circular delegation by defining clear ownership and termination conditions.


Slow Performance

Causes

  • Too many API calls
  • Excessive context transfer
  • Sequential execution when parallel processing is possible

Single-Agent vs. Multi-Agent Architecture

Single AgentMulti-Agent
Simple implementationMore flexible
Limited specializationHighly specialized
Harder to scaleScales independently
Large promptSmaller focused prompts
One security modelGranular permissions
Lower maintenance flexibilityIndependent lifecycle management
Good for small solutionsBest for enterprise solutions

Real-World Enterprise Scenario 1

A global manufacturing company deploys:

  • HR Agent
  • Payroll Agent
  • IT Agent
  • Procurement Agent
  • Maintenance Agent

The Enterprise Copilot receives:

“Order a replacement laptop for my new employee.”

Possible workflow:

  1. Parent Agent identifies onboarding request.
  2. HR Agent confirms employee status.
  3. Procurement Agent verifies available hardware.
  4. IT Agent creates deployment ticket.
  5. Parent Agent summarizes results.

No single specialized agent performs every task.


Real-World Enterprise Scenario 2

Customer asks:

“My shipment is late and I’d like a refund.”

Workflow:

Parent Agent

Order Agent

Shipping Agent

Finance Agent

Customer Support Agent

Response returned

Each agent performs one specialized responsibility.


Design Decision Matrix

RequirementRecommended Design
Simple FAQ botSingle agent
Enterprise employee assistantMulti-agent hub-and-spoke
Department specializationConnected agents
Approval workflowsSequential orchestration
Independent business unitsFederated architecture
Large enterprise platformParent with reusable connected agents

Summary

For the AB-620 exam, remember these key points:

  • Multi-agent solutions improve scalability, maintainability, and specialization.
  • Parent agents orchestrate work across specialized agents.
  • Child agents perform delegated tasks within a solution.
  • Connected agents are reusable across multiple solutions.
  • Effective context sharing minimizes repeated user input.
  • State management enables natural, continuous conversations.
  • Security should follow the principle of least privilege.
  • Parallel execution can improve performance.
  • Monitoring and troubleshooting are essential for production deployments.
  • Select an architecture that aligns with business requirements rather than forcing a single design pattern.

Practice Exam Questions

Question 1

A company wants a Copilot solution where HR, Finance, and IT each maintain their own specialized agents while a single enterprise assistant coordinates user requests. Which architecture is most appropriate?

A. Hub-and-spoke multi-agent architecture

B. Single-agent architecture

C. Stateless REST API architecture

D. Batch processing architecture

Answer: A

Explanation: A hub-and-spoke architecture uses a parent agent to coordinate specialized agents, making it ideal for enterprise scenarios where multiple business domains are involved.


Question 2

What is the primary responsibility of a parent agent in a multi-agent solution?

A. Store all enterprise data

B. Replace every specialized agent

C. Orchestrate conversations and delegate work

D. Authenticate every external API directly

Answer: C

Explanation: The parent agent coordinates conversations, selects the appropriate specialized agent, manages context, and returns a unified response.


Question 3

Which design principle helps reduce unnecessary security risks in multi-agent solutions?

A. Shared administrator permissions

B. Principle of least privilege

C. Universal read/write access

D. Anonymous authentication

Answer: B

Explanation: Granting each agent only the permissions it requires minimizes the attack surface and aligns with Microsoft’s security recommendations.


Question 4

A company wants multiple departments to reuse the same Expense Approval agent without duplicating its logic. Which type of agent is most appropriate?

A. Parent agent

B. Temporary agent

C. Stateless agent

D. Connected agent

Answer: D

Explanation: Connected agents are independently published and reusable across multiple solutions or departments.


Question 5

Why is context sharing important between collaborating agents?

A. It encrypts API traffic automatically.

B. It eliminates authentication requirements.

C. It prevents users from repeatedly providing the same information.

D. It replaces business rules.

Answer: C

Explanation: Sharing relevant context improves efficiency and provides a smoother conversational experience.


Question 6

Which collaboration pattern is generally the best choice when several independent tasks can be completed simultaneously?

A. Parallel processing

B. Sequential workflow

C. Single-agent routing

D. Manual delegation

Answer: A

Explanation: Parallel processing reduces overall response time by allowing multiple specialized agents to work concurrently.


Question 7

A conversation requires remembering a reservation number while multiple agents collaborate. Which capability is most important?

A. Stateless routing

B. Keyword matching

C. State management

D. Anonymous access

Answer: C

Explanation: State management preserves important conversation data across interactions and between collaborating agents.


Question 8

Which issue is most likely to occur if agent responsibilities overlap significantly?

A. Improved specialization

B. Easier maintenance

C. Lower API costs

D. Incorrect routing and duplicated functionality

Answer: D

Explanation: Overlapping responsibilities create ambiguity, increase maintenance complexity, and may cause requests to be routed incorrectly.


Question 9

What is the primary advantage of designing specialized agents around business capabilities instead of departments?

A. Reduced conversation quality

B. Clear ownership and easier long-term maintenance

C. Elimination of authentication

D. Guaranteed parallel execution

Answer: B

Explanation: Business capability–based design creates well-defined responsibilities, improving maintainability, scalability, and reuse.


Question 10

A global organization expects to add new AI capabilities every few months. Which architectural characteristic best supports future growth?

A. One large monolithic agent

B. Hard-coded routing rules only

C. Modular multi-agent architecture with independently scalable agents

D. Manual agent switching by users

Answer: C

Explanation: A modular multi-agent architecture allows organizations to add or update specialized agents independently without redesigning the entire solution, making it the preferred enterprise approach.


Go to the AB-620 Exam Prep Hub main page

Add REST APIs to an agent (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Add tools to agents
      --> Add REST APIs to an agent


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Learning Objectives

After completing this section, you should be able to:

  • Explain REST APIs.
  • Understand how REST API tools work in Copilot Studio.
  • Configure REST API tools.
  • Configure authentication.
  • Build requests.
  • Parse responses.
  • Use API outputs in conversations.
  • Apply Microsoft security best practices.

What is a REST API?

A REST (Representational State Transfer) API is a web service that allows applications to communicate over HTTP using standard operations.

Rather than interacting directly with databases or applications, agents communicate with REST APIs to retrieve or update information.

REST APIs are one of the most common integration mechanisms used in enterprise software.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Payment services
  • AI services
  • Internal business applications

Why Use REST APIs in Copilot Studio?

REST APIs enable agents to interact with virtually any application that exposes HTTP endpoints.

Common use cases include:

  • Retrieving customer records
  • Creating support tickets
  • Updating inventory
  • Booking appointments
  • Querying AI models
  • Processing payments
  • Accessing proprietary business systems

Unlike standard connectors, REST APIs allow organizations to integrate with services that do not already have a connector.


REST API Tool Architecture

A typical architecture looks like this:

User
Copilot Studio Agent
REST API Tool
HTTP Request
REST API Endpoint
Enterprise Application
HTTP Response
Agent Response

The REST API tool acts as the communication layer between the agent and the external service.


REST Principles

REST APIs generally use:

  • HTTP
  • URLs
  • Resources
  • Standard HTTP methods
  • JSON payloads

Example resource:

https://api.company.com/customers/10025

HTTP Methods

The AB-620 exam expects familiarity with the most common HTTP methods.

GET

Retrieves information.

Example:

GET /customers/10025

Used when reading data.


POST

Creates a new resource.

Example:

POST /orders

Used to create records.


PUT

Replaces an existing resource.

Example:

PUT /customers/10025

Often used for full updates.


PATCH

Updates part of a resource.

Example:

PATCH /customers/10025

Updates only specified fields.


DELETE

Deletes a resource.

Example:

DELETE /orders/501

REST API Requests

A request generally contains:

  • Endpoint URL
  • HTTP method
  • Authentication
  • Headers
  • Parameters
  • Optional request body

Example:

GET https://api.company.com/orders/12345
Authorization: Bearer <token>
Accept: application/json

Authentication Methods

Authentication is frequently tested on the exam.

Common methods include:

OAuth 2.0

Most common for enterprise applications.

Advantages:

  • Secure
  • Token-based
  • Supports delegated access

Microsoft Entra ID

Used for Microsoft-secured APIs.

Examples:

  • Microsoft Graph
  • Azure services
  • Internal enterprise APIs

API Key

Common for:

  • AI services
  • Third-party APIs
  • Internal APIs

The API key is usually sent in a request header.


Basic Authentication

Supported by some legacy systems.

Generally discouraged for modern enterprise deployments.


Configuring a REST API Tool

Typical steps include:

  1. Open the agent.
  2. Navigate to Tools.
  3. Select Add Tool.
  4. Choose REST API.
  5. Provide the endpoint URL.
  6. Configure authentication.
  7. Configure operations.
  8. Save the tool.

The REST API can now be invoked by the agent during conversations.


Endpoint Configuration

The endpoint identifies the resource.

Example:

https://api.contoso.com/orders

Additional path parameters may be used.

Example:

/orders/{OrderID}

Path Parameters

Path parameters identify specific resources.

Example:

/orders/45213

where:

OrderID = 45213

Query Parameters

Query parameters filter results.

Example:

/orders?status=Pending

Multiple query parameters may be combined.

Example:

/products?category=Electronics&warehouse=West

Headers

Headers provide additional information.

Examples include:

  • Authorization
  • Accept
  • Content-Type
  • User-Agent
  • API version

Example:

Authorization: Bearer token
Content-Type: application/json

Request Body

POST, PUT, and PATCH operations often include JSON.

Example:

{
"customerID":12345,
"priority":"High",
"description":"Damaged shipment"
}

The request body supplies the data the API needs.


JSON

JSON (JavaScript Object Notation) is the most common REST payload format.

Example response:

{
"OrderID":12345,
"Status":"Shipped",
"Carrier":"Contoso Logistics",
"Tracking":"ABC987654"
}

Copilot Studio parses these values into variables that can be used in subsequent conversation steps.


Variables

Inputs can originate from:

  • User messages
  • Conversation variables
  • Previous tool outputs
  • Adaptive Card inputs
  • AI-extracted entities

Example:

User:

Check order 55421.

Variable:

OrderID = 55421

The REST API request uses this variable as a path or query parameter.


Response Mapping

REST API responses can populate conversation variables.

Example:

{
"Customer":"John Smith",
"Status":"Delivered",
"DeliveryDate":"2026-10-04"
}

The agent can then:

  • Respond naturally
  • Display an Adaptive Card
  • Make branching decisions
  • Invoke another tool
  • Store values for later use

Security Considerations

REST APIs often expose sensitive enterprise data.

Microsoft recommends:

  • Secure authentication
  • HTTPS only
  • Least privilege
  • Avoid exposing secrets
  • Validate inputs
  • Protect sensitive outputs

Best Practices

Keep APIs Focused

Each endpoint should perform one clear task.


Validate Inputs

Reject invalid values before sending requests.


Use Secure Authentication

Prefer:

  • OAuth 2.0
  • Microsoft Entra ID

Avoid storing secrets directly in requests whenever possible.


Return Only Required Data

Smaller responses improve:

  • Performance
  • Security
  • Readability

Use Clear Endpoint Names

Good examples:

/customers
/orders
/inventory

Poor examples:

/process1
/action
/data

Common Exam Scenarios

You should be able to determine when a REST API tool is the appropriate choice.

Examples include:

  • Integrating with a proprietary application that does not have a Power Platform connector.
  • Calling an external AI service.
  • Accessing an internal business API.
  • Invoking a third-party SaaS application that exposes a REST interface.
  • Rapidly integrating with an existing HTTP-based service without creating a reusable custom connector.

These scenarios frequently appear in the form of architecture or design questions on the AB-620 exam.


Key Takeaways from the topics covered so far

  • REST API tools allow Copilot Studio agents to interact directly with HTTP-based services.
  • REST APIs use standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • Authentication commonly uses OAuth 2.0, Microsoft Entra ID, or API keys.
  • Requests consist of endpoints, headers, parameters, and (when appropriate) JSON request bodies.
  • JSON responses are parsed into variables that can drive conversation flow and subsequent tool invocations.
  • Secure design, proper authentication, and least-privilege access are essential best practices.

Securing REST API Integrations

Security is one of the most heavily tested areas of the AB-620 exam. Microsoft expects AI Agent Builders to understand not only how to connect to an API, but also how to do so securely.

A poorly secured API can expose sensitive business information, customer data, and backend systems.


Authentication Overview

Most enterprise REST APIs require authentication before they process requests.

Common authentication methods include:

  • API Keys
  • OAuth 2.0
  • Microsoft Entra ID (Azure AD)
  • Bearer Tokens
  • Basic Authentication (legacy)

API Keys

An API Key is a unique secret value issued by an API provider.

Example:

GET https://api.company.com/orders
Headers
x-api-key:
A1B2C3D4E5

Advantages

  • Easy to configure
  • Simple to understand
  • Good for internal services

Disadvantages

  • Less secure than OAuth
  • Keys may expire
  • Keys must be protected

OAuth 2.0

OAuth is the preferred authentication method for modern enterprise applications.

Instead of sending usernames and passwords:

  1. User signs in
  2. Identity provider authenticates user
  3. Access token is issued
  4. API validates token

Benefits

  • Strong security
  • Supports delegated permissions
  • Supports application permissions
  • Token expiration
  • Token revocation

Microsoft Entra ID Authentication

Many Microsoft services use Microsoft Entra ID.

Examples include:

  • Microsoft Graph
  • SharePoint
  • Outlook
  • Teams
  • Azure Management APIs

Advantages

  • Central identity management
  • Conditional Access
  • Multi-factor authentication
  • Role-based access control

Bearer Tokens

Many REST APIs require an Authorization header.

Example

Authorization:
Bearer eyJhbGciOi...

The token proves that the caller has already authenticated.


Basic Authentication

Older systems may still require:

Authorization:
Basic Base64(username:password)

This method is generally discouraged for new solutions.

Reasons:

  • Lower security
  • Password management
  • Credential exposure risks

Managing Secrets

Never hard-code:

  • Passwords
  • API Keys
  • Tokens

Instead:

  • Store credentials securely
  • Use connection references
  • Use environment variables
  • Use secure authentication providers

Request Headers

Headers provide additional information.

Common headers include:

Authorization
Content-Type
Accept
User-Agent

Example

Content-Type:
application/json

This tells the server JSON is being sent.


Query Parameters

Many APIs accept filtering.

Example

GET
/customers?city=Seattle

Instead of returning every customer:

The API returns only Seattle customers.

Benefits

  • Faster
  • Smaller payloads
  • Lower cost

Pagination

Large APIs rarely return all records.

Instead they return pages.

Example

GET
/orders?page=1

Next request:

page=2

Benefits

  • Better performance
  • Smaller responses
  • Lower memory usage

Rate Limits

Most enterprise APIs limit requests.

Example

1000 requests/hour

If exceeded:

429 Too Many Requests

Best practices

  • Retry later
  • Respect Retry-After headers
  • Reduce unnecessary requests

Handling Errors

REST APIs commonly return status codes.

CodeMeaning
200Success
201Created
204No Content
400Bad Request
401Unauthorized
403Forbidden
404Not Found
408Timeout
429Too Many Requests
500Internal Server Error

Agents should handle these responses gracefully.


Logging API Activity

Developers should monitor:

  • Request success
  • Failures
  • Latency
  • Authentication failures
  • Timeouts

Useful for:

  • Troubleshooting
  • Performance tuning
  • Compliance
  • Auditing

Monitoring API Performance

Key metrics include:

Average response time

Error rate

Success rate

Retry count

Timeout frequency

API availability


Best Practices

Design

  • Keep APIs focused.
  • Follow REST conventions.
  • Use meaningful endpoints.
  • Version APIs.

Security

  • Prefer OAuth.
  • Encrypt traffic using HTTPS.
  • Protect secrets.
  • Validate input.
  • Apply least privilege.

Performance

  • Filter results.
  • Cache where appropriate.
  • Minimize payload size.
  • Use pagination.
  • Avoid unnecessary API calls.

Reliability

  • Handle failures gracefully.
  • Retry transient errors.
  • Log important events.
  • Monitor health.
  • Test regularly.

REST APIs vs Custom Connectors

REST API ToolCustom Connector
Direct API definitionReusable connector
Good for individual APIsGood for many apps
Can require manual configurationSimpler for repeated use
FlexibleMore standardized
Ideal for rapid integrationIdeal for enterprise reuse

Exam Tips

Remember these important distinctions:

  • REST APIs allow direct integration with external services.
  • APIs use HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • JSON is the primary request and response format.
  • Authentication is commonly handled through OAuth 2.0 or Microsoft Entra ID.
  • API responses should be validated before use.
  • Agents should gracefully handle failures and retries.
  • Secure secrets should never be hard-coded.
  • Monitoring and logging are essential for production deployments.
  • Pagination and filtering improve performance.
  • Custom connectors simplify reuse of REST APIs across Power Platform solutions.

Practice Exam Questions

Question 1

A Copilot Studio agent needs to retrieve customer information from an external CRM without modifying any data. Which HTTP method should the REST API use?

A. POST

B. PUT

C. GET

D. PATCH

Answer: C

Explanation: GET retrieves data without changing server resources. POST creates resources, PUT replaces them, and PATCH partially updates them.


Question 2

Which authentication method is generally recommended for enterprise REST API integrations?

A. Basic Authentication

B. OAuth 2.0

C. Anonymous Access

D. Shared Password Files

Answer: B

Explanation: OAuth 2.0 provides secure, token-based authentication with delegated permissions and is preferred for enterprise APIs.


Question 3

A REST API returns HTTP status code 401 Unauthorized. What does this most likely indicate?

A. The requested resource does not exist.

B. The server encountered an internal error.

C. Authentication credentials are missing or invalid.

D. The request exceeded the rate limit.

Answer: C

Explanation: A 401 response indicates that the request lacks valid authentication credentials.


Question 4

Why should API keys never be hard-coded into an agent?

A. They increase API response times.

B. They prevent JSON serialization.

C. They disable HTTPS encryption.

D. They can be exposed and compromise security.

Answer: D

Explanation: Hard-coded secrets are difficult to rotate and may be exposed through source code or logs.


Question 5

An API returns 429 Too Many Requests. What is the most appropriate response by the agent?

A. Continue sending requests immediately.

B. Retry after waiting according to the API’s guidance.

C. Switch to Basic Authentication.

D. Ignore the error.

Answer: B

Explanation: HTTP 429 indicates that the client has exceeded rate limits. The agent should wait and retry appropriately.


Question 6

Which request header typically specifies the authentication token for a REST API?

A. Accept

B. Content-Type

C. Authorization

D. Cache-Control

Answer: C

Explanation: The Authorization header carries bearer tokens or other authentication credentials.


Question 7

Why do many APIs implement pagination?

A. To encrypt responses.

B. To reduce the amount of data returned in a single request.

C. To replace authentication.

D. To prevent HTTPS connections.

Answer: B

Explanation: Pagination improves performance and scalability by limiting the number of records returned per request.


Question 8

Which format is most commonly used for REST API request and response bodies?

A. CSV

B. XML

C. YAML

D. JSON

Answer: D

Explanation: JSON is lightweight, widely supported, and the standard format for modern REST APIs.


Question 9

When integrating a REST API into Copilot Studio, why is validating API responses important?

A. It guarantees that authentication is unnecessary.

B. It eliminates network latency.

C. It ensures returned data is complete and expected before the agent uses it.

D. It automatically encrypts responses.

Answer: C

Explanation: Response validation helps prevent errors and ensures the agent processes reliable, expected data.


Question 10

Why might a development team choose a Power Platform custom connector instead of directly configuring a REST API in every agent?

A. Custom connectors eliminate the need for authentication.

B. Custom connectors can only connect to Microsoft services.

C. Custom connectors replace HTTP methods.

D. Custom connectors provide reusable, centrally managed API definitions across multiple solutions.

Answer: D

Explanation: Custom connectors simplify maintenance, standardize integrations, and enable reuse across multiple apps, flows, and Copilot Studio agents.


Go to the AB-620 Exam Prep Hub main page

Add a tool by using an existing custom connector (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Add tools to agents
      --> Add a tool by using an existing custom connector


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

What is a Custom Connector?

A custom connector is a reusable connector created within the Microsoft Power Platform that exposes one or more APIs as actions that Power Apps, Power Automate, Copilot Studio, and other services can use.

Instead of writing HTTP requests directly into every application, developers encapsulate API definitions into a connector.

The connector becomes a reusable enterprise asset.

Examples include:

  • Internal HR system
  • Inventory management API
  • Legacy ERP
  • Manufacturing execution system
  • Banking platform
  • Insurance claims system
  • Internal CRM
  • Proprietary AI service

Why Use an Existing Custom Connector?

Many organizations already have custom connectors built for:

  • Power Apps
  • Power Automate
  • Logic Apps
  • Internal automation

Instead of recreating integrations, Copilot Studio can reuse them.

Benefits include:

  • Less development effort
  • Consistent API usage
  • Centralized maintenance
  • Shared authentication
  • Governance
  • Reduced duplication

Standard Connectors vs Custom Connectors

Standard ConnectorCustom Connector
Built by Microsoft or partnerBuilt by organization
Supports common SaaS productsSupports proprietary systems
Automatically maintainedOrganization maintains it
Limited to supported servicesCan connect to virtually any REST API
Examples: Outlook, SharePointExample: Internal Payroll API

How Custom Connectors Work

The architecture typically looks like:

User
Copilot Studio Agent
Tool
Custom Connector
REST API
Enterprise System

The connector translates:

  • Authentication
  • Request formatting
  • Parameter validation
  • Response parsing

into reusable actions.


Typical Enterprise Scenario

A company has an internal warranty database.

The API already exists.

Power Platform administrators previously created a custom connector.

The Copilot Studio agent simply calls the connector instead of directly calling the API.

This avoids:

  • duplicate coding
  • duplicated authentication
  • inconsistent API calls

Components of a Custom Connector

A connector typically includes:

General Information

  • Name
  • Description
  • Icon
  • Host URL

Security Definition

Authentication type

Examples:

  • OAuth 2.0
  • API Key
  • Microsoft Entra ID
  • Basic Authentication

API Definition

Defines:

  • Actions
  • Parameters
  • Request body
  • Responses

Policies

Optional transformations including:

  • Header injection
  • URL rewriting
  • Request modifications
  • Response modifications

Authentication Methods

One of the most important exam topics.

OAuth 2.0

Most common.

Suitable for:

  • Microsoft Graph
  • Enterprise APIs
  • Cloud applications

Benefits:

  • Secure
  • Token-based
  • Supports delegated permissions

API Key

Common for:

  • Third-party services
  • AI APIs
  • Internal APIs

The connector automatically sends the key.


Microsoft Entra ID

Often used for internal enterprise APIs.

Advantages:

  • Central identity management
  • Role-based access
  • Conditional Access
  • Single Sign-On

Basic Authentication

Supported but generally discouraged for production workloads.

Used mainly with legacy systems.


Adding an Existing Custom Connector as a Tool

Typical process:

  1. Open the agent.
  2. Navigate to Tools.
  3. Select Add Tool.
  4. Choose Existing Custom Connector.
  5. Select the connector.
  6. Select one or more operations.
  7. Configure parameters.
  8. Save.

The agent can now invoke the connector during conversations.


Choosing Operations

One connector may expose many actions.

Example:

Inventory Connector

  • Get Product
  • Update Inventory
  • Reserve Inventory
  • Cancel Reservation
  • Check Warehouse
  • Retrieve Supplier

The agent only needs the operations relevant to its purpose.

Selecting unnecessary operations increases complexity and expands the agent’s available actions beyond what is needed.


Designing Good Operations

Operations should be:

  • Focused
  • Reusable
  • Well documented
  • Clearly named

Good examples:

  • GetCustomer
  • CreateOrder
  • SubmitExpense
  • LookupPolicy

Poor examples:

  • ExecuteProcess1
  • ActionA
  • TestEndpoint

Configuring Parameters

Most operations require parameters.

Example:

GetCustomer
CustomerID

or

CreateTicket
Title
Priority
Description

Copilot Studio maps conversation data into these parameters.


Required vs Optional Parameters

Understand the distinction.

Required:

The action cannot execute without them.

Optional:

Improve results but are not mandatory.

Example:

Required

  • Order Number

Optional

  • Customer Email

Input Mapping

Inputs can come from:

  • User messages
  • Variables
  • Previous tool outputs
  • System variables
  • AI extracted entities

Example:

User:

Where is order 10245?

Extract:

Order Number

Connector:

GetOrderStatus(10245)


Output Mapping

Connector responses become variables.

Example:

API returns:

Customer Name
Order Status
Shipping Date

The agent can then:

  • respond to the user
  • populate Adaptive Cards
  • call another tool
  • make decisions
  • branch within a topic

Working with JSON Responses

Many APIs return JSON.

Example:

{
"customer":"John Smith",
"status":"Processing",
"shipDate":"2026-08-15"
}

Copilot Studio extracts individual properties for later use.


Security Considerations

Microsoft recommends granting only the permissions the connector actually requires.

Follow the principle of least privilege.

Avoid connectors with unnecessary administrative permissions.


Governance

Administrators should:

  • Review connector ownership.
  • Approve enterprise connectors.
  • Monitor usage.
  • Enforce Data Loss Prevention (DLP) policies.
  • Control environment access.
  • Audit authentication methods.
  • Review connector updates before deployment.

Best Practices

Reuse Existing Connectors

Avoid building duplicate connectors.


Keep Operations Small

Small operations are easier to test.


Use Descriptive Names

Helps AI select the correct tool.


Secure Authentication

Prefer:

  • OAuth
  • Microsoft Entra ID

Avoid hard-coded credentials.


Validate Inputs

Prevent invalid requests before invoking APIs.


Return Structured Responses

Predictable JSON improves downstream processing.


Common Exam Pitfalls

Candidates often confuse:

  • Standard connectors
  • Power Platform connectors
  • Custom connectors
  • REST API tools
  • MCP tools

Remember:

  • Standard connectors are Microsoft-provided.
  • Power Platform connectors include both standard and custom connectors available within the Power Platform ecosystem.
  • Custom connectors wrap your own APIs into reusable connector definitions.
  • REST API tools call APIs directly from the agent without requiring a custom connector.
  • MCP tools connect to capabilities exposed through the Model Context Protocol, enabling standardized interaction with external tools and services.

Being able to choose the most appropriate integration option for a given scenario is a key skill measured on the AB-620 exam.


Quick Orientation Summary

In the topics above, you learned what custom connectors are, how they differ from standard connectors, how to configure them as agent tools, and how authentication, parameters, and outputs work.

The topics below focus on the advanced knowledge expected for the AB-620 certification exam.


Advanced Configuration

Once a custom connector has been added to an agent, developers should configure it so that it behaves predictably during conversations.

Important considerations include:

  • Selecting only the operations the agent requires
  • Mapping variables correctly
  • Providing descriptive action names
  • Validating required inputs
  • Handling null values
  • Returning structured outputs

A well-configured connector is easier for the AI orchestrator to select appropriately and reduces the likelihood of incorrect tool invocation.


Designing Agent-Friendly Connectors

Although a connector may expose dozens of operations, not all of them should necessarily be available to an agent.

Good practice includes:

  • Separate read operations from update operations.
  • Expose only business-relevant actions.
  • Avoid administrative functions unless necessary.
  • Keep operations focused on a single task.
  • Use clear operation descriptions.

Example:

Instead of:

  • ExecuteAPI

Use:

  • GetCustomerOrders
  • CreateSupportTicket
  • UpdateDeliveryAddress

This improves the agent’s ability to determine when to invoke each action.


Variable Mapping Best Practices

Variables often originate from:

  • User input
  • Previous topic variables
  • Generative AI extraction
  • Other tools
  • Adaptive Card submissions

Example workflow:

User:

I need the warranty information for product 45831.

Conversation variable:

ProductID = 45831

Connector action:

GetWarranty(ProductID)

Connector response:

WarrantyStatus
ExpirationDate
CoverageType

These outputs become new variables that the agent can reference later in the conversation.


Chaining Multiple Tools

A single conversation often involves multiple tools working together.

Example:

Step 1

Retrieve customer information.

Step 2

Retrieve active orders.

Step 3

Retrieve shipping status.

Step 4

Generate natural-language response.

Rather than creating one large API, smaller reusable operations simplify maintenance and improve reliability.


Error Handling

Enterprise systems occasionally fail.

Possible causes include:

  • Invalid parameters
  • Expired authentication
  • Network interruptions
  • Service outages
  • Rate limiting
  • Missing permissions

Agents should be designed to recover gracefully whenever possible.


Common Error Responses

Examples include:

400 Bad Request

Incorrect input.

Example:

Customer ID contains invalid characters.


401 Unauthorized

Authentication failed.

Possible causes:

  • Expired token
  • Invalid credentials
  • Missing authentication

403 Forbidden

User is authenticated but lacks permission.


404 Not Found

Requested resource does not exist.


429 Too Many Requests

API rate limit exceeded.


500 Internal Server Error

Unexpected server-side failure.


Designing Friendly Error Messages

Avoid exposing raw API errors to end users.

Instead of:

Error 500

Use:

I couldn’t retrieve your information right now. Please try again in a few minutes.

This provides a better user experience while avoiding disclosure of unnecessary technical details.


Performance Optimization

Large enterprise APIs can affect conversation speed.

Microsoft recommends:

  • Return only required fields.
  • Reduce payload sizes.
  • Limit unnecessary API calls.
  • Cache frequently used information when appropriate.
  • Break large operations into smaller reusable actions.

Security Best Practices

Security is frequently tested on the AB-620 exam.

Recommendations include:

Principle of Least Privilege

Grant only the permissions required.

Example:

Instead of granting:

Customer.ReadWrite.All

Grant:

Customer.Read

if the agent only retrieves customer information.


Secure Authentication

Preferred methods:

  • Microsoft Entra ID
  • OAuth 2.0
  • Managed identity (where applicable)

Avoid embedding secrets directly in connector definitions whenever possible.


Protect Sensitive Data

Avoid returning:

  • Passwords
  • Authentication tokens
  • Social Security numbers
  • Credit card numbers
  • Personally identifiable information (PII) unless absolutely required

Return only the data necessary for the conversation.


Monitoring Connector Usage

Administrators should monitor:

  • Successful executions
  • Failed executions
  • Authentication failures
  • API latency
  • Usage frequency
  • User activity
  • Connector health

Monitoring helps identify bottlenecks and troubleshoot production issues.


Logging

Logging is useful for:

  • Diagnosing failures
  • Auditing requests
  • Measuring adoption
  • Identifying slow operations
  • Supporting compliance requirements

However, avoid logging confidential user information unnecessarily.


Versioning Connectors

Enterprise APIs evolve over time.

Best practices include:

  • Version APIs
  • Test new versions before deployment
  • Avoid breaking changes
  • Maintain backward compatibility where practical
  • Update agents after connector changes

Enterprise Scenario 1

A healthcare organization exposes a patient scheduling API through a custom connector.

The agent can:

  • Find appointments
  • Schedule visits
  • Cancel appointments
  • Check physician availability

Authentication uses Microsoft Entra ID.

Only authorized staff members can invoke scheduling operations.


Enterprise Scenario 2

A manufacturing company exposes inventory services.

Operations include:

  • Check inventory
  • Reserve inventory
  • Release reservation
  • Find warehouse

The Copilot agent helps warehouse employees without requiring them to open multiple applications.


Enterprise Scenario 3

An insurance company exposes claim-processing APIs.

The connector allows the agent to:

  • Retrieve claim status
  • Submit documentation
  • Update claimant information
  • Schedule inspections

Because the connector already exists for Power Automate workflows, the same connector can be reused within Copilot Studio.


Comparing Integration Options

FeatureStandard ConnectorCustom ConnectorREST API ToolMCP Tool
Microsoft-managedYesNoNoDepends
Organization-createdNoYesNoSometimes
Requires API definitionNoYesYesYes
Reusable across Power PlatformYesYesNoVaries
Direct API callsNoIndirectYesVia MCP server
Best for enterprise reuseModerateExcellentModerateExcellent for standardized AI tool ecosystems

When to Choose an Existing Custom Connector

Use an existing custom connector when:

  • The organization already has one.
  • The API is used by multiple Power Platform solutions.
  • Authentication has already been configured.
  • Governance requirements already exist.
  • Multiple applications share the same integration.

When a REST API Tool May Be Better

A REST API tool may be preferable when:

  • Only one API operation is needed.
  • No connector currently exists.
  • Rapid prototyping is desired.
  • Reusability across the Power Platform is not required.

More AB-620 Exam Tips

Remember these key points:

  • Existing custom connectors promote reuse across the Power Platform.
  • Connectors encapsulate authentication and API definitions.
  • Use least-privilege permissions.
  • Select only the operations needed by the agent.
  • Map variables carefully between conversations and connector inputs.
  • Handle API failures gracefully.
  • Monitor connector performance and usage.
  • Use descriptive operation names.
  • Reuse existing connectors instead of duplicating integrations.
  • Understand when a custom connector is preferable to a REST API tool or MCP tool.

Practice Exam Questions

Question 1

An organization has already created a custom connector for its internal ERP system. A Copilot Studio developer needs to enable agents to retrieve inventory information.

What is the best approach?

A. Create a new REST API tool that duplicates the ERP functionality.

B. Reuse the existing custom connector.

C. Build a Power Automate flow that manually calls the API.

D. Export the connector as an Adaptive Card.

Answer: B

Explanation: Existing custom connectors should be reused whenever possible because they already encapsulate authentication, API definitions, governance, and maintenance.


Question 2

Which authentication method is generally recommended for enterprise APIs secured by Microsoft identity services?

A. Anonymous authentication

B. API key only

C. Microsoft Entra ID (OAuth 2.0)

D. Basic Authentication

Answer: C

Explanation: Microsoft Entra ID with OAuth 2.0 provides secure, centralized identity management, token-based authentication, and integration with enterprise security controls.


Question 3

A connector exposes twenty operations, but an agent only needs two of them.

What is the recommended design?

A. Enable all operations.

B. Create duplicate connectors.

C. Expose only the required operations.

D. Disable authentication.

Answer: C

Explanation: Limiting available operations simplifies agent behavior, improves security, and reduces unnecessary complexity.


Question 4

Which HTTP response code typically indicates that authentication has failed?

A. 404

B. 429

C. 500

D. 401

Answer: D

Explanation: A 401 Unauthorized response indicates that authentication credentials are missing, invalid, or expired.


Question 5

Why should connector operations have descriptive names?

A. They reduce API latency.

B. They improve AI tool selection and maintainability.

C. They eliminate authentication requirements.

D. They automatically optimize API performance.

Answer: B

Explanation: Clear operation names help both developers and AI orchestration determine the appropriate action to invoke.


Question 6

A connector returns customer name, address, loyalty status, and internal audit history. The agent only needs the customer’s loyalty status.

What is the best practice?

A. Return every field.

B. Add more connector actions.

C. Return only the required data.

D. Disable response parsing.

Answer: C

Explanation: Returning only the necessary data reduces payload size, improves performance, and minimizes exposure of unnecessary information.


Question 7

Which practice best supports enterprise security?

A. Embed administrator passwords in the connector.

B. Grant every available permission.

C. Use anonymous access.

D. Apply the principle of least privilege.

Answer: D

Explanation: Least privilege limits permissions to only those required, reducing security risks and supporting compliance.


Question 8

What is a primary advantage of using an existing custom connector instead of recreating the same integration?

A. It automatically removes authentication.

B. It eliminates API documentation.

C. It promotes reuse, governance, and centralized maintenance.

D. It guarantees faster API responses.

Answer: C

Explanation: Existing custom connectors provide reusable, centrally managed integrations that can be shared across Power Platform solutions.


Question 9

During execution, an API returns HTTP 429.

What does this typically indicate?

A. The requested resource was not found.

B. The request exceeded the service’s rate limit.

C. Authentication failed.

D. The connector is incorrectly configured.

Answer: B

Explanation: HTTP 429 indicates that too many requests have been sent in a given period, triggering rate limiting.


Question 10

When should a developer consider using an existing custom connector instead of creating a direct REST API tool?

A. When the organization already maintains the connector for multiple Power Platform solutions.

B. When no reusable integration exists.

C. Only during testing.

D. Only for public APIs.

Answer: A

Explanation: Reusing an existing custom connector leverages established authentication, governance, maintenance, and reusability across multiple applications, making it the preferred approach when such a connector already exists.


AB-620 Exam Summary

For the exam, remember these key takeaways:

  • Custom connectors encapsulate APIs into reusable Power Platform components.
  • Existing custom connectors should generally be reused instead of creating duplicate integrations.
  • Configure only the operations an agent requires.
  • Use secure authentication methods such as Microsoft Entra ID and OAuth 2.0.
  • Apply least-privilege security principles.
  • Map conversation variables carefully to connector inputs and outputs.
  • Handle API errors gracefully with user-friendly messages.
  • Monitor connector health, performance, and usage.
  • Understand when to use custom connectors versus REST API tools and MCP tools based on governance, reuse, and integration requirements.

Go to the AB-620 Exam Prep Hub main page

Connect to Azure AI Search (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Connect to enterprise knowledge sources
      --> Connect to Azure AI Search


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

What is Azure AI Search?

Azure AI Search is Microsoft’s enterprise search platform that indexes structured and unstructured content so AI applications can quickly retrieve relevant information.

Within Copilot Studio, Azure AI Search acts as a grounding source, allowing the agent to answer questions using your organization’s indexed knowledge instead of relying solely on the foundation model.

Think of it as the enterprise knowledge engine behind your AI agent.

Instead of asking:

“What does the language model know?”

the agent asks:

“What information exists inside our organization’s indexed documents?”


Why Use Azure AI Search?

Organizations often have:

  • Thousands of PDFs
  • Word documents
  • SharePoint files
  • Wikis
  • Product documentation
  • HR manuals
  • Technical specifications
  • Knowledge bases
  • Policy documents

Without search indexing:

  • documents remain isolated
  • responses may be incomplete
  • AI cannot efficiently locate relevant information

Azure AI Search solves this by:

  • indexing content
  • creating searchable metadata
  • performing semantic search
  • returning highly relevant passages

Copilot Studio can then use those passages to generate grounded responses.


High-Level Architecture

Enterprise Content
Azure Storage
SharePoint
SQL
Blob Storage
Web Sites
Databases
File Shares
Azure AI Search
Indexes
Documents
Metadata
Vectors (optional)
Copilot Studio
Grounding
Generative Answers
Agent Response

What Does Azure AI Search Store?

Azure AI Search stores indexes rather than the original documents.

Indexes contain:

  • searchable text
  • metadata
  • document identifiers
  • vector embeddings (optional)
  • semantic ranking information

The original documents remain in their original repositories.


Azure AI Search Components

Understanding these components is important for the exam.

Search Service

The Azure resource that hosts:

  • indexes
  • indexers
  • data sources
  • search APIs
  • semantic ranking

Data Source

Defines where information originates.

Examples:

  • Azure Blob Storage
  • SQL Database
  • Cosmos DB
  • SharePoint (through supported connectors)
  • Azure Table Storage

Index

A searchable collection of fields.

Example:

Document Name
Title
Category
Content
Department
Created Date
Owner
Keywords

Indexer

Automatically imports content into the index.

Responsibilities include:

  • reading documents
  • extracting text
  • updating indexes
  • incremental indexing
  • scheduling refreshes

Skillset (Optional)

A skillset enriches documents during indexing.

Examples include:

  • OCR
  • language detection
  • key phrase extraction
  • entity recognition
  • translation
  • image analysis

This creates richer searchable content.


How Copilot Studio Uses Azure AI Search

When a user asks:

“What is our PTO policy?”

Copilot Studio:

  1. Sends the query to Azure AI Search.
  2. Azure AI Search finds relevant indexed passages.
  3. Matching documents are returned.
  4. The language model generates an answer grounded in those documents.
  5. Citations can be included.

Retrieval-Augmented Generation (RAG)

Azure AI Search enables Retrieval-Augmented Generation (RAG).

Instead of relying only on model training:

User Question
Retrieve Documents
Ground Prompt
Generate Response

This greatly improves:

  • factual accuracy
  • enterprise relevance
  • freshness of information
  • reduced hallucinations

Benefits of Azure AI Search

Better Accuracy

Responses come from company documents.


Current Information

Indexes can refresh automatically.

This allows new documentation to become searchable.


Enterprise Security

Users only retrieve content they are authorized to access (depending on the implementation and connected systems).


Scalability

Millions of documents can be indexed efficiently.


Rich Metadata

Search can use:

  • departments
  • categories
  • dates
  • document types
  • owners
  • tags

to improve retrieval.


Supported Content Types

Azure AI Search can index many document formats, including:

  • PDF
  • Word
  • Excel
  • PowerPoint
  • HTML
  • JSON
  • CSV
  • XML
  • Text files

It can also index structured database records.


Semantic Search

Traditional keyword search looks for matching words.

Example:

vacation

Semantic search understands meaning.

Example:

User asks:

“How many vacation days do I receive?”

Relevant document:

“Employees receive 20 paid time off days annually.”

Semantic search recognizes:

Vacation = Paid Time Off

No exact keyword match is required.

This significantly improves answer quality.


Vector Search

Azure AI Search also supports vector search.

Instead of matching keywords:

  • text is converted into embeddings
  • similar meanings are identified
  • conceptual similarity is measured

Example:

User asks:

“Remote work policy”

Document says:

“Employees may perform duties from home.”

Keyword search may miss it.

Vector search finds it because the meanings are closely related.


Hybrid Search

Many enterprise implementations use hybrid search.

Hybrid combines:

  • keyword search
  • semantic ranking
  • vector search

This generally produces the highest-quality retrieval results and is increasingly recommended for AI-powered applications.


Connecting Azure AI Search to Copilot Studio

Typical steps include:

  1. Create an Azure AI Search service.
  2. Configure a data source.
  3. Build an index.
  4. Populate the index using an indexer.
  5. Enable semantic search if available.
  6. Connect the search service in Copilot Studio.
  7. Select the appropriate index.
  8. Configure the knowledge source.
  9. Test retrieval quality.
  10. Publish the agent.

Common Enterprise Scenarios

HR Assistant

Indexes:

  • employee handbook
  • benefits
  • PTO policies
  • onboarding guides

Employees receive accurate HR answers.


IT Help Desk

Indexes:

  • troubleshooting articles
  • knowledge base
  • software documentation
  • incident procedures

The agent resolves common IT questions.


Legal Assistant

Indexes:

  • contracts
  • compliance documents
  • regulations
  • internal policies

Responses are grounded in approved legal content.


Customer Support

Indexes:

  • product manuals
  • FAQs
  • troubleshooting guides
  • warranty documentation

Customers receive accurate support responses.


Sales Assistant

Indexes:

  • pricing documentation
  • product catalogs
  • competitive information
  • proposal templates

Sales representatives obtain consistent answers.


Best Practices

Build Clean Indexes

Avoid:

  • duplicate documents
  • obsolete files
  • incomplete documentation

Poor indexes lead to poor responses.


Use Meaningful Metadata

Metadata improves filtering.

Examples:

  • Department
  • Region
  • Product
  • Version
  • Owner

Schedule Regular Index Updates

Enterprise information changes frequently.

Regular refreshes keep responses current.


Enable Semantic Search

Semantic ranking generally improves retrieval quality compared to keyword search alone.


Monitor Search Quality

Review:

  • irrelevant responses
  • missing answers
  • outdated content
  • indexing failures

Continuously refine the index.


Security Considerations

Organizations should ensure:

  • Azure authentication is configured correctly.
  • Sensitive content is indexed intentionally.
  • Access permissions are respected.
  • Search services follow organizational governance policies.
  • Secrets and credentials are stored securely.

Limitations

Azure AI Search does not:

  • automatically understand every document without proper indexing
  • replace document governance
  • eliminate the need for quality source material
  • guarantee perfect answers if documents are outdated or incomplete

The quality of responses depends heavily on the quality and maintenance of the indexed content.


Exam Tips for topics covered so far

For the AB-620 exam, remember these key points:

  • Azure AI Search is primarily used to ground AI responses with enterprise data.
  • Copilot Studio queries indexes, not the original documents directly.
  • Semantic search improves retrieval by understanding intent and meaning.
  • Vector search retrieves conceptually similar content using embeddings.
  • Hybrid search combines keyword, semantic, and vector search for stronger results.
  • Indexers automate importing and refreshing searchable content.
  • High-quality, current indexes produce higher-quality grounded responses.

Advanced Index Design

An Azure AI Search index is much more than a simple list of documents. A well-designed index determines how effectively an AI agent retrieves information.

A typical enterprise index includes:

FieldPurposeSearchable
TitleDocument titleYes
ContentMain body textYes
CategoryDepartment or topicFilterable
AuthorDocument ownerFilterable
CreatedDateDate createdSortable
ModifiedDateLast updatedSortable
SecurityGroupAccess controlFilterable
DocumentURLCitation sourceRetrieved
KeywordsMetadataSearchable

Good index design improves:

  • Search relevance
  • Filtering
  • Security
  • Citation quality
  • Response accuracy

Document Chunking

Large documents should rarely be indexed as one massive record.

Instead, Azure AI Search typically indexes smaller chunks.

Example:

A 300-page employee handbook becomes:

  • Benefits section
  • PTO section
  • Holidays
  • Payroll
  • Remote work
  • Code of conduct
  • Travel policy

Instead of retrieving the entire handbook, Azure AI Search returns only the most relevant sections.

Benefits include:

  • Faster retrieval
  • Better grounding
  • Lower token usage
  • More accurate responses

Chunk Size Considerations

Choosing the correct chunk size is important.

Chunks that are too small

Problems include:

  • Missing context
  • Incomplete answers
  • Multiple retrievals required

Example:

Only one sentence is returned.


Chunks that are too large

Problems include:

  • Higher token consumption
  • Lower relevance
  • More irrelevant information

Best Practice

Use logical document sections.

Examples:

  • One policy
  • One chapter
  • One FAQ
  • One procedure
  • One product description

Metadata Filtering

Metadata helps Azure AI Search narrow search results.

Examples include:

  • Department
  • Country
  • Product
  • Region
  • Language
  • Version
  • Confidentiality level

Example query:

Show HR policies for employees in Canada.

The search can first filter:

  • Department = HR
  • Region = Canada

before retrieving relevant passages.


Semantic Ranking

Semantic ranking improves traditional keyword search.

Without semantic ranking:

User asks:

How do I request vacation?

Keyword search might only find documents containing the exact word “vacation.”

With semantic ranking:

Azure AI Search understands:

  • vacation
  • PTO
  • annual leave
  • paid leave
  • time off

It returns the most meaningful documents rather than only exact keyword matches.


Vector Search in Detail

Vector search converts text into numerical embeddings.

Rather than comparing words, it compares meaning.

Example:

User question:

Can I work from home?

Indexed document:

Employees may perform duties remotely.

Keyword overlap:

Very little.

Semantic similarity:

Very high.

Vector search successfully retrieves the document.


Hybrid Search Strategy

Most enterprise AI implementations use hybrid search.

Hybrid search combines:

  • Keyword search
  • Vector similarity
  • Semantic ranking

Benefits include:

  • Higher accuracy
  • Better recall
  • Better precision
  • Improved user satisfaction

Hybrid search is generally considered the recommended approach for enterprise AI.


Retrieval-Augmented Generation (RAG)

Azure AI Search enables Retrieval-Augmented Generation.

Workflow:

User Question
Azure AI Search
Relevant Chunks
LLM Prompt
Grounded Answer
Citation

The AI model generates answers only after retrieving relevant enterprise content.

This significantly reduces hallucinations.


Grounding Strategies

Good grounding depends on:

  • Clean source documents
  • Updated indexes
  • Proper chunking
  • Rich metadata
  • Semantic search
  • Hybrid search

Poor grounding often results from:

  • Duplicate files
  • Outdated documents
  • Missing metadata
  • Poor chunk boundaries
  • Incorrect indexing schedules

Security Trimming

Large organizations often have documents that should not be visible to every user.

Examples:

  • Executive policies
  • HR records
  • Financial reports
  • Legal contracts

Security trimming ensures that users retrieve only content they are authorized to access.

This is accomplished through identity, permissions, and access control mechanisms integrated with enterprise systems.


Incremental Indexing

Rebuilding an entire index can be expensive.

Instead, indexers typically perform incremental updates.

Example:

Monday:

100,000 documents

Tuesday:

Only 300 documents changed.

Incremental indexing updates only those 300 documents.

Benefits include:

  • Faster indexing
  • Lower compute costs
  • More current information
  • Reduced downtime

Index Refresh Strategies

Common schedules include:

  • Every 15 minutes
  • Hourly
  • Daily
  • Weekly

Choose a schedule based on how frequently the source data changes.

Examples:

Customer support knowledge:

Hourly

Employee handbook:

Weekly

Sales pricing:

Daily


Performance Optimization

Performance depends on:

  • Index size
  • Chunk size
  • Metadata quality
  • Semantic ranking
  • Vector indexing
  • Query complexity
  • Number of retrieved documents

Optimization techniques include:

  • Removing duplicate documents
  • Filtering before searching
  • Using hybrid search
  • Indexing only useful content
  • Excluding obsolete documents

Common Troubleshooting Scenarios

Problem

The agent cannot answer a question.

Possible causes:

  • Document not indexed
  • Indexer failed
  • Incorrect index selected
  • Missing permissions
  • Document format unsupported

Problem

The answer is outdated.

Possible causes:

  • Index not refreshed
  • Old documents remain indexed
  • Incremental indexing failed

Problem

The answer is inaccurate.

Possible causes:

  • Poor chunking
  • Weak metadata
  • Duplicate documents
  • Missing semantic ranking
  • Poor source documentation

Problem

Too many irrelevant documents are returned.

Possible causes:

  • No metadata filters
  • Large chunk size
  • Poor keyword quality
  • Broad search queries

Design Recommendations

Microsoft generally recommends:

  • Hybrid retrieval
  • Semantic ranking
  • Regular index updates
  • Rich metadata
  • Logical document chunking
  • High-quality source documents
  • Security-aware indexing
  • Continuous monitoring

Common Exam Mistakes

Candidates often confuse:

Azure AI Search vs. Azure OpenAI

Azure AI Search retrieves information.

Azure OpenAI generates responses.

Both work together in a RAG solution.


Index vs. Data Source

Data Source:

Where documents live.

Index:

What gets searched.


Indexer vs. Search Index

Indexer:

Loads data.

Index:

Stores searchable content.


Semantic Search vs. Vector Search

Semantic Search:

Uses language understanding to improve keyword-based ranking.

Vector Search:

Uses embeddings to retrieve conceptually similar content.

Hybrid search combines both approaches with keyword search.


More AB-620 Exam Tips

Remember the following:

  • Azure AI Search is the primary enterprise grounding service used by Copilot Studio.
  • AI agents search indexes rather than original documents directly.
  • Chunking improves retrieval quality.
  • Metadata improves filtering and relevance.
  • Indexers automate synchronization.
  • Semantic search improves intent matching.
  • Vector search improves conceptual matching.
  • Hybrid search typically provides the best overall retrieval performance.
  • Azure OpenAI generates the response after Azure AI Search retrieves the relevant content.
  • Good enterprise AI depends on both high-quality documents and high-quality indexing.

Practice Exam Questions

Question 1

A Copilot Studio agent uses Azure AI Search to answer employee questions. Which Azure AI Search feature allows the agent to retrieve conceptually similar information even when exact keywords are not present?

A. Indexer

B. Vector search

C. Filter expressions

D. Synonym maps

Answer: B

Explanation: Vector search uses embeddings to compare semantic meaning instead of exact keywords, allowing the retrieval of conceptually related information.


Question 2

Which Azure AI Search component is responsible for importing data from an external repository into a searchable index?

A. Semantic ranker

B. Search explorer

C. Indexer

D. Skillset

Answer: C

Explanation: An indexer connects to a data source, extracts content, and populates or refreshes the search index.


Question 3

Why is document chunking considered a best practice for enterprise AI agents?

A. It encrypts enterprise documents.

B. It eliminates duplicate documents automatically.

C. It allows the language model to train on enterprise content.

D. It improves retrieval precision by returning smaller, relevant sections.

Answer: D

Explanation: Smaller, logically organized chunks improve retrieval accuracy, reduce token usage, and provide better context for grounded responses.


Question 4

Which statement best describes the purpose of semantic ranking?

A. It schedules index refresh operations.

B. It converts documents into embeddings.

C. It improves search relevance by understanding the meaning behind user queries.

D. It compresses documents before indexing.

Answer: C

Explanation: Semantic ranking analyzes intent and contextual meaning to improve the ordering of search results beyond simple keyword matching.


Question 5

A company updates its employee handbook every day. Which indexing strategy minimizes processing time while keeping search results current?

A. Full index rebuild after every query

B. Weekly manual indexing

C. Incremental indexing

D. Delete and recreate the index daily

Answer: C

Explanation: Incremental indexing processes only changed documents, making updates faster and more efficient.


Question 6

In a Retrieval-Augmented Generation (RAG) architecture, what is Azure AI Search primarily responsible for?

A. Training the language model

B. Retrieving relevant enterprise information

C. Managing user authentication

D. Creating Adaptive Cards

Answer: B

Explanation: Azure AI Search retrieves relevant enterprise content, which is then supplied to the language model to generate grounded responses.


Question 7

What is the primary benefit of using metadata fields such as department and region within an Azure AI Search index?

A. They reduce Azure subscription costs.

B. They automatically summarize documents.

C. They improve filtering and search precision.

D. They increase language model context length.

Answer: C

Explanation: Metadata enables filtering before retrieval, improving both relevance and performance.


Question 8

An organization wants users to retrieve only documents they are authorized to view. Which design principle should be implemented?

A. Chunking

B. Security trimming

C. Semantic ranking

D. Synonym mapping

Answer: B

Explanation: Security trimming ensures that search results respect user permissions and organizational access controls.


Question 9

What is the primary purpose of hybrid search in Azure AI Search?

A. To replace semantic search completely

B. To eliminate metadata requirements

C. To combine keyword, semantic, and vector search techniques for improved retrieval

D. To reduce the number of indexed documents

Answer: C

Explanation: Hybrid search leverages multiple retrieval techniques to maximize both precision and recall.


Question 10

A Copilot Studio agent consistently provides outdated answers even though the source documents have been updated. What should an administrator investigate first?

A. Whether the language model version has changed

B. Whether the Adaptive Card schema is valid

C. Whether the agent’s topic triggers are configured correctly

D. Whether the Azure AI Search index has been refreshed successfully

Answer: D

Explanation: Outdated responses commonly indicate that the search index has not been updated after changes to the source documents. Regular index refreshes or successful indexer runs are essential for maintaining current grounded responses.


Key Takeaways for the AB-620 Exam

  • Azure AI Search provides enterprise knowledge grounding for Copilot Studio agents.
  • Indexes store searchable representations of documents, not the original files.
  • Indexers synchronize data sources with search indexes.
  • Chunking, metadata, semantic ranking, and vector search all contribute to better retrieval quality.
  • Hybrid search is the preferred enterprise retrieval strategy in many scenarios.
  • Security trimming ensures users only retrieve authorized content.
  • Retrieval-Augmented Generation (RAG) combines Azure AI Search retrieval with Azure OpenAI generation to produce accurate, grounded responses.

Go to the AB-620 Exam Prep Hub main page

Configure advanced agent responses with API and Send HTTP requests (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure advanced agent responses with API and Send HTTP requests


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most powerful capabilities of Microsoft Copilot Studio is the ability to extend an agent beyond conversational AI. While generative AI enables agents to answer questions from knowledge sources, enterprise agents frequently need to retrieve live information, update business systems, trigger workflows, or communicate with applications that exist outside Microsoft 365.

This is accomplished through APIs (Application Programming Interfaces) and HTTP requests.

For the AB-620 exam, you should understand not only how to configure HTTP requests within Copilot Studio, but also when they should be used, how they are secured, how data flows through requests and responses, and how these capabilities support enterprise-grade AI agents.


Learning Objectives

After studying this topic, you should be able to:

  • Explain why APIs are important in enterprise AI agents.
  • Understand the HTTP communication model.
  • Differentiate HTTP request methods.
  • Configure HTTP requests in Copilot Studio.
  • Pass parameters to external services.
  • Authenticate API requests.
  • Parse API responses.
  • Use returned data within agent conversations.
  • Recognize best practices for secure integrations.

Why Use APIs in Copilot Studio?

Generative AI can answer questions based on available knowledge.

However, business processes usually require interaction with systems that contain live operational data.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Financial systems
  • Ticketing systems
  • Booking systems
  • Custom business applications
  • Third-party SaaS platforms

Rather than simply answering questions, an agent can:

  • Retrieve customer account information
  • Create service tickets
  • Update CRM records
  • Submit purchase requests
  • Check inventory
  • Reserve meeting rooms
  • Retrieve shipping status
  • Submit vacation requests
  • Trigger approval workflows

This transforms the agent from an information assistant into an intelligent business application.


When to Use HTTP Requests

Microsoft Copilot Studio supports several methods of integrating external systems.

These include:

  • Microsoft Power Platform connectors
  • REST APIs
  • Custom connectors
  • Agent tools
  • Microsoft Graph
  • Azure services

HTTP requests are typically used when:

  • No prebuilt connector exists.
  • A custom application exposes a REST API.
  • You need full control over requests.
  • The API supports operations unavailable through existing connectors.
  • You need to communicate directly with enterprise services.

What is an API?

An Application Programming Interface (API) allows one application to communicate with another.

Instead of manually opening software and entering information, software applications exchange data automatically.

Example:

A user asks:

“What is the shipping status of Order 48291?”

Instead of searching documents:

The agent:

  1. Calls the shipping API.
  2. Sends Order ID 48291.
  3. Receives current shipping information.
  4. Formats the response.
  5. Displays it to the user.

The user experiences a natural conversation while the agent communicates with backend systems.


REST APIs

Most modern enterprise systems expose REST APIs.

REST (Representational State Transfer) is an architectural style for web services.

REST APIs typically use:

  • HTTP
  • URLs
  • JSON
  • Standard HTTP methods

Example endpoint:

https://company.com/api/customers/1052

The agent sends an HTTP request.

The service returns JSON.


HTTP Fundamentals

HTTP is the communication protocol used by browsers, websites, cloud services, and APIs.

Every HTTP request contains:

  • URL
  • Method
  • Headers
  • Parameters
  • Body (optional)

The server then returns:

  • Status code
  • Headers
  • Response body

Anatomy of an HTTP Request

Example:

GET https://api.company.com/orders/48291

Headers

Authorization: Bearer token
Accept: application/json

Response

{
"OrderNumber":"48291",
"Status":"Shipped",
"Carrier":"UPS"
}

The agent can extract these values and use them during the conversation.


HTTP Methods

Understanding HTTP methods is important for the AB-620 exam.

GET

Retrieves information.

Example:

Get customer details

No data is modified.

Examples:

  • Get customer profile
  • Get inventory
  • Get weather
  • Get shipping status

Safe operation.


POST

Creates new information.

Examples:

  • Create support ticket
  • Submit expense report
  • Create employee record

Example request:

POST /tickets

Body:

{
"Priority":"High",
"Description":"Printer not working"
}

PUT

Replaces an existing resource.

Example:

Update the complete employee record.

Entire object is replaced.


PATCH

Updates part of a resource.

Example:

Only update:

Customer Phone Number

instead of replacing the entire customer record.

PATCH is generally more efficient than PUT for partial updates.


DELETE

Removes a resource.

Example:

Delete reservation.

Delete temporary record.

Delete shopping cart.

Because DELETE permanently removes data, organizations often restrict access.


URL Components

Understanding URL structure is important.

Example:

https://api.company.com/customers/1052/orders?year=2025

Breakdown:

Protocol

https

Host

api.company.com

Resource

customers

Path Parameter

1052

Subresource

orders

Query Parameter

year=2025

Path Parameters

Path parameters identify a specific resource.

Example

/customers/1052

Customer ID

1052

is embedded within the URL.

Often used for:

  • Employee ID
  • Customer ID
  • Product ID
  • Ticket ID

Query Parameters

Query parameters filter information.

Example

/orders?status=Open

Another example

/products?category=Laptops

Query parameters are optional and do not change the endpoint itself.


HTTP Headers

Headers provide metadata about the request.

Common headers include:

Authorization

Bearer Token

Accept

application/json

Content-Type

application/json

User-Agent

Application identification.

Custom headers

Many enterprise APIs require organization-specific headers.


Request Body

GET requests usually do not include a request body.

POST, PUT, and PATCH commonly include one.

Example

{
"EmployeeID":102,
"Department":"Finance"
}

The body contains the information being submitted.


JSON

Most APIs communicate using JSON.

Example

{
"CustomerID": 1052,
"Name": "John Smith",
"Status": "Gold",
"RewardPoints": 8400
}

The agent can retrieve individual values such as:

  • Name
  • Status
  • RewardPoints

and include them in responses.


Authentication

Most enterprise APIs require authentication.

Without authentication:

The request is rejected.

Authentication verifies:

  • Who is calling
  • Whether permission exists
  • Which resources are accessible

Common Authentication Methods

API Keys

Simple authentication method.

Example

x-api-key:

Advantages:

  • Easy

Disadvantages:

  • Less secure
  • Key management required

OAuth 2.0

Most Microsoft services use OAuth.

Workflow:

User authenticates.

Identity provider issues access token.

Agent sends Bearer token.

API validates token.

Request proceeds.

OAuth supports:

  • Delegated permissions
  • Application permissions
  • Token expiration
  • Refresh tokens

It is considered the enterprise standard.


Microsoft Entra ID

Many enterprise APIs authenticate through Microsoft Entra ID.

Benefits include:

  • Centralized identity
  • Role-based access
  • Conditional Access
  • Multifactor Authentication
  • Secure token management

This is the preferred authentication mechanism for Microsoft enterprise environments.


Configuring HTTP Requests in Copilot Studio

Within Copilot Studio, HTTP requests can be configured as actions or tools that execute during conversations.

A typical configuration includes:

  1. Define the endpoint URL.
  2. Select the HTTP method.
  3. Configure authentication.
  4. Add headers.
  5. Add parameters.
  6. Configure the request body if needed.
  7. Send the request.
  8. Capture the response.
  9. Store returned values in variables.
  10. Continue the conversation using the returned data.

Passing Dynamic Values

Most APIs require information supplied by the user.

Example:

User says:

“Check order 84592.”

The conversation stores:

OrderID = 84592

The HTTP request inserts that variable into:

https://api.company.com/orders/84592

instead of using a hardcoded value.

Dynamic parameters make APIs reusable across conversations.


Using Responses in Conversations

After receiving JSON, Copilot Studio can:

  • Store values
  • Display values
  • Evaluate conditions
  • Pass values into other actions
  • Use values inside prompts
  • Populate Adaptive Cards
  • Trigger additional API calls

Example:

API returns:

{
"Status":"Delivered",
"Carrier":"FedEx",
"Date":"2026-06-14"
}

The agent responds:

“Your package was delivered on June 14 by FedEx.”

The user never sees the underlying API call.


Best Practices

When designing HTTP integrations:

  • Prefer HTTPS over HTTP.
  • Never hard-code secrets.
  • Use secure authentication mechanisms.
  • Validate user input before sending requests.
  • Minimize the amount of sensitive data transmitted.
  • Return only information required by the conversation.
  • Reuse existing connectors when appropriate instead of creating unnecessary custom integrations.
  • Document API endpoints and expected responses.
  • Test APIs independently before integrating them into an agent.
  • Design requests to be idempotent where appropriate, particularly for update operations.

Exam Tips

For the AB-620 exam, remember the following:

  • REST APIs are the primary mechanism for integrating enterprise systems.
  • HTTP requests enable agents to retrieve live data and perform actions.
  • GET retrieves data, POST creates data, PUT replaces data, PATCH partially updates data, and DELETE removes data.
  • Authentication is typically performed using OAuth 2.0 or Microsoft Entra ID in enterprise environments.
  • JSON is the most common format for request and response payloads.
  • Dynamic variables collected during conversations are frequently inserted into URLs, query parameters, headers, or request bodies.
  • Agent responses are generated by parsing API responses and presenting the returned data in a conversational format.
  • Security, authentication, and proper handling of API responses are core skills emphasized throughout the AB-620 exam.

Quick Orientation Summary

In the topics above, you learned the fundamentals of using APIs and HTTP requests in Microsoft Copilot Studio, including REST principles, HTTP methods, authentication, request construction, and response handling.

In the next set of topics below, we will build upon that foundation by exploring advanced implementation techniques, enterprise design patterns, security considerations, performance optimization, and common exam scenarios.


Advanced HTTP Integration Patterns

Enterprise AI agents rarely execute a single API call. Instead, they often perform multiple requests, make decisions based on returned data, and coordinate actions across several systems.

Common integration patterns include:

  • Sequential API requests
  • Conditional API execution
  • Parallel data retrieval
  • Data enrichment
  • Multi-system orchestration
  • Event-driven integrations

These patterns allow an agent to perform sophisticated business processes while maintaining a natural conversational experience.


Sequential API Calls

Sometimes one API request provides information needed by another request.

Example:

User asks:

“Show me all orders for customer John Smith.”

Workflow:

  1. Search Customers API
  2. Retrieve Customer ID
  3. Pass Customer ID to Orders API
  4. Retrieve order list
  5. Present results

Example flow:

User Question
Search Customer API
Customer ID Returned
Retrieve Orders API
Return Orders

This pattern is common in CRM and ERP integrations.


Conditional API Execution

An agent may determine whether another API call is necessary.

Example:

Get Order Status
Delivered?
/ \
Yes No
↓ ↓
End Call Shipping API

Conditional execution reduces unnecessary API calls while improving performance.


Data Enrichment

Multiple systems often contain complementary information.

Example:

CRM:

  • Customer name
  • Email

ERP:

  • Orders

Shipping system:

  • Tracking

The agent combines all three into one response.

Example:

Customer: John Smith
Gold Member
Last Order: June 10
Tracking Number: 874623

The user experiences a single conversation despite multiple backend requests.


Working with JSON Responses

Most enterprise APIs return JSON.

Example:

{
"customer": {
"id": 125,
"name": "John Smith",
"status": "Gold",
"orders": [
{
"number": 4521,
"total": 275
},
{
"number": 4528,
"total": 118
}
]
}
}

The agent may extract:

  • customer.name
  • customer.status
  • orders[0].number
  • orders[1].total

Understanding nested JSON structures is valuable for the exam.


Mapping JSON to Variables

Returned values are commonly stored as variables.

Example:

CustomerName
John Smith
MembershipStatus
Gold
RewardPoints
12450

These variables can later be referenced in prompts, Adaptive Cards, conditions, or additional HTTP requests.


Chaining Multiple Requests

Many business processes require several connected API operations.

Example:

Vacation request:

Employee submits request
Retrieve manager
Check leave balance
Create approval
Notify manager
Update HR system

Each step may involve a separate HTTP request.


Long-Running Operations

Some APIs require time to complete.

Examples include:

  • AI document analysis
  • Video processing
  • Image generation
  • Data exports
  • Large database operations

Typical workflow:

Submit Job
Receive Job ID
Check Status API
Completed?
Retrieve Results

This polling pattern is common in cloud services.


HTTP Status Codes

Understanding status codes is essential.

200 OK

The request completed successfully.


201 Created

A new resource was successfully created.

Example:

Create support ticket.


202 Accepted

The request has been accepted but processing continues.

Often used for asynchronous operations.


204 No Content

The operation succeeded without returning data.

Common with DELETE requests.


400 Bad Request

The request is invalid.

Possible causes:

  • Missing fields
  • Invalid parameters
  • Incorrect formatting

401 Unauthorized

Authentication failed.

Usually indicates:

  • Invalid token
  • Expired token
  • Missing credentials

403 Forbidden

Authentication succeeded.

Permission is denied.

Example:

User lacks required role.


404 Not Found

Requested resource does not exist.


429 Too Many Requests

Rate limit exceeded.

Clients should wait before retrying.


500 Internal Server Error

Unexpected server failure.

Retry may succeed later.


Error Handling Strategies

Good enterprise agents never expose raw API errors directly to users.

Poor response:

Error 500.

Better response:

“The customer database is temporarily unavailable. Please try again in a few minutes.”

The technical details should be logged while presenting a friendly message.


Retry Logic

Temporary failures should not always terminate a conversation.

Good candidates for retries:

  • Network timeout
  • Temporary server outage
  • HTTP 429
  • HTTP 503

Poor candidates:

  • Invalid credentials
  • Missing permissions
  • Incorrect request format

Retry strategies typically use exponential backoff to reduce server load.


Timeouts

Every HTTP request should define an appropriate timeout.

Without one:

  • Conversations may hang.
  • User experience suffers.
  • Resources remain occupied.

Enterprise solutions balance responsiveness with backend processing time.


Logging

Successful enterprise solutions record important execution details.

Typical information includes:

  • Timestamp
  • Endpoint
  • Status code
  • Duration
  • User ID (when appropriate)
  • Correlation ID
  • Request outcome

Sensitive information such as passwords or tokens should never be logged.


Security Best Practices

For the AB-620 exam, security is heavily emphasized.

Recommended practices include:

  • Always use HTTPS.
  • Store secrets securely.
  • Use OAuth or Microsoft Entra ID whenever possible.
  • Implement least-privilege access.
  • Validate all user input.
  • Sanitize request data.
  • Encrypt sensitive information.
  • Rotate credentials regularly.
  • Monitor API usage.
  • Audit access to critical resources.

Protecting Sensitive Information

Avoid exposing:

  • Passwords
  • Tokens
  • API keys
  • Internal URLs
  • Database identifiers
  • Personally identifiable information (PII)

Agents should display only the information users are authorized to see.


Rate Limiting

External APIs often restrict request volume.

Example:

500 requests/hour

If exceeded:

HTTP 429

Design strategies include:

  • Request batching
  • Caching
  • Retry delays
  • Limiting unnecessary calls

Performance Optimization

Well-designed agents minimize latency.

Optimization techniques include:

  • Reuse previously retrieved information.
  • Avoid duplicate API calls.
  • Cache frequently requested data.
  • Request only required fields.
  • Combine related operations when supported.
  • Minimize payload sizes.
  • Execute independent requests in parallel where appropriate.

Choosing Between Connectors and HTTP Requests

In Copilot Studio, both connectors and HTTP requests provide integration capabilities.

Use Connectors WhenUse HTTP Requests When
Microsoft provides a supported connectorNo connector exists
Standard authentication is sufficientFull control over requests is required
Low-code development is preferredCustom APIs must be accessed
Minimal maintenance is desiredSpecialized API features are needed
Enterprise governance favors managed connectorsAdvanced REST functionality is required

The exam may ask you to choose the most appropriate integration method.


Common Enterprise Scenarios

Customer Support

  • Retrieve account
  • Create ticket
  • Update ticket
  • Escalate issue

Sales

  • Search CRM
  • Retrieve opportunities
  • Update customer records
  • Generate quotes

Human Resources

  • Vacation requests
  • Employee lookup
  • Benefits information
  • Payroll inquiries

Finance

  • Expense submission
  • Invoice lookup
  • Budget approval
  • Payment status

IT Help Desk

  • Password reset
  • Device lookup
  • Software requests
  • Incident management

Common Exam Pitfalls

Watch for these common mistakes:

  • Using POST when GET is appropriate.
  • Sending sensitive information in URLs instead of secure request bodies or headers.
  • Hard-coding API keys.
  • Ignoring authentication requirements.
  • Assuming every successful request returns HTTP 200 (201, 202, and 204 are also successful responses).
  • Failing to validate user input before making API calls.
  • Displaying raw server errors to users.
  • Using HTTP requests when an existing connector is the better choice.
  • Not accounting for rate limits or transient failures.
  • Returning more data than necessary, increasing security and performance risks.

AB-620 Exam Tips

Remember these key points:

  • APIs enable agents to interact with live enterprise systems.
  • REST and JSON are the dominant standards for enterprise integrations.
  • OAuth 2.0 and Microsoft Entra ID are preferred authentication methods.
  • Understand the purpose of each HTTP method.
  • Differentiate client errors (4xx) from server errors (5xx).
  • Design secure, maintainable, and reusable integrations.
  • Handle failures gracefully with retries where appropriate.
  • Protect sensitive information throughout the integration process.
  • Choose connectors when possible and HTTP requests when customization is required.

Topic Summary

An enterprise Copilot Studio agent becomes significantly more powerful when it can communicate with external systems through APIs and HTTP requests. By combining conversational AI with secure integrations, organizations can automate business processes, retrieve live operational data, and perform transactions across enterprise applications.

For the AB-620 exam, focus on understanding the complete lifecycle of an HTTP request, authentication mechanisms, JSON handling, response processing, error handling, and secure integration design. These concepts are foundational to designing enterprise-grade AI agent solutions.


Practice Exam Questions

Question 1

A Copilot Studio agent must retrieve a customer’s current loyalty points without modifying any data. Which HTTP method should be used?

A. POST

B. GET

C. PATCH

D. DELETE

Answer: B

Explanation: GET is used to retrieve information without modifying server-side resources.


Question 2

An API returns HTTP status code 401 Unauthorized. What is the most likely cause?

A. The requested resource does not exist.

B. The request exceeded the rate limit.

C. Authentication credentials are missing or invalid.

D. The request completed successfully.

Answer: C

Explanation: A 401 status indicates that authentication failed because valid credentials were not provided or have expired.


Question 3

A developer needs to update only a customer’s phone number. Which HTTP method is most appropriate?

A. PUT

B. POST

C. PATCH

D. GET

Answer: C

Explanation: PATCH performs partial updates, making it ideal for modifying a single property without replacing the entire resource.


Question 4

Which authentication mechanism is recommended for securing enterprise APIs integrated with Microsoft Copilot Studio?

A. Anonymous authentication

B. Basic authentication using hardcoded credentials

C. OAuth 2.0 with Microsoft Entra ID

D. Query string authentication

Answer: C

Explanation: OAuth 2.0 integrated with Microsoft Entra ID provides secure, token-based authentication and centralized identity management.


Question 5

An agent receives the following response:

{
"Status":"Approved",
"Manager":"Karen Lee"
}

What should the agent do next?

A. Ignore the response.

B. Store the values in variables for use later in the conversation.

C. Convert the response into XML.

D. Retry the request immediately.

Answer: B

Explanation: JSON values are typically parsed and stored in variables for use in responses, conditions, or subsequent actions.


Question 6

A REST API limits clients to 1,000 requests per hour. Which design strategy best helps avoid exceeding this limit?

A. Retry every request immediately.

B. Disable authentication.

C. Cache frequently requested data and avoid unnecessary calls.

D. Send duplicate requests for verification.

Answer: C

Explanation: Caching and reducing redundant API calls are common strategies for working within rate limits.


Question 7

A company already has a fully supported Microsoft Power Platform connector for its CRM system. Which integration approach should generally be chosen?

A. Build every interaction using raw HTTP requests.

B. Use the existing connector unless custom functionality requires direct API access.

C. Export CRM data to spreadsheets.

D. Replace the CRM with a custom application.

Answer: B

Explanation: Managed connectors simplify development, maintenance, authentication, and governance, making them the preferred option when available.


Question 8

Which status code indicates that a new resource has been successfully created?

A. 200

B. 201

C. 404

D. 500

Answer: B

Explanation: HTTP 201 Created indicates that a new resource was successfully created by the server.


Question 9

What is the primary benefit of chaining multiple API requests within an agent flow?

A. It reduces authentication requirements.

B. It eliminates the need for variables.

C. It enables complex business processes that span multiple systems.

D. It guarantees faster execution than a single request.

Answer: C

Explanation: Chained API calls allow agents to orchestrate multi-step workflows involving several enterprise applications.


Question 10

Why should an agent avoid displaying raw HTTP error messages directly to users?

A. HTTP errors are never useful.

B. Raw errors may expose technical details and create a poor user experience.

C. HTTP errors always indicate a network problem.

D. Users cannot understand status codes.

Answer: B

Explanation: Enterprise agents should present friendly, actionable messages while logging technical details internally to maintain security and usability.


Go to the AB-620 Exam Prep Hub main page

Add tools to a topic (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Add tools to a topic


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Topics define how a Microsoft Copilot Studio agent responds to user requests and performs business tasks. While conversational responses can answer questions, most enterprise agents must also perform actions such as retrieving customer information, creating support tickets, updating records, approving requests, or interacting with external applications.

These capabilities are provided through tools. A tool enables an agent to move beyond answering questions and interact with business systems, APIs, workflows, databases, and AI services.

Understanding how to select, configure, and use tools within topics is an important objective for the AB-620 certification exam.


What Are Tools?

A tool is a reusable capability that an agent can invoke while executing a topic.

Rather than writing custom code, tools allow designers to connect an agent to business processes and enterprise systems.

A tool can:

  • Retrieve information
  • Create or update records
  • Execute workflows
  • Call external APIs
  • Generate AI responses
  • Search enterprise knowledge
  • Perform calculations
  • Trigger approvals
  • Invoke child agents
  • Connect to third-party applications

A topic determines when a tool should be called, while the tool determines what action is performed.


Why Add Tools to Topics?

Without tools, an agent is primarily informational.

With tools, an agent becomes capable of completing real business tasks.

Examples include:

  • Looking up customer orders
  • Creating help desk tickets
  • Updating CRM records
  • Scheduling appointments
  • Processing purchase requests
  • Retrieving inventory information
  • Sending emails
  • Creating Microsoft Teams messages
  • Accessing SharePoint documents
  • Initiating approval workflows

How Topics and Tools Work Together

A typical conversation follows this pattern:

  1. User asks a question.
  2. The topic is triggered.
  3. The topic collects required information.
  4. A tool is called.
  5. The tool performs its task.
  6. Results are returned.
  7. The topic formats the response.
  8. The conversation continues.

Example:

User:

“Create an IT support ticket.”

Topic:

  • Collects issue description
  • Collects priority
  • Collects device information

Tool:

Creates the ticket in ServiceNow or another ticketing system.

Topic:

Returns:

“Your ticket has been created successfully.”


Types of Tools Available

Copilot Studio supports several categories of tools.

Understanding when to use each one is important for the exam.


Built-in Tools

Built-in tools are native capabilities available within Copilot Studio.

Examples include:

  • Asking questions
  • Collecting user input
  • Sending responses
  • Ending conversations
  • Calling another topic
  • Using variables
  • Performing simple logic

Advantages:

  • Easy to configure
  • No coding required
  • Fast implementation
  • Low maintenance

Best for:

  • Simple business logic
  • Conversation management
  • User interaction

Connector Tools

Connector tools interact with external business applications using Power Platform connectors.

Examples include:

  • Microsoft Dataverse
  • Microsoft Teams
  • Outlook
  • SharePoint
  • Dynamics 365
  • SQL Server
  • Salesforce
  • SAP
  • ServiceNow
  • Azure DevOps

Advantages

  • Hundreds of available connectors
  • Low-code implementation
  • Secure authentication
  • Enterprise support

Example

A topic retrieves customer information from Dynamics 365 using a connector.


REST API Tools

Some business systems do not have built-in connectors.

REST API tools allow the agent to communicate directly with web services.

Common operations include:

  • GET
  • POST
  • PUT
  • PATCH
  • DELETE

Example

A shipping company exposes an API that returns package tracking information.

The topic calls the REST API and presents the tracking results.

REST APIs provide maximum flexibility when integrating enterprise applications.


Power Automate Flow Tools

Power Automate allows complex business processes to be executed from within a topic.

Typical uses include:

  • Multi-step approvals
  • Email notifications
  • Database updates
  • File creation
  • Scheduled processing
  • Document generation
  • ERP integration

Example

A vacation request topic:

  • Collects employee information
  • Calls a Power Automate flow
  • Sends approval to a manager
  • Waits for approval
  • Returns the result

Power Automate is ideal when business logic extends beyond a single API call.


AI Tools

Copilot Studio can leverage AI-powered tools for intelligent processing.

Examples include:

  • Summarization
  • Classification
  • Translation
  • Entity extraction
  • Content generation
  • Question answering
  • Enterprise knowledge retrieval

Example

A customer uploads a lengthy support log.

An AI tool summarizes the document before presenting key findings.

AI tools reduce manual effort and improve productivity.


Knowledge Tools

Knowledge tools retrieve information from trusted enterprise content.

Knowledge sources include:

  • SharePoint
  • Websites
  • Dataverse
  • Microsoft Fabric
  • Azure AI Search
  • Uploaded documents
  • Internal knowledge bases

Instead of storing static answers inside every topic, knowledge tools retrieve current information dynamically.

Example

An HR policy changes.

Rather than updating multiple topics, the knowledge source is updated once.

The agent automatically retrieves the latest information.


Model Context Protocol (MCP) Tools

Model Context Protocol (MCP) provides a standardized method for connecting agents to external services.

Benefits include:

  • Standardized integrations
  • Reusable tool definitions
  • Cross-platform interoperability
  • Reduced custom integration effort
  • Simplified maintenance

As MCP adoption grows, organizations can expose business capabilities through standardized tool interfaces that multiple AI agents can consume.


Child Agents as Tools

In multi-agent architectures, one agent can invoke another specialized agent.

Examples include:

General Employee Assistant

Benefits Agent

Payroll Agent

IT Agent

Each child agent specializes in a specific business domain.

Advantages include:

  • Better organization
  • Easier maintenance
  • Reusable business logic
  • Independent development
  • Improved scalability

Choosing the Correct Tool

When selecting a tool, consider several factors.

Simplicity

Use the simplest solution that meets the requirement.

Avoid unnecessary complexity.


Existing Connectors

If a connector already exists, use it instead of building a custom REST integration.


Business Logic

Simple task:

Connector

Complex workflow:

Power Automate


External Systems

If no connector exists:

REST API

If standardized services are available:

MCP


AI Requirements

Need summarization?

Use AI.

Need document retrieval?

Use enterprise knowledge.

Need workflow automation?

Use Power Automate.


Adding a Tool to a Topic

The general process includes:

  1. Open the topic.
  2. Navigate to the appropriate conversation step.
  3. Insert a tool node.
  4. Select the desired tool.
  5. Configure required inputs.
  6. Map outputs to variables.
  7. Continue the conversation.

The topic controls when the tool is executed.


Passing Input Parameters

Tools usually require information.

Examples include:

Customer ID

Order Number

Email Address

Product Name

Employee Number

Start Date

Priority

Department

These values are collected from:

  • User input
  • Variables
  • Previous tool results
  • System context

Example

User:

“Track package 84592.”

Package number becomes an input parameter for the tracking tool.


Receiving Output Parameters

After execution, tools often return results.

Examples include:

Customer Name

Order Status

Tracking Number

Ticket ID

Approval Result

Balance

Appointment Time

Confirmation Number

Outputs should be stored in variables for later use within the topic.


Variables and Data Mapping

Data mapping connects topic variables to tool parameters.

Example

Conversation variable:

CustomerEmail

Tool input:

EmailAddress

API parameter:

email

Correct mapping ensures the tool receives accurate data.

Incorrect mapping frequently causes tool failures.


Authentication Considerations

Many enterprise tools require authentication.

Common authentication methods include:

  • Microsoft Entra ID
  • OAuth 2.0
  • API keys
  • Service principals
  • Managed identities (where applicable)

Authentication should:

  • Follow least privilege principles.
  • Protect credentials.
  • Avoid hard-coded secrets.
  • Comply with organizational security policies.

Designers should understand authentication requirements even if administrators configure the connections.


Handling Tool Failures

External systems may occasionally fail.

Common causes include:

  • Network outages
  • Expired credentials
  • Invalid inputs
  • Service downtime
  • Permission errors
  • Rate limiting
  • API timeouts

Topics should anticipate failures and respond gracefully.

Example

Instead of:

“Unexpected Error.”

Return:

“I’m unable to retrieve your order information right now. Please try again later or contact support if the issue continues.”

Graceful error handling improves user trust.


Performance Considerations

Each tool invocation consumes time and resources.

To optimize performance:

  • Minimize unnecessary tool calls.
  • Reuse retrieved information when possible.
  • Avoid duplicate API requests.
  • Retrieve only required data.
  • Prefer connectors over custom integrations when appropriate.
  • Design efficient workflows.

Well-designed topics provide faster responses and reduce infrastructure costs.


Security Considerations

Tools often access sensitive enterprise data.

Best practices include:

  • Grant only required permissions.
  • Validate user inputs.
  • Protect confidential information.
  • Encrypt communications.
  • Use secure authentication.
  • Avoid exposing internal system details.
  • Log actions for auditing where appropriate.

Security planning is a recurring theme throughout the AB-620 exam.


Reusability

Rather than building identical tools repeatedly:

  • Reuse connectors.
  • Reuse Power Automate flows.
  • Reuse child agents.
  • Reuse MCP integrations.
  • Standardize common actions.

Reusable tools reduce maintenance effort and improve consistency across multiple agents.


Common Design Mistakes

Candidates should recognize poor design decisions such as:

  • Calling multiple tools when one is sufficient.
  • Using REST APIs when an existing connector is available.
  • Ignoring authentication requirements.
  • Not validating required inputs.
  • Failing to store outputs in variables.
  • Exposing raw API responses directly to users.
  • Building duplicate tools for the same function.
  • Not planning for service failures.
  • Hard-coding values that should be dynamic.

Best Practices

When adding tools to topics:

  • Select the simplest tool that satisfies the requirement.
  • Prefer existing connectors before creating custom integrations.
  • Keep tools focused on a single responsibility.
  • Validate all inputs before execution.
  • Store outputs in meaningful variables.
  • Handle failures gracefully.
  • Secure connections using enterprise authentication.
  • Reuse existing tools whenever possible.
  • Test tools independently before integrating them into topics.
  • Document tool purpose and dependencies.

AB-620 Exam Tips

For the exam, you should be able to:

  • Explain the purpose of tools within a topic.
  • Distinguish between connectors, REST APIs, Power Automate flows, AI tools, knowledge tools, MCP tools, and child agents.
  • Identify the best tool for common business scenarios.
  • Understand how topics invoke tools and process their outputs.
  • Configure input and output parameters using variables.
  • Recognize authentication and security considerations.
  • Design reusable and maintainable tool integrations.
  • Select appropriate error-handling strategies.
  • Optimize tool usage for performance and scalability.
  • Evaluate scenario-based questions that require choosing the most appropriate integration approach based on business requirements.

Mastering how tools extend topics is fundamental to building enterprise-ready Copilot Studio agents. The AB-620 exam emphasizes selecting the right tool for the right scenario, configuring it securely, and integrating it into conversational workflows that are reliable, maintainable, and user-friendly.


AB-620 Exam Preparation

Configure Topics: Add Tools to a Topic (Part 2)

This part continues the discussion of adding tools to topics in Microsoft Copilot Studio. It focuses on implementation strategies, best practices, troubleshooting, design considerations, and concludes with 10 practice exam questions complete with answers and explanations.


Advanced Tool Integration Strategies

As Copilot Studio solutions become more sophisticated, topics often interact with multiple tools during a single conversation. Instead of simply calling one connector, enterprise-grade agents frequently coordinate several tools to complete a business process.

For example:

User asks:

“Book a meeting with Sarah next Tuesday and email everyone on the project.”

The topic might perform the following:

  1. Query Microsoft 365 Users
  2. Check Outlook Calendar
  3. Create calendar event
  4. Query Dataverse for project members
  5. Send Outlook email
  6. Log activity in Dynamics 365
  7. Return confirmation

Although the user experiences one seamless conversation, multiple tools execute behind the scenes.


Chaining Multiple Tools

Complex topics commonly chain tool calls together.

Example workflow:

User Request
Validate request
Retrieve customer
Retrieve order
Retrieve shipment
Update CRM
Send confirmation email
Respond to user

Benefits include:

  • Reduced manual work
  • Consistent business processes
  • Better user experience
  • Improved automation
  • Easier maintenance

Passing Data Between Tools

Outputs from one tool frequently become inputs for another.

Example

Tool 1:

Get Customer
Returns
CustomerID

Tool 2

Get Orders
Input
CustomerID

Tool 3

Get Shipment
Input
OrderID

Tool 4

Send Email
Uses shipment details

Proper variable mapping is critical for successful tool orchestration.


Using Variables with Tools

Variables make tool interactions dynamic.

Examples include:

Conversation variables

  • Customer Name
  • Order Number
  • Product Name
  • Email Address

System variables

  • Current Date
  • User ID
  • Locale
  • Conversation ID

Tool outputs

  • Record IDs
  • API responses
  • Status values
  • URLs

Variables eliminate hard-coded values and enable reusable conversations.


Designing Reusable Tool Calls

Rather than creating duplicate logic across many topics, organizations should centralize reusable business operations.

Poor design

Topic A
Create Customer
Topic B
Create Customer
Topic C
Create Customer

Every topic duplicates logic.

Better design

Reusable Tool
Create Customer
Used by
Topic A
Topic B
Topic C

Advantages include:

  • Easier maintenance
  • Fewer errors
  • Consistent business rules
  • Simpler updates
  • Improved scalability

Designing for Performance

Every tool invocation introduces some latency.

Good design minimizes unnecessary tool calls.

Instead of:

Get Customer
Get Customer Again
Get Customer Again

Store the response once and reuse it.

Additional performance practices include:

  • Cache values when appropriate.
  • Avoid duplicate connector calls.
  • Retrieve only required fields.
  • Reduce unnecessary API requests.
  • Use efficient branching logic.

Handling Missing Information

Sometimes a tool requires information that the user has not yet provided.

Example

User says:

“Cancel my reservation.”

The tool requires:

  • Reservation number

The topic should ask:

“Could you provide your reservation number?”

Only after receiving the required information should the tool execute.


User Confirmation Before Tool Execution

Certain business actions should require explicit user confirmation.

Examples include:

  • Delete record
  • Cancel order
  • Submit expense
  • Approve invoice
  • Create purchase order
  • Send payment

Conversation example

User:

“Delete customer.”

Agent:

“Are you sure you want to permanently delete customer Contoso?”

User:

“Yes.”

Tool executes.

Confirmation reduces accidental business changes.


Handling Tool Failures Gracefully

External systems occasionally become unavailable.

Good topics anticipate failures.

Instead of displaying technical messages such as:

HTTP 500 Internal Server Error

Use business-friendly responses.

Example

“I’m unable to access the customer database right now. Please try again in a few minutes.”

Or

“I couldn’t retrieve your order information. Would you like me to connect you with a support representative?”


Timeout Considerations

External services may take several seconds to respond.

Topics should:

  • Inform users when processing takes time.
  • Avoid repeated submissions.
  • Prevent duplicate actions.
  • Handle timeout exceptions.
  • Retry when appropriate.

Security When Using Tools

Tools often access enterprise data.

Developers should follow least privilege principles.

Only expose:

  • Required tables
  • Required APIs
  • Required operations

Avoid granting unnecessary permissions.

Example

Instead of allowing:

Read All Customers
Write All Customers
Delete All Customers

Grant only:

Read Assigned Customers

This reduces security risks.


Auditing Tool Usage

Organizations frequently monitor tool usage.

Auditing can record:

  • User identity
  • Timestamp
  • Tool executed
  • Parameters
  • Result
  • Errors
  • Duration

Benefits include:

  • Compliance
  • Troubleshooting
  • Usage reporting
  • Security investigations

Common Tool Design Mistakes

Calling too many tools

Problem

Slow conversations

Better

Retrieve only necessary information.


Duplicating connector logic

Problem

Maintenance becomes difficult.

Better

Create reusable tools.


Poor variable management

Problem

Wrong data passed to connectors.

Better

Use meaningful variable names.


Ignoring failures

Problem

Conversation stops unexpectedly.

Better

Implement error handling and fallback responses.


Excessive permissions

Problem

Security risk.

Better

Apply least privilege access.


Best Practices

Choose the right tool

Different business needs require different tool types.

Examples:

  • Microsoft 365 → Microsoft connectors
  • Dynamics 365 → Dataverse connector
  • SAP → Custom connector
  • REST API → REST tool
  • Internal services → MCP or REST

Build reusable business capabilities

Instead of embedding business logic inside every topic:

  • Create reusable tools.
  • Reuse connectors.
  • Standardize API calls.
  • Centralize business logic.

Test every tool thoroughly

Testing should include:

  • Valid inputs
  • Invalid inputs
  • Missing values
  • Authentication failures
  • Timeout scenarios
  • Permission issues
  • Large datasets

Keep conversations natural

The user should not notice tool complexity.

Good experience:

User:

“Where is my order?”

Agent:

“Your order shipped yesterday and is expected to arrive Friday.”

Poor experience:

“I’m calling connector 4…waiting for API…processing response…”


Exam Tips

Remember the following concepts:

  • Topics orchestrate business conversations.
  • Tools perform business operations.
  • Connectors communicate with external systems.
  • Variables pass data between conversation steps.
  • Tool outputs can feed subsequent actions.
  • Reusable tools reduce maintenance.
  • Confirmation should precede destructive actions.
  • Errors should produce friendly responses.
  • Least privilege improves security.
  • Proper testing ensures reliable automation.

Practice Exam Questions

Question 1

A topic retrieves customer information before creating a support ticket. Which design approach is most efficient?

A. Retrieve the customer information every time it is needed.

B. Store the customer information in a variable and reuse it throughout the topic.

C. Ask the user to enter the information multiple times.

D. Create separate connectors for each step.

Correct Answer: B

Explanation:
Retrieving the information once and storing it in a variable reduces connector calls, improves performance, and simplifies the conversation.


Question 2

A topic updates customer records and then sends a confirmation email. What is happening?

A. Parallel execution

B. Conversation branching

C. Tool chaining

D. Topic merging

Correct Answer: C

Explanation:
Tool chaining occurs when the output or completion of one tool triggers the execution of another tool in sequence.


Question 3

A tool requires an Order ID, but the user has not provided one. What should the topic do?

A. Use a random Order ID.

B. Skip the tool execution.

C. Generate a placeholder value.

D. Prompt the user to provide the missing Order ID.

Correct Answer: D

Explanation:
Topics should collect all required information before invoking a tool.


Question 4

Which practice best supports reusable agent design?

A. Embed identical connector logic in every topic.

B. Duplicate actions across multiple topics.

C. Create centralized reusable tools that multiple topics can call.

D. Build separate connectors for every conversation.

Correct Answer: C

Explanation:
Reusable tools centralize business logic, making updates easier and ensuring consistent behavior.


Question 5

A connector returns an HTTP error. What is the best user experience?

A. Display the raw HTTP error.

B. End the conversation immediately.

C. Ask the user to debug the connector.

D. Present a friendly message explaining that the service is temporarily unavailable.

Correct Answer: D

Explanation:
Users should receive understandable messages rather than technical error details.


Question 6

Which security principle should guide tool permissions?

A. Full administrative access

B. Least privilege

C. Anonymous access

D. Shared administrator accounts

Correct Answer: B

Explanation:
Grant only the permissions necessary for the tool to perform its intended function.


Question 7

Why should developers audit tool usage?

A. To slow down execution

B. To increase connector costs

C. To support compliance, troubleshooting, and monitoring

D. To replace authentication

Correct Answer: C

Explanation:
Audit logs provide visibility into tool execution and support governance and compliance.


Question 8

When should an agent request confirmation before executing a tool?

A. Before every read-only operation

B. Before displaying help information

C. Before listing products

D. Before deleting or making significant business changes

Correct Answer: D

Explanation:
Confirmation helps prevent accidental execution of irreversible or high-impact actions.


Question 9

What is the primary purpose of passing variables between tools?

A. To reduce conversation quality

B. To transfer outputs from one action as inputs to another

C. To eliminate authentication

D. To avoid using connectors

Correct Answer: B

Explanation:
Variables enable data produced by one tool to be reused by subsequent tools in the workflow.


Question 10

A topic repeatedly calls the same connector to retrieve unchanged customer data. What is the recommended improvement?

A. Increase the number of connector calls.

B. Replace the connector with a chatbot response.

C. Cache or store the retrieved data in variables and reuse it.

D. Split the topic into multiple unrelated topics.

Correct Answer: C

Explanation:
Reusing previously retrieved data reduces latency, minimizes API calls, and improves overall performance.


Go to the AB-620 Exam Prep Hub main page