Tag: AI Agents

Integrate an existing agent in Copilot Studio (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Configure multi-agent collaboration from Copilot Studio
      --> Integrate an existing agent in Copilot Studio


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

As AI solutions become more sophisticated, organizations rarely rely on a single intelligent agent to perform every task. Instead, they build ecosystems of specialized agents that collaborate to complete user requests. Rather than recreating functionality, Microsoft Copilot Studio enables makers to integrate existing agents into new solutions, allowing organizations to reuse previously developed capabilities.

An existing agent is an AI agent that has already been created, configured, and tested. Instead of duplicating its logic, another Copilot Studio agent can delegate work to it when specialized knowledge or functionality is required.

For the AB-620 exam, you should understand:

  • Why organizations integrate existing agents
  • The different multi-agent architectures
  • When to reuse an existing agent
  • Connected agents versus child agents
  • Delegation strategies
  • Security considerations
  • Enterprise design patterns
  • Best practices for scalable agent collaboration

Why Integrate Existing Agents?

Many organizations already have AI agents that perform specialized business functions.

Examples include:

  • HR assistant
  • IT Help Desk agent
  • Benefits agent
  • Finance assistant
  • Procurement assistant
  • Legal advisor
  • Customer support bot
  • Inventory assistant
  • Sales assistant
  • Compliance advisor

Instead of creating one enormous agent that performs every task, Copilot Studio enables these specialized agents to work together.

Benefits include:

  • Reduced development time
  • Reuse of existing investments
  • Easier maintenance
  • Better scalability
  • Improved governance
  • Independent lifecycle management
  • Clear ownership between departments

What Is Multi-Agent Collaboration?

Multi-agent collaboration allows multiple intelligent agents to cooperate to fulfill a user’s request.

Rather than performing every task itself, one agent delegates work to another agent with specialized capabilities.

Example:

User:
"I need to schedule a vacation and verify my remaining PTO."
Employee Agent
Delegates PTO calculation
HR Agent
Returns remaining balance
Employee Agent
Schedules vacation request

The user experiences a seamless conversation, even though multiple agents participated.


Why Reuse Existing Agents?

Creating a new agent every time is inefficient.

Instead, organizations reuse agents that already provide:

  • validated business logic
  • tested prompts
  • secured integrations
  • approved knowledge sources
  • governance policies
  • compliance controls

This reduces duplication while improving consistency.


Common Enterprise Scenarios

Human Resources

Existing HR Agent

Handles:

  • leave requests
  • benefits
  • payroll
  • employee policies

Corporate Assistant

Handles:

  • general employee questions
  • company news
  • navigation

Delegates HR-related requests to the HR agent.


IT Support

Corporate Assistant

Handles:

  • FAQs
  • onboarding
  • software requests

IT Agent

Handles:

  • password reset
  • device management
  • troubleshooting
  • incident lookup

Healthcare

Patient Agent

Handles:

  • appointments
  • scheduling
  • billing

Clinical Agent

Handles:

  • medical summaries
  • treatment guidance
  • clinical knowledge

Banking

Customer Service Agent

Handles:

  • balances
  • transfers
  • FAQs

Investment Agent

Handles:

  • portfolio analysis
  • market recommendations
  • retirement planning

Types of Agent Integration

Several integration patterns exist.

Connected Agents

A connected agent operates as an independent AI agent.

Characteristics:

  • independently managed
  • separate lifecycle
  • separate owner
  • reusable
  • can serve multiple parent agents

Best for:

  • enterprise-wide services
  • shared business capabilities
  • departmental AI

Child Agents

Child agents are invoked by another agent to perform specific work.

Characteristics:

  • specialized
  • reusable
  • task-oriented
  • invisible to users

Examples:

  • tax calculator
  • recommendation engine
  • shipping estimator
  • language translator

External AI Agents

Organizations may integrate:

  • Azure AI Foundry agents
  • external AI services
  • partner AI systems

Copilot Studio orchestrates communication while external agents perform advanced reasoning.


Choosing the Right Integration Pattern

ScenarioRecommended Approach
Shared HR knowledgeConnected agent
Specialized calculationsChild agent
Advanced AI reasoningFoundry agent
Department-owned solutionConnected agent
Small reusable taskChild agent

Agent Orchestration

Copilot Studio often serves as the orchestration layer.

Responsibilities include:

  • managing conversations
  • determining user intent
  • collecting required information
  • selecting the appropriate agent
  • coordinating responses
  • presenting final answers

The delegated agent focuses only on the assigned task.


Delegation Workflow

A typical workflow looks like this:

User
Primary Copilot Studio Agent
Determine Intent
Need Specialist?
Yes
Delegate
Existing Agent
Process Request
Return Result
Primary Agent
Respond to User

Benefits of Delegation

Delegation enables:

  • modular AI architecture
  • reuse
  • scalability
  • specialization
  • simplified maintenance
  • independent updates
  • reduced development costs

Each agent performs only the work it is designed to perform.


Designing Specialized Agents

Good agent design follows the principle of specialization.

Instead of:

Mega Agent

that performs everything,

create:

Customer Agent
HR Agent
Finance Agent
Legal Agent
IT Agent
Operations Agent

Each agent develops expertise in its domain.


Avoiding Monolithic Agents

Large all-in-one agents often suffer from:

  • excessive prompts
  • difficult maintenance
  • poor scalability
  • slower responses
  • conflicting instructions
  • increased hallucinations

Smaller specialized agents generally produce more predictable behavior.


Routing User Requests

The primary agent determines:

  • What is the user’s intent?
  • Can I answer directly?
  • Should another agent answer?
  • Which agent has the required expertise?

Examples:

User RequestDelegated Agent
Reset passwordIT Agent
Benefits questionHR Agent
Vendor paymentFinance Agent
Legal contractLegal Agent
Product inventoryInventory Agent

Agent Ownership

Large organizations often assign ownership to departments.

Example:

DepartmentAgent Owner
HRHR Team
ITInfrastructure Team
FinanceFinance Department
LegalLegal Department
SalesSales Operations

This decentralized ownership allows independent maintenance while supporting enterprise-wide collaboration.


Authentication Considerations

Integrated agents should communicate securely.

Authentication may involve:

  • Microsoft Entra ID
  • Managed identities
  • OAuth
  • API keys (when appropriate)
  • Service principals

Authentication should always follow organizational security policies.


Authorization

Authentication verifies identity.

Authorization determines what an agent is allowed to access.

Examples include:

  • HR records
  • payroll information
  • financial systems
  • customer databases
  • confidential documents

Delegated agents should only receive the permissions required to perform their tasks.


Context Sharing

When delegating requests, Copilot Studio shares only the context necessary for the delegated agent.

Examples of shared context:

  • user request
  • conversation variables
  • customer ID
  • department
  • case number
  • selected product

Avoid transmitting unnecessary information to reduce token usage and minimize exposure of sensitive data.


Best Practices

When integrating existing agents:

  • Reuse existing business capabilities whenever practical.
  • Keep agents focused on specific domains.
  • Use Copilot Studio as the orchestration layer.
  • Delegate only when specialized functionality is required.
  • Secure all communication between agents.
  • Minimize duplicated functionality.
  • Share only the context required for task completion.
  • Monitor agent performance and delegation frequency.
  • Design for independent updates and lifecycle management.
  • Document agent responsibilities clearly.

Key Exam Takeaways

For the AB-620 exam, remember these core concepts:

  • Existing agents enable organizations to reuse previously developed AI capabilities.
  • Copilot Studio commonly acts as the orchestrator in multi-agent solutions.
  • Connected agents are independently managed and reusable across solutions.
  • Child agents perform focused tasks on behalf of another agent.
  • Delegation improves scalability, maintainability, and modularity.
  • Authentication and authorization remain critical when integrating agents.
  • Agent specialization is preferred over monolithic, all-in-one designs.

Advanced Integration Patterns

As organizations mature their AI strategy, they often move beyond simple one-to-one delegation and adopt more sophisticated collaboration models. Copilot Studio supports orchestrating multiple specialized agents to create scalable, maintainable enterprise AI solutions.

Hub-and-Spoke Architecture

In this model, a primary Copilot Studio agent acts as the central orchestrator.

                 HR Agent
                     │
Finance Agent ──► Corporate Assistant ◄── IT Agent
                     │
               Legal Agent
                     │
             Inventory Agent

Advantages:

  • Centralized user experience
  • Simplified routing logic
  • Independent agent ownership
  • Easy addition of new agents
  • Consistent governance

Typical enterprise use:

  • Employee portals
  • Enterprise help desks
  • Customer service hubs

Layered Agent Architecture

Some solutions use multiple levels of delegation.

User
Primary Agent
Operations Agent
Inventory Agent
Warehouse Agent

This approach supports very complex business processes while allowing each agent to remain focused on a narrow domain.


Domain-Based Agent Design

A common enterprise strategy is to organize agents around business domains rather than technical systems.

Examples include:

Business DomainSpecialized Agent
Human ResourcesHR Agent
FinanceFinance Agent
Customer ServiceCustomer Support Agent
LegalLegal Agent
ManufacturingOperations Agent
SalesSales Agent
ProcurementPurchasing Agent

Benefits include:

  • Clear ownership
  • Easier governance
  • Better scalability
  • Independent release cycles

Agent Discovery

As organizations create dozens of agents, discovering the appropriate one becomes increasingly important.

Selection may be based on:

  • User intent
  • Department
  • Business process
  • Required expertise
  • User permissions
  • Conversation context

Well-designed orchestration ensures requests are routed to the most appropriate agent.


Governance Considerations

Enterprise AI requires governance throughout the agent lifecycle.

Governance includes:

  • Naming standards
  • Version control
  • Ownership
  • Documentation
  • Security reviews
  • Approval processes
  • Retirement planning

Organizations should maintain an inventory of available agents and their responsibilities.


Version Management

Existing agents evolve over time.

Considerations include:

  • Backward compatibility
  • API changes
  • Updated prompts
  • New tools
  • Modified knowledge sources
  • New capabilities

When integrating an existing agent, verify that updates do not introduce breaking changes for dependent solutions.


Monitoring Multi-Agent Solutions

Monitoring helps ensure reliable operation.

Important metrics include:

Conversation Metrics

  • Conversation completion rate
  • Successful delegations
  • Failed delegations
  • User satisfaction
  • Escalation frequency

Performance Metrics

  • Response time
  • Delegation latency
  • API execution time
  • Tool execution duration
  • Token consumption

Operational Metrics

  • Authentication failures
  • Authorization failures
  • Service availability
  • Agent utilization
  • Error rates

These metrics help identify performance bottlenecks and reliability issues.


Troubleshooting Agent Integrations

Common issues include:

Incorrect Agent Selection

Symptoms:

  • Requests routed to the wrong agent
  • Incorrect answers
  • User frustration

Resolution:

  • Improve intent recognition
  • Refine routing logic
  • Clarify agent responsibilities

Authentication Failures

Symptoms:

  • Access denied
  • Unauthorized responses
  • Connection errors

Resolution:

  • Verify credentials
  • Review authentication configuration
  • Confirm permissions

Missing Context

Symptoms:

  • Incomplete responses
  • Incorrect recommendations
  • Missing user information

Resolution:

  • Pass the required conversation variables
  • Validate data mappings
  • Ensure necessary context is shared

Circular Delegation

Example:

Agent A
Agent B
Agent A

This creates unnecessary processing and can result in loops.

Avoid circular dependencies by clearly defining agent responsibilities.


Performance Optimization

To improve efficiency:

  • Delegate only when necessary.
  • Reduce prompt size.
  • Pass only relevant context.
  • Avoid duplicate processing.
  • Minimize unnecessary API calls.
  • Reuse specialized agents.
  • Cache frequently requested information when appropriate.
  • Monitor response latency.

Efficient designs reduce operational costs and improve user experience.


Security Best Practices

When integrating existing agents:

  • Use Microsoft Entra ID where appropriate.
  • Apply least-privilege access.
  • Protect secrets using secure credential storage.
  • Encrypt communications.
  • Validate user identity before delegation.
  • Audit delegated actions.
  • Restrict access to sensitive knowledge sources.

Security should remain consistent across every participating agent.


Common Design Mistakes

Avoid these frequent errors:

❌ Creating duplicate agents with identical responsibilities

❌ Sending excessive conversation history

❌ Delegating every request

❌ Ignoring security boundaries

❌ Allowing overlapping ownership

❌ Building one massive all-purpose agent

❌ Failing to monitor delegated conversations

❌ Not documenting integration points


Enterprise Example

A global organization deploys a Corporate Assistant.

Employee asks:

“How many vacation days do I have left, and can I book next Friday off?”

Workflow:

  1. Corporate Assistant identifies an HR-related request.
  2. It delegates the request to the existing HR Agent.
  3. The HR Agent retrieves PTO data.
  4. The HR Agent validates available leave.
  5. The HR Agent submits the leave request.
  6. The HR Agent returns the result.
  7. The Corporate Assistant presents a user-friendly response.

The employee interacts with a single conversational interface while multiple specialized agents collaborate behind the scenes.


AB-620 Exam Tips

Expect scenario-based questions covering:

  • Choosing between connected and child agents
  • Designing scalable multi-agent architectures
  • Determining when to reuse existing agents
  • Selecting an orchestration strategy
  • Securing communication between agents
  • Monitoring delegated operations
  • Avoiding duplicated functionality
  • Improving maintainability through specialization

Remember these principles:

  • Copilot Studio commonly acts as the orchestration layer.
  • Existing agents should be reused whenever appropriate.
  • Keep agents specialized and modular.
  • Delegate only when another agent offers distinct expertise.
  • Share only the minimum context required.
  • Secure all integrations.
  • Monitor performance continuously.
  • Avoid monolithic designs.

Practice Exam Questions

Question 1

A company has separate HR, Finance, and IT agents that already perform their respective business functions. A Corporate Assistant should provide a single conversational interface while delegating specialized requests.

Which design best meets this requirement?

A. Create one new agent that duplicates every department’s functionality.

B. Replace all departmental agents with the Corporate Assistant.

C. Configure the Corporate Assistant as the orchestration layer that delegates requests to existing specialized agents.

D. Require users to manually choose which agent to contact before each request.

Answer: C

Explanation: Copilot Studio is commonly used as the orchestration layer, allowing existing specialized agents to perform domain-specific work while presenting users with one unified conversational experience.


Question 2

Which characteristic best describes a connected agent?

A. It is independently managed and reusable across multiple solutions.

B. It only performs mathematical calculations.

C. It can never communicate with another agent.

D. It always replaces the parent agent.

Answer: A

Explanation: Connected agents are autonomous, independently managed agents that can be reused by multiple Copilot Studio solutions.


Question 3

Why should organizations reuse existing agents whenever practical?

A. To increase prompt size.

B. To reduce duplication and leverage previously tested business capabilities.

C. To eliminate authentication requirements.

D. To prevent delegation.

Answer: B

Explanation: Reusing existing agents minimizes development effort while taking advantage of validated logic, integrations, governance, and security.


Question 4

Which practice best improves the performance of delegated conversations?

A. Send every conversation message ever exchanged.

B. Delegate every user request regardless of complexity.

C. Allow multiple agents to answer the same question simultaneously.

D. Share only the context required for the delegated task.

Answer: D

Explanation: Passing only relevant context reduces latency, token consumption, and unnecessary processing.


Question 5

An organization notices that Agent A frequently delegates requests to Agent B, which immediately delegates them back to Agent A.

What architectural issue exists?

A. Token expiration

B. Circular delegation

C. Prompt grounding

D. Adaptive Card failure

Answer: B

Explanation: Circular delegation creates unnecessary processing loops and should be avoided through clearly defined agent responsibilities.


Question 6

Which metric is most useful for identifying inefficient delegation?

A. Browser version

B. Screen resolution

C. Delegation frequency

D. Keyboard layout

Answer: C

Explanation: High delegation frequency can indicate routing inefficiencies or excessive reliance on secondary agents.


Question 7

A Finance department independently maintains its own AI agent while allowing multiple enterprise assistants to reuse it.

Which integration model is most appropriate?

A. Connected agent

B. Child agent

C. Adaptive Card

D. Variable node

Answer: A

Explanation: Connected agents are independently managed and designed for reuse across multiple parent solutions.


Question 8

Which security principle should guide permissions assigned to integrated agents?

A. Full administrative access

B. Anonymous access

C. Shared global credentials

D. Least privilege

Answer: D

Explanation: Agents should receive only the permissions necessary to complete their assigned tasks, reducing security risks.


Question 9

Which architecture is generally considered more scalable for large enterprises?

A. One massive agent responsible for every business function

B. Multiple specialized agents coordinated by an orchestration agent

C. Separate agents that never communicate

D. Duplicate agents performing identical work

Answer: B

Explanation: Specialized agents coordinated by Copilot Studio provide better scalability, maintainability, and governance than monolithic designs.


Question 10

A solution architect wants each business department to update its own AI capabilities without affecting other departments.

Which design recommendation best supports this goal?

A. Merge every capability into one shared prompt.

B. Build identical copies of every agent.

C. Store every business process inside one orchestration agent.

D. Assign ownership of specialized agents to their respective departments while using Copilot Studio to coordinate requests.

Answer: D

Explanation: Department-owned specialized agents allow independent development and maintenance while Copilot Studio orchestrates the overall user experience. This modular approach aligns with Microsoft best practices for enterprise-scale multi-agent solutions.


Go to the AB-620 Exam Prep Hub main page

Add REST APIs to an agent (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Add tools to agents
      --> Add REST APIs to an agent


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Learning Objectives

After completing this section, you should be able to:

  • Explain REST APIs.
  • Understand how REST API tools work in Copilot Studio.
  • Configure REST API tools.
  • Configure authentication.
  • Build requests.
  • Parse responses.
  • Use API outputs in conversations.
  • Apply Microsoft security best practices.

What is a REST API?

A REST (Representational State Transfer) API is a web service that allows applications to communicate over HTTP using standard operations.

Rather than interacting directly with databases or applications, agents communicate with REST APIs to retrieve or update information.

REST APIs are one of the most common integration mechanisms used in enterprise software.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Payment services
  • AI services
  • Internal business applications

Why Use REST APIs in Copilot Studio?

REST APIs enable agents to interact with virtually any application that exposes HTTP endpoints.

Common use cases include:

  • Retrieving customer records
  • Creating support tickets
  • Updating inventory
  • Booking appointments
  • Querying AI models
  • Processing payments
  • Accessing proprietary business systems

Unlike standard connectors, REST APIs allow organizations to integrate with services that do not already have a connector.


REST API Tool Architecture

A typical architecture looks like this:

User
Copilot Studio Agent
REST API Tool
HTTP Request
REST API Endpoint
Enterprise Application
HTTP Response
Agent Response

The REST API tool acts as the communication layer between the agent and the external service.


REST Principles

REST APIs generally use:

  • HTTP
  • URLs
  • Resources
  • Standard HTTP methods
  • JSON payloads

Example resource:

https://api.company.com/customers/10025

HTTP Methods

The AB-620 exam expects familiarity with the most common HTTP methods.

GET

Retrieves information.

Example:

GET /customers/10025

Used when reading data.


POST

Creates a new resource.

Example:

POST /orders

Used to create records.


PUT

Replaces an existing resource.

Example:

PUT /customers/10025

Often used for full updates.


PATCH

Updates part of a resource.

Example:

PATCH /customers/10025

Updates only specified fields.


DELETE

Deletes a resource.

Example:

DELETE /orders/501

REST API Requests

A request generally contains:

  • Endpoint URL
  • HTTP method
  • Authentication
  • Headers
  • Parameters
  • Optional request body

Example:

GET https://api.company.com/orders/12345
Authorization: Bearer <token>
Accept: application/json

Authentication Methods

Authentication is frequently tested on the exam.

Common methods include:

OAuth 2.0

Most common for enterprise applications.

Advantages:

  • Secure
  • Token-based
  • Supports delegated access

Microsoft Entra ID

Used for Microsoft-secured APIs.

Examples:

  • Microsoft Graph
  • Azure services
  • Internal enterprise APIs

API Key

Common for:

  • AI services
  • Third-party APIs
  • Internal APIs

The API key is usually sent in a request header.


Basic Authentication

Supported by some legacy systems.

Generally discouraged for modern enterprise deployments.


Configuring a REST API Tool

Typical steps include:

  1. Open the agent.
  2. Navigate to Tools.
  3. Select Add Tool.
  4. Choose REST API.
  5. Provide the endpoint URL.
  6. Configure authentication.
  7. Configure operations.
  8. Save the tool.

The REST API can now be invoked by the agent during conversations.


Endpoint Configuration

The endpoint identifies the resource.

Example:

https://api.contoso.com/orders

Additional path parameters may be used.

Example:

/orders/{OrderID}

Path Parameters

Path parameters identify specific resources.

Example:

/orders/45213

where:

OrderID = 45213

Query Parameters

Query parameters filter results.

Example:

/orders?status=Pending

Multiple query parameters may be combined.

Example:

/products?category=Electronics&warehouse=West

Headers

Headers provide additional information.

Examples include:

  • Authorization
  • Accept
  • Content-Type
  • User-Agent
  • API version

Example:

Authorization: Bearer token
Content-Type: application/json

Request Body

POST, PUT, and PATCH operations often include JSON.

Example:

{
"customerID":12345,
"priority":"High",
"description":"Damaged shipment"
}

The request body supplies the data the API needs.


JSON

JSON (JavaScript Object Notation) is the most common REST payload format.

Example response:

{
"OrderID":12345,
"Status":"Shipped",
"Carrier":"Contoso Logistics",
"Tracking":"ABC987654"
}

Copilot Studio parses these values into variables that can be used in subsequent conversation steps.


Variables

Inputs can originate from:

  • User messages
  • Conversation variables
  • Previous tool outputs
  • Adaptive Card inputs
  • AI-extracted entities

Example:

User:

Check order 55421.

Variable:

OrderID = 55421

The REST API request uses this variable as a path or query parameter.


Response Mapping

REST API responses can populate conversation variables.

Example:

{
"Customer":"John Smith",
"Status":"Delivered",
"DeliveryDate":"2026-10-04"
}

The agent can then:

  • Respond naturally
  • Display an Adaptive Card
  • Make branching decisions
  • Invoke another tool
  • Store values for later use

Security Considerations

REST APIs often expose sensitive enterprise data.

Microsoft recommends:

  • Secure authentication
  • HTTPS only
  • Least privilege
  • Avoid exposing secrets
  • Validate inputs
  • Protect sensitive outputs

Best Practices

Keep APIs Focused

Each endpoint should perform one clear task.


Validate Inputs

Reject invalid values before sending requests.


Use Secure Authentication

Prefer:

  • OAuth 2.0
  • Microsoft Entra ID

Avoid storing secrets directly in requests whenever possible.


Return Only Required Data

Smaller responses improve:

  • Performance
  • Security
  • Readability

Use Clear Endpoint Names

Good examples:

/customers
/orders
/inventory

Poor examples:

/process1
/action
/data

Common Exam Scenarios

You should be able to determine when a REST API tool is the appropriate choice.

Examples include:

  • Integrating with a proprietary application that does not have a Power Platform connector.
  • Calling an external AI service.
  • Accessing an internal business API.
  • Invoking a third-party SaaS application that exposes a REST interface.
  • Rapidly integrating with an existing HTTP-based service without creating a reusable custom connector.

These scenarios frequently appear in the form of architecture or design questions on the AB-620 exam.


Key Takeaways from the topics covered so far

  • REST API tools allow Copilot Studio agents to interact directly with HTTP-based services.
  • REST APIs use standard HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • Authentication commonly uses OAuth 2.0, Microsoft Entra ID, or API keys.
  • Requests consist of endpoints, headers, parameters, and (when appropriate) JSON request bodies.
  • JSON responses are parsed into variables that can drive conversation flow and subsequent tool invocations.
  • Secure design, proper authentication, and least-privilege access are essential best practices.

Securing REST API Integrations

Security is one of the most heavily tested areas of the AB-620 exam. Microsoft expects AI Agent Builders to understand not only how to connect to an API, but also how to do so securely.

A poorly secured API can expose sensitive business information, customer data, and backend systems.


Authentication Overview

Most enterprise REST APIs require authentication before they process requests.

Common authentication methods include:

  • API Keys
  • OAuth 2.0
  • Microsoft Entra ID (Azure AD)
  • Bearer Tokens
  • Basic Authentication (legacy)

API Keys

An API Key is a unique secret value issued by an API provider.

Example:

GET https://api.company.com/orders
Headers
x-api-key:
A1B2C3D4E5

Advantages

  • Easy to configure
  • Simple to understand
  • Good for internal services

Disadvantages

  • Less secure than OAuth
  • Keys may expire
  • Keys must be protected

OAuth 2.0

OAuth is the preferred authentication method for modern enterprise applications.

Instead of sending usernames and passwords:

  1. User signs in
  2. Identity provider authenticates user
  3. Access token is issued
  4. API validates token

Benefits

  • Strong security
  • Supports delegated permissions
  • Supports application permissions
  • Token expiration
  • Token revocation

Microsoft Entra ID Authentication

Many Microsoft services use Microsoft Entra ID.

Examples include:

  • Microsoft Graph
  • SharePoint
  • Outlook
  • Teams
  • Azure Management APIs

Advantages

  • Central identity management
  • Conditional Access
  • Multi-factor authentication
  • Role-based access control

Bearer Tokens

Many REST APIs require an Authorization header.

Example

Authorization:
Bearer eyJhbGciOi...

The token proves that the caller has already authenticated.


Basic Authentication

Older systems may still require:

Authorization:
Basic Base64(username:password)

This method is generally discouraged for new solutions.

Reasons:

  • Lower security
  • Password management
  • Credential exposure risks

Managing Secrets

Never hard-code:

  • Passwords
  • API Keys
  • Tokens

Instead:

  • Store credentials securely
  • Use connection references
  • Use environment variables
  • Use secure authentication providers

Request Headers

Headers provide additional information.

Common headers include:

Authorization
Content-Type
Accept
User-Agent

Example

Content-Type:
application/json

This tells the server JSON is being sent.


Query Parameters

Many APIs accept filtering.

Example

GET
/customers?city=Seattle

Instead of returning every customer:

The API returns only Seattle customers.

Benefits

  • Faster
  • Smaller payloads
  • Lower cost

Pagination

Large APIs rarely return all records.

Instead they return pages.

Example

GET
/orders?page=1

Next request:

page=2

Benefits

  • Better performance
  • Smaller responses
  • Lower memory usage

Rate Limits

Most enterprise APIs limit requests.

Example

1000 requests/hour

If exceeded:

429 Too Many Requests

Best practices

  • Retry later
  • Respect Retry-After headers
  • Reduce unnecessary requests

Handling Errors

REST APIs commonly return status codes.

CodeMeaning
200Success
201Created
204No Content
400Bad Request
401Unauthorized
403Forbidden
404Not Found
408Timeout
429Too Many Requests
500Internal Server Error

Agents should handle these responses gracefully.


Logging API Activity

Developers should monitor:

  • Request success
  • Failures
  • Latency
  • Authentication failures
  • Timeouts

Useful for:

  • Troubleshooting
  • Performance tuning
  • Compliance
  • Auditing

Monitoring API Performance

Key metrics include:

Average response time

Error rate

Success rate

Retry count

Timeout frequency

API availability


Best Practices

Design

  • Keep APIs focused.
  • Follow REST conventions.
  • Use meaningful endpoints.
  • Version APIs.

Security

  • Prefer OAuth.
  • Encrypt traffic using HTTPS.
  • Protect secrets.
  • Validate input.
  • Apply least privilege.

Performance

  • Filter results.
  • Cache where appropriate.
  • Minimize payload size.
  • Use pagination.
  • Avoid unnecessary API calls.

Reliability

  • Handle failures gracefully.
  • Retry transient errors.
  • Log important events.
  • Monitor health.
  • Test regularly.

REST APIs vs Custom Connectors

REST API ToolCustom Connector
Direct API definitionReusable connector
Good for individual APIsGood for many apps
Can require manual configurationSimpler for repeated use
FlexibleMore standardized
Ideal for rapid integrationIdeal for enterprise reuse

Exam Tips

Remember these important distinctions:

  • REST APIs allow direct integration with external services.
  • APIs use HTTP methods such as GET, POST, PUT, PATCH, and DELETE.
  • JSON is the primary request and response format.
  • Authentication is commonly handled through OAuth 2.0 or Microsoft Entra ID.
  • API responses should be validated before use.
  • Agents should gracefully handle failures and retries.
  • Secure secrets should never be hard-coded.
  • Monitoring and logging are essential for production deployments.
  • Pagination and filtering improve performance.
  • Custom connectors simplify reuse of REST APIs across Power Platform solutions.

Practice Exam Questions

Question 1

A Copilot Studio agent needs to retrieve customer information from an external CRM without modifying any data. Which HTTP method should the REST API use?

A. POST

B. PUT

C. GET

D. PATCH

Answer: C

Explanation: GET retrieves data without changing server resources. POST creates resources, PUT replaces them, and PATCH partially updates them.


Question 2

Which authentication method is generally recommended for enterprise REST API integrations?

A. Basic Authentication

B. OAuth 2.0

C. Anonymous Access

D. Shared Password Files

Answer: B

Explanation: OAuth 2.0 provides secure, token-based authentication with delegated permissions and is preferred for enterprise APIs.


Question 3

A REST API returns HTTP status code 401 Unauthorized. What does this most likely indicate?

A. The requested resource does not exist.

B. The server encountered an internal error.

C. Authentication credentials are missing or invalid.

D. The request exceeded the rate limit.

Answer: C

Explanation: A 401 response indicates that the request lacks valid authentication credentials.


Question 4

Why should API keys never be hard-coded into an agent?

A. They increase API response times.

B. They prevent JSON serialization.

C. They disable HTTPS encryption.

D. They can be exposed and compromise security.

Answer: D

Explanation: Hard-coded secrets are difficult to rotate and may be exposed through source code or logs.


Question 5

An API returns 429 Too Many Requests. What is the most appropriate response by the agent?

A. Continue sending requests immediately.

B. Retry after waiting according to the API’s guidance.

C. Switch to Basic Authentication.

D. Ignore the error.

Answer: B

Explanation: HTTP 429 indicates that the client has exceeded rate limits. The agent should wait and retry appropriately.


Question 6

Which request header typically specifies the authentication token for a REST API?

A. Accept

B. Content-Type

C. Authorization

D. Cache-Control

Answer: C

Explanation: The Authorization header carries bearer tokens or other authentication credentials.


Question 7

Why do many APIs implement pagination?

A. To encrypt responses.

B. To reduce the amount of data returned in a single request.

C. To replace authentication.

D. To prevent HTTPS connections.

Answer: B

Explanation: Pagination improves performance and scalability by limiting the number of records returned per request.


Question 8

Which format is most commonly used for REST API request and response bodies?

A. CSV

B. XML

C. YAML

D. JSON

Answer: D

Explanation: JSON is lightweight, widely supported, and the standard format for modern REST APIs.


Question 9

When integrating a REST API into Copilot Studio, why is validating API responses important?

A. It guarantees that authentication is unnecessary.

B. It eliminates network latency.

C. It ensures returned data is complete and expected before the agent uses it.

D. It automatically encrypts responses.

Answer: C

Explanation: Response validation helps prevent errors and ensures the agent processes reliable, expected data.


Question 10

Why might a development team choose a Power Platform custom connector instead of directly configuring a REST API in every agent?

A. Custom connectors eliminate the need for authentication.

B. Custom connectors can only connect to Microsoft services.

C. Custom connectors replace HTTP methods.

D. Custom connectors provide reusable, centrally managed API definitions across multiple solutions.

Answer: D

Explanation: Custom connectors simplify maintenance, standardize integrations, and enable reuse across multiple apps, flows, and Copilot Studio agents.


Go to the AB-620 Exam Prep Hub main page

Add a tool by using an existing custom connector (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Add tools to agents
      --> Add a tool by using an existing custom connector


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

What is a Custom Connector?

A custom connector is a reusable connector created within the Microsoft Power Platform that exposes one or more APIs as actions that Power Apps, Power Automate, Copilot Studio, and other services can use.

Instead of writing HTTP requests directly into every application, developers encapsulate API definitions into a connector.

The connector becomes a reusable enterprise asset.

Examples include:

  • Internal HR system
  • Inventory management API
  • Legacy ERP
  • Manufacturing execution system
  • Banking platform
  • Insurance claims system
  • Internal CRM
  • Proprietary AI service

Why Use an Existing Custom Connector?

Many organizations already have custom connectors built for:

  • Power Apps
  • Power Automate
  • Logic Apps
  • Internal automation

Instead of recreating integrations, Copilot Studio can reuse them.

Benefits include:

  • Less development effort
  • Consistent API usage
  • Centralized maintenance
  • Shared authentication
  • Governance
  • Reduced duplication

Standard Connectors vs Custom Connectors

Standard ConnectorCustom Connector
Built by Microsoft or partnerBuilt by organization
Supports common SaaS productsSupports proprietary systems
Automatically maintainedOrganization maintains it
Limited to supported servicesCan connect to virtually any REST API
Examples: Outlook, SharePointExample: Internal Payroll API

How Custom Connectors Work

The architecture typically looks like:

User
Copilot Studio Agent
Tool
Custom Connector
REST API
Enterprise System

The connector translates:

  • Authentication
  • Request formatting
  • Parameter validation
  • Response parsing

into reusable actions.


Typical Enterprise Scenario

A company has an internal warranty database.

The API already exists.

Power Platform administrators previously created a custom connector.

The Copilot Studio agent simply calls the connector instead of directly calling the API.

This avoids:

  • duplicate coding
  • duplicated authentication
  • inconsistent API calls

Components of a Custom Connector

A connector typically includes:

General Information

  • Name
  • Description
  • Icon
  • Host URL

Security Definition

Authentication type

Examples:

  • OAuth 2.0
  • API Key
  • Microsoft Entra ID
  • Basic Authentication

API Definition

Defines:

  • Actions
  • Parameters
  • Request body
  • Responses

Policies

Optional transformations including:

  • Header injection
  • URL rewriting
  • Request modifications
  • Response modifications

Authentication Methods

One of the most important exam topics.

OAuth 2.0

Most common.

Suitable for:

  • Microsoft Graph
  • Enterprise APIs
  • Cloud applications

Benefits:

  • Secure
  • Token-based
  • Supports delegated permissions

API Key

Common for:

  • Third-party services
  • AI APIs
  • Internal APIs

The connector automatically sends the key.


Microsoft Entra ID

Often used for internal enterprise APIs.

Advantages:

  • Central identity management
  • Role-based access
  • Conditional Access
  • Single Sign-On

Basic Authentication

Supported but generally discouraged for production workloads.

Used mainly with legacy systems.


Adding an Existing Custom Connector as a Tool

Typical process:

  1. Open the agent.
  2. Navigate to Tools.
  3. Select Add Tool.
  4. Choose Existing Custom Connector.
  5. Select the connector.
  6. Select one or more operations.
  7. Configure parameters.
  8. Save.

The agent can now invoke the connector during conversations.


Choosing Operations

One connector may expose many actions.

Example:

Inventory Connector

  • Get Product
  • Update Inventory
  • Reserve Inventory
  • Cancel Reservation
  • Check Warehouse
  • Retrieve Supplier

The agent only needs the operations relevant to its purpose.

Selecting unnecessary operations increases complexity and expands the agent’s available actions beyond what is needed.


Designing Good Operations

Operations should be:

  • Focused
  • Reusable
  • Well documented
  • Clearly named

Good examples:

  • GetCustomer
  • CreateOrder
  • SubmitExpense
  • LookupPolicy

Poor examples:

  • ExecuteProcess1
  • ActionA
  • TestEndpoint

Configuring Parameters

Most operations require parameters.

Example:

GetCustomer
CustomerID

or

CreateTicket
Title
Priority
Description

Copilot Studio maps conversation data into these parameters.


Required vs Optional Parameters

Understand the distinction.

Required:

The action cannot execute without them.

Optional:

Improve results but are not mandatory.

Example:

Required

  • Order Number

Optional

  • Customer Email

Input Mapping

Inputs can come from:

  • User messages
  • Variables
  • Previous tool outputs
  • System variables
  • AI extracted entities

Example:

User:

Where is order 10245?

Extract:

Order Number

Connector:

GetOrderStatus(10245)


Output Mapping

Connector responses become variables.

Example:

API returns:

Customer Name
Order Status
Shipping Date

The agent can then:

  • respond to the user
  • populate Adaptive Cards
  • call another tool
  • make decisions
  • branch within a topic

Working with JSON Responses

Many APIs return JSON.

Example:

{
"customer":"John Smith",
"status":"Processing",
"shipDate":"2026-08-15"
}

Copilot Studio extracts individual properties for later use.


Security Considerations

Microsoft recommends granting only the permissions the connector actually requires.

Follow the principle of least privilege.

Avoid connectors with unnecessary administrative permissions.


Governance

Administrators should:

  • Review connector ownership.
  • Approve enterprise connectors.
  • Monitor usage.
  • Enforce Data Loss Prevention (DLP) policies.
  • Control environment access.
  • Audit authentication methods.
  • Review connector updates before deployment.

Best Practices

Reuse Existing Connectors

Avoid building duplicate connectors.


Keep Operations Small

Small operations are easier to test.


Use Descriptive Names

Helps AI select the correct tool.


Secure Authentication

Prefer:

  • OAuth
  • Microsoft Entra ID

Avoid hard-coded credentials.


Validate Inputs

Prevent invalid requests before invoking APIs.


Return Structured Responses

Predictable JSON improves downstream processing.


Common Exam Pitfalls

Candidates often confuse:

  • Standard connectors
  • Power Platform connectors
  • Custom connectors
  • REST API tools
  • MCP tools

Remember:

  • Standard connectors are Microsoft-provided.
  • Power Platform connectors include both standard and custom connectors available within the Power Platform ecosystem.
  • Custom connectors wrap your own APIs into reusable connector definitions.
  • REST API tools call APIs directly from the agent without requiring a custom connector.
  • MCP tools connect to capabilities exposed through the Model Context Protocol, enabling standardized interaction with external tools and services.

Being able to choose the most appropriate integration option for a given scenario is a key skill measured on the AB-620 exam.


Quick Orientation Summary

In the topics above, you learned what custom connectors are, how they differ from standard connectors, how to configure them as agent tools, and how authentication, parameters, and outputs work.

The topics below focus on the advanced knowledge expected for the AB-620 certification exam.


Advanced Configuration

Once a custom connector has been added to an agent, developers should configure it so that it behaves predictably during conversations.

Important considerations include:

  • Selecting only the operations the agent requires
  • Mapping variables correctly
  • Providing descriptive action names
  • Validating required inputs
  • Handling null values
  • Returning structured outputs

A well-configured connector is easier for the AI orchestrator to select appropriately and reduces the likelihood of incorrect tool invocation.


Designing Agent-Friendly Connectors

Although a connector may expose dozens of operations, not all of them should necessarily be available to an agent.

Good practice includes:

  • Separate read operations from update operations.
  • Expose only business-relevant actions.
  • Avoid administrative functions unless necessary.
  • Keep operations focused on a single task.
  • Use clear operation descriptions.

Example:

Instead of:

  • ExecuteAPI

Use:

  • GetCustomerOrders
  • CreateSupportTicket
  • UpdateDeliveryAddress

This improves the agent’s ability to determine when to invoke each action.


Variable Mapping Best Practices

Variables often originate from:

  • User input
  • Previous topic variables
  • Generative AI extraction
  • Other tools
  • Adaptive Card submissions

Example workflow:

User:

I need the warranty information for product 45831.

Conversation variable:

ProductID = 45831

Connector action:

GetWarranty(ProductID)

Connector response:

WarrantyStatus
ExpirationDate
CoverageType

These outputs become new variables that the agent can reference later in the conversation.


Chaining Multiple Tools

A single conversation often involves multiple tools working together.

Example:

Step 1

Retrieve customer information.

Step 2

Retrieve active orders.

Step 3

Retrieve shipping status.

Step 4

Generate natural-language response.

Rather than creating one large API, smaller reusable operations simplify maintenance and improve reliability.


Error Handling

Enterprise systems occasionally fail.

Possible causes include:

  • Invalid parameters
  • Expired authentication
  • Network interruptions
  • Service outages
  • Rate limiting
  • Missing permissions

Agents should be designed to recover gracefully whenever possible.


Common Error Responses

Examples include:

400 Bad Request

Incorrect input.

Example:

Customer ID contains invalid characters.


401 Unauthorized

Authentication failed.

Possible causes:

  • Expired token
  • Invalid credentials
  • Missing authentication

403 Forbidden

User is authenticated but lacks permission.


404 Not Found

Requested resource does not exist.


429 Too Many Requests

API rate limit exceeded.


500 Internal Server Error

Unexpected server-side failure.


Designing Friendly Error Messages

Avoid exposing raw API errors to end users.

Instead of:

Error 500

Use:

I couldn’t retrieve your information right now. Please try again in a few minutes.

This provides a better user experience while avoiding disclosure of unnecessary technical details.


Performance Optimization

Large enterprise APIs can affect conversation speed.

Microsoft recommends:

  • Return only required fields.
  • Reduce payload sizes.
  • Limit unnecessary API calls.
  • Cache frequently used information when appropriate.
  • Break large operations into smaller reusable actions.

Security Best Practices

Security is frequently tested on the AB-620 exam.

Recommendations include:

Principle of Least Privilege

Grant only the permissions required.

Example:

Instead of granting:

Customer.ReadWrite.All

Grant:

Customer.Read

if the agent only retrieves customer information.


Secure Authentication

Preferred methods:

  • Microsoft Entra ID
  • OAuth 2.0
  • Managed identity (where applicable)

Avoid embedding secrets directly in connector definitions whenever possible.


Protect Sensitive Data

Avoid returning:

  • Passwords
  • Authentication tokens
  • Social Security numbers
  • Credit card numbers
  • Personally identifiable information (PII) unless absolutely required

Return only the data necessary for the conversation.


Monitoring Connector Usage

Administrators should monitor:

  • Successful executions
  • Failed executions
  • Authentication failures
  • API latency
  • Usage frequency
  • User activity
  • Connector health

Monitoring helps identify bottlenecks and troubleshoot production issues.


Logging

Logging is useful for:

  • Diagnosing failures
  • Auditing requests
  • Measuring adoption
  • Identifying slow operations
  • Supporting compliance requirements

However, avoid logging confidential user information unnecessarily.


Versioning Connectors

Enterprise APIs evolve over time.

Best practices include:

  • Version APIs
  • Test new versions before deployment
  • Avoid breaking changes
  • Maintain backward compatibility where practical
  • Update agents after connector changes

Enterprise Scenario 1

A healthcare organization exposes a patient scheduling API through a custom connector.

The agent can:

  • Find appointments
  • Schedule visits
  • Cancel appointments
  • Check physician availability

Authentication uses Microsoft Entra ID.

Only authorized staff members can invoke scheduling operations.


Enterprise Scenario 2

A manufacturing company exposes inventory services.

Operations include:

  • Check inventory
  • Reserve inventory
  • Release reservation
  • Find warehouse

The Copilot agent helps warehouse employees without requiring them to open multiple applications.


Enterprise Scenario 3

An insurance company exposes claim-processing APIs.

The connector allows the agent to:

  • Retrieve claim status
  • Submit documentation
  • Update claimant information
  • Schedule inspections

Because the connector already exists for Power Automate workflows, the same connector can be reused within Copilot Studio.


Comparing Integration Options

FeatureStandard ConnectorCustom ConnectorREST API ToolMCP Tool
Microsoft-managedYesNoNoDepends
Organization-createdNoYesNoSometimes
Requires API definitionNoYesYesYes
Reusable across Power PlatformYesYesNoVaries
Direct API callsNoIndirectYesVia MCP server
Best for enterprise reuseModerateExcellentModerateExcellent for standardized AI tool ecosystems

When to Choose an Existing Custom Connector

Use an existing custom connector when:

  • The organization already has one.
  • The API is used by multiple Power Platform solutions.
  • Authentication has already been configured.
  • Governance requirements already exist.
  • Multiple applications share the same integration.

When a REST API Tool May Be Better

A REST API tool may be preferable when:

  • Only one API operation is needed.
  • No connector currently exists.
  • Rapid prototyping is desired.
  • Reusability across the Power Platform is not required.

More AB-620 Exam Tips

Remember these key points:

  • Existing custom connectors promote reuse across the Power Platform.
  • Connectors encapsulate authentication and API definitions.
  • Use least-privilege permissions.
  • Select only the operations needed by the agent.
  • Map variables carefully between conversations and connector inputs.
  • Handle API failures gracefully.
  • Monitor connector performance and usage.
  • Use descriptive operation names.
  • Reuse existing connectors instead of duplicating integrations.
  • Understand when a custom connector is preferable to a REST API tool or MCP tool.

Practice Exam Questions

Question 1

An organization has already created a custom connector for its internal ERP system. A Copilot Studio developer needs to enable agents to retrieve inventory information.

What is the best approach?

A. Create a new REST API tool that duplicates the ERP functionality.

B. Reuse the existing custom connector.

C. Build a Power Automate flow that manually calls the API.

D. Export the connector as an Adaptive Card.

Answer: B

Explanation: Existing custom connectors should be reused whenever possible because they already encapsulate authentication, API definitions, governance, and maintenance.


Question 2

Which authentication method is generally recommended for enterprise APIs secured by Microsoft identity services?

A. Anonymous authentication

B. API key only

C. Microsoft Entra ID (OAuth 2.0)

D. Basic Authentication

Answer: C

Explanation: Microsoft Entra ID with OAuth 2.0 provides secure, centralized identity management, token-based authentication, and integration with enterprise security controls.


Question 3

A connector exposes twenty operations, but an agent only needs two of them.

What is the recommended design?

A. Enable all operations.

B. Create duplicate connectors.

C. Expose only the required operations.

D. Disable authentication.

Answer: C

Explanation: Limiting available operations simplifies agent behavior, improves security, and reduces unnecessary complexity.


Question 4

Which HTTP response code typically indicates that authentication has failed?

A. 404

B. 429

C. 500

D. 401

Answer: D

Explanation: A 401 Unauthorized response indicates that authentication credentials are missing, invalid, or expired.


Question 5

Why should connector operations have descriptive names?

A. They reduce API latency.

B. They improve AI tool selection and maintainability.

C. They eliminate authentication requirements.

D. They automatically optimize API performance.

Answer: B

Explanation: Clear operation names help both developers and AI orchestration determine the appropriate action to invoke.


Question 6

A connector returns customer name, address, loyalty status, and internal audit history. The agent only needs the customer’s loyalty status.

What is the best practice?

A. Return every field.

B. Add more connector actions.

C. Return only the required data.

D. Disable response parsing.

Answer: C

Explanation: Returning only the necessary data reduces payload size, improves performance, and minimizes exposure of unnecessary information.


Question 7

Which practice best supports enterprise security?

A. Embed administrator passwords in the connector.

B. Grant every available permission.

C. Use anonymous access.

D. Apply the principle of least privilege.

Answer: D

Explanation: Least privilege limits permissions to only those required, reducing security risks and supporting compliance.


Question 8

What is a primary advantage of using an existing custom connector instead of recreating the same integration?

A. It automatically removes authentication.

B. It eliminates API documentation.

C. It promotes reuse, governance, and centralized maintenance.

D. It guarantees faster API responses.

Answer: C

Explanation: Existing custom connectors provide reusable, centrally managed integrations that can be shared across Power Platform solutions.


Question 9

During execution, an API returns HTTP 429.

What does this typically indicate?

A. The requested resource was not found.

B. The request exceeded the service’s rate limit.

C. Authentication failed.

D. The connector is incorrectly configured.

Answer: B

Explanation: HTTP 429 indicates that too many requests have been sent in a given period, triggering rate limiting.


Question 10

When should a developer consider using an existing custom connector instead of creating a direct REST API tool?

A. When the organization already maintains the connector for multiple Power Platform solutions.

B. When no reusable integration exists.

C. Only during testing.

D. Only for public APIs.

Answer: A

Explanation: Reusing an existing custom connector leverages established authentication, governance, maintenance, and reusability across multiple applications, making it the preferred approach when such a connector already exists.


AB-620 Exam Summary

For the exam, remember these key takeaways:

  • Custom connectors encapsulate APIs into reusable Power Platform components.
  • Existing custom connectors should generally be reused instead of creating duplicate integrations.
  • Configure only the operations an agent requires.
  • Use secure authentication methods such as Microsoft Entra ID and OAuth 2.0.
  • Apply least-privilege security principles.
  • Map conversation variables carefully to connector inputs and outputs.
  • Handle API errors gracefully with user-friendly messages.
  • Monitor connector health, performance, and usage.
  • Understand when to use custom connectors versus REST API tools and MCP tools based on governance, reuse, and integration requirements.

Go to the AB-620 Exam Prep Hub main page

Connect to Azure AI Search (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Integrate and extend agents in Copilot Studio (40–45%)
   --> Connect to enterprise knowledge sources
      --> Connect to Azure AI Search


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

What is Azure AI Search?

Azure AI Search is Microsoft’s enterprise search platform that indexes structured and unstructured content so AI applications can quickly retrieve relevant information.

Within Copilot Studio, Azure AI Search acts as a grounding source, allowing the agent to answer questions using your organization’s indexed knowledge instead of relying solely on the foundation model.

Think of it as the enterprise knowledge engine behind your AI agent.

Instead of asking:

“What does the language model know?”

the agent asks:

“What information exists inside our organization’s indexed documents?”


Why Use Azure AI Search?

Organizations often have:

  • Thousands of PDFs
  • Word documents
  • SharePoint files
  • Wikis
  • Product documentation
  • HR manuals
  • Technical specifications
  • Knowledge bases
  • Policy documents

Without search indexing:

  • documents remain isolated
  • responses may be incomplete
  • AI cannot efficiently locate relevant information

Azure AI Search solves this by:

  • indexing content
  • creating searchable metadata
  • performing semantic search
  • returning highly relevant passages

Copilot Studio can then use those passages to generate grounded responses.


High-Level Architecture

Enterprise Content
Azure Storage
SharePoint
SQL
Blob Storage
Web Sites
Databases
File Shares
Azure AI Search
Indexes
Documents
Metadata
Vectors (optional)
Copilot Studio
Grounding
Generative Answers
Agent Response

What Does Azure AI Search Store?

Azure AI Search stores indexes rather than the original documents.

Indexes contain:

  • searchable text
  • metadata
  • document identifiers
  • vector embeddings (optional)
  • semantic ranking information

The original documents remain in their original repositories.


Azure AI Search Components

Understanding these components is important for the exam.

Search Service

The Azure resource that hosts:

  • indexes
  • indexers
  • data sources
  • search APIs
  • semantic ranking

Data Source

Defines where information originates.

Examples:

  • Azure Blob Storage
  • SQL Database
  • Cosmos DB
  • SharePoint (through supported connectors)
  • Azure Table Storage

Index

A searchable collection of fields.

Example:

Document Name
Title
Category
Content
Department
Created Date
Owner
Keywords

Indexer

Automatically imports content into the index.

Responsibilities include:

  • reading documents
  • extracting text
  • updating indexes
  • incremental indexing
  • scheduling refreshes

Skillset (Optional)

A skillset enriches documents during indexing.

Examples include:

  • OCR
  • language detection
  • key phrase extraction
  • entity recognition
  • translation
  • image analysis

This creates richer searchable content.


How Copilot Studio Uses Azure AI Search

When a user asks:

“What is our PTO policy?”

Copilot Studio:

  1. Sends the query to Azure AI Search.
  2. Azure AI Search finds relevant indexed passages.
  3. Matching documents are returned.
  4. The language model generates an answer grounded in those documents.
  5. Citations can be included.

Retrieval-Augmented Generation (RAG)

Azure AI Search enables Retrieval-Augmented Generation (RAG).

Instead of relying only on model training:

User Question
Retrieve Documents
Ground Prompt
Generate Response

This greatly improves:

  • factual accuracy
  • enterprise relevance
  • freshness of information
  • reduced hallucinations

Benefits of Azure AI Search

Better Accuracy

Responses come from company documents.


Current Information

Indexes can refresh automatically.

This allows new documentation to become searchable.


Enterprise Security

Users only retrieve content they are authorized to access (depending on the implementation and connected systems).


Scalability

Millions of documents can be indexed efficiently.


Rich Metadata

Search can use:

  • departments
  • categories
  • dates
  • document types
  • owners
  • tags

to improve retrieval.


Supported Content Types

Azure AI Search can index many document formats, including:

  • PDF
  • Word
  • Excel
  • PowerPoint
  • HTML
  • JSON
  • CSV
  • XML
  • Text files

It can also index structured database records.


Semantic Search

Traditional keyword search looks for matching words.

Example:

vacation

Semantic search understands meaning.

Example:

User asks:

“How many vacation days do I receive?”

Relevant document:

“Employees receive 20 paid time off days annually.”

Semantic search recognizes:

Vacation = Paid Time Off

No exact keyword match is required.

This significantly improves answer quality.


Vector Search

Azure AI Search also supports vector search.

Instead of matching keywords:

  • text is converted into embeddings
  • similar meanings are identified
  • conceptual similarity is measured

Example:

User asks:

“Remote work policy”

Document says:

“Employees may perform duties from home.”

Keyword search may miss it.

Vector search finds it because the meanings are closely related.


Hybrid Search

Many enterprise implementations use hybrid search.

Hybrid combines:

  • keyword search
  • semantic ranking
  • vector search

This generally produces the highest-quality retrieval results and is increasingly recommended for AI-powered applications.


Connecting Azure AI Search to Copilot Studio

Typical steps include:

  1. Create an Azure AI Search service.
  2. Configure a data source.
  3. Build an index.
  4. Populate the index using an indexer.
  5. Enable semantic search if available.
  6. Connect the search service in Copilot Studio.
  7. Select the appropriate index.
  8. Configure the knowledge source.
  9. Test retrieval quality.
  10. Publish the agent.

Common Enterprise Scenarios

HR Assistant

Indexes:

  • employee handbook
  • benefits
  • PTO policies
  • onboarding guides

Employees receive accurate HR answers.


IT Help Desk

Indexes:

  • troubleshooting articles
  • knowledge base
  • software documentation
  • incident procedures

The agent resolves common IT questions.


Legal Assistant

Indexes:

  • contracts
  • compliance documents
  • regulations
  • internal policies

Responses are grounded in approved legal content.


Customer Support

Indexes:

  • product manuals
  • FAQs
  • troubleshooting guides
  • warranty documentation

Customers receive accurate support responses.


Sales Assistant

Indexes:

  • pricing documentation
  • product catalogs
  • competitive information
  • proposal templates

Sales representatives obtain consistent answers.


Best Practices

Build Clean Indexes

Avoid:

  • duplicate documents
  • obsolete files
  • incomplete documentation

Poor indexes lead to poor responses.


Use Meaningful Metadata

Metadata improves filtering.

Examples:

  • Department
  • Region
  • Product
  • Version
  • Owner

Schedule Regular Index Updates

Enterprise information changes frequently.

Regular refreshes keep responses current.


Enable Semantic Search

Semantic ranking generally improves retrieval quality compared to keyword search alone.


Monitor Search Quality

Review:

  • irrelevant responses
  • missing answers
  • outdated content
  • indexing failures

Continuously refine the index.


Security Considerations

Organizations should ensure:

  • Azure authentication is configured correctly.
  • Sensitive content is indexed intentionally.
  • Access permissions are respected.
  • Search services follow organizational governance policies.
  • Secrets and credentials are stored securely.

Limitations

Azure AI Search does not:

  • automatically understand every document without proper indexing
  • replace document governance
  • eliminate the need for quality source material
  • guarantee perfect answers if documents are outdated or incomplete

The quality of responses depends heavily on the quality and maintenance of the indexed content.


Exam Tips for topics covered so far

For the AB-620 exam, remember these key points:

  • Azure AI Search is primarily used to ground AI responses with enterprise data.
  • Copilot Studio queries indexes, not the original documents directly.
  • Semantic search improves retrieval by understanding intent and meaning.
  • Vector search retrieves conceptually similar content using embeddings.
  • Hybrid search combines keyword, semantic, and vector search for stronger results.
  • Indexers automate importing and refreshing searchable content.
  • High-quality, current indexes produce higher-quality grounded responses.

Advanced Index Design

An Azure AI Search index is much more than a simple list of documents. A well-designed index determines how effectively an AI agent retrieves information.

A typical enterprise index includes:

FieldPurposeSearchable
TitleDocument titleYes
ContentMain body textYes
CategoryDepartment or topicFilterable
AuthorDocument ownerFilterable
CreatedDateDate createdSortable
ModifiedDateLast updatedSortable
SecurityGroupAccess controlFilterable
DocumentURLCitation sourceRetrieved
KeywordsMetadataSearchable

Good index design improves:

  • Search relevance
  • Filtering
  • Security
  • Citation quality
  • Response accuracy

Document Chunking

Large documents should rarely be indexed as one massive record.

Instead, Azure AI Search typically indexes smaller chunks.

Example:

A 300-page employee handbook becomes:

  • Benefits section
  • PTO section
  • Holidays
  • Payroll
  • Remote work
  • Code of conduct
  • Travel policy

Instead of retrieving the entire handbook, Azure AI Search returns only the most relevant sections.

Benefits include:

  • Faster retrieval
  • Better grounding
  • Lower token usage
  • More accurate responses

Chunk Size Considerations

Choosing the correct chunk size is important.

Chunks that are too small

Problems include:

  • Missing context
  • Incomplete answers
  • Multiple retrievals required

Example:

Only one sentence is returned.


Chunks that are too large

Problems include:

  • Higher token consumption
  • Lower relevance
  • More irrelevant information

Best Practice

Use logical document sections.

Examples:

  • One policy
  • One chapter
  • One FAQ
  • One procedure
  • One product description

Metadata Filtering

Metadata helps Azure AI Search narrow search results.

Examples include:

  • Department
  • Country
  • Product
  • Region
  • Language
  • Version
  • Confidentiality level

Example query:

Show HR policies for employees in Canada.

The search can first filter:

  • Department = HR
  • Region = Canada

before retrieving relevant passages.


Semantic Ranking

Semantic ranking improves traditional keyword search.

Without semantic ranking:

User asks:

How do I request vacation?

Keyword search might only find documents containing the exact word “vacation.”

With semantic ranking:

Azure AI Search understands:

  • vacation
  • PTO
  • annual leave
  • paid leave
  • time off

It returns the most meaningful documents rather than only exact keyword matches.


Vector Search in Detail

Vector search converts text into numerical embeddings.

Rather than comparing words, it compares meaning.

Example:

User question:

Can I work from home?

Indexed document:

Employees may perform duties remotely.

Keyword overlap:

Very little.

Semantic similarity:

Very high.

Vector search successfully retrieves the document.


Hybrid Search Strategy

Most enterprise AI implementations use hybrid search.

Hybrid search combines:

  • Keyword search
  • Vector similarity
  • Semantic ranking

Benefits include:

  • Higher accuracy
  • Better recall
  • Better precision
  • Improved user satisfaction

Hybrid search is generally considered the recommended approach for enterprise AI.


Retrieval-Augmented Generation (RAG)

Azure AI Search enables Retrieval-Augmented Generation.

Workflow:

User Question
Azure AI Search
Relevant Chunks
LLM Prompt
Grounded Answer
Citation

The AI model generates answers only after retrieving relevant enterprise content.

This significantly reduces hallucinations.


Grounding Strategies

Good grounding depends on:

  • Clean source documents
  • Updated indexes
  • Proper chunking
  • Rich metadata
  • Semantic search
  • Hybrid search

Poor grounding often results from:

  • Duplicate files
  • Outdated documents
  • Missing metadata
  • Poor chunk boundaries
  • Incorrect indexing schedules

Security Trimming

Large organizations often have documents that should not be visible to every user.

Examples:

  • Executive policies
  • HR records
  • Financial reports
  • Legal contracts

Security trimming ensures that users retrieve only content they are authorized to access.

This is accomplished through identity, permissions, and access control mechanisms integrated with enterprise systems.


Incremental Indexing

Rebuilding an entire index can be expensive.

Instead, indexers typically perform incremental updates.

Example:

Monday:

100,000 documents

Tuesday:

Only 300 documents changed.

Incremental indexing updates only those 300 documents.

Benefits include:

  • Faster indexing
  • Lower compute costs
  • More current information
  • Reduced downtime

Index Refresh Strategies

Common schedules include:

  • Every 15 minutes
  • Hourly
  • Daily
  • Weekly

Choose a schedule based on how frequently the source data changes.

Examples:

Customer support knowledge:

Hourly

Employee handbook:

Weekly

Sales pricing:

Daily


Performance Optimization

Performance depends on:

  • Index size
  • Chunk size
  • Metadata quality
  • Semantic ranking
  • Vector indexing
  • Query complexity
  • Number of retrieved documents

Optimization techniques include:

  • Removing duplicate documents
  • Filtering before searching
  • Using hybrid search
  • Indexing only useful content
  • Excluding obsolete documents

Common Troubleshooting Scenarios

Problem

The agent cannot answer a question.

Possible causes:

  • Document not indexed
  • Indexer failed
  • Incorrect index selected
  • Missing permissions
  • Document format unsupported

Problem

The answer is outdated.

Possible causes:

  • Index not refreshed
  • Old documents remain indexed
  • Incremental indexing failed

Problem

The answer is inaccurate.

Possible causes:

  • Poor chunking
  • Weak metadata
  • Duplicate documents
  • Missing semantic ranking
  • Poor source documentation

Problem

Too many irrelevant documents are returned.

Possible causes:

  • No metadata filters
  • Large chunk size
  • Poor keyword quality
  • Broad search queries

Design Recommendations

Microsoft generally recommends:

  • Hybrid retrieval
  • Semantic ranking
  • Regular index updates
  • Rich metadata
  • Logical document chunking
  • High-quality source documents
  • Security-aware indexing
  • Continuous monitoring

Common Exam Mistakes

Candidates often confuse:

Azure AI Search vs. Azure OpenAI

Azure AI Search retrieves information.

Azure OpenAI generates responses.

Both work together in a RAG solution.


Index vs. Data Source

Data Source:

Where documents live.

Index:

What gets searched.


Indexer vs. Search Index

Indexer:

Loads data.

Index:

Stores searchable content.


Semantic Search vs. Vector Search

Semantic Search:

Uses language understanding to improve keyword-based ranking.

Vector Search:

Uses embeddings to retrieve conceptually similar content.

Hybrid search combines both approaches with keyword search.


More AB-620 Exam Tips

Remember the following:

  • Azure AI Search is the primary enterprise grounding service used by Copilot Studio.
  • AI agents search indexes rather than original documents directly.
  • Chunking improves retrieval quality.
  • Metadata improves filtering and relevance.
  • Indexers automate synchronization.
  • Semantic search improves intent matching.
  • Vector search improves conceptual matching.
  • Hybrid search typically provides the best overall retrieval performance.
  • Azure OpenAI generates the response after Azure AI Search retrieves the relevant content.
  • Good enterprise AI depends on both high-quality documents and high-quality indexing.

Practice Exam Questions

Question 1

A Copilot Studio agent uses Azure AI Search to answer employee questions. Which Azure AI Search feature allows the agent to retrieve conceptually similar information even when exact keywords are not present?

A. Indexer

B. Vector search

C. Filter expressions

D. Synonym maps

Answer: B

Explanation: Vector search uses embeddings to compare semantic meaning instead of exact keywords, allowing the retrieval of conceptually related information.


Question 2

Which Azure AI Search component is responsible for importing data from an external repository into a searchable index?

A. Semantic ranker

B. Search explorer

C. Indexer

D. Skillset

Answer: C

Explanation: An indexer connects to a data source, extracts content, and populates or refreshes the search index.


Question 3

Why is document chunking considered a best practice for enterprise AI agents?

A. It encrypts enterprise documents.

B. It eliminates duplicate documents automatically.

C. It allows the language model to train on enterprise content.

D. It improves retrieval precision by returning smaller, relevant sections.

Answer: D

Explanation: Smaller, logically organized chunks improve retrieval accuracy, reduce token usage, and provide better context for grounded responses.


Question 4

Which statement best describes the purpose of semantic ranking?

A. It schedules index refresh operations.

B. It converts documents into embeddings.

C. It improves search relevance by understanding the meaning behind user queries.

D. It compresses documents before indexing.

Answer: C

Explanation: Semantic ranking analyzes intent and contextual meaning to improve the ordering of search results beyond simple keyword matching.


Question 5

A company updates its employee handbook every day. Which indexing strategy minimizes processing time while keeping search results current?

A. Full index rebuild after every query

B. Weekly manual indexing

C. Incremental indexing

D. Delete and recreate the index daily

Answer: C

Explanation: Incremental indexing processes only changed documents, making updates faster and more efficient.


Question 6

In a Retrieval-Augmented Generation (RAG) architecture, what is Azure AI Search primarily responsible for?

A. Training the language model

B. Retrieving relevant enterprise information

C. Managing user authentication

D. Creating Adaptive Cards

Answer: B

Explanation: Azure AI Search retrieves relevant enterprise content, which is then supplied to the language model to generate grounded responses.


Question 7

What is the primary benefit of using metadata fields such as department and region within an Azure AI Search index?

A. They reduce Azure subscription costs.

B. They automatically summarize documents.

C. They improve filtering and search precision.

D. They increase language model context length.

Answer: C

Explanation: Metadata enables filtering before retrieval, improving both relevance and performance.


Question 8

An organization wants users to retrieve only documents they are authorized to view. Which design principle should be implemented?

A. Chunking

B. Security trimming

C. Semantic ranking

D. Synonym mapping

Answer: B

Explanation: Security trimming ensures that search results respect user permissions and organizational access controls.


Question 9

What is the primary purpose of hybrid search in Azure AI Search?

A. To replace semantic search completely

B. To eliminate metadata requirements

C. To combine keyword, semantic, and vector search techniques for improved retrieval

D. To reduce the number of indexed documents

Answer: C

Explanation: Hybrid search leverages multiple retrieval techniques to maximize both precision and recall.


Question 10

A Copilot Studio agent consistently provides outdated answers even though the source documents have been updated. What should an administrator investigate first?

A. Whether the language model version has changed

B. Whether the Adaptive Card schema is valid

C. Whether the agent’s topic triggers are configured correctly

D. Whether the Azure AI Search index has been refreshed successfully

Answer: D

Explanation: Outdated responses commonly indicate that the search index has not been updated after changes to the source documents. Regular index refreshes or successful indexer runs are essential for maintaining current grounded responses.


Key Takeaways for the AB-620 Exam

  • Azure AI Search provides enterprise knowledge grounding for Copilot Studio agents.
  • Indexes store searchable representations of documents, not the original files.
  • Indexers synchronize data sources with search indexes.
  • Chunking, metadata, semantic ranking, and vector search all contribute to better retrieval quality.
  • Hybrid search is the preferred enterprise retrieval strategy in many scenarios.
  • Security trimming ensures users only retrieve authorized content.
  • Retrieval-Augmented Generation (RAG) combines Azure AI Search retrieval with Azure OpenAI generation to produce accurate, grounded responses.

Go to the AB-620 Exam Prep Hub main page

Manage variables (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Manage variables


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Variables are one of the most important concepts in Microsoft Copilot Studio. Nearly every conversational agent uses variables to remember information, make decisions, personalize responses, and exchange data with external systems.

Without variables, an agent would treat every interaction independently and would be unable to:

  • Remember a user’s name
  • Store selections from menus
  • Save outputs from connectors
  • Track conversation progress
  • Pass information between topics
  • Personalize responses
  • Send data to APIs
  • Process results from external systems

For the AB-620 exam, you should understand not only how to create variables, but also when to use different variable types, how variable scope works, and how variables interact with agent flows, topics, tools, and generative AI capabilities.


What Are Variables?

A variable is a named container that temporarily stores information while an agent is running.

Examples include:

  • Customer ID
  • Product number
  • Employee name
  • Order status
  • Current date
  • Selected department
  • API response
  • User’s preferred language

Instead of repeatedly asking the user for the same information, the agent stores the value in a variable.

Example:

User:

My name is Sarah.

The agent stores:

UserName = Sarah

Later:

Agent:

Welcome back Sarah.

The user only had to provide the information once.


Why Variables Matter

Variables enable agents to:

  • Remember information
  • Personalize conversations
  • Drive conditional logic
  • Control branching
  • Pass data to tools
  • Receive results from tools
  • Populate Adaptive Cards
  • Send API requests
  • Display API results
  • Maintain conversation state

Without variables:

  • Every question must be repeated
  • Personalization disappears
  • API integration becomes impossible
  • Automation cannot function

Variable Types in Copilot Studio

Several categories of variables exist.

1. Topic Variables

Topic variables exist only while a topic is executing.

Example:

OrderNumber

Used only inside:

Track Order Topic

When the topic ends, the variable is no longer available unless it is explicitly passed elsewhere.

Typical uses:

  • Temporary calculations
  • User responses
  • Branch decisions
  • Intermediate results

2. Global Variables

Global variables remain available throughout the entire conversation.

Example:

CustomerName

Captured once:

"What is your name?"

Available later in any topic.

Example:

Welcome back John.

Global variables are ideal for:

  • Customer information
  • Language preferences
  • Account type
  • Authentication status
  • User profile information

3. System Variables

System variables are automatically maintained by Copilot Studio.

Examples include information such as:

  • Conversation identifiers
  • Channel information
  • Locale
  • User context
  • Current activity metadata

These variables are generally read-only and provide information about the current conversation or environment.

Common uses include:

  • Detecting the communication channel
  • Language detection
  • Auditing
  • Logging
  • Conditional behavior

4. Custom Variables

Developers create custom variables whenever business-specific data must be stored.

Examples:

ReservationDate
PreferredHotel
CurrentDepartment
ShippingMethod

These represent business information unique to the application.


5. Environment Variables

Environment variables store configuration rather than conversation data.

Examples:

API URL
Database Name
Service Endpoint
Tenant ID

Benefits include:

  • Easier deployment
  • Different settings for Development/Test/Production
  • No hardcoded URLs
  • Easier maintenance

Creating Variables

Variables are commonly created automatically when:

  • Asking a question
  • Capturing user input
  • Calling a connector
  • Receiving API results
  • Executing Power Automate flows
  • Running prompts
  • Using generative nodes

Example:

Question:

Enter your employee number.

Save response as:

EmployeeID

The variable is automatically populated.


Initializing Variables

Sometimes a variable needs an initial value before it is used.

Examples:

RetryCount = 0
TotalCost = 0
ApprovalStatus = Pending

Initialization helps avoid errors caused by empty or undefined values.


Variable Scope

Scope determines where a variable can be accessed.

Two variables may have identical names but exist in different scopes.

Example:

Topic Variable:

OrderID

Available only within:

Track Order Topic

Global Variable:

CustomerName

Available everywhere.

Understanding scope is essential because it prevents accidental overwriting and ensures the correct data is available where needed.


Variable Lifetime

Variable lifetime refers to how long the variable exists.

Typical lifetimes include:

Temporary

Exists only during a single topic.

Example:

SelectedProduct

Conversation Lifetime

Exists throughout the conversation.

Example:

CustomerName

Persistent Configuration

Exists independently of conversations.

Example:

Environment Variable

Using Variables in Questions

A common workflow is:

Ask Question

Store Response

Use Variable

Example:

Agent:

What city are you visiting?

Store:

DestinationCity

Later:

Hotels in {DestinationCity}

This creates a personalized interaction.


Using Variables in Messages

Variables can personalize responses.

Example:

Instead of:

Welcome.

Use:

Welcome back {CustomerName}

Instead of:

Your order is ready.

Use:

Order {OrderNumber} is ready.

This significantly improves the user experience.


Variables in Conditions

Variables frequently control branching logic.

Example:

If MembershipLevel = Gold

Offer Premium Support

Else

Standard Support

Almost every decision node relies on variable values.


Passing Variables Between Topics

Large agents often contain multiple topics.

Example:

Authentication Topic

Stores

EmployeeID

Calls:

Benefits Topic

Instead of asking again, the EmployeeID variable is passed to the next topic.

Benefits include:

  • Better user experience
  • Less repetitive questioning
  • Consistent conversation flow
  • Faster interactions

Variables and Agent Flows

Agent flows frequently use variables as both inputs and outputs.

Example:

Input:

CustomerID

Agent Flow

Queries CRM

Output:

CustomerStatus

The topic then continues using the returned value.

This enables modular, reusable workflows.


Variables with Connectors

Connectors almost always require variables.

Example:

Input Variable:

TicketNumber

Connector:

Get Ticket

Output Variables:

Status
AssignedEngineer
Priority
ResolutionDate

These outputs can then drive the rest of the conversation.


Best Practices

Use meaningful names

Good:

CustomerID

Poor:

Var1

Initialize variables

Avoid null values by assigning defaults where appropriate.


Limit scope

Use topic variables when information does not need to persist beyond the current topic.


Reuse existing variables

Avoid asking users the same question multiple times if the information has already been collected.


Keep variable names consistent

Examples:

OrderNumber
CustomerID
ReservationDate

Avoid inconsistent naming conventions.


Validate user input

Before storing values:

  • Check format
  • Check range
  • Check required fields
  • Handle missing or invalid input

This reduces downstream errors.


Common Mistakes

Candidates should recognize these frequent pitfalls:

  • Using a topic variable when a global variable is needed.
  • Assuming variables persist after a topic ends.
  • Forgetting to initialize variables before use.
  • Overwriting important values accidentally.
  • Using unclear variable names.
  • Passing incorrect variables to connectors or APIs.
  • Not validating user input before storing it.
  • Creating unnecessary duplicate variables.

AB-620 Exam Tips

Remember these key points:

  • Variables enable personalization and conversation state.
  • Topic variables have limited scope.
  • Global variables persist across the conversation.
  • System variables provide built-in conversation metadata.
  • Environment variables are used for configuration rather than user conversation data.
  • Variables are commonly used with topics, agent flows, connectors, Adaptive Cards, prompts, and APIs.
  • Proper scope management improves maintainability and reduces errors.
  • Variables are fundamental to conditions, branching, automation, and integrations.

Quick Orientation Summary

In the topics above, you learned the fundamentals of variables, including variable types, scope, lifetime, initialization, and best practices.

In the topics below, we’ll explore advanced scenarios that are frequently tested on the AB-620 certification exam.


Variables in Conditional Logic

Variables are most commonly used to control the path of a conversation. Decision nodes evaluate variable values and determine which actions the agent should perform.

Example

The agent asks:

“What type of account do you have?”

The user’s response is stored in:

AccountType

Decision:

If AccountType = Premium

Then:

  • Display premium support options

Else:

  • Display standard support options

Conditions can evaluate:

  • Equality
  • Inequality
  • Greater than / less than
  • Contains
  • Begins with
  • Ends with
  • Is empty
  • Is not empty
  • Boolean values
  • Multiple combined conditions

Using Variables in Branching

Variables enable dynamic conversation paths.

Example:

OrderStatus

Possible values:

  • Pending
  • Processing
  • Shipped
  • Delivered
  • Cancelled

Each value sends the conversation to a different branch.

Without variables, every user would receive identical responses regardless of their order status.


Variables in Loops

Loops repeat actions until a condition changes.

Common scenarios include:

  • Re-prompting for invalid input
  • Asking multiple questions
  • Processing collections
  • Reviewing lists of items
  • Retry logic

Example:

RetryCount = RetryCount + 1

Continue looping while:

RetryCount < 3

After three failed attempts:

  • Escalate to a human agent
  • End the conversation
  • Offer alternative support

Variables in Generative AI Prompt Nodes

Variables frequently personalize AI-generated responses.

Instead of using a static prompt:

Summarize today's weather.

Use:

Summarize today's weather for {City}.

If:

City = Orlando

The prompt automatically becomes:

Summarize today's weather for Orlando.

This produces highly personalized AI responses.


Variables in Custom Prompts

Custom prompts often include multiple variables.

Example:

CustomerName
SubscriptionType
LastPurchase
OpenSupportTickets

Prompt:

Write a friendly support response for {CustomerName}. They have a {SubscriptionType} subscription. Their last purchase was {LastPurchase}. They currently have {OpenSupportTickets} open support tickets.

The AI response is tailored using the supplied variables.


Variables in Generative Answers

Generative Answers may also leverage variables to refine searches.

Example:

Instead of searching:

Vacation policy

Search:

Vacation policy for {Department}

If:

Department = Finance

The search becomes more specific, increasing the likelihood of returning relevant information.


Variables in Adaptive Cards

Adaptive Cards often display variable values.

Example:

Customer Name
Order Number
Balance Due
Delivery Date

The card dynamically renders current variable values.

Example:

FieldVariable
CustomerCustomerName
OrderOrderNumber
BalanceBalanceDue

As the variables change, the displayed information updates automatically.


Capturing Values from Adaptive Cards

Adaptive Cards are not limited to displaying information—they also collect user input.

Common inputs include:

  • Text
  • Dates
  • Numbers
  • Dropdown selections
  • Toggle switches
  • Choice sets

When submitted, each field is stored in a variable.

Example:

PreferredDate
DeliveryTime
PickupLocation

These variables become available to subsequent nodes in the topic.


Variables in Power Automate Flows

Agent flows frequently call Power Automate.

Variables are used as both inputs and outputs.

Example:

Input variables:

EmployeeID
Department

Flow:

Lookup Employee

Output variables:

ManagerName
VacationBalance
OfficeLocation

The conversation continues using the returned values.


Variables with Connectors

Most connectors require variable mapping.

Example:

Input:

CustomerID

Connector:

Dynamics 365 Customer Lookup

Output:

CustomerName
AccountStatus
SupportTier

Each output becomes a variable that can be referenced later.


Variables in HTTP Requests

Variables commonly populate REST API requests.

Example URL:

https://api.contoso.com/orders/{OrderNumber}

Instead of hardcoding:

12345

The agent inserts:

OrderNumber

making the request dynamic.


Variables in Request Headers

Variables can populate authentication headers.

Example:

Authorization:
Bearer {AccessToken}

This allows tokens obtained earlier in the conversation to authenticate later requests.


Variables in JSON Request Bodies

Example:

{
"customerId": "{CustomerID}",
"priority": "{Priority}",
"description": "{IssueDescription}"
}

Dynamic JSON payloads are common in enterprise integrations.


Variables from HTTP Responses

Responses often populate multiple variables.

Example response:

{
"status":"Processing",
"trackingNumber":"87456",
"estimatedDelivery":"Friday"
}

Mapped variables:

OrderStatus
TrackingNumber
EstimatedDelivery

The conversation can immediately use these values.


Variables in Child Agents

Child agents accept input variables.

Parent agent:

EmployeeID

Child agent:

Benefits Lookup

Output:

RemainingVacation

This approach promotes modular design and reuse.


Variables in Connected Agents

Connected agents exchange variables across agent boundaries.

Typical information exchanged:

  • Customer identifiers
  • Authentication status
  • Product IDs
  • Support ticket numbers
  • Appointment information

Passing variables eliminates unnecessary repeated questions.


Variable Naming Best Practices

Good examples:

CustomerID
EmployeeName
OrderStatus
SupportTicketNumber
PreferredLanguage

Poor examples:

Data1
Value
Temp
MyVariable
ABC

Meaningful names make debugging and maintenance easier.


Avoid Variable Duplication

Avoid creating multiple variables representing the same information.

Poor design:

CustID
Customer_ID
CustomerNumber
CID

Better:

CustomerID

Consistency improves readability and reduces errors.


Secure Handling of Variables

Variables may contain sensitive information.

Examples include:

  • Email addresses
  • Phone numbers
  • Employee IDs
  • Customer records
  • Authentication tokens
  • Financial information

Best practices include:

  • Store only necessary data.
  • Avoid exposing sensitive variables in messages.
  • Protect access tokens.
  • Limit variable scope whenever possible.
  • Follow organizational security policies.
  • Respect Microsoft Power Platform security controls.

Common Troubleshooting Scenarios

Variable is Empty

Possible causes:

  • User skipped the question.
  • Variable was never initialized.
  • API returned no value.
  • Incorrect mapping.

Solution:

  • Validate the variable before use.

Wrong Variable Used

Example:

Expected:

CustomerID

Used:

OrderID

Result:

Connector returns incorrect data.

Always verify mappings carefully.


Variable Lost Between Topics

Possible cause:

A topic variable was used when a global variable was required.

Solution:

Use a conversation-level variable or explicitly pass the value between topics.


Null API Responses

If an external API returns:

null

The variable should be checked before it is displayed.

Example:

Instead of:

Order shipped on {ShipDate}

Use:

If ShipDate is empty
Display:
Shipping information is not yet available.

Performance Considerations

Well-designed variable management improves performance.

Recommendations:

  • Minimize unnecessary variables.
  • Remove unused variables.
  • Avoid repeated API calls when values are already available.
  • Reuse previously retrieved information.
  • Keep conversations efficient.

Exam Tips

Remember these important concepts for the AB-620 exam:

  • Variables drive nearly every dynamic conversation.
  • Decision nodes depend on variable values.
  • Loops often update variables during execution.
  • Adaptive Cards both display and collect variables.
  • Power Automate flows receive and return variables.
  • REST APIs consume variables in URLs, headers, and JSON bodies.
  • Child agents exchange information through input and output variables.
  • Variables should have meaningful names.
  • Scope determines where variables are available.
  • Secure handling of sensitive variables is essential.

Practice Exam Questions

Question 1

An agent collects a customer’s account number and needs to use it throughout several topics during the same conversation. Which type of variable is most appropriate?

A. Topic variable

B. Environment variable

C. Global (conversation) variable

D. System variable

Correct Answer: C

Explanation: Conversation-level (global) variables remain available across multiple topics during a conversation, making them ideal for information that must be reused.


Question 2

A developer needs to repeatedly ask a user for a valid email address until the format is correct. Which feature relies on variables to accomplish this?

A. Loop with a retry counter

B. Adaptive Card image

C. Environment variable

D. Knowledge source

Correct Answer: A

Explanation: Retry loops typically use a counter variable and validation logic to determine whether another attempt should occur.


Question 3

Which scenario is the best example of using variables inside a custom AI prompt?

A. Displaying a static welcome message

B. Showing the agent logo

C. Sending a prompt that includes the customer’s purchase history

D. Changing the conversation language manually

Correct Answer: C

Explanation: Variables personalize AI prompts by injecting dynamic business information into the prompt.


Question 4

An HTTP request needs to retrieve order information for whichever order the user specifies. What should be placed in the request URL?

A. A hardcoded order number

B. The API documentation

C. An environment variable containing the API version

D. A variable containing the selected order number

Correct Answer: D

Explanation: Dynamic API requests use variables to insert values collected during the conversation.


Question 5

An Adaptive Card contains text boxes for Name, Phone Number, and Email Address. What happens after the user submits the card?

A. The values automatically become available as variables.

B. The conversation immediately ends.

C. The variables become environment variables.

D. The card is deleted permanently.

Correct Answer: A

Explanation: Adaptive Card input controls capture user responses, which are stored as variables for later use.


Question 6

Why should developers avoid creating multiple variables for the same piece of information?

A. It increases API speed.

B. It reduces storage costs.

C. It improves maintainability and reduces confusion.

D. It encrypts the data automatically.

Correct Answer: C

Explanation: Consistent variable naming reduces errors and simplifies maintenance.


Question 7

Which information should generally receive additional protection when stored in variables?

A. Conversation greeting

B. Authentication tokens

C. Agent display name

D. Static instructions

Correct Answer: B

Explanation: Access tokens and other credentials are sensitive information and should be handled securely.


Question 8

A connector returns a customer’s membership level. What is the primary purpose of storing this value in a variable?

A. To reduce the size of the connector

B. To replace system variables

C. To personalize future conversation decisions

D. To generate environment variables

Correct Answer: C

Explanation: Connector outputs are commonly stored in variables so they can be used in conditions, messages, and subsequent actions.


Question 9

A developer notices that a variable is unavailable after switching to another topic. What is the most likely cause?

A. The variable exceeded its maximum length.

B. The variable was encrypted.

C. The connector failed.

D. The variable was created with topic scope instead of conversation scope.

Correct Answer: D

Explanation: Topic variables exist only within their originating topic unless their values are explicitly passed or stored in conversation-level variables.


Question 10

What is one of the primary benefits of passing variables to child agents?

A. Child agents become system variables.

B. Variables are automatically persisted forever.

C. Child agents can perform specialized work without asking the user for the same information again.

D. Variables are converted into knowledge sources.

Correct Answer: C

Explanation: Passing variables between parent and child agents improves modularity and creates a smoother user experience by avoiding duplicate prompts.


Key Takeaways

For the AB-620 exam, remember that variables are the foundation of dynamic, intelligent conversations in Copilot Studio. You should be comfortable with:

  • Creating, initializing, and managing variables.
  • Understanding topic, conversation, system, and environment variable scopes.
  • Using variables in conditions, loops, Adaptive Cards, prompts, connectors, agent flows, and REST APIs.
  • Passing variables between topics, parent agents, and child agents.
  • Applying naming conventions, security practices, and troubleshooting techniques.
  • Recognizing when conversation-level variables are more appropriate than topic-level variables in multi-topic agent solutions.

Go to the AB-620 Exam Prep Hub main page

Configure adaptive cards (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure adaptive cards


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

What Are Adaptive Cards in Copilot Studio?

Adaptive Cards are a structured way to present rich, interactive UI elements inside a Copilot Studio agent conversation. Instead of plain text responses, they allow agents to display:

  • Forms
  • Tables
  • Images
  • Buttons
  • Structured data
  • Input controls

They are defined using JSON schema and rendered consistently across channels such as Microsoft Teams, web chat, and other supported interfaces.

In Copilot Studio, Adaptive Cards are commonly used when you need more than conversational text, especially when collecting structured input or displaying business data.


Why Adaptive Cards Are Used

Adaptive Cards help bridge the gap between conversation and application UI.

Key reasons they are used:

  • Improve user experience with structured layouts
  • Reduce conversational back-and-forth
  • Collect multiple inputs in a single interaction
  • Display data in a visually organized way
  • Enable guided actions (buttons, choices, forms)
  • Support enterprise-grade workflows inside chat

Core Structure of an Adaptive Card

An Adaptive Card is composed of three main layers:

1. Schema Version

Defines compatibility.

"version": "1.5"

2. Body

Contains visual and input elements.

Examples:

  • TextBlock
  • Image
  • Input.Text
  • Input.ChoiceSet
  • Container

3. Actions

Defines what the user can do.

Examples:

  • Submit
  • OpenUrl
  • Execute (in some advanced scenarios)

Common Adaptive Card Elements

TextBlock

Used to display text content.

  • Titles
  • Instructions
  • Labels

Input.Text

Captures free-text user input.

Example use:

  • Name
  • Email
  • Description

Input.ChoiceSet

Used for dropdowns, radio buttons, or multi-select.

Example:

  • Department selection
  • Product category
  • Priority level

Image

Displays visual content such as logos or product images.

Action.Submit

Sends user input back to the agent.


Adding Adaptive Cards in Copilot Studio Topics

In Copilot Studio, Adaptive Cards are typically added inside a topic node.

Basic Flow:

  1. User triggers topic
  2. Agent displays Adaptive Card
  3. User completes form/input
  4. Data is returned to variables
  5. Topic continues logic flow

Typical Configuration Steps

Step 1: Add a “Ask with Adaptive Card” node

This node renders the card inside the conversation.


Step 2: Define or paste Adaptive Card JSON

You either:

  • Paste a prebuilt JSON schema
  • Or build via Copilot Studio editor

Step 3: Map outputs to variables

Each input field is mapped to:

  • Topic variables
  • Conversation variables
  • Global variables (if needed)

Example mapping:

  • Input.TextuserEmail
  • ChoiceSetdepartmentSelection

Step 4: Use collected data in workflow

Once captured, data can be used for:

  • Power Automate flows
  • API calls
  • Conditional branching
  • Database updates

Dynamic Adaptive Cards

Adaptive Cards in Copilot Studio can include dynamic values using variables.

Example:

{
"type": "TextBlock",
"text": "Hello {{userName}}"
}

This allows personalization such as:

  • Greeting users
  • Displaying previous answers
  • Showing context-aware content

Common Use Cases in Enterprise Scenarios

1. IT Service Desk

  • Ticket submission forms
  • Incident categorization
  • Priority selection

2. HR Assistants

  • Leave request forms
  • Benefits selection
  • Onboarding checklists

3. Customer Support

  • Case creation
  • Product selection
  • Feedback forms

4. Internal Tools

  • Approval requests
  • Data entry workflows
  • Status updates

Design Principles for Adaptive Cards

1. Keep It Simple

Avoid overly complex layouts. Cards should be easy to complete.

2. Minimize Inputs

Only ask for required data.

3. Group Related Fields

Use containers to logically organize inputs.

4. Provide Clear Labels

Ensure users understand what is being asked.

5. Use Defaults Where Possible

Pre-fill known values to reduce effort.


Accessibility Considerations

Adaptive Cards should:

  • Use readable font sizes
  • Maintain high contrast
  • Avoid overly dense layouts
  • Provide clear instructions
  • Ensure keyboard navigation support (where applicable)

Adaptive Cards vs Regular Messages

FeatureAdaptive CardsText Messages
Structured inputYesNo
UI componentsYesNo
Data collectionHigh efficiencyManual parsing
Visual layoutRichLimited
Use caseForms, workflowsSimple responses

Common Mistakes

1. Overcomplicating cards

Too many fields reduce completion rates.

2. Not mapping variables correctly

Results in missing or unusable data.

3. Ignoring validation

Leads to bad or incomplete inputs.

4. Using cards for simple responses

Text is better for simple answers.

5. Forgetting fallback handling

If card fails, conversation should continue gracefully.


When NOT to Use Adaptive Cards

Avoid Adaptive Cards when:

  • Only a simple answer is needed
  • No user input is required
  • The response is purely informational
  • A generative answer is more appropriate

Exam Tips (AB-620)

For the exam, focus on these key ideas:

  • Adaptive Cards are JSON-based UI components
  • They are used for structured interaction
  • Inputs map to variables in Copilot Studio
  • They are commonly used in topics, not generative answers
  • They support buttons, inputs, and rich formatting
  • They reduce conversational complexity
  • They are best for business process interactions
  • They integrate with Power Automate and APIs
  • They improve user experience in enterprise workflows
  • They are not meant for free-form conversation

Advanced Adaptive Card Capabilities in Copilot Studio

Once you understand the basics of Adaptive Cards, the exam expects you to recognize how they behave in real enterprise-grade agent solutions, especially when combined with:

  • Variables
  • Power Automate flows
  • API calls
  • Topics
  • Generative answers (hybrid patterns)
  • Conditional logic

1. Using Variables Inside Adaptive Cards

Adaptive Cards in Copilot Studio support dynamic content through variables.

Example use cases:

  • Personalized greetings
  • Pre-filled form fields
  • Context-aware instructions

Example:

{
"type": "TextBlock",
"text": "Welcome {{userName}}, please confirm your request."
}

Key concept:

Variables are resolved at runtime and injected into the card before rendering.


2. Capturing and Returning Structured Input

Adaptive Cards are powerful because they return structured outputs, not just text.

Example mapping:

Card FieldCopilot Studio Variable
Input.Text (Email)userEmail
ChoiceSet (Department)selectedDepartment
Date InputrequestDate

Once submitted:

  • Values are stored in topic variables
  • Used in downstream logic (flows, APIs, conditions)

3. Adaptive Cards + Power Automate Integration

One of the most common enterprise patterns.

Flow:

  1. User completes Adaptive Card
  2. Data is stored in variables
  3. Topic calls Power Automate flow
  4. Flow processes data (e.g., create ticket, update record)
  5. Response returned to agent

Example use cases:

  • ServiceNow ticket creation
  • HR leave approval
  • CRM record updates
  • Order processing

4. Conditional Rendering (Dynamic Card Behavior)

Adaptive Cards can change based on:

  • User role
  • Prior answers
  • System state
  • Variables

Example pattern:

  • If user = “IT Admin” → show advanced options
  • If user = “Employee” → show simplified form

This is handled using:

  • Topic logic before rendering
  • Variable-based branching

5. Error Handling in Adaptive Cards

Adaptive Cards themselves do not “handle errors,” but Copilot Studio manages:

Common strategies:

  • Validation before submission
  • Required field enforcement
  • Re-prompting user on invalid input
  • Fallback to text input

Example:

If API fails after submission:

  • Show error message
  • Ask user to retry
  • Log failure in monitoring system

6. Adaptive Cards vs Power Fx Expressions

Adaptive Cards:

  • Define UI structure
  • Collect input
  • Render visuals

Power Fx:

  • Used for logic and expressions in Copilot Studio
  • Helps transform or validate values

Example:

  • Validate email format before submission
  • Compute derived values (e.g., priority level)

7. Security and Data Sensitivity

Adaptive Cards often collect sensitive data.

Important considerations:

  • Do not expose secrets in card JSON
  • Use secured variables
  • Avoid displaying sensitive backend values
  • Ensure compliance with organizational policies

8. Performance Considerations

Poorly designed cards can impact user experience.

Best practices:

  • Keep JSON lightweight
  • Avoid unnecessary images
  • Limit number of inputs per card
  • Reduce nested containers
  • Avoid overly large payloads

9. Multi-Step Adaptive Card Workflows

Instead of one large card:

Break into steps:

  1. Basic information card
  2. Detail collection card
  3. Confirmation card

Benefits:

  • Better usability
  • Lower abandonment rate
  • Cleaner logic flow

10. Common Enterprise Patterns

Pattern 1: Service Request Intake

  • Collect issue type
  • Collect urgency
  • Collect description
  • Submit to ticket system

Pattern 2: HR Onboarding

  • Employee details
  • Role selection
  • Equipment request
  • Manager approval trigger

Pattern 3: Customer Feedback

  • Rating selection
  • Comments input
  • Submit to CRM

Pattern 4: Approval Workflow

  • Request details
  • Approver selection
  • Approval action buttons

Common Pitfalls (Exam Focus)

  • Overusing Adaptive Cards for simple text responses
  • Missing variable mapping after submission
  • Not validating required fields
  • Ignoring fallback conversation design
  • Creating overly complex card layouts
  • Not considering user accessibility

Exam Tips (AB-620)

Key things to remember:

  • Adaptive Cards = structured UI in JSON format
  • Used inside Topics (not generative answers directly)
  • Inputs map to Copilot Studio variables
  • Frequently combined with Power Automate flows
  • Support dynamic content using variables
  • Better for structured workflows than free-form chat
  • Can be used for enterprise forms and approvals
  • Improve UX by reducing conversational steps
  • Should be simple, focused, and task-oriented
  • Often part of hybrid agent designs

Practice Exam Questions


Question 1

An agent needs to collect multiple fields (name, department, and request type) in a single interaction.

What should be used?

A. Generative Answers node
B. Topic variables only
C. Adaptive Card with input controls
D. Conversation summary node

Answer: C

Explanation: Adaptive Cards allow structured multi-field input in a single UI interaction.


Question 2

What is the primary format used to define Adaptive Cards?

A. YAML
B. XML
C. Markdown
D. JSON schema

Answer: D

Explanation: Adaptive Cards are defined using JSON.


Question 3

A developer wants to pass user input from an Adaptive Card into a Power Automate flow.

What is required?

A. Direct API call from card
B. Manual email parsing
C. Mapping card inputs to variables first
D. Using generative responses

Answer: C

Explanation: Inputs must be stored in variables before being passed to flows or connectors.


Question 4

Which component of an Adaptive Card defines user actions like Submit or Open URL?

A. Body
B. Schema
C. Variables
D. Actions

Answer: D

Explanation: Actions define what happens when a user interacts with the card.


Question 5

What is a best practice when designing Adaptive Cards?

A. Include as many fields as possible
B. Use nested loops in JSON
C. Avoid using variables
D. Keep the card simple and focused

Answer: D

Explanation: Simpler cards improve usability and completion rates.


Question 6

Which Copilot Studio feature is MOST commonly used with Adaptive Cards for automation?

A. Dataverse triggers
B. Azure DevOps pipelines
C. Power Automate flows
D. Azure Functions only

Answer: C

Explanation: Power Automate is commonly used to process data collected from Adaptive Cards.


Question 7

A developer wants to personalize an Adaptive Card with the user’s name.

What should be used?

A. Hardcoded values
B. Static JSON only
C. API gateway
D. Variables inside the card template

Answer: D

Explanation: Variables allow dynamic content insertion at runtime.


Question 8

What happens when a user submits an Adaptive Card in Copilot Studio?

A. The card is deleted permanently
B. A new topic is created automatically
C. The agent restarts
D. Input values are stored in mapped variables

Answer: D

Explanation: Submitted values are captured in Copilot Studio variables for use in the conversation flow.


Question 9

Which scenario is NOT suitable for Adaptive Cards?

A. Collecting structured form data
B. Displaying service request forms
C. Showing multiple input fields
D. Answering a simple factual question

Answer: D

Explanation: Simple questions are better handled by text or generative answers.


Question 10

What is the main advantage of Adaptive Cards over plain text responses?

A. Faster deployment pipelines
B. Reduced licensing cost
C. Structured data collection and richer UI interaction
D. Automatic AI training

Answer: C

Explanation: Adaptive Cards provide structured input and rich UI elements, improving interaction quality.


Go to the AB-620 Exam Prep Hub main page

Configure advanced agent responses with API and Send HTTP requests (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure advanced agent responses with API and Send HTTP requests


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most powerful capabilities of Microsoft Copilot Studio is the ability to extend an agent beyond conversational AI. While generative AI enables agents to answer questions from knowledge sources, enterprise agents frequently need to retrieve live information, update business systems, trigger workflows, or communicate with applications that exist outside Microsoft 365.

This is accomplished through APIs (Application Programming Interfaces) and HTTP requests.

For the AB-620 exam, you should understand not only how to configure HTTP requests within Copilot Studio, but also when they should be used, how they are secured, how data flows through requests and responses, and how these capabilities support enterprise-grade AI agents.


Learning Objectives

After studying this topic, you should be able to:

  • Explain why APIs are important in enterprise AI agents.
  • Understand the HTTP communication model.
  • Differentiate HTTP request methods.
  • Configure HTTP requests in Copilot Studio.
  • Pass parameters to external services.
  • Authenticate API requests.
  • Parse API responses.
  • Use returned data within agent conversations.
  • Recognize best practices for secure integrations.

Why Use APIs in Copilot Studio?

Generative AI can answer questions based on available knowledge.

However, business processes usually require interaction with systems that contain live operational data.

Examples include:

  • CRM systems
  • ERP systems
  • HR applications
  • Inventory systems
  • Financial systems
  • Ticketing systems
  • Booking systems
  • Custom business applications
  • Third-party SaaS platforms

Rather than simply answering questions, an agent can:

  • Retrieve customer account information
  • Create service tickets
  • Update CRM records
  • Submit purchase requests
  • Check inventory
  • Reserve meeting rooms
  • Retrieve shipping status
  • Submit vacation requests
  • Trigger approval workflows

This transforms the agent from an information assistant into an intelligent business application.


When to Use HTTP Requests

Microsoft Copilot Studio supports several methods of integrating external systems.

These include:

  • Microsoft Power Platform connectors
  • REST APIs
  • Custom connectors
  • Agent tools
  • Microsoft Graph
  • Azure services

HTTP requests are typically used when:

  • No prebuilt connector exists.
  • A custom application exposes a REST API.
  • You need full control over requests.
  • The API supports operations unavailable through existing connectors.
  • You need to communicate directly with enterprise services.

What is an API?

An Application Programming Interface (API) allows one application to communicate with another.

Instead of manually opening software and entering information, software applications exchange data automatically.

Example:

A user asks:

“What is the shipping status of Order 48291?”

Instead of searching documents:

The agent:

  1. Calls the shipping API.
  2. Sends Order ID 48291.
  3. Receives current shipping information.
  4. Formats the response.
  5. Displays it to the user.

The user experiences a natural conversation while the agent communicates with backend systems.


REST APIs

Most modern enterprise systems expose REST APIs.

REST (Representational State Transfer) is an architectural style for web services.

REST APIs typically use:

  • HTTP
  • URLs
  • JSON
  • Standard HTTP methods

Example endpoint:

https://company.com/api/customers/1052

The agent sends an HTTP request.

The service returns JSON.


HTTP Fundamentals

HTTP is the communication protocol used by browsers, websites, cloud services, and APIs.

Every HTTP request contains:

  • URL
  • Method
  • Headers
  • Parameters
  • Body (optional)

The server then returns:

  • Status code
  • Headers
  • Response body

Anatomy of an HTTP Request

Example:

GET https://api.company.com/orders/48291

Headers

Authorization: Bearer token
Accept: application/json

Response

{
"OrderNumber":"48291",
"Status":"Shipped",
"Carrier":"UPS"
}

The agent can extract these values and use them during the conversation.


HTTP Methods

Understanding HTTP methods is important for the AB-620 exam.

GET

Retrieves information.

Example:

Get customer details

No data is modified.

Examples:

  • Get customer profile
  • Get inventory
  • Get weather
  • Get shipping status

Safe operation.


POST

Creates new information.

Examples:

  • Create support ticket
  • Submit expense report
  • Create employee record

Example request:

POST /tickets

Body:

{
"Priority":"High",
"Description":"Printer not working"
}

PUT

Replaces an existing resource.

Example:

Update the complete employee record.

Entire object is replaced.


PATCH

Updates part of a resource.

Example:

Only update:

Customer Phone Number

instead of replacing the entire customer record.

PATCH is generally more efficient than PUT for partial updates.


DELETE

Removes a resource.

Example:

Delete reservation.

Delete temporary record.

Delete shopping cart.

Because DELETE permanently removes data, organizations often restrict access.


URL Components

Understanding URL structure is important.

Example:

https://api.company.com/customers/1052/orders?year=2025

Breakdown:

Protocol

https

Host

api.company.com

Resource

customers

Path Parameter

1052

Subresource

orders

Query Parameter

year=2025

Path Parameters

Path parameters identify a specific resource.

Example

/customers/1052

Customer ID

1052

is embedded within the URL.

Often used for:

  • Employee ID
  • Customer ID
  • Product ID
  • Ticket ID

Query Parameters

Query parameters filter information.

Example

/orders?status=Open

Another example

/products?category=Laptops

Query parameters are optional and do not change the endpoint itself.


HTTP Headers

Headers provide metadata about the request.

Common headers include:

Authorization

Bearer Token

Accept

application/json

Content-Type

application/json

User-Agent

Application identification.

Custom headers

Many enterprise APIs require organization-specific headers.


Request Body

GET requests usually do not include a request body.

POST, PUT, and PATCH commonly include one.

Example

{
"EmployeeID":102,
"Department":"Finance"
}

The body contains the information being submitted.


JSON

Most APIs communicate using JSON.

Example

{
"CustomerID": 1052,
"Name": "John Smith",
"Status": "Gold",
"RewardPoints": 8400
}

The agent can retrieve individual values such as:

  • Name
  • Status
  • RewardPoints

and include them in responses.


Authentication

Most enterprise APIs require authentication.

Without authentication:

The request is rejected.

Authentication verifies:

  • Who is calling
  • Whether permission exists
  • Which resources are accessible

Common Authentication Methods

API Keys

Simple authentication method.

Example

x-api-key:

Advantages:

  • Easy

Disadvantages:

  • Less secure
  • Key management required

OAuth 2.0

Most Microsoft services use OAuth.

Workflow:

User authenticates.

Identity provider issues access token.

Agent sends Bearer token.

API validates token.

Request proceeds.

OAuth supports:

  • Delegated permissions
  • Application permissions
  • Token expiration
  • Refresh tokens

It is considered the enterprise standard.


Microsoft Entra ID

Many enterprise APIs authenticate through Microsoft Entra ID.

Benefits include:

  • Centralized identity
  • Role-based access
  • Conditional Access
  • Multifactor Authentication
  • Secure token management

This is the preferred authentication mechanism for Microsoft enterprise environments.


Configuring HTTP Requests in Copilot Studio

Within Copilot Studio, HTTP requests can be configured as actions or tools that execute during conversations.

A typical configuration includes:

  1. Define the endpoint URL.
  2. Select the HTTP method.
  3. Configure authentication.
  4. Add headers.
  5. Add parameters.
  6. Configure the request body if needed.
  7. Send the request.
  8. Capture the response.
  9. Store returned values in variables.
  10. Continue the conversation using the returned data.

Passing Dynamic Values

Most APIs require information supplied by the user.

Example:

User says:

“Check order 84592.”

The conversation stores:

OrderID = 84592

The HTTP request inserts that variable into:

https://api.company.com/orders/84592

instead of using a hardcoded value.

Dynamic parameters make APIs reusable across conversations.


Using Responses in Conversations

After receiving JSON, Copilot Studio can:

  • Store values
  • Display values
  • Evaluate conditions
  • Pass values into other actions
  • Use values inside prompts
  • Populate Adaptive Cards
  • Trigger additional API calls

Example:

API returns:

{
"Status":"Delivered",
"Carrier":"FedEx",
"Date":"2026-06-14"
}

The agent responds:

“Your package was delivered on June 14 by FedEx.”

The user never sees the underlying API call.


Best Practices

When designing HTTP integrations:

  • Prefer HTTPS over HTTP.
  • Never hard-code secrets.
  • Use secure authentication mechanisms.
  • Validate user input before sending requests.
  • Minimize the amount of sensitive data transmitted.
  • Return only information required by the conversation.
  • Reuse existing connectors when appropriate instead of creating unnecessary custom integrations.
  • Document API endpoints and expected responses.
  • Test APIs independently before integrating them into an agent.
  • Design requests to be idempotent where appropriate, particularly for update operations.

Exam Tips

For the AB-620 exam, remember the following:

  • REST APIs are the primary mechanism for integrating enterprise systems.
  • HTTP requests enable agents to retrieve live data and perform actions.
  • GET retrieves data, POST creates data, PUT replaces data, PATCH partially updates data, and DELETE removes data.
  • Authentication is typically performed using OAuth 2.0 or Microsoft Entra ID in enterprise environments.
  • JSON is the most common format for request and response payloads.
  • Dynamic variables collected during conversations are frequently inserted into URLs, query parameters, headers, or request bodies.
  • Agent responses are generated by parsing API responses and presenting the returned data in a conversational format.
  • Security, authentication, and proper handling of API responses are core skills emphasized throughout the AB-620 exam.

Quick Orientation Summary

In the topics above, you learned the fundamentals of using APIs and HTTP requests in Microsoft Copilot Studio, including REST principles, HTTP methods, authentication, request construction, and response handling.

In the next set of topics below, we will build upon that foundation by exploring advanced implementation techniques, enterprise design patterns, security considerations, performance optimization, and common exam scenarios.


Advanced HTTP Integration Patterns

Enterprise AI agents rarely execute a single API call. Instead, they often perform multiple requests, make decisions based on returned data, and coordinate actions across several systems.

Common integration patterns include:

  • Sequential API requests
  • Conditional API execution
  • Parallel data retrieval
  • Data enrichment
  • Multi-system orchestration
  • Event-driven integrations

These patterns allow an agent to perform sophisticated business processes while maintaining a natural conversational experience.


Sequential API Calls

Sometimes one API request provides information needed by another request.

Example:

User asks:

“Show me all orders for customer John Smith.”

Workflow:

  1. Search Customers API
  2. Retrieve Customer ID
  3. Pass Customer ID to Orders API
  4. Retrieve order list
  5. Present results

Example flow:

User Question
Search Customer API
Customer ID Returned
Retrieve Orders API
Return Orders

This pattern is common in CRM and ERP integrations.


Conditional API Execution

An agent may determine whether another API call is necessary.

Example:

Get Order Status
Delivered?
/ \
Yes No
↓ ↓
End Call Shipping API

Conditional execution reduces unnecessary API calls while improving performance.


Data Enrichment

Multiple systems often contain complementary information.

Example:

CRM:

  • Customer name
  • Email

ERP:

  • Orders

Shipping system:

  • Tracking

The agent combines all three into one response.

Example:

Customer: John Smith
Gold Member
Last Order: June 10
Tracking Number: 874623

The user experiences a single conversation despite multiple backend requests.


Working with JSON Responses

Most enterprise APIs return JSON.

Example:

{
"customer": {
"id": 125,
"name": "John Smith",
"status": "Gold",
"orders": [
{
"number": 4521,
"total": 275
},
{
"number": 4528,
"total": 118
}
]
}
}

The agent may extract:

  • customer.name
  • customer.status
  • orders[0].number
  • orders[1].total

Understanding nested JSON structures is valuable for the exam.


Mapping JSON to Variables

Returned values are commonly stored as variables.

Example:

CustomerName
John Smith
MembershipStatus
Gold
RewardPoints
12450

These variables can later be referenced in prompts, Adaptive Cards, conditions, or additional HTTP requests.


Chaining Multiple Requests

Many business processes require several connected API operations.

Example:

Vacation request:

Employee submits request
Retrieve manager
Check leave balance
Create approval
Notify manager
Update HR system

Each step may involve a separate HTTP request.


Long-Running Operations

Some APIs require time to complete.

Examples include:

  • AI document analysis
  • Video processing
  • Image generation
  • Data exports
  • Large database operations

Typical workflow:

Submit Job
Receive Job ID
Check Status API
Completed?
Retrieve Results

This polling pattern is common in cloud services.


HTTP Status Codes

Understanding status codes is essential.

200 OK

The request completed successfully.


201 Created

A new resource was successfully created.

Example:

Create support ticket.


202 Accepted

The request has been accepted but processing continues.

Often used for asynchronous operations.


204 No Content

The operation succeeded without returning data.

Common with DELETE requests.


400 Bad Request

The request is invalid.

Possible causes:

  • Missing fields
  • Invalid parameters
  • Incorrect formatting

401 Unauthorized

Authentication failed.

Usually indicates:

  • Invalid token
  • Expired token
  • Missing credentials

403 Forbidden

Authentication succeeded.

Permission is denied.

Example:

User lacks required role.


404 Not Found

Requested resource does not exist.


429 Too Many Requests

Rate limit exceeded.

Clients should wait before retrying.


500 Internal Server Error

Unexpected server failure.

Retry may succeed later.


Error Handling Strategies

Good enterprise agents never expose raw API errors directly to users.

Poor response:

Error 500.

Better response:

“The customer database is temporarily unavailable. Please try again in a few minutes.”

The technical details should be logged while presenting a friendly message.


Retry Logic

Temporary failures should not always terminate a conversation.

Good candidates for retries:

  • Network timeout
  • Temporary server outage
  • HTTP 429
  • HTTP 503

Poor candidates:

  • Invalid credentials
  • Missing permissions
  • Incorrect request format

Retry strategies typically use exponential backoff to reduce server load.


Timeouts

Every HTTP request should define an appropriate timeout.

Without one:

  • Conversations may hang.
  • User experience suffers.
  • Resources remain occupied.

Enterprise solutions balance responsiveness with backend processing time.


Logging

Successful enterprise solutions record important execution details.

Typical information includes:

  • Timestamp
  • Endpoint
  • Status code
  • Duration
  • User ID (when appropriate)
  • Correlation ID
  • Request outcome

Sensitive information such as passwords or tokens should never be logged.


Security Best Practices

For the AB-620 exam, security is heavily emphasized.

Recommended practices include:

  • Always use HTTPS.
  • Store secrets securely.
  • Use OAuth or Microsoft Entra ID whenever possible.
  • Implement least-privilege access.
  • Validate all user input.
  • Sanitize request data.
  • Encrypt sensitive information.
  • Rotate credentials regularly.
  • Monitor API usage.
  • Audit access to critical resources.

Protecting Sensitive Information

Avoid exposing:

  • Passwords
  • Tokens
  • API keys
  • Internal URLs
  • Database identifiers
  • Personally identifiable information (PII)

Agents should display only the information users are authorized to see.


Rate Limiting

External APIs often restrict request volume.

Example:

500 requests/hour

If exceeded:

HTTP 429

Design strategies include:

  • Request batching
  • Caching
  • Retry delays
  • Limiting unnecessary calls

Performance Optimization

Well-designed agents minimize latency.

Optimization techniques include:

  • Reuse previously retrieved information.
  • Avoid duplicate API calls.
  • Cache frequently requested data.
  • Request only required fields.
  • Combine related operations when supported.
  • Minimize payload sizes.
  • Execute independent requests in parallel where appropriate.

Choosing Between Connectors and HTTP Requests

In Copilot Studio, both connectors and HTTP requests provide integration capabilities.

Use Connectors WhenUse HTTP Requests When
Microsoft provides a supported connectorNo connector exists
Standard authentication is sufficientFull control over requests is required
Low-code development is preferredCustom APIs must be accessed
Minimal maintenance is desiredSpecialized API features are needed
Enterprise governance favors managed connectorsAdvanced REST functionality is required

The exam may ask you to choose the most appropriate integration method.


Common Enterprise Scenarios

Customer Support

  • Retrieve account
  • Create ticket
  • Update ticket
  • Escalate issue

Sales

  • Search CRM
  • Retrieve opportunities
  • Update customer records
  • Generate quotes

Human Resources

  • Vacation requests
  • Employee lookup
  • Benefits information
  • Payroll inquiries

Finance

  • Expense submission
  • Invoice lookup
  • Budget approval
  • Payment status

IT Help Desk

  • Password reset
  • Device lookup
  • Software requests
  • Incident management

Common Exam Pitfalls

Watch for these common mistakes:

  • Using POST when GET is appropriate.
  • Sending sensitive information in URLs instead of secure request bodies or headers.
  • Hard-coding API keys.
  • Ignoring authentication requirements.
  • Assuming every successful request returns HTTP 200 (201, 202, and 204 are also successful responses).
  • Failing to validate user input before making API calls.
  • Displaying raw server errors to users.
  • Using HTTP requests when an existing connector is the better choice.
  • Not accounting for rate limits or transient failures.
  • Returning more data than necessary, increasing security and performance risks.

AB-620 Exam Tips

Remember these key points:

  • APIs enable agents to interact with live enterprise systems.
  • REST and JSON are the dominant standards for enterprise integrations.
  • OAuth 2.0 and Microsoft Entra ID are preferred authentication methods.
  • Understand the purpose of each HTTP method.
  • Differentiate client errors (4xx) from server errors (5xx).
  • Design secure, maintainable, and reusable integrations.
  • Handle failures gracefully with retries where appropriate.
  • Protect sensitive information throughout the integration process.
  • Choose connectors when possible and HTTP requests when customization is required.

Topic Summary

An enterprise Copilot Studio agent becomes significantly more powerful when it can communicate with external systems through APIs and HTTP requests. By combining conversational AI with secure integrations, organizations can automate business processes, retrieve live operational data, and perform transactions across enterprise applications.

For the AB-620 exam, focus on understanding the complete lifecycle of an HTTP request, authentication mechanisms, JSON handling, response processing, error handling, and secure integration design. These concepts are foundational to designing enterprise-grade AI agent solutions.


Practice Exam Questions

Question 1

A Copilot Studio agent must retrieve a customer’s current loyalty points without modifying any data. Which HTTP method should be used?

A. POST

B. GET

C. PATCH

D. DELETE

Answer: B

Explanation: GET is used to retrieve information without modifying server-side resources.


Question 2

An API returns HTTP status code 401 Unauthorized. What is the most likely cause?

A. The requested resource does not exist.

B. The request exceeded the rate limit.

C. Authentication credentials are missing or invalid.

D. The request completed successfully.

Answer: C

Explanation: A 401 status indicates that authentication failed because valid credentials were not provided or have expired.


Question 3

A developer needs to update only a customer’s phone number. Which HTTP method is most appropriate?

A. PUT

B. POST

C. PATCH

D. GET

Answer: C

Explanation: PATCH performs partial updates, making it ideal for modifying a single property without replacing the entire resource.


Question 4

Which authentication mechanism is recommended for securing enterprise APIs integrated with Microsoft Copilot Studio?

A. Anonymous authentication

B. Basic authentication using hardcoded credentials

C. OAuth 2.0 with Microsoft Entra ID

D. Query string authentication

Answer: C

Explanation: OAuth 2.0 integrated with Microsoft Entra ID provides secure, token-based authentication and centralized identity management.


Question 5

An agent receives the following response:

{
"Status":"Approved",
"Manager":"Karen Lee"
}

What should the agent do next?

A. Ignore the response.

B. Store the values in variables for use later in the conversation.

C. Convert the response into XML.

D. Retry the request immediately.

Answer: B

Explanation: JSON values are typically parsed and stored in variables for use in responses, conditions, or subsequent actions.


Question 6

A REST API limits clients to 1,000 requests per hour. Which design strategy best helps avoid exceeding this limit?

A. Retry every request immediately.

B. Disable authentication.

C. Cache frequently requested data and avoid unnecessary calls.

D. Send duplicate requests for verification.

Answer: C

Explanation: Caching and reducing redundant API calls are common strategies for working within rate limits.


Question 7

A company already has a fully supported Microsoft Power Platform connector for its CRM system. Which integration approach should generally be chosen?

A. Build every interaction using raw HTTP requests.

B. Use the existing connector unless custom functionality requires direct API access.

C. Export CRM data to spreadsheets.

D. Replace the CRM with a custom application.

Answer: B

Explanation: Managed connectors simplify development, maintenance, authentication, and governance, making them the preferred option when available.


Question 8

Which status code indicates that a new resource has been successfully created?

A. 200

B. 201

C. 404

D. 500

Answer: B

Explanation: HTTP 201 Created indicates that a new resource was successfully created by the server.


Question 9

What is the primary benefit of chaining multiple API requests within an agent flow?

A. It reduces authentication requirements.

B. It eliminates the need for variables.

C. It enables complex business processes that span multiple systems.

D. It guarantees faster execution than a single request.

Answer: C

Explanation: Chained API calls allow agents to orchestrate multi-step workflows involving several enterprise applications.


Question 10

Why should an agent avoid displaying raw HTTP error messages directly to users?

A. HTTP errors are never useful.

B. Raw errors may expose technical details and create a poor user experience.

C. HTTP errors always indicate a network problem.

D. Users cannot understand status codes.

Answer: B

Explanation: Enterprise agents should present friendly, actionable messages while logging technical details internally to maintain security and usability.


Go to the AB-620 Exam Prep Hub main page

Configure advanced agent responses with custom knowledge sources (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure advanced agent responses with custom knowledge sources


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the greatest strengths of Microsoft Copilot Studio is the ability to ground AI-generated responses using enterprise knowledge instead of relying solely on the large language model’s general knowledge. This capability allows organizations to build intelligent agents that answer questions using trusted business information while reducing hallucinations and ensuring responses remain accurate, current, and relevant.

For the AB-620 certification exam, you should understand not only how to configure custom knowledge sources, but also when each type should be used, their limitations, security implications, and how they fit into an enterprise AI architecture.

This topic frequently overlaps with several other exam objectives, including:

  • Designing enterprise integration strategies
  • Grounding agents with enterprise knowledge
  • Configuring generative answers
  • Implementing governance and Responsible AI
  • Designing reusable agent components

What Are Custom Knowledge Sources?

A custom knowledge source is any repository of information that an agent can use to answer user questions.

Instead of answering solely from the language model’s pre-trained knowledge, the agent retrieves relevant enterprise content and uses it to formulate a grounded response.

This process is commonly called Retrieval-Augmented Generation (RAG).

Instead of:

User Question → Large Language Model → Response

the process becomes:

User Question → Search Enterprise Knowledge → Retrieve Relevant Content → Large Language Model Generates Grounded Response

This dramatically improves:

  • Accuracy
  • Trustworthiness
  • Freshness
  • Business relevance
  • Compliance

Why Ground Responses?

Without grounding, AI may:

  • invent information
  • provide outdated answers
  • misunderstand company terminology
  • answer questions outside company policy

Grounding ensures responses come from trusted organizational content.

Example:

Without grounding:

“Our PTO policy allows 25 vacation days.”

Grounded response:

“According to the HR handbook updated in January 2026, employees receive 15 days during years 1–5.”


Benefits of Custom Knowledge Sources

Organizations use knowledge grounding to:

  • Answer employee questions
  • Answer customer questions
  • Reduce support tickets
  • Provide product documentation
  • Deliver policy guidance
  • Search internal knowledge bases
  • Surface procedures
  • Retrieve manuals
  • Access compliance documents
  • Improve consistency

Typical Enterprise Scenarios

Human Resources

Employees ask:

  • How many vacation days do I receive?
  • What is parental leave?
  • How do I submit expenses?

The agent searches:

  • HR SharePoint
  • Employee handbook
  • Policy documents

IT Help Desk

Users ask:

  • Reset password
  • VPN setup
  • Install software
  • MFA issues

Knowledge sources include:

  • IT documentation
  • Knowledge base
  • Support articles

Customer Service

Customers ask:

  • Product specifications
  • Warranty information
  • Pricing
  • Returns

Knowledge sources:

  • Product manuals
  • FAQ databases
  • Documentation
  • CRM articles

Healthcare

Agents answer questions using:

  • Clinical procedures
  • Patient documentation
  • Internal policies
  • Approved treatment guidelines

Manufacturing

Knowledge sources include:

  • Equipment manuals
  • Safety procedures
  • Maintenance documentation
  • Production SOPs

Types of Knowledge Sources

Copilot Studio supports multiple knowledge sources.

Understanding which one fits each scenario is important for the exam.


SharePoint

One of the most common enterprise sources.

Ideal for:

  • Policies
  • Procedures
  • Manuals
  • Internal documentation

Advantages:

  • Already used by many organizations
  • Supports permissions
  • Frequently updated
  • Easy integration

Example:

Employee:

“What is our travel reimbursement policy?”

Agent retrieves:

TravelPolicy.docx stored in SharePoint.


Public Websites

Useful for:

  • Public documentation
  • FAQs
  • Knowledge portals
  • Product documentation

Example:

A software company exposes:

support.contoso.com

The agent retrieves relevant pages.

Advantages:

  • Always current
  • Easy to maintain
  • No document uploads

Uploaded Files

Supported document types include examples such as:

  • PDF
  • DOCX
  • PPTX
  • TXT

Useful for:

  • Training manuals
  • Internal guides
  • Product documentation

Best for:

Small knowledge collections.


Dataverse

Dataverse can act as structured enterprise knowledge.

Useful for:

  • Business records
  • Customer information
  • Products
  • Inventory
  • Services

Unlike documents, Dataverse contains structured tables.

Example:

Instead of searching a PDF catalog:

The agent queries a Products table.


Azure AI Search

Azure AI Search is Microsoft’s enterprise search platform.

It is ideal for:

  • Millions of documents
  • Large organizations
  • Multiple repositories
  • Advanced indexing
  • Semantic search
  • Hybrid search
  • Vector search

Azure AI Search is commonly used when enterprise knowledge becomes too large for basic document collections.


External Connectors

Organizations often store information outside Microsoft 365.

Examples include:

  • Salesforce
  • ServiceNow
  • Confluence
  • Zendesk
  • SAP
  • Oracle systems

Connectors allow agents to retrieve information from these systems.


Microsoft Graph

Microsoft Graph provides access to Microsoft 365 resources.

Examples include:

  • Outlook
  • Teams
  • OneDrive
  • SharePoint
  • Calendar

Agents can retrieve user-specific information when appropriate permissions are granted.


Structured vs. Unstructured Knowledge

Understanding this distinction is important.

Structured Knowledge

Examples:

  • Dataverse
  • SQL
  • CRM records
  • ERP systems

Characteristics:

  • Tables
  • Rows
  • Columns
  • Predictable schema

Best for:

Business data.


Unstructured Knowledge

Examples:

  • PDFs
  • Word documents
  • Policies
  • Web pages
  • Wikis

Characteristics:

  • Natural language
  • Paragraphs
  • Articles
  • Documentation

Best for:

Generative answers.


Choosing the Right Knowledge Source

ScenarioBest Choice
Employee handbookSharePoint
Company policiesSharePoint
Public FAQWebsite
Millions of documentsAzure AI Search
Product catalogDataverse
Customer recordsDataverse
External CRMConnector
Internal wikiSharePoint or Website
Product manualsUploaded PDFs or SharePoint
Enterprise documentationAzure AI Search

Custom Knowledge Sources vs. Custom Prompts

This distinction is frequently tested.

Custom Prompts

Control:

  • Writing style
  • Tone
  • Personality
  • Formatting
  • Instructions

Examples:

  • “Answer formally.”
  • “Always summarize first.”
  • “Respond in bullet points.”

Prompts influence how the AI answers.


Custom Knowledge

Controls:

  • Facts
  • Information
  • Source material
  • Evidence

Examples:

  • HR handbook
  • Product manual
  • Company policy

Knowledge determines what the AI answers.


Together

A high-quality enterprise agent uses both.

Custom Prompt:

Respond professionally using short paragraphs.

Custom Knowledge:

HR Policy Handbook

The prompt determines presentation.

The knowledge determines accuracy.


Knowledge Grounding Process

A typical request follows these steps:

Step 1

User submits a question.

Step 2

Copilot determines whether enterprise knowledge is needed.

Step 3

Searches configured knowledge sources.

Step 4

Ranks relevant documents.

Step 5

Retrieves the most relevant passages.

Step 6

Uses the retrieved content as context.

Step 7

LLM generates the final grounded response.


Designing Enterprise Knowledge Architecture

Successful enterprise deployments rarely rely on a single repository.

Instead, organizations often build layered knowledge architectures.

Example:

Layer 1

Public website

Layer 2

SharePoint documentation

Layer 3

Azure AI Search index

Layer 4

Dataverse

Layer 5

External business systems

This allows agents to answer increasingly sophisticated questions while using the most appropriate source.


Best Practices

Keep Knowledge Current

Outdated documentation leads to outdated answers.

Review knowledge regularly.


Remove Duplicate Documents

Multiple conflicting versions reduce answer quality.

Maintain a single authoritative version whenever possible.


Organize Content Logically

Use:

  • Clear folder structures
  • Consistent naming
  • Well-defined document ownership

Good organization improves retrieval quality.


Use Smaller, Focused Documents

Instead of one 300-page manual:

Use multiple focused documents.

Benefits include:

  • Better retrieval
  • More relevant passages
  • Higher response quality

Write Clearly

Documents should use:

  • Plain language
  • Headings
  • Lists
  • Consistent terminology

Well-written content produces better AI answers.


Apply Security

Only expose information users should access.

Respect existing permissions.

Never use AI to bypass organizational security.


Common Exam Pitfalls

Candidates often confuse:

  • Custom prompts with custom knowledge
  • Knowledge grounding with connector actions
  • Dataverse with document repositories
  • Azure AI Search with SharePoint
  • Enterprise search with generative responses

Remember:

  • Custom prompts shape the response.
  • Custom knowledge sources provide factual grounding.
  • Connectors retrieve or update operational data.
  • Azure AI Search is optimized for enterprise-scale search.
  • Dataverse stores structured business information.

Exam Tips

For the AB-620 exam, be prepared to:

  • Differentiate structured and unstructured knowledge sources.
  • Select the most appropriate knowledge source for a given business scenario.
  • Explain how retrieval-augmented generation (RAG) improves response quality.
  • Compare SharePoint, Dataverse, Azure AI Search, websites, uploaded documents, and external connectors.
  • Recognize when Azure AI Search is preferable to standard document collections.
  • Distinguish between custom prompts and custom knowledge sources.
  • Design scalable, secure knowledge architectures that support enterprise AI agents.
  • Identify best practices for maintaining high-quality, trustworthy knowledge repositories.

Quick Orientation Summary

In the topics above, you learned about the purpose of custom knowledge sources, supported knowledge repositories, retrieval-augmented generation (RAG), and best practices for designing enterprise knowledge architectures.

In the topics below, we will focus on advanced implementation considerations, security and governance, optimization strategies, troubleshooting, and conclude with ten practice exam questions.


Advanced Knowledge Grounding Strategies

Enterprise AI agents often need to search multiple repositories simultaneously. Rather than relying on a single knowledge source, organizations typically combine several repositories to maximize answer quality.

Example architecture:

  • Public product documentation
  • Internal SharePoint sites
  • Azure AI Search indexes
  • Dataverse tables
  • External knowledge bases
  • Microsoft Graph resources

When a user asks a question, Copilot Studio determines which configured sources are relevant, retrieves supporting information, and uses the language model to generate a grounded response.

This layered approach provides:

  • Higher answer accuracy
  • Broader organizational coverage
  • Better scalability
  • Easier maintenance
  • Reduced hallucinations

Selecting the Appropriate Knowledge Source

One of the most common AB-620 exam scenarios asks which knowledge source should be used.

Choose SharePoint when:

  • Company documentation already exists
  • Policies change regularly
  • Permissions must follow Microsoft 365 security
  • Knowledge is primarily document-based

Choose Azure AI Search when:

  • Millions of documents exist
  • Multiple repositories must be searched
  • Semantic search is required
  • Vector search improves relevance
  • Enterprise-scale performance is needed

Choose Dataverse when:

  • Information is highly structured
  • Records change frequently
  • Business applications already use Dataverse
  • Data relationships are important

Choose Website Knowledge when:

  • Information is publicly available
  • Documentation is maintained online
  • Customers require self-service support
  • No authentication is required

Choose Uploaded Documents when:

  • Small knowledge collections exist
  • Pilot projects are being developed
  • Documentation is static
  • Quick deployment is desired

Security Considerations

Security is a significant exam objective because AI should never expose information users are not authorized to access.

A well-designed agent should respect existing security controls instead of bypassing them.

Key principles include:

  • Least privilege access
  • Identity-aware authentication
  • Permission inheritance
  • Secure connector configuration
  • Protected credentials
  • Secure storage of secrets

Authentication

Knowledge sources often require authentication.

Examples include:

  • Microsoft Entra ID
  • OAuth
  • API Keys
  • Managed Identity
  • Service Principals

Authentication ensures only authorized users and applications can retrieve enterprise information.


Authorization

Authentication answers:

Who are you?

Authorization answers:

What are you allowed to access?

For example:

Employee A may access:

  • HR policies
  • Employee handbook

Employee B (HR Manager) may additionally access:

  • Salary guidelines
  • Benefits administration documents

The agent should return only information the current user is authorized to view.


Governance Considerations

Governance ensures AI solutions remain secure, compliant, and manageable over time.

Important governance practices include:

  • Content lifecycle management
  • Document ownership
  • Data classification
  • Information retention
  • Audit logging
  • Compliance monitoring

Organizations should regularly review knowledge repositories to remove outdated or conflicting information.


Maintaining Knowledge Quality

AI quality depends heavily on knowledge quality.

Poor documentation results in poor answers.

High-quality knowledge repositories should be:

  • Current
  • Accurate
  • Complete
  • Well-organized
  • Clearly written
  • Free of duplicate information

Good Example

Policy:

Employees receive 15 vacation days during their first five years of employment.

Simple, clear, and easy to retrieve.


Poor Example

Vacation...
Unless otherwise specified...
depending on previous agreements...
except...
refer to Appendix D...

Long, ambiguous documents reduce retrieval quality.


Optimizing Documents for AI

Large language models perform better when documents are structured logically.

Recommendations include:

Use headings

Instead of:

Large blocks of text

Use:

  • Overview
  • Eligibility
  • Procedures
  • Exceptions
  • Contacts

Use Lists

Lists improve retrieval.

Example:

Expense reimbursement includes:

  • Hotel
  • Airfare
  • Mileage
  • Parking

instead of long paragraphs.


Break Large Documents Apart

Instead of:

EmployeeHandbook_900Pages.pdf

Use:

  • Vacation Policy
  • Sick Leave
  • Benefits
  • Travel Policy
  • Remote Work Policy

Smaller documents improve retrieval precision.


Azure AI Search Considerations

Azure AI Search offers advanced enterprise capabilities beyond simple document search.

Important concepts include:

Semantic Search

Understands meaning instead of matching keywords.

Example:

Question:

“How many vacation days?”

Matches:

Paid Time Off Policy

even if the phrase “vacation days” never appears.


Vector Search

Uses embeddings to locate conceptually similar information.

Useful for:

  • Similar questions
  • Natural language
  • Synonyms
  • Contextual search

Hybrid Search

Combines:

  • Keyword search
  • Semantic search
  • Vector search

Hybrid search often produces the best enterprise retrieval performance.


Common Configuration Mistakes

Candidates should recognize poor implementations.

Examples include:

Using outdated documentation

Result:

Incorrect AI answers.


Uploading duplicate manuals

Result:

Conflicting responses.


Ignoring permissions

Result:

Unauthorized information exposure.


Poor document organization

Result:

Low-quality retrieval.


Overly large documents

Result:

Reduced relevance.


Troubleshooting Knowledge Sources

Problem

Agent cannot answer a question.

Possible causes:

  • Document not indexed
  • Missing permissions
  • Wrong connector
  • Unsupported format
  • Source disconnected

Problem

Hallucinated response

Possible causes:

  • Missing knowledge
  • Poor prompt
  • Weak grounding
  • No matching documents

Problem

Wrong document selected

Possible causes:

  • Duplicate information
  • Ambiguous wording
  • Similar document titles
  • Poor organization

Problem

Outdated answer

Possible causes:

  • Old document version
  • Knowledge source not refreshed
  • Multiple conflicting documents

Performance Best Practices

Improve response quality by:

  • Removing duplicate documents
  • Updating stale content
  • Using descriptive document names
  • Applying metadata where supported
  • Organizing repositories logically
  • Limiting unnecessary repositories
  • Maintaining clean document libraries

Designing for Scalability

As organizations grow, knowledge repositories also expand.

Scalable designs include:

  • Department-specific repositories
  • Central governance
  • Standard document templates
  • Regular review cycles
  • Automated indexing
  • Consistent naming conventions

Large enterprises often combine SharePoint, Azure AI Search, Dataverse, and external systems into a unified knowledge architecture.


Relationship to Other AB-620 Objectives

This topic connects directly with several other exam areas.

ObjectiveRelationship
Configure Generative AnswersUses knowledge sources to generate grounded responses
Configure Advanced PromptsPrompts determine how information is presented, while knowledge sources determine what information is presented
Add Tools to TopicsTools execute actions, whereas knowledge sources provide information
Enterprise IntegrationConnectors expose enterprise data to agents
Security and GovernancePermissions and compliance determine accessible knowledge
Responsible AIGrounding reduces hallucinations and improves trustworthy responses

Exam Tips

Remember these important distinctions:

FeaturePrimary Purpose
Custom PromptControls behavior, tone, style, and formatting
Custom KnowledgeProvides factual information
ConnectorRetrieves or updates operational data
Azure AI SearchEnterprise-scale semantic and vector search
DataverseStructured business records
SharePointDocument-based enterprise knowledge
Website KnowledgePublic documentation
Uploaded FilesSmall or static document collections

A common exam question presents several repositories and asks which one is the most appropriate. Focus on understanding the business scenario rather than memorizing product names.


Final Review

Before taking the AB-620 exam, ensure you can:

  • Explain Retrieval-Augmented Generation (RAG).
  • Differentiate structured and unstructured knowledge.
  • Compare SharePoint, Dataverse, Azure AI Search, websites, and uploaded files.
  • Recommend the correct knowledge source for various business scenarios.
  • Explain how prompts and knowledge sources complement each other.
  • Describe governance and security considerations.
  • Identify causes of hallucinations and inaccurate responses.
  • Apply best practices for organizing enterprise knowledge.

Practice Exam Questions

Question 1

A company stores over five million engineering documents across multiple repositories. Users need semantic search with highly relevant AI-generated answers.

Which knowledge solution is the best choice?

A. Uploaded PDF files

B. SharePoint document library only

C. Azure AI Search

D. Dataverse tables

Correct Answer: C

Explanation:
Azure AI Search is designed for enterprise-scale indexing, semantic search, vector search, and retrieval across massive document collections. Uploaded files and SharePoint alone are less suitable for large-scale enterprise search.


Question 2

What is the primary purpose of a custom knowledge source in Copilot Studio?

A. Execute Power Automate flows

B. Provide factual information that grounds AI-generated responses

C. Improve connector authentication

D. Replace topic triggers

Correct Answer: B

Explanation:
Knowledge sources provide trusted information used during Retrieval-Augmented Generation (RAG). They do not execute workflows or replace conversational triggers.


Question 3

A developer wants an agent to answer questions using the latest employee handbook stored in Microsoft 365.

Which repository is the most appropriate?

A. Azure AI Search

B. Uploaded Excel workbook

C. SharePoint

D. Dataverse

Correct Answer: C

Explanation:
SharePoint is the preferred repository for organizational documents that change regularly and already inherit Microsoft 365 security.


Question 4

Which statement best describes the relationship between custom prompts and custom knowledge?

A. They perform identical functions.

B. Custom prompts retrieve documents.

C. Custom knowledge replaces large language models.

D. Custom prompts influence how responses are generated, while custom knowledge provides the factual information used to generate them.

Correct Answer: D

Explanation:
Prompts guide the model’s behavior and formatting, while knowledge sources provide the content used to create accurate, grounded responses.


Question 5

Which practice most improves AI retrieval quality?

A. Store every policy in one large document.

B. Duplicate documents across multiple repositories.

C. Divide documentation into well-organized, topic-specific documents.

D. Remove document headings.

Correct Answer: C

Explanation:
Smaller, clearly organized documents improve retrieval precision and reduce ambiguity during grounding.


Question 6

A user receives information they should not have been able to access.

Which security principle was most likely violated?

A. Document versioning

B. Semantic indexing

C. Retrieval-Augmented Generation

D. Least privilege

Correct Answer: D

Explanation:
Least privilege ensures users can access only the information necessary for their role. Violating this principle can expose sensitive information.


Question 7

An AI agent consistently provides outdated answers despite having the correct repository configured.

What is the most likely cause?

A. The documents have not been updated or re-indexed.

B. The custom prompt is too short.

C. The topic trigger contains multiple phrases.

D. The conversation variables are empty.

Correct Answer: A

Explanation:
If the repository contains outdated content or has not been refreshed, the AI will continue retrieving stale information.


Question 8

Which Azure AI Search capability helps locate conceptually similar information even when exact keywords are absent?

A. Power Automate

B. Keyword ranking

C. Vector search

D. Adaptive Cards

Correct Answer: C

Explanation:
Vector search uses embeddings to identify semantically related content rather than relying solely on exact keyword matches.


Question 9

Which repository is best suited for storing structured business records such as products, customers, and inventory?

A. SharePoint

B. Public websites

C. Uploaded PDF documents

D. Dataverse

Correct Answer: D

Explanation:
Dataverse is designed to manage structured relational business data and is ideal for operational records.


Question 10

A company wants to reduce hallucinations in AI-generated responses.

Which approach best supports this objective?

A. Use larger custom prompts only.

B. Disable knowledge sources.

C. Ground responses using trusted enterprise knowledge repositories.

D. Increase the number of topic triggers.

Correct Answer: C

Explanation:
Grounding responses with trusted enterprise knowledge is one of the most effective ways to reduce hallucinations and improve the reliability and accuracy of AI-generated answers.


Key Takeaways

For the AB-620 exam, remember these core principles:

  • Grounding with custom knowledge sources improves accuracy, consistency, and trustworthiness.
  • Choose knowledge repositories based on the type, scale, and location of the information.
  • Custom prompts define how an agent responds; custom knowledge defines what it responds with.
  • Azure AI Search is the preferred solution for large-scale, enterprise-grade semantic and vector search.
  • Organize knowledge into clear, well-maintained documents to maximize retrieval quality.
  • Respect authentication, authorization, and governance requirements to ensure secure access to enterprise knowledge.
  • Retrieval-Augmented Generation (RAG) is a foundational concept for designing intelligent, enterprise-ready agents in Microsoft Copilot Studio.

Go to the AB-620 Exam Prep Hub main page

Configure agent response formatting (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Configure agent response formatting


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most important responsibilities of an AI Agent Builder is designing responses that are easy for users to read, understand, and act upon. Even if an agent provides accurate information, poorly formatted responses can confuse users and reduce confidence in the solution.

Microsoft Copilot Studio provides several methods for formatting responses, ranging from simple text to sophisticated interactive experiences using Adaptive Cards. Choosing the correct response format depends on the audience, communication channel, business process, and complexity of the information being presented.

For the AB-620 exam, you should understand not only how to configure response formatting, but also when each formatting option should be used.


Why Response Formatting Matters

Well-designed responses help users:

  • Understand information quickly
  • Complete tasks efficiently
  • Reduce misunderstandings
  • Improve user satisfaction
  • Increase adoption of AI agents
  • Reduce unnecessary follow-up questions

Poorly formatted responses often lead to:

  • Long walls of text
  • Missing important information
  • Difficult navigation
  • User frustration
  • Increased support requests

Types of Agent Responses

Copilot Studio supports multiple response formats.

Plain Text Responses

The simplest response format.

Example:

Your request has been submitted successfully.

Advantages

  • Fast
  • Works across all channels
  • Universal compatibility

Limitations

  • Limited visual appeal
  • Difficult to organize large amounts of information
  • No interactive elements

Best used for:

  • Confirmations
  • Greetings
  • Short answers
  • Status messages

Rich Text Responses

Rich text improves readability by organizing information.

Examples include:

  • Headings
  • Paragraphs
  • Bullets
  • Numbered lists
  • Hyperlinks
  • Basic formatting

Example

Instead of:

Your laptop has shipped. Tracking number 123456. Expected delivery Friday.

Use:

Your Order Has Shipped

Tracking Number:

123456

Expected Delivery:

Friday

Rich text greatly improves the user experience.


Markdown Formatting

Many Copilot Studio responses support Markdown formatting.

Common Markdown elements include:

Bold

**Important**

Result:

Important


Italics

*Reminder*

Result:

Reminder


Lists

• Review your request
• Submit approval
• Wait for confirmation

or

1. Sign in
2. Select your project
3. Submit the request

Links

[Employee Portal](https://contoso.com)

Depending on the channel, links may appear as clickable hyperlinks.


Code Blocks

Useful when returning:

  • JSON
  • XML
  • PowerShell
  • SQL
  • REST requests

Example

{
"status":"Complete"
}

Although primarily useful for IT scenarios, formatted code blocks improve readability significantly.


Using Variables in Responses

Most responses contain dynamic information.

Instead of static text:

Hello Customer

Use variables:

Hello {User.Name}

Examples include:

  • Customer name
  • Order number
  • Case ID
  • Ticket status
  • Product information
  • Appointment time

Dynamic responses create personalized conversations.

Example:

Instead of

Your appointment has been confirmed.

Return

Hello John,
Your appointment for Tuesday at 2:00 PM has been confirmed.

Formatting Dynamic Data

When displaying variables, consider formatting.

Examples include:

Dates

Instead of:

2026-07-03T18:30:00Z

Display

July 3, 2026
6:30 PM

Currency

Instead of:

1249.95

Display

$1,249.95

Percentages

Instead of

0.82

Display

82%

Proper formatting improves professionalism and reduces confusion.


Structuring Long Responses

Avoid overwhelming users with lengthy paragraphs.

Instead:

Break responses into logical sections.

Example:


Support Ticket Created

Ticket Number:

87421

Priority:

High

Estimated Response:

2 Hours

Next Steps

• Monitor your email

• Reply if additional information is requested

• Close the ticket after resolution


This structure is much easier to scan.


Using Adaptive Cards

Adaptive Cards provide rich interactive user experiences.

Instead of displaying only text, an Adaptive Card can include:

  • Images
  • Buttons
  • Forms
  • Multiple columns
  • Input fields
  • Choice selections
  • Action buttons
  • Hyperlinks

Example use cases:

  • Expense approval
  • Vacation requests
  • IT support forms
  • Purchase approvals
  • Customer surveys
  • Product recommendations

Adaptive Cards are especially valuable when users need to make decisions directly inside the conversation.


Benefits of Adaptive Cards

Advantages include:

  • Interactive experiences
  • Improved usability
  • Reduced typing
  • Consistent design
  • Mobile-friendly layouts
  • Better user engagement

Rather than asking:

Would you like Option A or Option B?

An Adaptive Card can present two buttons the user simply clicks.


Adaptive Card Components

Common elements include:

Text Blocks

Display formatted text.

Example:

Vacation Request

Images

Useful for:

  • Employee photos
  • Product images
  • Maps
  • Company logos

Fact Sets

Display key-value information.

Example

Employee:

John Smith

Department:

Finance

Status:

Pending


Input Controls

Examples include:

  • Text boxes
  • Date pickers
  • Toggle switches
  • Dropdown lists
  • Rating controls

Action Buttons

Examples:

Approve

Reject

View Details

Submit

Cancel

Buttons simplify user interaction.


Images in Responses

Images improve engagement when used appropriately.

Common examples include:

  • Product photos
  • Company logos
  • Equipment diagrams
  • Employee pictures
  • Charts

Avoid using decorative images that do not add business value.


Hyperlinks

Responses often direct users to other systems.

Examples:

  • Knowledge articles
  • HR portal
  • SharePoint
  • Microsoft Teams
  • ServiceNow
  • Dynamics 365
  • Internal documentation

Rather than displaying long URLs, use descriptive text.

Good example:

Open the Employee Benefits Portal

Poor example:

https://contoso.sharepoint.com/sites/hr/benefits/documents...

Tables

Some channels support table formatting.

Tables work well for:

  • Pricing
  • Inventory
  • Order summaries
  • Project status
  • Performance metrics

Example

ProductQuantityStatus
Laptop3Ready
Monitor2Backordered

Tables improve readability compared to long sentences.


Lists

Bulleted lists are excellent for:

  • Instructions
  • Requirements
  • Features
  • Benefits
  • Action items

Example

Before submitting:

  • Verify your information
  • Upload required documents
  • Review your answers
  • Click Submit

Response Tone

Formatting is not only visual—it also influences communication style.

Agents should be:

Professional

Friendly

Clear

Concise

Helpful

Avoid:

  • Excessive technical jargon
  • Large blocks of text
  • Ambiguous wording
  • Robotic language
  • Unnecessary repetition

AI-Generated Responses vs Authored Responses

Copilot Studio supports both authored and AI-generated responses.

Authored Responses

Created manually by the designer.

Advantages:

  • Predictable
  • Consistent
  • Easier compliance
  • Controlled wording

Best for:

  • Policies
  • Compliance
  • Legal information
  • HR guidance

AI-Generated Responses

Generated using enterprise knowledge sources and generative AI.

Advantages:

  • Dynamic
  • Flexible
  • Natural conversations
  • Less maintenance

Best for:

  • FAQs
  • Large knowledge bases
  • Documentation
  • Internal support

Designers should ensure AI-generated responses still follow organizational formatting guidelines.


Channel Considerations

Different deployment channels render responses differently.

Examples include:

  • Microsoft Teams
  • Web chat
  • Mobile applications
  • Custom websites
  • Power Apps
  • Omnichannel Customer Service

Not every channel supports every formatting feature.

Adaptive Cards, images, buttons, and Markdown may behave differently depending on the target platform.

Before deployment, always validate that responses render correctly on every supported channel.


Accessibility Considerations

Well-formatted responses should also be accessible.

Best practices include:

  • Use descriptive button labels.
  • Avoid relying solely on color to convey meaning.
  • Keep language simple and readable.
  • Organize information with headings and lists.
  • Provide alternative text for images where supported.
  • Ensure sufficient spacing between sections.
  • Keep interactive cards uncluttered.

Accessibility improves usability for all users and supports inclusive design principles.


Performance Considerations

Overly complex responses can affect user experience.

Recommendations include:

  • Avoid unnecessarily large Adaptive Cards.
  • Limit excessive images.
  • Keep responses concise.
  • Return only relevant information.
  • Avoid deeply nested card layouts.
  • Use buttons instead of requiring users to type common responses.

Simple, focused responses generally provide the best user experience.


Common Design Mistakes

Candidates should recognize poor response design.

Common mistakes include:

  • Returning paragraphs instead of structured content.
  • Showing raw JSON or API output to users.
  • Displaying poorly formatted dates and currencies.
  • Using inconsistent terminology.
  • Creating overly large Adaptive Cards.
  • Mixing multiple unrelated tasks into one response.
  • Ignoring channel limitations.
  • Forgetting to test rendering across deployment targets.

Best Practices

When configuring agent responses:

  • Choose the simplest format that satisfies the business requirement.
  • Use Markdown to improve readability.
  • Personalize responses with variables.
  • Display business data in user-friendly formats.
  • Use Adaptive Cards for interactive experiences.
  • Maintain consistent formatting across topics.
  • Design for accessibility.
  • Test responses on every deployment channel.
  • Keep messages concise and action-oriented.
  • Use buttons and structured layouts to reduce user effort.

AB-620 Exam Tips

For the exam, remember the following:

  • Understand the differences between plain text, Markdown, rich text, and Adaptive Cards.
  • Know when Adaptive Cards provide value over standard text responses.
  • Be familiar with using variables to personalize responses.
  • Understand how channel capabilities influence formatting choices.
  • Recognize when authored responses are preferable to AI-generated responses.
  • Know how formatting improves usability, accessibility, and user satisfaction.
  • Expect scenario-based questions requiring you to choose the most appropriate response format for a given business requirement.

This topic is frequently tested through scenarios in which you must balance user experience, maintainability, accessibility, and channel compatibility. A strong understanding of response formatting principles will help you design professional, effective AI agents in Microsoft Copilot Studio.


Practice Exam Questions


Question 1

A company is building a Copilot Studio agent that helps employees submit vacation requests. Users should be able to review the request details and either approve or cancel the submission without typing additional text.

Which response format should you use?

A. Plain text response

B. Adaptive Card with action buttons

C. Markdown with bullet lists

D. AI-generated response

Correct Answer: B

Explanation:

Adaptive Cards support interactive controls such as buttons, input fields, and forms. Since users need to take immediate action by selecting Approve or Cancel, an Adaptive Card provides the best user experience. Plain text and Markdown can display information but cannot provide rich interactive controls.


Question 2

An agent returns the following response:

Order Number: 84562
Status: Shipped
Expected Delivery: July 8

The designer wants the response to be easier to scan while maintaining compatibility across nearly all deployment channels.

Which approach should be used?

A. Convert the response into an Adaptive Card

B. Replace the response with AI-generated text

C. Format the response using Markdown headings and spacing

D. Display the information as raw JSON

Correct Answer: C

Explanation:

Markdown formatting improves readability while remaining compatible with most supported channels. An Adaptive Card could also work, but it introduces unnecessary complexity when only simple formatting is required.


Question 3

A Copilot Studio agent retrieves a customer’s first name from Microsoft Dataverse before responding.

How should the response be personalized?

A. Hard-code the customer’s name into every response.

B. Ask the customer to type their name every time.

C. Insert a variable that contains the customer’s name.

D. Return the customer ID instead.

Correct Answer: C

Explanation:

Variables allow responses to dynamically personalize information using data retrieved during the conversation. This reduces user effort and improves the conversational experience.


Question 4

A developer wants an agent to return troubleshooting instructions that include several PowerShell commands.

Which formatting option provides the clearest presentation?

A. Store the commands in a Fact Set.

B. Display the commands inside an image.

C. Place the commands inside an Adaptive Card button.

D. Format the commands using a code block.

Correct Answer: D

Explanation:

Code blocks preserve formatting and spacing, making PowerShell commands easier to read and copy. Images prevent copying, and buttons are intended for actions rather than displaying scripts.


Question 5

An HR agent returns employee handbook information that rarely changes and must always match company policy exactly.

Which response type is most appropriate?

A. Authored response

B. AI-generated response

C. Adaptive Card

D. Markdown-generated summary

Correct Answer: A

Explanation:

Policy and compliance information should use authored responses because administrators maintain complete control over wording and consistency. AI-generated responses may paraphrase information, which is undesirable for official policy.


Question 6

A product catalog agent must display several products with images, prices, descriptions, and “View Details” buttons.

Which response format is most appropriate?

A. Plain text

B. Markdown bullet list

C. Adaptive Card

D. Code block

Correct Answer: C

Explanation:

Adaptive Cards are designed for structured, interactive presentations that include images, buttons, and organized information, making them ideal for product catalogs.


Question 7

A support agent currently returns the following response:

Ticket created. Number 87321. Priority High. Assigned to Network Team. Estimated completion 2 hours.

What is the best improvement?

A. Replace the response with a hyperlink.

B. Separate the information into headings and labeled sections.

C. Convert the information into XML.

D. Remove the priority information.

Correct Answer: B

Explanation:

Organizing related information into labeled sections makes responses easier to scan and understand. The content remains the same while improving readability.


Question 8

An organization deploys the same agent to Microsoft Teams, a company website, and a mobile application.

Why should response formatting be tested on every deployment channel?

A. Every channel supports identical formatting capabilities.

B. Adaptive Cards only work on websites.

C. AI-generated responses cannot be used on Teams.

D. Different channels may render formatting and interactive components differently.

Correct Answer: D

Explanation:

Channel capabilities vary. Some channels support full Adaptive Cards and Markdown, while others may partially support or render features differently. Testing ensures a consistent user experience.


Question 9

An agent retrieves the following value from a database:

2026-08-14T13:30:00Z

What is the best way to present this information?

A. Display the raw timestamp.

B. Convert it to binary.

C. Format it into a user-friendly date and time.

D. Replace it with the database record ID.

Correct Answer: C

Explanation:

Users should see dates and times in an understandable format rather than technical timestamp values. Proper formatting improves usability and professionalism.


Question 10

A designer wants to improve accessibility for all users interacting with a Copilot Studio agent.

Which design choice best supports this goal?

A. Use descriptive button labels and well-structured responses.

B. Rely only on color to indicate status.

C. Replace text with images whenever possible.

D. Display all information in a single paragraph.

Correct Answer: A

Explanation:

Accessibility best practices include meaningful button labels, organized layouts, headings, and clear language. Relying solely on color or replacing text with images reduces accessibility, while large blocks of text make responses harder to understand.


Exam Readiness Checklist

Before taking the AB-620 exam, ensure you can:

  • ✔ Differentiate between plain text, Markdown, rich text, and Adaptive Cards.
  • ✔ Identify when to use authored versus AI-generated responses.
  • ✔ Configure dynamic responses using variables.
  • ✔ Select the most appropriate formatting for business scenarios.
  • ✔ Design responses that improve readability and usability.
  • ✔ Understand how deployment channels affect response rendering.
  • ✔ Apply accessibility best practices to agent responses.
  • ✔ Format dates, currencies, percentages, and other dynamic values appropriately.
  • ✔ Recognize when interactive controls improve the user experience.
  • ✔ Evaluate response formatting decisions based on business requirements, user experience, and maintainability.

These scenario-based questions reflect the style of the AB-620 certification exam, where selecting the most appropriate design choice is often more important than simply knowing a feature exists.


Go to the AB-620 Exam Prep Hub main page

Add agent flows to a topic (AB-620 Exam Prep)

This post is a part of the AB-620: Designing and Building Integrated AI Agent Solutions in Copilot Studio Exam Prep Hub.
This topic falls under these sections:
Plan and configure agent solutions (30–35%)
   --> Configure topics
      --> Add agent flows to a topic


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

One of the most powerful capabilities in Microsoft Copilot Studio is the ability to combine conversational topics with agent flows. While topics define how an agent interacts with users through conversation, agent flows enable the agent to perform business processes, automate tasks, integrate with enterprise systems, and orchestrate complex workflows.

For the AB-620 certification exam, you should understand how topics and agent flows work together, when to invoke an agent flow, how data is passed between topics and flows, and how to build resilient, reusable conversational experiences.


Understanding Topics and Agent Flows

Before discussing how to add agent flows to a topic, it is important to understand the role of each component.

Topics

A topic represents a conversational pathway that allows an agent to:

  • Respond to user requests
  • Ask questions
  • Collect information
  • Make decisions
  • Guide users through conversations
  • Call actions and tools
  • Invoke agent flows

Topics determine when something should happen.


Agent Flows

Agent flows define the business logic that performs actions such as:

  • Calling APIs
  • Running Power Automate flows
  • Accessing Dataverse
  • Updating CRM records
  • Sending emails
  • Creating support tickets
  • Querying databases
  • Calling AI models
  • Executing approval workflows

Agent flows determine how the work is completed.


Relationship Between Topics and Agent Flows

Think of the relationship like this:

Topic

  • Conducts the conversation
  • Collects user input
  • Determines intent
  • Decides what action is required

Agent Flow

  • Executes the requested business process
  • Returns results
  • Provides output back to the topic

Topic

  • Continues the conversation
  • Explains the outcome
  • Requests additional information if necessary

Why Use Agent Flows Instead of Placing All Logic in a Topic?

Separating conversational logic from business logic provides several advantages.

Benefits include:

  • Better maintainability
  • Reusable workflows
  • Easier testing
  • Simpler troubleshooting
  • Consistent business processes
  • Reduced duplication
  • Easier governance

Instead of rebuilding the same process in multiple topics, several topics can invoke the same agent flow.


When Should a Topic Invoke an Agent Flow?

Typical scenarios include:

  • Creating a support ticket
  • Looking up customer information
  • Checking inventory
  • Approving requests
  • Booking appointments
  • Updating CRM records
  • Searching enterprise knowledge
  • Calling external REST APIs
  • Sending notifications
  • Creating work items

Designing Topics Before Adding Flows

A well-designed topic should first determine:

  • What information is needed?
  • Which data must be collected?
  • What validation is required?
  • Which flow should execute?
  • What outputs are expected?
  • What should happen if the flow fails?

Planning these elements simplifies implementation.


Collecting Required Inputs

Topics typically gather user information before invoking an agent flow.

Examples include:

  • Customer ID
  • Product name
  • Order number
  • Email address
  • Department
  • Date
  • Priority
  • Approval comments

These values become the input parameters for the flow.

Example conversation:

Agent:
“What is your order number?”

User:
“100548”

Store value in variable.

Pass variable to the flow.


Input Parameters

Agent flows commonly accept parameters such as:

ParameterExample
Customer IDC10245
Emailnorm@company.com
Ticket PriorityHigh
Product NameSurface Laptop
Order NumberORD-14589
DepartmentHR

The topic passes these values to the flow when invoking it.


Output Parameters

Flows also return information.

Examples include:

  • Success status
  • Error message
  • Order status
  • Customer name
  • Case number
  • Appointment confirmation
  • Inventory quantity

The topic can use these outputs to continue the conversation.

Example:

Flow returns:

  • Success = True
  • TicketNumber = INC-45891

Topic responds:

“Your support ticket has been created successfully. Your ticket number is INC-45891.”


Passing Variables Between Topics and Flows

Copilot Studio variables enable communication between conversations and workflows.

Typical process:

  1. User provides input.
  2. Topic stores values in variables.
  3. Variables are passed into the flow.
  4. Flow executes.
  5. Flow returns output variables.
  6. Topic displays results.

This creates a seamless conversational experience.


Triggering an Agent Flow

Within a topic, an agent flow is typically invoked after:

  • Required inputs are collected
  • Validation succeeds
  • User confirms the request

Avoid invoking flows before all required information has been collected.


Validating Data Before Calling a Flow

Validation reduces failures.

Examples include validating:

  • Email addresses
  • Dates
  • Numeric values
  • Required fields
  • Customer IDs
  • Business rules

Example:

Incorrect:

Call flow first.

Receive error.

Correct:

Validate first.

Call flow only after validation succeeds.


Handling Flow Results

Every flow should return meaningful outputs.

Typical outcomes include:

Success

Continue conversation.

Example:

“Your vacation request has been submitted.”


Business Failure

Example:

“No customer exists with that ID.”

The topic can ask for a different ID.


System Failure

Example:

“The HR system is temporarily unavailable.”

The topic may:

  • Retry
  • Escalate
  • Ask the user to return later

Conditional Logic After Flow Execution

Topics frequently branch based on flow outputs.

Examples:

If Success = True

→ Confirm completion

If Success = False

→ Explain failure

If Approval Required

→ Route for approval

If Customer Not Found

→ Ask again


Reusing Agent Flows

One of the biggest advantages of agent flows is reuse.

Example:

Customer Lookup Flow

Used by:

  • Sales topic
  • Support topic
  • Billing topic
  • Warranty topic

Instead of maintaining four lookup implementations, only one flow requires maintenance.


Integrating Enterprise Systems

Topics frequently invoke flows that connect to:

  • Microsoft Dataverse
  • Dynamics 365
  • SharePoint
  • Microsoft Teams
  • SQL Server
  • Azure AI Search
  • SAP
  • ServiceNow
  • Salesforce
  • Custom REST APIs

The topic itself remains conversational while the flow manages integration.


Long-Running Operations

Some workflows require several minutes.

Examples:

  • Report generation
  • Data synchronization
  • Large database updates
  • AI document processing

Best practices include:

  • Inform users processing has begun.
  • Provide progress messages when possible.
  • Notify users when processing completes.
  • Continue asynchronously if supported.

Human-in-the-Loop Scenarios

Some flows require human approval.

Examples include:

  • Expense approvals
  • Vacation approvals
  • Purchase requests
  • Legal review
  • Financial authorization

The topic may:

  • Submit the request.
  • Inform the user approval is pending.
  • Resume once approval completes.

Error Handling

Topics should never assume a flow succeeds.

Always plan for:

  • Authentication failures
  • Connector failures
  • Missing inputs
  • Invalid responses
  • Timeout errors
  • API failures
  • Network outages

Provide friendly error messages rather than technical details.

Example:

“I couldn’t complete your request because the service is temporarily unavailable.”


Logging and Monitoring

Administrators should monitor:

  • Successful executions
  • Failed executions
  • Flow duration
  • Connector errors
  • API failures
  • User abandonment
  • Retry frequency

These metrics help improve reliability over time.


Security Considerations

Topics should only invoke flows users are authorized to execute.

Consider:

  • Microsoft Entra ID authentication
  • User permissions
  • Least privilege
  • Secure connectors
  • Data protection
  • Sensitive information masking

Never expose secrets or internal system information to users.


Best Practices

  • Keep conversational logic inside topics.
  • Keep business logic inside agent flows.
  • Validate inputs before invoking flows.
  • Use meaningful input and output parameters.
  • Handle failures gracefully.
  • Reuse flows whenever possible.
  • Log important events.
  • Protect sensitive information.
  • Use clear confirmation messages.
  • Test both successful and failure scenarios.

Common Mistakes

Avoid these common design errors:

  • Calling flows before collecting all required inputs
  • Ignoring returned output values
  • Exposing technical error messages
  • Duplicating identical business logic in multiple topics
  • Failing to validate user input
  • Hardcoding values instead of using variables
  • Not planning for connector failures
  • Building overly large topics instead of modular conversations

Exam Tips

For the AB-620 exam, remember the following:

  • Topics manage conversations, while agent flows perform business operations.
  • Topics should collect and validate data before invoking a flow.
  • Use variables to pass information between topics and flows.
  • Agent flows should return structured outputs that topics can evaluate.
  • Reuse agent flows whenever possible to reduce duplication.
  • Handle errors gracefully and provide meaningful user feedback.
  • Design topics to support enterprise integrations while maintaining a conversational experience.
  • Separate conversation design from business process implementation.
  • Secure flows with appropriate authentication and authorization.
  • Test both successful and unsuccessful execution paths.

Practice Exam Questions

Question 1

A Copilot Studio topic collects a user’s employee ID before invoking an agent flow. What is the primary purpose of collecting this information first?

A. To reduce the number of topics in the agent

B. To allow the flow to receive the required input parameter

C. To prevent authentication from occurring

D. To automatically create a Dataverse table

Answer: B

Explanation: Agent flows often require input parameters. The topic gathers the necessary information before invoking the flow.


Question 2

Which responsibility belongs primarily to a topic rather than an agent flow?

A. Updating a SQL database

B. Calling a REST API

C. Managing the conversation with the user

D. Executing a Power Automate workflow

Answer: C

Explanation: Topics handle conversational interactions, while agent flows perform business operations and integrations.


Question 3

Why is separating conversation logic from business logic considered a best practice?

A. It prevents users from accessing connectors.

B. It removes the need for authentication.

C. It allows topics to execute without variables.

D. It improves maintainability and enables workflow reuse.

Answer: D

Explanation: Separating responsibilities makes solutions easier to maintain, test, and reuse across multiple topics.


Question 4

An agent flow returns a value indicating that a customer record could not be found. What should the topic do next?

A. Ignore the response and continue.

B. Delete the conversation history.

C. Ask the user for a different customer identifier.

D. Disable the flow.

Answer: C

Explanation: The topic should respond appropriately to business outcomes by allowing the user to correct the information.


Question 5

Which of the following is the BEST example of an output parameter returned by an agent flow?

A. Ticket number generated after creating a support case

B. User’s spoken question

C. Conversation trigger phrase

D. Greeting message

Answer: A

Explanation: Output parameters communicate the results of a completed workflow back to the topic.


Question 6

Before invoking an agent flow, a topic should first:

A. Restart the conversation.

B. Validate required user inputs.

C. Disable error handling.

D. Create a new environment.

Answer: B

Explanation: Input validation prevents unnecessary failures and improves the user experience.


Question 7

Multiple topics need to retrieve customer information using identical business logic. What is the recommended design?

A. Copy the workflow into every topic.

B. Create separate connectors for each topic.

C. Build one reusable agent flow that all topics invoke.

D. Eliminate topics and use only flows.

Answer: C

Explanation: Reusable agent flows reduce maintenance and ensure consistent business logic across conversations.


Question 8

Which scenario is most appropriate for invoking an agent flow?

A. Displaying a welcome message

B. Asking for the user’s preferred language

C. Detecting user intent

D. Creating a purchase order in an ERP system

Answer: D

Explanation: Business operations involving enterprise systems are ideal candidates for agent flows.


Question 9

Why should a topic evaluate the outputs returned by an agent flow?

A. To determine how the conversation should continue

B. To reduce connector licensing costs

C. To automatically create new topics

D. To bypass authentication

Answer: A

Explanation: Output parameters allow the topic to make decisions based on the success, failure, or results of the workflow.


Question 10

An enterprise workflow may take several minutes to complete. What is the best user experience?

A. Close the conversation immediately.

B. Repeatedly invoke the flow until it finishes.

C. Inform the user that processing is underway and provide follow-up or asynchronous notification if appropriate.

D. Return a technical timeout message.

Answer: C

Explanation: Long-running operations should provide feedback to the user and, where appropriate, continue asynchronously rather than blocking the conversation or exposing technical errors.


Go to the AB-620 Exam Prep Hub main page