AB-100 — Microsoft Certified: Agentic AI Business Solutions Architect Quick Reference
Compact AB-100 quick reference for designing secure, governed, business-aligned agentic AI solutions with Microsoft technologies.
Exam Identity and Architect Mindset
| Item | Reference |
|---|---|
| Vendor/provider | Microsoft |
| Certification title | Microsoft Certified: Agentic AI Business Solutions Architect (AB-100) |
| Exam code | AB-100 |
| Candidate mindset | Translate business outcomes into secure, governed, measurable agentic AI solutions across Microsoft services. |
| Common exam angle | Choose the right architecture, Microsoft service, control boundary, data grounding pattern, evaluation approach, and operational model. |
AB-100 scenarios are likely to reward architecture decisions more than feature memorization. Think in this order:
- Business objective: What outcome, user group, process, and success metric?
- Agent fit: Should the solution be an agent, copilot extension, workflow automation, or standard app?
- Grounding: What data is authoritative, fresh, permission-trimmed, and auditable?
- Actions: What tools, APIs, connectors, and approvals are needed?
- Safety and governance: What can the agent do, for whom, under what policy?
- Evaluation: How will quality, risk, and business value be measured before and after release?
- Operations: How will the solution be monitored, improved, and controlled over time?
Core Agentic AI Concepts
| Concept | Exam-ready meaning | High-yield distinction |
|---|---|---|
| Agent | AI system that can reason over goals, use tools, retrieve context, and take steps toward a task. | More autonomous than a single prompt-response chatbot. |
| Copilot | User-facing AI assistant, often embedded in a Microsoft experience. | Usually assists a human; may be extended with plugins, connectors, or agents. |
| Tool use | Agent calls APIs, functions, connectors, workflows, or external systems. | Requires strict authorization, input validation, and audit logging. |
| Grounding | Supplying the model with trusted enterprise data. | Reduces hallucination but does not eliminate need for evaluation. |
| RAG | Retrieval-augmented generation: retrieve relevant content, then generate an answer grounded in that content. | Good for knowledge-heavy scenarios; not enough for transactional actions. |
| Orchestration | Logic that plans steps, calls tools, manages state, and handles fallback. | Can be low-code, pro-code, or hybrid. |
| Human in the loop | Human review, approval, or escalation before or after agent action. | Essential for high-impact, irreversible, regulated, or ambiguous decisions. |
| Guardrails | Policies, constraints, filters, prompt instructions, validation, and monitoring. | Must be layered; prompt instructions alone are weak controls. |
| Evaluation | Testing agent quality, safety, grounding, tool accuracy, and business outcomes. | Should happen before release and continuously after deployment. |
| Responsible AI | Design discipline for fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. | Architecture concern, not just a policy document. |
Microsoft Service Selection Matrix
| Requirement | Prefer | Why | Watch for |
|---|---|---|---|
| Build low-code business agents for Teams, Microsoft 365, customer service, or internal workflows | Microsoft Copilot Studio | Fast agent creation, topics, actions, connectors, governance through Power Platform ecosystem. | Do not choose pro-code services when low-code connectors and governance meet the requirement. |
| Extend Microsoft 365 Copilot with enterprise data or actions | Copilot Studio, Microsoft Graph connectors, plugins/actions | Keeps experience close to Microsoft 365 users and permission-aware content. | Respect existing Microsoft 365 and Graph permissions. |
| Build custom, pro-code agentic apps with fine-grained orchestration | Azure AI Foundry, Azure AI Agent Service, Azure OpenAI Service, Semantic Kernel | More control over model selection, tools, retrieval, orchestration, app integration, and DevOps. | Requires deeper engineering, security, and operations design. |
| Add enterprise search grounding over documents and structured indexes | Azure AI Search | Indexing, hybrid/vector search, semantic ranking capabilities, security filtering patterns. | Poor chunking, stale indexes, or missing ACL trimming cause wrong answers or data exposure. |
| Use Microsoft 365 content as knowledge source | Microsoft Graph connectors, Microsoft 365 data access patterns | Aligns with Microsoft 365 content and identity. | Avoid bypassing user permissions by copying broad data into an unprotected index. |
| Store business records for Power Platform agents | Microsoft Dataverse | Business data model, security roles, Power Platform integration. | Model data and roles intentionally; do not treat it as a simple file store. |
| Orchestrate business process approvals | Power Automate or Azure Logic Apps | Workflow, connectors, approvals, integration triggers. | Agent should not silently perform high-risk actions when approval is required. |
| Expose enterprise APIs safely to agents | Azure API Management | Central API gateway, policies, throttling, transformation, auth enforcement. | Do not let agents call raw backend APIs without contracts and controls. |
| Run custom tool logic | Azure Functions, Azure Container Apps, or app services | Encapsulates action logic behind secure interfaces. | Validate all model-provided inputs; assume tool arguments can be unsafe. |
| Protect secrets and keys | Azure Key Vault, managed identities | Central secret management and identity-based access. | Avoid hard-coded secrets in prompts, code, environment files, or connectors. |
| Monitor apps and agents | Azure Monitor, Application Insights, service-specific analytics | Telemetry, traces, failures, latency, tool-call behavior. | Log enough for diagnosis without storing sensitive prompts unnecessarily. |
| Govern data, classification, and compliance controls | Microsoft Purview | Data governance, sensitivity labels, data loss prevention, audit and risk controls. | Governance must cover data sources, retrieval stores, outputs, and user access. |
| Secure cloud posture and workloads | Microsoft Defender for Cloud, Microsoft Sentinel where applicable | Threat detection, posture management, security operations. | Agentic systems expand attack surface through tools and data paths. |
Solution Pattern Selection
| Pattern | Choose when | Avoid when | Key controls |
|---|---|---|---|
| FAQ/knowledge copilot | Users need answers from trusted content. | User needs complex action execution or multi-step planning. | RAG, citations, content freshness, permission trimming. |
| Task assistant | User remains in control and agent drafts, summarizes, or recommends. | Process requires unattended execution. | Clear UX, confidence display, review before submission. |
| Transactional agent | Agent updates systems, creates tickets, sends messages, or executes workflows. | Actions are irreversible and no approval path exists. | Tool authorization, input validation, audit trail, human approval. |
| Autonomous workflow agent | Agent decomposes work and executes multi-step processes. | Risk, ambiguity, or compliance requires human decisioning. | Bounded scope, state machine, rollback, exception handling, continuous monitoring. |
| Multi-agent system | Specialized agents handle planning, retrieval, domain tasks, or review. | A single agent or deterministic workflow is sufficient. | Clear responsibility boundaries, message contracts, loop prevention. |
| Copilot extension | Users already work in Microsoft 365 or Teams and need contextual actions. | Standalone app UX or custom orchestration is required. | Graph permissions, connector governance, tenant policies. |
| Deterministic workflow | Rules are stable and explainability is more important than flexible reasoning. | Inputs are unstructured or require language understanding. | Use Power Automate, Logic Apps, or standard app logic before adding an LLM. |
Reference Architecture
flowchart LR
U[User or business process] --> UX[Copilot, Teams, app, or workflow]
UX --> ORCH[Agent orchestration]
ORCH --> LLM[Model endpoint]
ORCH --> RET[Retrieval layer]
ORCH --> TOOLS[Tools and actions]
RET --> DATA[Enterprise data sources]
TOOLS --> API[APIs, connectors, workflows]
API --> SYS[Systems of record]
ORCH --> EVAL[Evaluation and guardrails]
ORCH --> OBS[Telemetry and audit]
SEC[Identity, access, policy, governance] --> UX
SEC --> ORCH
SEC --> RET
SEC --> TOOLS
| Layer | Architect decisions | Common traps |
|---|---|---|
| User experience | Where users work, what they can see, how approvals appear, fallback route. | Building a separate app when Teams, Microsoft 365, or existing business app integration is better. |
| Orchestration | Low-code vs pro-code, planning strategy, tool routing, memory/state, retries. | Letting the model control everything without deterministic boundaries. |
| Model access | Model family, deployment region, prompt design, token budget, latency target. | Assuming the largest model is always best. |
| Retrieval | Index design, chunking, metadata, ranking, security filters, freshness. | Loading all content into prompts or using one global index without ACLs. |
| Tools/actions | API contracts, schemas, validation, idempotency, approval gates. | Exposing broad admin APIs directly to an agent. |
| Identity/security | User-delegated access vs app-only access, managed identity, RBAC, secrets. | Using a privileged service account for all users. |
| Governance | Data classification, DLP, audit, retention, responsible AI review. | Treating prompts and generated outputs as outside governance. |
| Operations | Monitoring, evaluation, feedback loops, incident response, cost tracking. | No way to reproduce or diagnose bad agent behavior. |
Requirements-to-Architecture Decision Table
| If the scenario says… | Architectural implication |
|---|---|
| “Answers must reflect the user’s permissions” | Use permission-trimmed retrieval; avoid broad shared indexes unless ACLs are enforced. |
| “Users need citations or source links” | Use RAG with document references and answer-generation constraints. |
| “The agent must update records” | Expose constrained tools/actions; add validation, authorization, audit, and rollback or compensation. |
| “The business process requires manager approval” | Insert human approval through Power Automate, Logic Apps, or app workflow before final action. |
| “Data changes frequently” | Prefer live API retrieval or frequent index refresh; document freshness strategy. |
| “Highly sensitive data is involved” | Apply least privilege, data classification, encryption, DLP, private networking where appropriate, and restricted logging. |
| “Nontechnical business teams will maintain the agent” | Favor Copilot Studio and Power Platform governance if requirements fit. |
| “Custom orchestration and complex integration are required” | Favor Azure AI Foundry, Azure AI Agent Service, Semantic Kernel, and pro-code services. |
| “The agent must scale across departments” | Design reusable tools, standardized evaluation, environment strategy, governance, and lifecycle management. |
| “The output is used for consequential decisions” | Require human review, explainability, documented limitations, bias/safety testing, and auditability. |
| “The agent needs to call many enterprise systems” | Use API Management, connector strategy, identity design, throttling, error handling, and integration monitoring. |
| “The solution must be supportable by IT operations” | Include telemetry, alerts, runbooks, versioning, incident process, and ownership model. |
Agent Scope and Autonomy Controls
| Autonomy level | Description | Suitable examples | Required controls |
|---|---|---|---|
| Inform | Agent answers questions only. | Policy Q&A, knowledge search, onboarding help. | Grounding, citations, feedback, content safety. |
| Draft | Agent prepares content but user submits. | Email draft, case summary, proposal outline. | User review, clear generated-content labeling. |
| Recommend | Agent proposes a decision or next best action. | Support routing, risk triage, sales recommendation. | Explanation, confidence cues, human accountability. |
| Act with approval | Agent prepares an action; human approves. | Refund, record update, external message. | Approval workflow, audit, action preview. |
| Act within bounds | Agent executes low-risk actions under predefined constraints. | Create ticket, schedule internal meeting, update noncritical metadata. | Policy constraints, validation, monitoring, rollback. |
| Autonomous | Agent plans and executes multi-step workflows with minimal human input. | Narrow, repeatable operational processes. | Strict scope, kill switch, incident response, continuous evaluation. |
High-yield exam trap: Do not equate “agentic” with “fully autonomous.” Many business solutions should use limited autonomy with human approval.
Data Grounding and RAG Reference
| Design area | Good choice | Poor choice |
|---|---|---|
| Source selection | Authoritative systems of record, curated knowledge bases, approved Microsoft 365 content. | Random exports, stale files, duplicated uncontrolled content. |
| Indexing | Chunk by meaning, preserve metadata, include source URI, owner, sensitivity, timestamps. | Huge chunks, missing metadata, no source traceability. |
| Retrieval | Combine keyword, vector, semantic, filters, and reranking where useful. | Rely on embeddings alone for all queries. |
| Security | Enforce user or group permissions at retrieval time. | Retrieve everything, then ask the model not to reveal restricted content. |
| Freshness | Refresh indexes based on business need or query live APIs for volatile data. | Treat static snapshots as current. |
| Answering | Require grounded answers, citations, and “I don’t know” behavior when evidence is missing. | Force an answer even when retrieval confidence is low. |
| Evaluation | Test groundedness, relevance, citation accuracy, and refusal behavior. | Test only with happy-path questions. |
RAG Failure Modes
| Symptom | Likely cause | Architect response |
|---|---|---|
| Correct source exists but answer is wrong | Poor chunking, ranking, or prompt instructions. | Tune chunking, metadata, ranking, and answer constraints. |
| Agent exposes restricted content | Missing ACL trimming or overprivileged index access. | Enforce identity-aware retrieval and least privilege. |
| Agent says “I don’t know” too often | Retrieval recall too low or content not indexed. | Improve index coverage, synonyms, hybrid retrieval, query rewriting. |
| Agent hallucinates citations | Prompt allows unsupported citations or source mapping is weak. | Generate citations only from retrieved source IDs. |
| Slow responses | Large context, many tools, inefficient retrieval. | Reduce context, cache safe data, optimize tool calls, use appropriate model. |
| Stale answers | Index refresh not aligned to data change rate. | Refresh more often or retrieve live from source system. |
Identity, Access, and Security
| Topic | Exam-ready rule |
|---|---|
| Least privilege | Give the agent, tools, and users only the permissions required for the task. |
| User-delegated access | Use when results/actions must reflect the signed-in user’s permissions. |
| App-only access | Use only when the app has its own controlled service permissions and business justification. |
| Managed identity | Prefer for Azure-hosted workloads accessing Azure resources. |
| Secrets | Store in Azure Key Vault or managed secret stores; do not place secrets in prompts or code. |
| API security | Put controlled contracts in front of systems; validate input and output. |
| Network controls | Use private access patterns where required by the organization’s security model. |
| Data protection | Classify data, apply DLP, encryption, retention, and access reviews according to policy. |
| Prompt injection | Treat retrieved content and user input as untrusted; isolate instructions from data. |
| Auditability | Log user, tool, action, approval, result, and correlation IDs where appropriate. |
Delegated vs App-Only Access
| Use delegated access when… | Use app-only access when… |
|---|---|
| The answer must be trimmed to the user’s rights. | A background process performs a controlled organizational task. |
| The user is responsible for the action. | The application identity is responsible for the action. |
| Different users should see different results. | All authorized users receive the same approved service behavior. |
| Microsoft 365 or Graph data must follow user permissions. | A curated service index or backend API has its own authorization layer. |
Common trap: Using one highly privileged app identity to retrieve all enterprise data can violate least privilege and produce data leakage.
Tool and Action Design
| Design element | Recommendation |
|---|---|
| Tool contract | Use explicit schemas, required fields, allowed values, and clear descriptions. |
| Authorization | Enforce outside the model in the API/workflow layer. |
| Validation | Validate model-provided parameters as untrusted input. |
| Idempotency | Design repeated calls not to duplicate harmful actions. |
| Confirmation | Preview high-impact actions before execution. |
| Error handling | Return structured errors the orchestrator can handle safely. |
| Logging | Record action intent, parameters where safe, actor, approval, result, and correlation ID. |
| Rollback | Provide compensation or reversal for actions where possible. |
| Rate control | Protect backend systems from loops or excessive calls. |
Example tool contract style:
{
"name": "create_support_ticket",
"description": "Create a support ticket after user confirmation.",
"parameters": {
"type": "object",
"properties": {
"customerId": { "type": "string" },
"severity": { "type": "string", "enum": ["low", "medium", "high"] },
"summary": { "type": "string" }
},
"required": ["customerId", "severity", "summary"]
}
}
Architectural point: the schema helps the model call the tool correctly, but the backend still must enforce permissions, validation, and business rules.
Prompt, Instruction, and Memory Controls
| Area | Good practice | Avoid |
|---|---|---|
| System/developer instructions | State role, allowed tasks, forbidden tasks, escalation rules, citation rules. | Hiding security-critical logic only in natural-language instructions. |
| User input | Treat as untrusted. | Letting user override policy, identity, or tool restrictions. |
| Retrieved content | Treat as data, not instructions. | Allowing documents to redefine the agent’s behavior. |
| Conversation history | Keep only relevant context. | Sending unnecessary sensitive history into every request. |
| Memory | Store explicit, consented, useful facts where appropriate. | Persisting sensitive inferred data without governance. |
| Output format | Use structured output for tool calls and downstream systems. | Free-form output when a deterministic schema is required. |
Prompt Injection Defense Layers
| Layer | Control |
|---|---|
| Instruction hierarchy | Keep trusted system instructions separate from user and retrieved content. |
| Retrieval filtering | Retrieve only authorized, relevant content. |
| Tool allowlist | Only expose tools needed for the current task. |
| Parameter validation | Reject unsafe or unauthorized tool arguments. |
| Action approval | Require human approval for sensitive actions. |
| Output filtering | Detect unsafe, unsupported, or policy-violating output. |
| Monitoring | Review suspicious prompts, failed guardrails, and abnormal tool usage. |
Responsible AI and Risk Controls
| Microsoft Responsible AI principle | Architecture implications |
|---|---|
| Fairness | Test for uneven quality or harmful outcomes across user groups and scenarios. |
| Reliability and safety | Evaluate failure modes, fallback behavior, and robustness before production use. |
| Privacy and security | Minimize data exposure, secure identities, protect prompts and outputs. |
| Inclusiveness | Design accessible experiences and support diverse user needs. |
| Transparency | Tell users they are interacting with AI, show sources, explain limitations. |
| Accountability | Define owners, approval paths, audit trails, incident handling, and review process. |
Evaluation and Acceptance Criteria
| Evaluation type | What to test | Example acceptance question |
|---|---|---|
| Groundedness | Output supported by retrieved sources. | “Can every factual claim be traced to approved evidence?” |
| Relevance | Answer addresses the user’s actual task. | “Did the agent solve the requested problem without irrelevant content?” |
| Tool accuracy | Correct tool selected with valid parameters. | “Did the agent call the right API with authorized inputs?” |
| Safety | Harmful, disallowed, or sensitive outputs blocked. | “Does the agent refuse or escalate unsafe requests?” |
| Permission behavior | Users only see and act on permitted data. | “Do two users with different rights get appropriately different results?” |
| Robustness | Handles ambiguous, adversarial, and incomplete requests. | “Does the agent ask clarifying questions when needed?” |
| Latency | Response time fits the user workflow. | “Is the solution usable during the business process?” |
| Cost efficiency | Model, retrieval, and tool usage align with value. | “Can a smaller model or cached retrieval meet the need?” |
| Business outcome | Process metric improves. | “Did the agent reduce handling time, errors, or backlog?” |
Test Set Design
| Include | Why |
|---|---|
| Happy-path examples | Confirms intended behavior. |
| Edge cases | Reveals brittle assumptions. |
| Ambiguous prompts | Tests clarification and refusal behavior. |
| Restricted-content prompts | Tests permission trimming. |
| Prompt injection attempts | Tests instruction isolation and tool safety. |
| Stale or missing data cases | Tests uncertainty handling. |
| High-impact action requests | Tests approval and audit controls. |
| Realistic user language | Tests production readiness beyond lab prompts. |
Governance and Lifecycle
| Phase | Architect checklist |
|---|---|
| Discover | Business goal, users, data sources, risk level, success metrics, ownership. |
| Design | Pattern selection, Microsoft services, identity, retrieval, tools, controls. |
| Build | Environments, source control, CI/CD, prompt/version management, secure connectors. |
| Evaluate | Offline test sets, red-team prompts, responsible AI review, user acceptance. |
| Deploy | Release gates, tenant/environment policies, monitoring, rollback plan. |
| Operate | Telemetry, feedback review, model/index/tool updates, incident response. |
| Improve | Analyze failures, update prompts, refine retrieval, add tests, retire unused features. |
Environment and ALM Considerations
| Concern | Practical reference |
|---|---|
| Separation | Use separate development, test, and production environments. |
| Versioning | Version prompts, agent definitions, tools, workflows, and evaluation sets. |
| Change control | Treat prompt and tool changes as production-impacting changes. |
| Rollback | Keep a known-good agent or configuration available. |
| Ownership | Assign business owner, technical owner, data owner, and support owner. |
| Documentation | Record data sources, permissions, limitations, known risks, and escalation paths. |
Observability and Troubleshooting
| Signal | What it tells you |
|---|---|
| User feedback | Perceived usefulness, missing features, bad answers. |
| Prompt/response traces | Reason for poor answer or unsafe behavior; handle sensitive logging carefully. |
| Retrieval diagnostics | Which documents/chunks were used and why. |
| Tool-call logs | Action selection, parameters, failures, latency, repeated calls. |
| Approval logs | Human review patterns and bottlenecks. |
| Safety events | Refusals, content filter events, prompt injection attempts. |
| Cost and usage metrics | Model, retrieval, and tool consumption trends. |
| Business KPIs | Whether the agent improves the intended process. |
Troubleshooting Decision Table
| Problem | First checks | Likely fix |
|---|---|---|
| Agent gives generic answers | No grounding, weak retrieval, vague prompt. | Add authoritative data, tune retrieval, require citations. |
| Agent uses wrong tool | Tool descriptions overlap or orchestration lacks constraints. | Clarify tool schemas, restrict tools by intent, add tests. |
| Agent fails for some users | Permission issue, connector configuration, identity mismatch. | Verify delegated/app permissions and data ACLs. |
| Agent takes unsafe action | Missing approval, weak validation, overbroad tool access. | Add approval gate, reduce permissions, enforce backend policy. |
| Agent loops or calls tools repeatedly | No step limit, poor error handling, ambiguous state. | Add maximum steps, deterministic workflow states, retry policy. |
| Good in test, poor in production | Test set not representative, data drift, user behavior differs. | Expand evaluations with real-world cases and monitor drift. |
| High latency | Too much context, too many tool calls, slow backend. | Reduce context, optimize retrieval, parallelize safe calls, cache. |
Common AB-100 Traps
| Trap | Better answer |
|---|---|
| “Use an LLM for everything.” | Use deterministic workflow or standard automation when rules are clear. |
| “Grounding guarantees correctness.” | Grounding helps; evaluation, citations, and fallback are still required. |
| “Prompt instructions are security controls.” | Enforce security in identity, retrieval, API, and workflow layers. |
| “Agent autonomy is always desirable.” | Match autonomy to risk; use approval for high-impact actions. |
| “One index for all enterprise content is simpler.” | Simpler can be unsafe; design permission-aware retrieval. |
| “The biggest model is the best architecture.” | Select model based on quality, latency, cost, context, and task complexity. |
| “Business users can own the whole solution alone.” | Low-code still needs governance, data ownership, security, and lifecycle management. |
| “Logs should capture everything.” | Capture diagnostic value while minimizing sensitive data exposure. |
| “Evaluation is a one-time launch task.” | Agent quality changes as prompts, tools, data, and user behavior change. |
| “APIs exposed to agents can trust agent inputs.” | Validate and authorize every tool call as untrusted input. |
Compact Design Checklist
Before choosing an answer in an AB-100 scenario, verify:
- Business fit: The solution solves a measurable business problem.
- Pattern fit: Agent, copilot, RAG, workflow, or traditional app is justified.
- Microsoft service fit: Low-code vs pro-code choice matches ownership and complexity.
- Grounding fit: Data is authoritative, current, permission-aware, and traceable.
- Tool fit: Actions are limited, validated, authorized, observable, and recoverable.
- Identity fit: Delegated vs app-only access is intentional.
- Risk fit: Autonomy level matches impact and uncertainty.
- Responsible AI fit: Safety, transparency, privacy, fairness, and accountability are designed in.
- Evaluation fit: Test cases include realistic, adversarial, permission, and edge scenarios.
- Operations fit: Monitoring, ownership, support, incident response, and improvement loop exist.
Practical Next Step
Use this Quick Reference as a decision checklist while you practice AB-100 scenarios. For each practice question, identify the business goal, required autonomy level, data grounding pattern, Microsoft service choice, security boundary, and evaluation method before selecting an answer.