AB-100 — Microsoft Certified: Agentic AI Business Solutions Architect Quick Review
Quick Review for Microsoft AB-100 candidates preparing for agentic AI business solution architecture scenarios.
Quick Review purpose
This Quick Review is for candidates preparing for Microsoft AB-100, Microsoft Certified: Agentic AI Business Solutions Architect (AB-100). Use it to refresh the architecture decisions, risk tradeoffs, and Microsoft ecosystem concepts that commonly appear in scenario-based questions before moving into topic drills, mock exams, and detailed explanations.
The exam mindset is architectural: you are not just choosing an AI feature. You are translating a business outcome into a secure, governed, measurable agentic solution that can interact with people, data, tools, and enterprise processes.
The core AB-100 mindset
For most scenarios, think in this order:
- Business outcome — What measurable process, decision, or user experience needs improvement?
- User and workflow context — Who uses the agent, where, and at what point in the process?
- Agent capability — Should the solution answer, recommend, summarize, plan, or act?
- Grounding and data — What trusted enterprise data is required, and how are permissions enforced?
- Tools and actions — Which systems can the agent call, and what approvals are required?
- Risk controls — How will the design reduce hallucination, prompt injection, data leakage, unsafe actions, and compliance risk?
- Evaluation — How will quality, safety, cost, latency, and business impact be measured?
- Operations — How will the agent be monitored, updated, versioned, and governed after deployment?
flowchart LR
A[Business outcome] --> B[User workflow]
B --> C[Agent role and autonomy]
C --> D[Grounding data]
D --> E[Tools and actions]
E --> F[Security and governance]
F --> G[Evaluation and testing]
G --> H[Deployment and operations]
H --> I[Continuous improvement]
High-yield Microsoft solution positioning
AB-100 questions often test whether you can select an appropriate Microsoft-aligned architecture pattern, not just name a product.
| Need in the scenario | Likely architectural direction | Watch for |
|---|---|---|
| Employees need AI assistance inside Microsoft 365 work patterns | Extend or configure Microsoft 365 Copilot experiences where appropriate | Do not build a separate custom app if the requirement is mainly productivity-context assistance |
| Business users need a low-code conversational agent for internal or customer workflows | Consider Microsoft Copilot Studio with connectors, topics, actions, and governance | Confirm data sources, authentication, escalation, and environment strategy |
| Solution needs advanced custom orchestration, model selection, evaluation, or AI application lifecycle control | Consider Azure AI Foundry and related Azure services | Higher flexibility usually means more design responsibility |
| Agent must retrieve enterprise knowledge from documents or indexed data | Use a grounded retrieval pattern, often with search/indexing and permission controls | Do not rely on the model’s general knowledge for enterprise facts |
| Agent must update records, submit requests, or trigger workflows | Use tools, APIs, connectors, Power Automate, Logic Apps, or custom services | Require approvals, auditability, idempotency, and error handling |
| User only needs deterministic workflow automation | Use workflow automation instead of an agent when natural-language reasoning is unnecessary | Do not overuse agentic AI for fixed rule-based processes |
| Sensitive or regulated process with material business impact | Add human-in-the-loop, policy checks, logging, and constrained tool execution | Prompt instructions alone are not sufficient control |
Key terms to know cold
| Term | Practical meaning | Exam trap |
|---|---|---|
| Agent | AI system that can reason over context, use tools, and pursue a task through multiple steps | Treating every chatbot as a true agent |
| Copilot | AI assistant experience embedded in a user workflow | Assuming a copilot always has permission to all enterprise data |
| Grounding | Supplying trusted context to improve relevance and reduce unsupported answers | Confusing grounding with model training |
| RAG | Retrieval-augmented generation: retrieve relevant content, then generate an answer grounded in it | Assuming RAG automatically solves permissions, freshness, or quality |
| Tool / action | Callable capability such as an API, connector, workflow, or function | Forgetting authorization, validation, and rollback behavior |
| Orchestration | Control logic that coordinates prompts, tools, memory, routing, and multi-step tasks | Letting an agent freely call tools without constraints |
| Human-in-the-loop | Human review, approval, or escalation before or during an action | Adding approval too late for high-risk actions |
| Prompt injection | Malicious or accidental instructions that try to override system behavior or exfiltrate data | Believing “ignore malicious instructions” is a complete defense |
| Evaluation | Measuring correctness, groundedness, task success, safety, cost, and latency | Testing only with happy-path demos |
| Observability | Logs, traces, metrics, and feedback used to operate the solution | Ignoring production monitoring after launch |
Agent autonomy decision rules
The safest architecture usually gives the agent the minimum autonomy needed to create value.
| Autonomy level | What the agent can do | Best for | Required controls |
|---|---|---|---|
| Inform | Answer questions or summarize grounded content | Knowledge lookup, policy Q&A, document summarization | Source citation, permissions, freshness checks |
| Recommend | Suggest next steps but not execute | Sales coaching, support triage, process guidance | Explanation, confidence indicators, user validation |
| Draft | Prepare messages, tickets, plans, or records for user review | Email drafts, proposal content, case notes | Human review, content safety, audit trail |
| Act with approval | Execute an action after explicit approval | Submit request, update CRM, create ticket | Approval workflow, input validation, logging |
| Act independently | Execute bounded low-risk tasks automatically | Routine routing, notifications, data enrichment | Strict scope, monitoring, rollback, exception handling |
Fast rule
If the action is irreversible, external-facing, financial, legal, safety-related, privacy-sensitive, or reputationally risky, design for human approval or strong deterministic controls.
Requirements analysis: what the architect must clarify
Scenario questions often include extra detail. Focus on the requirement that changes the architecture.
| Requirement area | Questions to ask | Design implication |
|---|---|---|
| Business value | What KPI improves: cycle time, accuracy, cost, satisfaction, throughput? | Defines success metrics and prioritization |
| Users | Internal employee, customer, partner, admin, frontline worker? | Determines identity, channel, UX, and access model |
| Data | Which systems are authoritative? How fresh must data be? | Determines grounding, indexing, connectors, and sync strategy |
| Actions | Does the agent only answer, or can it modify systems? | Determines tool design, approvals, and audit needs |
| Risk | What can go wrong if the agent is wrong? | Determines autonomy, testing depth, and controls |
| Compliance | Are there privacy, retention, residency, or industry constraints? | Determines governance and data handling |
| Operations | Who owns, monitors, and updates the solution? | Determines ALM, telemetry, support, and change management |
Choosing between knowledge, workflow, and agent patterns
| Scenario clue | Prefer | Why |
|---|---|---|
| “Users need answers from internal documents” | Grounded knowledge copilot / RAG pattern | Retrieval and source grounding are central |
| “Users need a request submitted after a conversation” | Conversational agent plus workflow/action | Needs both natural language and system execution |
| “Every request follows fixed rules” | Deterministic workflow automation | Agent reasoning adds unnecessary risk |
| “Agent must plan across multiple systems” | Tool-using agent with orchestration | Requires state, tool selection, and error handling |
| “Business users must maintain conversation flows” | Low-code agent design | Maintainability by non-developers matters |
| “Developers need full control over models, evaluation, and deployment” | Custom Azure AI architecture | Flexibility, testing, and lifecycle control matter |
Grounding and retrieval review
Grounding is central to enterprise agentic AI. The agent should use trusted sources instead of unsupported model knowledge when answering business-specific questions.
Retrieval design checklist
| Design point | Good practice | Common mistake |
|---|---|---|
| Source selection | Use authoritative repositories and systems of record | Indexing outdated, duplicate, or unofficial files |
| Chunking | Split content into useful, semantically coherent units | Chunks too large to retrieve precisely or too small to preserve context |
| Metadata | Store labels such as owner, date, department, sensitivity, product, region | Failing to filter by region, role, or effective date |
| Permissions | Enforce user access at retrieval and response time | Returning content the user cannot access |
| Freshness | Define sync/index update requirements | Assuming indexed content is always current |
| Citations | Provide references where useful | Producing confident answers with no traceability |
| Fallback | Say when information is unavailable or uncertain | Forcing an answer when grounding fails |
RAG versus fine-tuning
| Need | Better fit | Reason |
|---|---|---|
| Answer from changing enterprise documents | RAG / grounding | Easier to update content without retraining |
| Adapt style, format, or task behavior | Prompting or fine-tuning, depending on need | Behavior may not require retrieval |
| Add private facts to responses | RAG | Facts should remain in controlled data sources |
| Improve specialized output consistency | Prompt templates, examples, evaluation, or fine-tuning | Depends on volume, stability, and governance |
| Reduce hallucination about company policy | Grounded retrieval plus refusal/fallback behavior | Training alone does not guarantee current policy accuracy |
Data security and identity controls
For AB-100, security is not an afterthought. Agentic systems can amplify access because they combine natural language, data retrieval, and action execution.
| Control area | What to design for |
|---|---|
| Identity | Use enterprise identity such as Microsoft Entra ID where appropriate |
| Authorization | Apply least privilege to users, agents, connectors, and service identities |
| Permission trimming | Ensure retrieved content respects the user’s access rights |
| Secrets | Store credentials securely; do not place secrets in prompts or code |
| Data loss prevention | Apply policies to prevent sensitive data movement to unauthorized systems |
| Audit logging | Record important prompts, tool calls, approvals, and outputs where appropriate |
| Environment separation | Separate development, test, and production environments |
| Conditional access | Consider user, device, network, and risk context where relevant |
| Data lifecycle | Address retention, deletion, classification, and sensitivity labels when required |
Security traps
- Using a high-privilege service account that lets the agent retrieve or modify more data than the user can access.
- Treating prompts as a security boundary.
- Allowing unrestricted tool calls from untrusted user input.
- Returning retrieved content without checking sensitivity or access.
- Logging sensitive prompts or responses without retention and access controls.
- Forgetting that connectors and plugins may expand the agent’s effective attack surface.
Responsible AI and risk controls
Microsoft exam scenarios commonly reward designs that balance usefulness with responsible AI practices.
| Risk | Example | Mitigation |
|---|---|---|
| Hallucination | Agent invents a policy or price | Grounding, citations, evaluation, refusal behavior |
| Prompt injection | Document tells the agent to ignore prior instructions | Content filtering, instruction hierarchy, tool restrictions, retrieval sanitization |
| Data leakage | Agent exposes confidential records | Permission trimming, DLP, identity-aware retrieval |
| Unsafe action | Agent cancels an order or changes payroll incorrectly | Approval workflow, validation, rollback, scope limits |
| Bias or unfairness | Agent treats customers or employees inconsistently | Evaluation sets, human review, policy constraints |
| Overreliance | Users accept AI output without judgment | UX cues, confidence, citations, training |
| Compliance breach | Sensitive data leaves approved boundary | Governance, classification, approved connectors, monitoring |
| Poor explainability | User cannot understand why a recommendation was made | Show sources, reasoning summary, decision factors where appropriate |
Designing tool-using agents
Agents become business-critical when they can act. That increases value and risk.
Tool design principles
| Principle | Why it matters |
|---|---|
| Narrow tool scope | Reduces damage from bad planning or malicious input |
| Explicit schemas | Improves reliability and validation |
| Idempotency | Prevents duplicate actions during retries |
| Confirmation steps | Protects high-impact operations |
| Error handling | Lets the agent recover or escalate gracefully |
| Auditability | Supports compliance, troubleshooting, and user trust |
| Rate limits and quotas | Protects downstream systems |
| Timeouts | Prevents long-running or stalled agent tasks |
| Rollback or compensation | Handles partial failure in multi-step workflows |
Tool-call decision path
flowchart TD
A[Agent wants to call a tool] --> B{Is the tool needed?}
B -- No --> C[Answer without action]
B -- Yes --> D{Is user authorized?}
D -- No --> E[Refuse or escalate]
D -- Yes --> F{Is action high risk?}
F -- Yes --> G[Request approval]
F -- No --> H[Validate inputs]
G --> H
H --> I{Validation passes?}
I -- No --> J[Ask clarification or stop]
I -- Yes --> K[Execute tool]
K --> L[Log result and report status]
Orchestration and multi-agent thinking
Not every problem needs multiple agents. The exam may describe complex workflows to test whether you can decompose responsibilities safely.
| Pattern | Use when | Caution |
|---|---|---|
| Single agent | One primary user task, limited tools, clear context | Avoid overloading with unrelated responsibilities |
| Router pattern | Different tasks require different specialized flows or agents | Routing logic must be tested |
| Planner-executor | Agent plans steps and uses tools to complete them | Needs constraints, monitoring, and recovery |
| Human escalation | The agent cannot safely or confidently complete the task | Escalation path must be part of the design |
| Deterministic workflow plus AI step | AI is needed for summarization, classification, or drafting inside a stable process | Do not make the entire workflow probabilistic |
| Multi-agent collaboration | Distinct specialized roles improve quality or maintainability | More complexity, latency, cost, and testing burden |
Prompt and instruction hierarchy review
Prompts are important but should not carry the entire architecture.
| Prompt layer | Purpose |
|---|---|
| System/developer instructions | Define role, boundaries, policies, and response style |
| Grounding context | Supplies retrieved facts or task-specific data |
| User request | Describes the current user’s goal |
| Tool outputs | Provide results from external systems |
| Conversation history or memory | Preserves relevant context across turns |
Prompt engineering traps
- Hiding business rules only in a long prompt when they should be enforced by code, workflow, or policy.
- Asking the model to “always be accurate” without grounding or evaluation.
- Including sensitive credentials or secrets in prompt text.
- Allowing retrieved documents to override higher-priority instructions.
- Using one giant prompt instead of modular instructions, tools, and evaluation.
Evaluation: what to measure
A strong architect defines how the agent will be evaluated before full deployment.
| Metric area | What it measures | Example evaluation method |
|---|---|---|
| Task success | Whether the agent completes the intended workflow | Test cases with expected outcomes |
| Groundedness | Whether answers are supported by retrieved sources | Compare response claims to source documents |
| Retrieval quality | Whether the right content is retrieved | Precision/recall review against known queries |
| Safety | Whether harmful, disallowed, or sensitive responses are blocked | Red-team prompts and policy tests |
| Tool accuracy | Whether tool calls use correct parameters and sequence | Simulated API tests and logs |
| Latency | How quickly the solution responds | Performance tests under realistic load |
| Cost | Token, compute, search, and workflow execution cost | Usage telemetry and budget thresholds |
| User satisfaction | Whether users trust and adopt the solution | Feedback, surveys, support tickets |
| Business impact | Whether the KPI improved | Before/after process metrics |
Evaluation traps
- Testing only a few demo prompts.
- Ignoring negative tests and adversarial prompts.
- Measuring answer fluency instead of correctness.
- Not testing permissions with different user roles.
- Not retesting after prompt, model, data, or tool changes.
- Failing to include real business edge cases.
Monitoring and operations
Production agentic AI requires continuous operation, not one-time deployment.
| Operational concern | What to plan |
|---|---|
| Telemetry | Prompts, responses, retrievals, tool calls, latency, errors, user feedback |
| Versioning | Track changes to prompts, models, tools, indexes, and workflows |
| Rollback | Ability to revert a bad prompt, connector, index, or model change |
| Incident response | Process for unsafe output, data leakage, or failed actions |
| Cost management | Budgets, quotas, alerts, usage reporting |
| Model updates | Regression testing when model behavior changes |
| Content updates | Index refresh strategy and source ownership |
| Support model | Who handles failed sessions, escalations, and user issues |
| Governance | Review process for new agents, tools, connectors, and data sources |
Governance and lifecycle
AB-100 scenarios may describe multiple departments building agents. The architect should prevent uncontrolled sprawl.
| Governance need | Design response |
|---|---|
| Many teams creating agents | Define standards, templates, review gates, and ownership |
| Sensitive data access | Require classification, DLP, permission trimming, and approved connectors |
| Production deployment | Use environment strategy, testing, approvals, and monitoring |
| Business-user maintainability | Provide low-code governance, managed environments, and change control |
| Reuse | Create shared connectors, prompts, policies, evaluation sets, and components |
| Compliance evidence | Maintain logs, approvals, evaluation results, and documentation |
Scenario-based decision table
Use this table when a question asks for the “best” design.
| If the question emphasizes… | Choose the answer that prioritizes… |
|---|---|
| Least custom development | Existing Microsoft copilot or low-code capabilities |
| Maximum control and custom AI lifecycle | Azure-based custom architecture and evaluation |
| Business-user ownership | Copilot Studio / low-code maintainability with governance |
| Enterprise data Q&A | Grounded retrieval with permissions and citations |
| Process execution | Tool/action integration with validation and approvals |
| High-risk actions | Human-in-the-loop and constrained automation |
| Compliance and privacy | Data governance, identity, audit, DLP, retention |
| Accuracy problems | Better grounding, evaluation, retrieval tuning, fallback |
| Production readiness | Monitoring, versioning, rollback, support |
| Adoption | User workflow fit, training, feedback, measurable value |
Common exam traps
| Trap | Better reasoning |
|---|---|
| Selecting the most advanced model by default | Start with business need, risk, cost, latency, and grounding |
| Replacing all workflows with agents | Use deterministic automation for deterministic processes |
| Treating a proof of concept as production-ready | Add security, testing, monitoring, ALM, and governance |
| Solving data security with prompt instructions | Enforce identity, authorization, DLP, and permissions in architecture |
| Assuming retrieved content is correct | Use authoritative sources, metadata, freshness, and evaluation |
| Allowing broad tool access | Use least privilege, schema validation, approvals, and audit logs |
| Ignoring user experience | Put the agent in the user’s actual workflow |
| Measuring only technical accuracy | Also measure business impact and adoption |
| Forgetting operational ownership | Assign owners for data, agent behavior, connectors, and support |
| Overbuilding custom solutions | Use Microsoft platform capabilities when they satisfy requirements |
Quick review: architecture checklist
Before answering an AB-100 scenario, mentally check:
- Outcome: Is the business problem clearly defined?
- Users: Who interacts with the agent and through which channel?
- Data: What sources ground the response?
- Permissions: Does the user have rights to the data and actions?
- Actions: What systems can the agent modify?
- Autonomy: Is approval required?
- Safety: What can go wrong, and what prevents it?
- Evaluation: How is correctness and safety measured?
- Operations: How is the agent monitored and updated?
- Governance: Who owns the agent, data, tools, and lifecycle?
How to use IT Mastery practice effectively
After this Quick Review, move into IT Mastery practice with original practice questions. For each question:
- Identify the business goal before reading the answers.
- Mark the key constraint: security, cost, governance, autonomy, data freshness, or user workflow.
- Eliminate answers that rely only on prompting for security or compliance.
- Prefer the least complex architecture that satisfies all requirements.
- Review the detailed explanations for both correct and incorrect choices.
- Use topic drills for weak areas such as grounding, tool execution, governance, or evaluation.
Final readiness check
You are closer to exam-ready when you can explain why an architecture is appropriate, not just name the Microsoft service involved. Focus your final review on scenario tradeoffs: when to use an agent, how to ground it, how to constrain its actions, how to secure it, and how to prove it works.
Next step: use the AB-100 question bank for targeted topic drills, then complete mixed mock exams with detailed explanations to test whether you can apply these decision rules under exam-style pressure.
Continue in IT Mastery
Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official Microsoft questions, copied live-exam content, or exam dumps.