Microsoft Entra Conditional Access optimization agent with Microsoft Security Copilot

The Conditional Access optimization agent helps you ensure all users and applications are protected by Conditional Access policies. It recommends policies and changes based on best practices aligned with Zero Trust and Microsoft's learnings.

In preview, the Conditional Access optimization agent evaluates policies such as requiring multifactor authentication (MFA), enforcing device-based controls (device compliance, app protection policies, and domain-joined devices), and blocking legacy authentication and device code flow. The agent also evaluates all existing enabled policies to propose consolidation of similar policies. When the agent identifies a suggestion, you can have the agent update the associated policy with one-click remediation.

Prerequisites

Limitations

  • During the preview, don't set up the agent with an account whose role must be activated through Privileged Identity Management (PIM). The agent runs as that account, and an account without standing permissions might cause authentication failures for the agent.
  • Once an agent run starts, it can't be stopped or paused. A run might take a few minutes.
  • For policy consolidation, each agent run looks at only four similar policy pairs.
  • The agent currently runs as the user who enables it.
  • In preview, run the agent only from the Microsoft Entra admin center.
  • Scanning is limited to the previous 24-hour period.
  • Suggestions from the agent can't be customized or overridden.

How it works

The Conditional Access optimization agent scans your tenant for new users and applications from the last 24 hours and determines if Conditional Access policies are applicable. If the agent finds users or applications that aren't protected by Conditional Access policies, it provides suggested next steps, such as turning on or modifying a Conditional Access policy. You can review the suggestion, how the agent identified the solution, and what would be included in the policy.

Each time the agent runs, it takes the following steps. These initial scanning steps don't consume any Security Compute Units (SCUs).

  1. The agent scans all Conditional Access policies in your tenant.
  2. The agent checks for policy gaps and if any policies can be combined.
  3. The agent reviews previous suggestions so it won't suggest the same policy again.

If the agent identifies something that wasn't previously suggested, it takes the following steps. These action steps consume SCUs.

  1. The agent identifies a policy gap or a pair of policies that can be consolidated.
  2. The agent evaluates any custom instructions you provided.
  3. The agent creates a new policy in report-only mode or provides the suggestion to modify a policy, including any logic provided by the custom instructions.

Tip

Two policies can be consolidated if they differ by no more than two conditions or controls.
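The scanning and consolidation steps above can be approximated offline. The following is an added example, not Microsoft's code and not how the agent is implemented: it takes policies in the Microsoft Graph conditionalAccessPolicy JSON shape, counts on how many condition or control paths two enabled policies differ (flagging pairs that differ by two or fewer, as in the tip), and lists users with no enabled, all-application policy that requires MFA. All policy objects, user records, group and role names, and object IDs are constructed placeholders; the set of compared paths is an assumption.

```python
"""Added example (not Microsoft's code): approximate two checks the agent
performs, using policies in Microsoft Graph's conditionalAccessPolicy JSON
shape. All policy and user data below is constructed for illustration."""
from itertools import combinations

# Condition and control paths compared when counting how two policies differ
# (an assumed list; the agent's own comparison isn't published).
PATHS = (
    ("conditions", "users", "includeUsers"), ("conditions", "users", "excludeUsers"),
    ("conditions", "users", "includeGroups"), ("conditions", "users", "excludeGroups"),
    ("conditions", "users", "includeRoles"), ("conditions", "users", "excludeRoles"),
    ("conditions", "applications", "includeApplications"),
    ("conditions", "applications", "excludeApplications"),
    ("conditions", "clientAppTypes"), ("conditions", "signInRiskLevels"),
    ("conditions", "userRiskLevels"),
    ("grantControls", "operator"), ("grantControls", "builtInControls"),
)

def _get(policy, path):
    """Value at a nested path, as a frozenset for lists; None when unset."""
    node = policy
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return frozenset(node) if isinstance(node, list) else node

def difference_count(a, b):
    """Number of condition/control paths on which the two policies differ."""
    return sum(1 for p in PATHS if _get(a, p) != _get(b, p))

def consolidation_candidates(policies, max_diff=2):
    """Pairs of enabled policies differing by at most max_diff paths. This is a
    heuristic: a real merge must still preserve the AND of both policies' outcomes."""
    enabled = [p for p in policies if p["state"] == "enabled"]
    return [(a["id"], b["id"], n) for a, b in combinations(enabled, 2)
            if (n := difference_count(a, b)) <= max_diff]

def requires_mfa(policy):
    gc = policy.get("grantControls") or {}
    return "mfa" in gc.get("builtInControls", []) or bool(gc.get("authenticationStrength"))

def covers_all_apps(policy):
    apps = policy["conditions"].get("applications", {})
    return "All" in apps.get("includeApplications", []) and not apps.get("excludeApplications")

def in_scope(users_cond, user):
    """Whether a user (with its group and role memberships) is targeted by a users condition."""
    hit = lambda key, values: bool(set(values) & set(users_cond.get(key, [])))
    inc = users_cond.get("includeUsers", [])
    included = ("All" in inc or user["id"] in inc
                or hit("includeGroups", user["groups"]) or hit("includeRoles", user["roles"]))
    excluded = (user["id"] in users_cond.get("excludeUsers", [])
                or hit("excludeGroups", user["groups"]) or hit("excludeRoles", user["roles"]))
    return included and not excluded

def mfa_gaps(policies, users):
    """Users not covered by any enabled, all-application policy that requires MFA.
    Report-only policies don't enforce anything, so they're ignored here."""
    protecting = [p for p in policies
                  if p["state"] == "enabled" and requires_mfa(p) and covers_all_apps(p)]
    return sorted(u["id"] for u in users
                  if not any(in_scope(p["conditions"]["users"], u) for p in protecting))

# Constructed sample tenant: IDs are placeholders, not real object IDs.
_COMMON_USERS = {"includeUsers": ["All"], "excludeUsers": ["breakglass-1"],
                 "excludeGroups": ["g-contractors"]}
_ALL_APPS = {"includeApplications": ["All"]}
POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": _COMMON_USERS, "applications": _ALL_APPS, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "Require MFA for all users (agent draft)",
     "state": "enabledForReportingButNotEnforced",   # report-only: created but not enforcing
     "conditions": {"users": {**_COMMON_USERS, "excludeUsers": ["breakglass-1", "breakglass-2"]},
                    "applications": _ALL_APPS, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p3", "displayName": "Require compliant device for all users", "state": "enabled",
     "conditions": {"users": _COMMON_USERS, "applications": _ALL_APPS, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"id": "p4", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": _ALL_APPS,
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
USERS = [
    {"id": "alice", "groups": ["g-staff"], "roles": []},
    {"id": "breakglass-1", "groups": [], "roles": ["role-global-admin"]},
    {"id": "carol", "groups": ["g-contractors"], "roles": []},
]

if __name__ == "__main__":
    print("consolidation candidates:", consolidation_candidates(POLICIES))
    print("users with no enforced MFA policy:", mfa_gaps(POLICIES, USERS))
```

On the sample data, only p1 and p3 qualify as a consolidation pair (they differ only in the grant control), while p4 differs from both on four paths. The report-only draft p2 is ignored by both checks: it neither counts as an enabled policy for consolidation nor protects anyone, which is why the gap list names the deliberately excluded break-glass account and the contractor excluded by group. Exporting your own policies with the Graph `conditionalAccessPolicy` endpoint gives input in the same shape.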

In preview, the policy suggestions identified by the agent include:

  • Require MFA: The agent identifies users who aren't covered by a Conditional Access policy that requires MFA and can update the policy.
  • Require device-based controls: The agent can enforce device-based controls, such as device compliance, app protection policies, and domain-joined devices.
  • Block legacy authentication: The agent looks for a policy that blocks sign-ins over legacy authentication protocols, so accounts can't use those protocols to sign in.
  • Block device code flow: The agent looks for a policy blocking device code flow authentication.
  • Risky users: The agent suggests a policy to require secure password change for high risk users. Requires Microsoft Entra ID P2 license.
  • Risky sign-ins: The agent suggests a policy to require multifactor authentication for high risk sign-ins. Requires Microsoft Entra ID P2 license.
  • Policy consolidation: The agent scans your policy and identifies overlapping settings. For example, if you have more than one policy that has the same grant controls, the agent suggests consolidating those policies into one.

Important

The agent doesn't make any changes to existing policies unless an administrator explicitly approves the suggestion.

All new policies suggested by the agent are created in report-only mode.

Getting started

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. From the new home page, select Go to agents from the agent notification card.

    • You can also select Agents from the left navigation menu.

    Screenshot of the Microsoft Entra admin center showcasing the new Security Copilot agents experience.

  3. Select View details on the Conditional Access Optimization Agent tile.

    Screenshot of the Conditional Access agent tile with the view details button highlighted.

  4. Select Start agent to begin your first run.

    • Avoid using an account with a role activated through PIM.
    • A message that says "The agent is starting its first run" appears in the upper-right corner.
    • The first run might take a few minutes to complete.

    Screenshot showing the Conditional Access Optimization agent start agent page.

When the agent overview page loads, any suggestions appear in the Recent suggestions box. If a suggestion was identified, you can review the policy, determine policy impact, and apply the changes if needed. For more information, see Review and approve Conditional Access agent suggestions.

Screenshot of agent summary and recent suggestions with the review suggestion buttons highlighted.

Settings

Once the agent is enabled, you can adjust a few settings. You can access the settings from two places in the Microsoft Entra admin center:

  • From Agents > Conditional Access optimization agent > Settings.
  • From Conditional Access > select the Conditional Access optimization agent card under Policy summary > Settings.

Trigger

The agent is configured to run every 24 hours based on when it's initially configured. You can run it at a specific time by toggling the Trigger setting off and then back on when you want it to run.

Screenshot of the trigger option in the Conditional Access Optimization agent settings.

Objects

Use the checkboxes under Objects to specify what the agent should monitor when making policy recommendations. By default, the agent looks for both new users and new applications in your tenant over the previous 24-hour period.

Identity and permissions

The agent runs under the identity and permissions of the user who enabled it in your tenant. For that reason, avoid enabling the agent with an account that requires just-in-time elevation through PIM: when the role isn't active, the agent's requests might fail. Actions taken by the agent appear in the audit logs attributed to the user who enabled it.

The Security Administrator and Global Administrator roles also have access to Security Copilot by default.

You can grant Conditional Access Administrators access to Security Copilot, which lets them use the agent as well. For more information, see Assign Security Copilot access.

Custom instructions

You can tailor the suggested policies with the optional Custom Instructions field, which passes a prompt to the agent as part of each run. For example: 'The user "Break Glass" should be excluded from policies created.' Custom instructions can include or exclude users, groups, and roles, either from consideration entirely or for a specific scenario, and can add exceptions to a suggested policy.
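Because the agent only drafts policies (in report-only mode) and an administrator must approve them, a short pre-approval check is worth automating. The following is an added example, not Microsoft's code: it takes a suggested policy in the Microsoft Graph conditionalAccessPolicy JSON shape and verifies that it is still report-only, that the break-glass accounts named in your custom instructions are excluded, and that a block policy neither targets all users without exclusions nor reaches modern clients. The break-glass object IDs, the list of legacy client types, and both sample suggestions are constructed assumptions.

```python
"""Added example (not Microsoft's code): checks to run on an agent-suggested
policy before approving it. The policy object follows Microsoft Graph's
conditionalAccessPolicy JSON shape; all sample data is constructed."""

REPORT_ONLY = "enabledForReportingButNotEnforced"
# Assumed object IDs of the tenant's emergency-access (break-glass) accounts,
# i.e. the accounts your custom instructions tell the agent to exclude.
BREAK_GLASS = {"breakglass-1", "breakglass-2"}
# Legacy-authentication client types a "block legacy auth" policy should be limited to.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

def review_suggestion(policy, break_glass=BREAK_GLASS):
    """Return a list of findings; an empty list means nothing blocks approval."""
    findings = []
    users = policy.get("conditions", {}).get("users", {})
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    client_types = set(policy.get("conditions", {}).get("clientAppTypes", []))

    # New suggestions are created report-only; anything else was changed after drafting.
    if policy.get("state") != REPORT_ONLY:
        findings.append(f"state is {policy.get('state')!r}; a new suggestion should be report-only")
    # Custom instructions asked for break-glass exclusions; confirm they were honored.
    missing = sorted(break_glass - set(users.get("excludeUsers", [])))
    if missing:
        findings.append(f"break-glass accounts not excluded: {missing}")
    # A block grant over all users with no exclusions can lock the whole tenant out.
    if "block" in controls and "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        findings.append("block control targets all users with no exclusions (lockout risk)")
    # A legacy-auth block should not also hit browser and modern desktop/mobile clients.
    if "block" in controls and not client_types <= LEGACY_CLIENT_TYPES:
        findings.append(f"block policy also hits modern clients: {sorted(client_types - LEGACY_CLIENT_TYPES)}")
    return findings

# Constructed suggestions, shaped like drafts the agent might produce.
SUGGESTED_MFA = {
    "id": "s1", "displayName": "Require MFA for all users", "state": REPORT_ONLY,
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1"]},
                   "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
SUGGESTED_LEGACY_BLOCK = {
    "id": "s2", "displayName": "Block legacy authentication", "state": REPORT_ONLY,
    "conditions": {"users": {"includeUsers": ["All"],
                             "excludeUsers": ["breakglass-1", "breakglass-2"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["exchangeActiveSync", "other"]},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    for p in (SUGGESTED_MFA, SUGGESTED_LEGACY_BLOCK):
        print(p["displayName"], "->", review_suggestion(p) or "OK")
```

The first sample draft excludes only one of the two break-glass accounts and is reported; the legacy-auth block passes because it is report-only, excludes both accounts, and is scoped to legacy client types. Run the same check again after approval, since the agent updates existing policies in place and a later edit can remove an exclusion.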

Remove agent

If you no longer want to use the Conditional Access optimization agent, select Remove agent at the top of the agent window. The agent's data (activity, suggestions, and metrics) is removed, but any policies created or modified from its suggestions remain in place and continue to work.

Providing feedback

Use the Give Microsoft feedback button at the top of the agent window to provide feedback to Microsoft about the agent.