The Microsoft Entra Conditional Access Optimization Agent helps you ensure that all users, applications, and agent identities are protected by Conditional Access policies. The agent can recommend new policies and update existing policies, based on best practices aligned with Zero Trust and Microsoft's learnings. The agent also creates policy review reports (preview), which provide insights into spikes or dips that might indicate a policy misconfiguration.
The Conditional Access Optimization Agent evaluates policies such as:
- Requiring multifactor authentication (MFA).
- Enforcing device-based controls (device compliance, app protection policies, and domain-joined devices).
- Blocking legacy authentication and device code flow.
The agent also evaluates all existing enabled policies to propose potential consolidation of similar policies. When the agent identifies a suggestion, you can have the agent update the associated policy with one-click remediation.
Important
The ServiceNow integration, file upload capability, and activity-based runs in the Conditional Access Optimization Agent are currently in preview. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Prerequisites
- You must have at least the Microsoft Entra ID P1 license.
- You must have available security compute units (SCUs). On average, each agent run consumes less than one SCU.
- You must have the appropriate Microsoft Entra role:
  - A Security Administrator role is required to activate the agent the first time.
  - Security Reader and Global Reader roles can view the agent and any suggestions, but can't take any action.
  - Conditional Access Administrator and Security Administrator roles can view the agent and take action on the suggestions.
  - Granting Conditional Access Administrators Microsoft Security Copilot access lets them use the agent.
  - For more information about roles, see Assign Security Copilot access.
- Device-based controls require Microsoft Intune licenses.
- Review Privacy and data security in Microsoft Security Copilot.
Limitations
- After the agent starts, you can't stop or pause the run. It might take a few minutes to run.
- For policy consolidation, each agent run evaluates 40 similar policy pairs.
- We recommend running the agent from the Microsoft Entra admin center.
- Scanning is limited to a 24-hour period.
- You can't customize or override suggestions from the agent.
- The agent can review up to 300 users and 150 applications in a single run.
How it works
The Conditional Access Optimization Agent scans your tenant for new users, applications, and agent identities from the last 24 hours and determines if Conditional Access policies are applicable. If the agent finds users, applications, or agent identities that Conditional Access policies don't cover, it provides suggested next steps.
A next step might be turning on or modifying a Conditional Access policy. You can review the suggestion, how the agent identified the solution, and what the policy would include.
Each time the agent runs, it takes the following steps. These initial scanning steps don't consume any SCUs.
- The agent scans all Conditional Access policies in your tenant.
- The agent checks for policy gaps and if any policies can be combined.
- The agent reviews previous suggestions so that it won't suggest the same policy again.
If the agent identifies something that it didn't previously suggest, it takes the following steps. These agent action steps consume SCUs.
- The agent identifies a policy gap or a pair of policies that can be consolidated.
- The agent evaluates any custom instructions that you provided.
- The agent creates a new policy in report-only mode or provides the suggestion to modify a policy, including any logic in the custom instructions.
Note
Security Copilot requires that at least one SCU is provisioned in your tenant. That SCU is billed each month, even if you don't consume any SCUs. Turning off the agent doesn't stop the monthly billing for the SCU.
The policy suggestions from the agent include:
- Require MFA: The agent identifies users who aren't covered by a Conditional Access policy that requires MFA and can update the policy.
- Require device-based controls: The agent can enforce device-based controls, such as device compliance, app protection policies, and domain-joined devices.
- Block legacy authentication: The agent suggests a policy that blocks sign-ins that use legacy authentication protocols.
- Block device code flow: The agent checks whether a policy blocks device code flow and suggests one if none exists.
- Risky users: The agent suggests a policy to require secure password change for high-risk users. Requires a Microsoft Entra ID P2 license.
- Risky sign-ins: The agent suggests a policy to require multifactor authentication for high-risk sign-ins. Requires a Microsoft Entra ID P2 license.
- Risky agents: The agent suggests a policy to block authentication for high-risk sign-ins. Requires a Microsoft Entra ID P2 license.
- Policy consolidation: The agent scans your policy and identifies overlapping settings. For example, if you have more than one policy that has the same grant controls, the agent suggests consolidating those policies into one.
- Deep analysis: The agent evaluates policies that correspond to key scenarios to identify outlier policies that have more than a recommended number of exceptions (leading to unexpected gaps in coverage) or no exceptions (leading to possible lockout).
- Deep analysis MFA gap analysis: The agent scans all enabled Conditional Access policies in your tenant to identify users not covered by any MFA policy. This scan includes users excluded from baseline policies, missed in group membership, or falling through gaps between overlapping policies. Unlike standard scans, this analysis evaluates the entire tenant configuration and isn't limited to the last 24 hours.
- Least-privileged access for agent identities (preview): The agent identifies agent identities with unused or overprivileged Microsoft Graph permissions. It then recommends least-privilege enforcement, such as removing unused permissions or replacing broad permissions with more specific ones.
Important
The agent doesn't make any changes to existing policies unless an administrator explicitly approves the suggestion.
All new policies that the agent suggests are created in report-only mode.
Two policies can be consolidated if they differ by no more than two conditions or controls.
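The MFA gap analysis and the "differ by no more than two conditions or controls" consolidation rule described above can both be expressed as checks over policy objects. The following is an added worked example, not the agent's code or any Microsoft code: it models a subset of the Microsoft Graph `conditionalAccessPolicy` resource (`state`, `conditions`, `grantControls`) over constructed sample users, groups and policies. The counting rule used for "conditions or controls" (one per top-level condition key, one per built-in grant control, one for a different grant operator) is an assumption made for the illustration; the agent's exact rule isn't documented here.

```python
"""Coverage-gap and consolidation checks over Conditional Access policies.

Added worked example, not the agent's code. Policies are a subset of the
Microsoft Graph conditionalAccessPolicy shape; all directory data and
policies below are constructed sample data.
"""
from itertools import combinations

# Constructed directory: user id -> set of group ids the user belongs to.
USERS = {
    "alice": {"g-finance"},
    "bob": {"g-finance", "g-break-glass"},
    "carol": set(),
    "dave": {"g-contractors"},
}


def assignment(include_users=(), include_groups=(), exclude_users=(), exclude_groups=()):
    """conditions.users block of a Graph conditionalAccessPolicy."""
    return {"includeUsers": list(include_users), "includeGroups": list(include_groups),
            "excludeUsers": list(exclude_users), "excludeGroups": list(exclude_groups)}


def policy(name, state, users, client_app_types, controls):
    """Build a policy in the Graph conditionalAccessPolicy shape (subset of fields)."""
    return {
        "displayName": name, "state": state,
        "conditions": {"users": users,
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": client_app_types},
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


# Constructed policies. CA003 is report-only, so it enforces nothing.
POLICIES = [
    policy("CA001 Require MFA for all users", "enabled",
           assignment(["All"], exclude_groups=["g-break-glass", "g-contractors"]),
           ["all"], ["mfa"]),
    policy("CA002 Finance: MFA or compliant device", "enabled",
           assignment(include_groups=["g-finance"]), ["all"], ["mfa", "compliantDevice"]),
    policy("CA003 Contractors: require MFA (report-only)", "enabledForReportingButNotEnforced",
           assignment(include_groups=["g-contractors"]), ["all"], ["mfa"]),
    policy("CA004 Block legacy authentication", "enabled",
           assignment(["All"]), ["exchangeActiveSync", "other"], ["block"]),
]


def policy_targets_user(pol, user_id, groups):
    """True if the policy's user assignment includes the user after exclusions.

    Exclusions win over inclusions, as in Conditional Access assignment
    evaluation; "All" in includeUsers covers every user."""
    users = pol["conditions"]["users"]
    if user_id in users["excludeUsers"] or groups & set(users["excludeGroups"]):
        return False
    return ("All" in users["includeUsers"] or user_id in users["includeUsers"]
            or bool(groups & set(users["includeGroups"])))


def enforces_mfa(pol):
    """Only an enabled policy counts; report-only policies enforce nothing."""
    return pol["state"] == "enabled" and "mfa" in pol["grantControls"]["builtInControls"]


def mfa_gap(policies, users):
    """Users to whom no enabled MFA policy applies (the MFA gap analysis idea)."""
    mfa_policies = [p for p in policies if enforces_mfa(p)]
    return sorted(u for u, g in users.items()
                  if not any(policy_targets_user(p, u, g) for p in mfa_policies))


def _normalise(value):
    """Order-insensitive comparison for lists; dicts normalised recursively."""
    if isinstance(value, dict):
        return tuple(sorted((k, _normalise(v)) for k, v in value.items()))
    if isinstance(value, list):
        return tuple(sorted(value))
    return value


def difference_count(a, b):
    """Number of conditions and controls on which two policies differ (assumed rule)."""
    cond_a, cond_b = a["conditions"], b["conditions"]
    differing = sum(1 for key in set(cond_a) | set(cond_b)
                    if _normalise(cond_a.get(key)) != _normalise(cond_b.get(key)))
    ctl_a = set(a["grantControls"]["builtInControls"])
    ctl_b = set(b["grantControls"]["builtInControls"])
    differing += len(ctl_a ^ ctl_b)
    differing += a["grantControls"]["operator"] != b["grantControls"]["operator"]
    return differing


def consolidation_candidates(policies, max_diff=2):
    """Pairs of enabled policies that differ by at most max_diff items."""
    enabled = [p for p in policies if p["state"] == "enabled"]
    return [(a["displayName"], b["displayName"], difference_count(a, b))
            for a, b in combinations(enabled, 2) if difference_count(a, b) <= max_diff]


if __name__ == "__main__":
    print("Users with no enforced MFA policy:", mfa_gap(POLICIES, USERS))
    for name_a, name_b, n in consolidation_candidates(POLICIES):
        print(f"Consolidation candidate ({n} differences): {name_a} <-> {name_b}")
```

Running this reports `dave` as the only gap: CA001 excludes the contractors group, and the only policy that targets that group (CA003) is report-only. `bob` is excluded from CA001 by the break-glass group but is still covered by CA002 through the finance group, which is exactly the kind of overlap the tenant-wide gap analysis has to account for. The only pair within the two-difference threshold is CA001 and CA002 (different user assignment, one extra grant control); CA004 differs from both in client app types and in its controls, so it isn't a consolidation candidate.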
Getting started
Sign in to the Microsoft Entra admin center as at least a Security Administrator.
On the new home page, select Go to agents from the agent notification card.
You can also select Agents from the left menu.
On the Conditional Access Optimization Agent tile, select View details.
Select Start agent to begin your first run.
On the Overview tab for the agent, any suggestions appear in the Recent suggestions box. You can then review the policy, determine policy impact, and apply the changes if needed. For more information, see Review and apply suggestions from the Conditional Access Optimization Agent.
Settings
The agent includes several settings that extend its capabilities and tailor them to your organization. You can configure the following capabilities on the Settings tab. For more information, see Conditional Access Optimization Agent settings.
- Allow the agent to run automatically, every 24 hours.
- Enable activity-based runs to trigger the agent when relevant tenant changes occur (preview).
- Set the agent to check for changes to users and applications.
- Allow the agent to create policies in report-only mode.
- Allow the agent to send notifications through Microsoft Teams.
- Allow the agent to create phased rollout plans.
- Allow the agent to create passkey adoption campaigns.
- Enable integration with ServiceNow for automatic ticket creation.
- Provide knowledge sources to the agent for organization-specific suggestions.
- View the insights dashboard to track agent-driven Zero Trust improvements to security posture (preview).
Built-in integrations
The Conditional Access Optimization Agent can make policy suggestions for organizations that use Intune for device management and Global Secure Access for network access.
Intune integration
The Conditional Access Optimization Agent integrates with Intune to:
- Monitor device compliance and application protection policies configured in Intune.
- Identify potential gaps in Conditional Access enforcement.
This proactive and automated approach ensures that Conditional Access policies remain aligned with organizational security goals and compliance requirements. The agent suggestions are the same as the other policy suggestions, except that Intune provides part of the signal to the agent.
Agent suggestions for Intune scenarios cover specific user groups and platforms (iOS or Android). For example, the agent identifies an active Intune policy for app protection that targets the Finance group, but it determines that no sufficient Conditional Access policy enforces app protection. The agent creates a report-only policy that requires users to access resources only through compliant applications on iOS devices.
To identify Intune device compliance and app protection policies, the agent must be running either as a Global Administrator, or as a Conditional Access Administrator who also holds the Global Reader role. The Conditional Access Administrator role isn't sufficient on its own for the agent to produce Intune suggestions.
Global Secure Access integration
Microsoft Entra Internet Access and Microsoft Entra Private Access (collectively known as Global Secure Access) integrate with the Conditional Access Optimization Agent to provide suggestions specific to your organization's network access policies. The suggestion Turn on new policy to enforce Global Secure Access network access requirements helps you align your Global Secure Access policies that include network locations and protected applications.
With this integration, the agent identifies users or groups that aren't covered by a Conditional Access policy to require access to corporate resources only through approved Global Secure Access channels. This policy requires users to connect to corporate resources by using the organization's secure Global Secure Access network before accessing corporate apps and data. Users who connect from unmanaged or untrusted networks are prompted to use the Global Secure Access client or web gateway. You can review sign-in logs to verify compliant connections.
Agent removal
If you no longer want to use the Conditional Access Optimization Agent, select Remove agent at the top of the agent window. The existing data (agent activity, suggestions, and metrics) is removed, but any policies created or updated based on the agent suggestions remain intact. Previously applied suggestions remain unchanged, so you can continue to use the policies that the agent created or modified.
Providing feedback
To provide feedback to Microsoft about the agent, use the Give Microsoft feedback button at the top of the agent window.
FAQs
When should I use the Conditional Access Optimization Agent vs. Copilot Chat?
The Conditional Access Optimization Agent and Microsoft Copilot Chat provide different insights into your Conditional Access policies. The following table compares the two features.
| Scenario | Conditional Access Optimization Agent | Copilot Chat |
|---|---|---|
| Generic scenarios | | |
| Tenant-specific configuration | ✅ | |
| Advanced reasoning | ✅ | |
| On-demand insights | | ✅ |
| Interactive troubleshooting | | ✅ |
| Continuous policy assessment | ✅ | |
| Automated improvement suggestions | ✅ | |
| Guidance on Conditional Access (CA) best practices and configuration | ✅ | ✅ |
| Specific scenarios | | |
| Proactive identification of unprotected users or applications | ✅ | |
| Enforcement of MFA and other baseline controls for all users | ✅ | |
| Continuous monitoring and optimization of CA policies | ✅ | |
| One-click policy changes | ✅ | |
| Review of existing CA policies and assignments ("Do policies apply to Alice?") | ✅ | ✅ |
| Troubleshooting a user's access ("Why was Alice prompted for MFA?") | | ✅ |
I activated the agent, but the activity status is Fail. What's happening?
It's possible that you activated the agent before Microsoft Ignite 2025 by using an account that required role activation with Privileged Identity Management (PIM). So when the agent attempted to run, it failed because the account didn't have the required permissions at that time. A Conditional Access Optimization Agent that was activated after November 17, 2025, no longer uses the identity of the user who activated it.
You can resolve this problem by migrating to Microsoft Entra Agent ID. Select Create agent identity from either the banner message on the agent page or the Identity and permissions section of the agent settings.