Skip to content

Conditional Access Optimization Agent ​

πŸ‘‹ Introduction ​

Now that Security Copilot slowly gets activated in all M365 E5 tenants, people get access to all the great Security Copilot Agents. The Conditional Access Optimization Agent is one of these agents, that helps you assess the status of your Conditional Access rules and identify gaps, overlaps and exceptions in your policies.

Prerequisite Roles

  • A Security Administrator role is required to activate the agent the first time.
  • Security Reader and Global Reader roles can view the agent and any suggestions, but can't take any action.
  • Conditional Access Administrator and Security Administrator roles can view the agent and take action on the suggestions.
  • You can assign Conditional Access Administrators with Microsoft Security Copilot access, which gives your Conditional Access Administrators the ability to use the agent.
  • Device-based controls require Microsoft Intune licenses.
  • Privacy and data security can be reviewed in Microsoft Security Copilot portal.

Admin Experience ​

To get started with the CA Agent follow these steps:

  1. Open the Entra admin center -> Entra ID -> Conditional Access.
  2. If you never started the agent before, you will see a banner alerting you to your access. When select to get started, the agent will activate itself for a few seconds and then do a first run after which it will give you the first information about your environment.

Overview ​

When you open the agent you will see the Overview dashboard, which gives you a quick overview of your Conditional Access environment.

You can see recent changes, recent activities, credits used and suggestions.

In the Recent activity section you can directly see how much SCU's the agent used for each run, which makes it much easier to plan in the long run.

Activities ​

When opening the Activities tab, the agent's activity summary provides a clear overview of its assessment process, including detecting policy gaps, assessing policy drift, and identifying opportunities to merge policies. If the suggestion involves adding users or applications, you can view the relevant list directly from the map. This natural language summary explains the activity shown in the map, helping you understand the reasoning behind the suggestion and enabling informed decision-making.

Suggestions ​

When opening the Suggestions tab, you get a list of all the suggestions the agent has found for your Conditional Access policies.

When you click Review Suggestion on a suggestion to see a detailed overview, including the reasoning behind the suggestion and its potential impact. The options in the suggestion details vary by type: new policies may have a "Turn on" button, while modifications may include an "Add accounts" button to include users.

The default suggestion view displays policy details, starting with a high-level description and followed by specific policy information.

You can take actions such as editing, duplicating, downloading, or deleting the policy, or using the Chat with agent feature. Below the summary, options vary by suggestion type, including reviewing changes, turning on new policies, marking as reviewed, snoozing for 14 days, viewing the agent's full activity, and adding notes. The page provides comprehensive options to help you make an informed decision, with additional details available on policy impact and the agent’s activity if needed.

When you start creating a new policy, you will again get infos about it and you will be able to download it in JSON format. When you decide to create the policy it will always be created in Report-only mode.

Reporting ​

In the Reporting tab, you can see various information about the progress the agent and you have done in your environment.

  • Objects with improved coverage: Users, apps, or agent identities that gained at least one new critical policy control in the last 30 days.
  • Objects missing coverage: Users, apps, or agent identities missing one or more critical policy controls.

Settings ​

In the Settings tab, you can configure standard and advanced settings, including triggers, notifications, scope, custom instructions, Intune integration, and permissions.


Trigger

In the Trigger tab you can configure when and how often the agent should runs.

  • The Schedule automatic analysis of reviews every 24 hours option enables the agent to automatically analyze your tenant once every 24 hours, starting from the time the agent was initially configured. You can also run the analysis manually at any time by clicking Analyze my tenant.
  • The Automatically analyze tenant each time there are changes to policies that are turned on option allows the agent to perform additional analyses when enabled Conditional Access policies are modified. These event-driven analyses supplement, rather than replace, the regular 24-hour scheduled analysis. To prevent excessive execution, activity-based analyses are limited to a maximum of one run every six hours.

Capabilities

In the Capabilities tab, you can enable different features of the agent.

  • Under Microsoft Entra objects to monitor, you can choose which newly created objects the agent monitors when generating Conditional Access recommendations. By default, the agent checks for both Users and Applications that have been created within the last 24 hours and evaluates whether policy updates or new policy recommendations may be needed.
  • The Agent capabilities setting controls whether the agent can automatically create new Conditional Access policies in report-only mode. By default, this option is disabled, meaning the agent provides recommendations, insights, and policy details but does not create policies on your behalf.
  • The Phased rollout option allows the agent to deploy eligible Conditional Access policies gradually. When enabled, the agent creates phased rollout plans that begin with lower-risk user groups and expand over time, helping administrators assess the impact of a new policy before broader deployment. This option is enabled by default.
  • The Passkey adoption campaigns option allows the agent to create enrollment campaigns designed to help users adopt passkeys. These campaigns can guide users through device readiness checks, passkey registration, and the transition to passwordless authentication experiences across supported sign-in scenarios.

Notifications

In the Notifications tab, you can configure Microsoft Teams notifications settings.

  1. Activate the checkbox to Allow agent to send Teams messages.
  2. Then click the Select users and groups button to select who should get the Teams notifications (up to 10 users).
  1. At the bottom of the main Settings page, select the Save button.

To add the agent app to Microsoft Teams:

  1. In Microsoft Teams, select Apps from the left navigation menu and search for conditional access agent.
  1. Select the agent and click Add.

Knowledge sources

In the Knowledge sources tab you can add custom files or instructions to the agent to customize it more to your needs with additional information.

IMPORTANT

The data will stay within the agent and isn't used for model training.

Files

Here you can upload a Word (.docx) or PDF document containing Conditional Access governance rules, naming conventions, persona definitions, breakglass account exclusions or desired policy standards. The agent will then analyzes the document, creates an internal understanding of the guidance and apply it to your future recommendations.

Custom instructions

Here you can

  • Include or exclude specific users, groups, objects or roles
  • Or add special exceptions for specific policies kinds of policies, like always exclude Break-Glass accounts when MFA is required.

Example:

Exclude users in the "Break Glass" group from any policy that requires multifactor authentication.


Plugins

In the Plugins tab you can find the third party integrations for the agent.

Intune and Global Secure Access are also integrated, but built-in, so you can not see or control them.

Currently (July 2026) there is one available third party plugin and that is for ServiceNow. In the case of this plugin, the agent creates a Change Request for each new suggestion he makes and also implements it when the request gets approved in ServiceNow.


Permissions

In the Permissions tab you can see the managed identity and permissions the agent uses to access the policies and logs.

INFO

The Agent now also supports Entra Agent ID, enabling secure, agent-based authentication without relying on a user identity.

Clicking Manage agent identity will open the managed identities information in Entra Agent ID.

The Managed Identity uses the following permissions:

Read permissions:

  • AuditLog.Read.All
  • CustomSecAttributeAssignment.Read.All
  • DeviceManagementApps.Read.All
  • DeviceManagementConfiguration.Read.All
  • GroupMember.Read.All
  • LicenseAssignment.Read.All
  • NetworkAccess.Read.All
  • Policy.Read.All
  • RoleManagement.Read.Directory
  • User.Read.All

Write permissions:

  • Policy.Create.ConditionalAccessRO

Users

In the Users tab you can currently only see the Entra roles that can access the agent. For access you need at least the Conditional Access Administrator role.

πŸ’‘ Conclusion ​

The Conditional Access Optimization Agent is the best agent Microsoft released for Security Copilot so far in my opinion. It is easy to use, gives great insights and helps directly to solve uncovered issues. It is exactly what I would want from an agent like this.

References