Conditional Access policies play a big role in keeping identities and data secure in Microsoft Entra. But as environments grow, managing these policies manually becomes a real challenge for admins. It’s easy to lose track of who’s covered, where gaps exist, or which policies might be outdated or overlapping.

To help with this complexity, Microsoft has added a few tools along the way, like the What If tool to analyze policy gaps, the Conditional Access Gap Analyzer workbook to spot missing coverage, and the Conditional Access Insights and Reporting workbook to provide deeper visibility and help optimize your policy setup.

Now, they’ve taken it further with the Conditional Access Optimization Agent (which is currently in private preview) — an AI-powered assistant that reviews your Conditional Access policies, finds issues and suggests fixes. In this blog, we’ll take a closer look at how it works and how it can make managing Conditional Access a whole lot easier.

Conditional Access Optimization Agent is one of the six Security Copilot agents introduced by Microsoft. As the name suggests, this agent helps optimize your Conditional Access policies. It identifies gaps in current configurations and provides one-click remediation suggestions to strengthen your access controls.

Key functionalities include:

  • Checks if new users are missing from existing Conditional Access policies and helps decide if they should be added or left out.
  • Scans Conditional Access policies to ensure MFA or device compliance controls are in place.
  • Analyzes audit logs to detect newly created users within the last 24 hours.
  • Recommends policy changes based on Zero Trust best practices.
  • Creates new policies in report-only mode without applying changes automatically.
  • Won’t add new users to existing policies or turn on new policies without your approval.

Benefits of the Conditional Access Optimization Agent

  • Smarter Decision-Making: The agent helps you make informed decisions about your Conditional Access policies, keeping them aligned with your changing security needs.
  • Less Admin Overhead: It eases the workload for admins by automating routine Conditional Access reviews, saving time and reducing manual effort.
  • Stronger Security Coverage: By identifying gaps in your current setup, the agent helps you strengthen your overall security posture.
  • Faster, Safer Updates: It makes policy updates quicker and reduces the chances of errors or misconfigurations during the process.
  • Early Risk Detection: The agent detects potential issues early and offers practical suggestions, helping you fix problems before they turn into bigger risks.

Once you start the agent by clicking the Start agent button, it begins scanning your environment to identify gaps in your existing Conditional Access (CA) setup. Based on its findings, it generates actionable suggestions to help strengthen your security posture.

Recent Suggestions for Conditional Access Improvements

This section displays the agent’s latest recommendations — such as updates to existing Conditional Access policies or the creation of new ones in report-only mode. These suggestions allow you to test and monitor Conditional Access policy changes safely before enforcing them, giving you a chance to fill Conditional Access gaps without disrupting user access.

Performance Highlights for Agent Recommendations

This area summarizes the impact the agent’s recommendations would have if implemented. It’s a quick way to visualize the improvement in your CA policy coverage and the overall boost to your security posture. Below are the key metrics shown in this section that help you identify gaps and take corrective action:

  • Unprotected Users Discovered: Shows how many users aren’t included in any Conditional Access policy and might be exposed to risks such as sign-ins without MFA. The agent flags these users so you can act quickly and assess your Conditional Access health.
  • Sign-ins Protected: Estimates how many sign-ins would have been secured (e.g., via MFA) if the suggested policies were active. This helps you understand the real-world value of applying the recommendations.
  • Security Compute Units Used: Indicates how much Entra compute power the agent used during the scan — useful for monitoring resource usage and potential cost implications.
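As an added example (not Microsoft’s code and not the agent’s own logic), the block below models the gap checks listed in the key functionalities and the Unprotected Users metric above: it scans Graph-shaped conditionalAccessPolicy objects (the JSON shape returned by GET /identity/conditionalAccess/policies) for MFA or device-compliance grant controls, ignores report-only policies when judging coverage, and finds users created in the last 24 hours. The tenant data is constructed, and the set of controls treated as “strong” is an assumption.

```python
# Added example (not Microsoft's code): offline model of the agent's gap checks
# over Graph-shaped conditionalAccessPolicy objects. All tenant data is constructed.
from datetime import datetime, timedelta, timezone

STRONG_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice"}  # assumed "strong" grants
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed clock

# Constructed tenant: an enforced MFA policy scoped to a group, a report-only
# device policy for everyone, and an enabled policy that only blocks (no MFA).
POLICIES = [
    {"displayName": "Require MFA for staff", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["g-staff"],
                              "excludeUsers": ["u-breakglass"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["block"]}},
]
USERS = {  # constructed: id -> (group memberships, createdDateTime)
    "u-alice": ({"g-staff"}, NOW - timedelta(days=400)),
    "u-bob": (set(), NOW - timedelta(hours=3)),         # created today, in no group
    "u-breakglass": (set(), NOW - timedelta(days=90)),  # excluded from the MFA policy
}

def enforces_strong_control(policy):
    """True if the policy's grant controls require MFA or a managed device."""
    controls = policy.get("grantControls") or {}
    return bool(STRONG_CONTROLS & set(controls.get("builtInControls", [])))

def policy_covers(policy, user_id, groups):
    """Graph scoping semantics: exclusions win; then 'All', direct include, or a group."""
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    include = users.get("includeUsers", [])
    return "All" in include or user_id in include or bool(groups & set(users.get("includeGroups", [])))

def unprotected_users(policies, users):
    """Users covered by no *enabled* strong-control policy. Report-only policies are
    ignored on purpose: they only log what would happen and do not protect the sign-in."""
    enforcing = [p for p in policies if p["state"] == "enabled" and enforces_strong_control(p)]
    return sorted(u for u, (groups, _) in users.items()
                  if not any(policy_covers(p, u, groups) for p in enforcing))

def new_users(users, now=NOW, window=timedelta(hours=24)):
    """Users created inside the window, mirroring the agent's 24-hour audit-log check."""
    return sorted(u for u, (_, created) in users.items() if now - created <= window)
```

Note that the break-glass account shows up as unprotected because it is excluded from the only enforced MFA policy, which is exactly the kind of finding you would review rather than auto-remediate.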

You can stop the scan at any time using the Stop agent button. To remove the Conditional Access AI agent entirely, use the Remove agent option, which disables and uninstalls the agent from your tenant.

Other tabs like Suggestions, Activity, and Settings offer additional ways to explore the agent’s recommendations and behavior. However, since this feature is still in private preview, these tabs may have limited functionality for now. We’ll be sure to update this blog when it becomes publicly available — stay tuned!

We hope this gave you a clear understanding of how the Conditional Access Optimization Agent works and how it helps you enforce Conditional Access policy best practices. But optimizing Conditional Access alone isn’t enough. It’s equally important to monitor other common Microsoft Entra issues and their fixes to maintain the overall health and security of your tenant.

Thanks for reading! If you have questions or thoughts, drop them in the comments section below.