Conditional Access policies play a big role in keeping identities and data secure in Microsoft Entra. But as environments grow, managing these policies manually becomes a real challenge for admins. It’s easy to lose track of who’s covered, where gaps exist, or which policies might be outdated or overlapping.

To help with this complexity, Microsoft provides a few tools: the What If tool, which shows which policies would apply to a given user and sign-in scenario; the Conditional Access Gap Analyzer workbook, which spots missing coverage; and the Conditional Access Insights and Reporting workbook, which gives deeper visibility into how policies are being applied so you can tune them.

Microsoft has taken it a step further with the Conditional Access Optimization Agent, an AI-powered assistant that reviews your Conditional Access policies, identifies gaps, and suggests fixes. Now generally available, the agent takes much of the routine work out of managing Conditional Access. In this blog, we’ll take a closer look at how it works and what it brings to the table.

Conditional Access Optimization Agent is one of the six Security Copilot agents introduced by Microsoft. It’s also the first Security Copilot agent in Microsoft Entra built to run autonomously. As the name suggests, this agent helps optimize your Conditional Access policies. It identifies gaps in current configurations and provides one-click remediation suggestions to strengthen your access controls.

Key functionalities include:

  • Checks the audit log for users created in the last 24 hours, flags any that fall outside existing Conditional Access policies, and helps you decide whether to add them or deliberately leave them out (emergency access accounts, for example, are normally kept excluded).
  • Scans Conditional Access policies to confirm that MFA or device-compliance grant controls are in place.
  • Supports new policy coverage to identify and address gaps across a broader range of access scenarios.
  • Explains each recommendation in plain language, so you understand the “why” behind it.
  • Logs all agent activity for full visibility and audit readiness.
  • Recommends policy changes based on Zero Trust best practices.
  • Creates any new policy in report-only mode, so nothing is enforced until you have reviewed it.
  • Never adds users to an existing policy or turns on a new policy without your approval.
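As an added example, not code from Microsoft’s agent or from this post, the Python below re-creates the core check the list above describes: find users created in the last 24 hours whom no enabled MFA or compliant-device policy covers across all cloud apps, treat report-only policies as non-protective, and build the report-only policy body the agent would propose. The dictionaries use the field names of the Microsoft Graph conditionalAccessPolicy and user resources; the users, groups, app ID and policy names are constructed and hypothetical, and role-based scoping and the guest/external-user selector are left out.

```python
"""Added example (not Microsoft's agent code): the agent's new-user gap check,
re-implemented offline on constructed data shaped like Graph resources."""
from datetime import datetime, timedelta, timezone

# Grant controls treated as "strong" here: MFA or a compliant device.
STRONG_CONTROLS = {"mfa", "compliantDevice"}
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock, reproducible results


def parse_time(value):
    """Parse a Graph ISO-8601 timestamp such as 2025-06-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def new_users(users, now=NOW, hours=24):
    """Users created within the last `hours` (the agent's window is 24)."""
    cutoff = now - timedelta(hours=hours)
    return [u for u in users if parse_time(u["createdDateTime"]) >= cutoff]


def user_in_scope(policy, user, group_ids):
    """Evaluate conditions.users for one user; group_ids is the user's transitive
    group membership. Exclusions win over inclusions, as in Entra. (Assumption:
    includeRoles and GuestsOrExternalUsers are not modelled.)"""
    scope = policy["conditions"]["users"]
    if user["id"] in scope.get("excludeUsers", []):
        return False
    if group_ids & set(scope.get("excludeGroups", [])):
        return False
    include_users = scope.get("includeUsers", [])
    if "All" in include_users or user["id"] in include_users:
        return True
    return bool(group_ids & set(scope.get("includeGroups", [])))


def has_strong_grant(policy):
    """True if the policy requires MFA, a compliant device, or an authentication strength."""
    grant = policy.get("grantControls") or {}
    if grant.get("authenticationStrength"):
        return True
    return bool(STRONG_CONTROLS & set(grant.get("builtInControls", [])))


def covers_all_apps(policy):
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def find_unprotected(users, policies, groups_by_user):
    """Map UPN -> names of partially scoped policies for every user that no
    *enabled* strong policy covers across all cloud apps. Report-only policies
    never count as protection, which is why the agent's new policies start there."""
    gaps = {}
    for user in users:
        groups = groups_by_user.get(user["id"], set())
        full, partial = [], []
        for policy in policies:
            if policy["state"] != "enabled" or not has_strong_grant(policy):
                continue
            if not user_in_scope(policy, user, groups):
                continue
            (full if covers_all_apps(policy) else partial).append(policy["displayName"])
        if not full:
            gaps[user["userPrincipalName"]] = partial
    return gaps


def build_report_only_policy(display_name, group_id):
    """Body for POST /identity/conditionalAccessPolicies: require MFA for one group,
    in report-only state so its effect can be observed before enforcement."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


# Constructed sample tenant (hypothetical users, groups, app ID and policies).
SAMPLE_USERS = [
    {"id": "u-alice", "userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-06-01T10:00:00Z"},
    {"id": "u-bob", "userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-06-01T07:00:00Z"},
    {"id": "u-bg", "userPrincipalName": "breakglass@contoso.example", "createdDateTime": "2025-06-01T02:00:00Z"},
    {"id": "u-carol", "userPrincipalName": "carol@contoso.example", "createdDateTime": "2025-05-29T12:00:00Z"},
]
SAMPLE_GROUPS = {"u-alice": {"grp-staff"}, "u-bg": {"grp-staff"}}
SAMPLE_POLICIES = [
    {"id": "p-1", "displayName": "Require MFA for staff", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": ["u-bg"],
                              "includeGroups": ["grp-staff"], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p-2", "displayName": "Compliant device for Exchange Online", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["app-exchange-online"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"id": "p-3", "displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def run_scan(users=SAMPLE_USERS, policies=SAMPLE_POLICIES, groups=SAMPLE_GROUPS, now=NOW):
    """One daily scan: new users in the window, checked against every policy."""
    return find_unprotected(new_users(users, now), policies, groups)


if __name__ == "__main__":
    for upn, partial in run_scan().items():
        print(f"{upn}: no tenant-wide MFA/compliant-device policy; partial coverage: {partial or 'none'}")
    print(build_report_only_policy("Require MFA for new users (report-only)", "grp-new-users"))
```

Two things the output makes visible that the agent’s plain-language explanation also has to surface: an exclusion beats an inclusion (the break-glass account is reported as unprotected even though it sits in the staff group, and that is usually the intended outcome), and a report-only policy contributes nothing to coverage until it is switched on. Against a live tenant the same inputs come from the users, conditionalAccessPolicies and transitiveMemberOf Graph endpoints rather than the constructed lists.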

Prerequisites for Using the Conditional Access Optimization Agent

Before deploying the Conditional Access Optimization Agent, make sure you meet the following requirements:

  • Microsoft Entra ID P1 or higher license (with P2, the agent can additionally work with user-risk and sign-in-risk based policies)
  • An active Microsoft Entra tenant with Conditional Access policies
  • A Microsoft Security Copilot subscription with Security Compute Units (SCUs). SCUs are consumed only when a scan runs, typically less than one SCU per run.
  • One of the following roles to deploy and manage the agent: Global Administrator, Security Administrator, or Conditional Access Administrator. Global Reader and Security Reader can view results but cannot deploy the agent or act on its suggestions.

Follow these steps to set up the Conditional Access Optimization Agent:

  • In the Microsoft Entra admin center, open the Agents page.
  • Select Conditional Access Optimization Agent and click View details.
  • Click Start Agent to begin the process.

After activation, the agent runs an initial scan and provides immediate feedback. From that point onward, it runs daily, continuously analyzing your environment and delivering actionable recommendations to keep your Conditional Access policies optimized.

Note: You can also stop the scan anytime using the Stop agent button. To remove the Conditional Access AI agent entirely, use the Remove agent option—it disables and uninstalls the agent from your tenant.

The Conditional Access Optimization Agent presents its findings across four key tabs—Overview, Activities, Suggestions, and Settings—making it easier to review and enhance your Conditional Access setup. Let’s explore each tab in detail.

Overview Tab

The Overview page summarizes the current scan status, key findings, and the overall health of your Conditional Access environment.

i) Recent Suggestions for Conditional Access Improvements

This section displays the agent’s latest recommendations, such as updates to existing Conditional Access policies or the creation of new ones in report-only mode. Report-only lets you watch what a policy would have done to real sign-ins before enforcing it, so you can close a coverage gap without disrupting user access.

ii) Performance Highlights for Agent Recommendations

This area summarizes the impact the agent’s recommendations would have if implemented. It is a quick way to see the change in policy coverage and the resulting improvement to your security posture. The key metrics in this section are:

  • Unprotected Users Discovered: the number of users not included in any Conditional Access policy, and therefore exposed to risks such as signing in without MFA. The agent flags these users so you can act quickly.
  • Sign-ins Protected: an estimate of how many recent sign-ins would have been secured (for example, by requiring MFA) had the suggested policies been active. This shows the real-world value of applying the recommendations.
  • Security Compute Units Used: the number of Security Copilot SCUs the agent consumed during the scan, useful for tracking usage and cost.
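The Sign-ins Protected estimate, and the feedback a report-only policy produces once deployed, can both be reproduced from the sign-in log. The Python below is an added example, not Microsoft’s code, using the Microsoft Graph signIn field names over constructed records; the user IDs, UPNs and the policy ID p-new are hypothetical. Before deployment it counts successful single-factor sign-ins by users in the proposed scope that no policy touched; after deployment it tallies the reportOnly* results Entra records for the new policy on each sign-in.

```python
"""Added example (not Microsoft's agent code): estimating "Sign-ins Protected"
from sign-in log records, and reading report-only outcomes once a suggested
policy is deployed. All records below are constructed."""
from collections import Counter


def would_be_protected(record, scope_user_ids):
    """A successful single-factor sign-in by a user in the proposed policy's scope,
    with no Conditional Access policy applied, is one the new MFA policy would have
    protected. Failed sign-ins are ignored so they do not inflate the estimate."""
    return (
        record["userId"] in scope_user_ids
        and record["status"]["errorCode"] == 0
        and record["authenticationRequirement"] == "singleFactorAuthentication"
        and record["conditionalAccessStatus"] == "notApplied"
    )


def estimate_protected(records, scope_user_ids):
    """Before deployment: count sign-ins the suggested policy would have covered."""
    hits = [r for r in records if would_be_protected(r, scope_user_ids)]
    return {
        "total_signins": len(records),
        "protected": len(hits),
        "by_user": dict(Counter(r["userPrincipalName"] for r in hits)),
    }


def report_only_results(records, policy_id):
    """After deployment in report-only mode: tally the reportOnly* results Entra
    records for the policy (reportOnlySuccess, reportOnlyFailure,
    reportOnlyNotApplied, reportOnlyInterrupted). reportOnlyFailure is the number
    of sign-ins the policy would have interrupted had it been enforced."""
    tally = Counter()
    for r in records:
        for applied in r.get("appliedConditionalAccessPolicies", []):
            if applied["id"] == policy_id and applied["result"].startswith("reportOnly"):
                tally[applied["result"]] += 1
    return dict(tally)


def _signin(sid, uid, upn, requirement, ca_status, error=0, applied=()):
    """Build one constructed record with the Graph signIn field names used above."""
    return {"id": sid, "userId": uid, "userPrincipalName": upn,
            "authenticationRequirement": requirement, "conditionalAccessStatus": ca_status,
            "status": {"errorCode": error}, "appliedConditionalAccessPolicies": list(applied)}


SFA, MFA = "singleFactorAuthentication", "multiFactorAuthentication"
NEW_POLICY = "p-new"  # hypothetical id of the agent's suggested report-only policy
SAMPLE_SIGNINS = [  # constructed log records
    _signin("s1", "u-bob", "bob@contoso.example", SFA, "notApplied"),
    _signin("s2", "u-bob", "bob@contoso.example", SFA, "notApplied",
            applied=[{"id": NEW_POLICY, "result": "reportOnlyFailure"}]),
    _signin("s3", "u-bob", "bob@contoso.example", SFA, "notApplied", error=50126),  # bad password
    _signin("s4", "u-alice", "alice@contoso.example", MFA, "success",
            applied=[{"id": "p-1", "result": "success"},
                     {"id": NEW_POLICY, "result": "reportOnlySuccess"}]),
    _signin("s5", "u-bg", "breakglass@contoso.example", SFA, "notApplied",
            applied=[{"id": NEW_POLICY, "result": "reportOnlyFailure"}]),
    _signin("s6", "u-dave", "dave@contoso.example", SFA, "notApplied"),  # outside proposed scope
]
PROPOSED_SCOPE = {"u-bob", "u-bg"}  # users the agent suggested adding

if __name__ == "__main__":
    print(estimate_protected(SAMPLE_SIGNINS, PROPOSED_SCOPE))
    print(report_only_results(SAMPLE_SIGNINS, NEW_POLICY))
```

The two numbers answer different questions: the estimate is a projection from past sign-ins, while the report-only tally is what Entra actually evaluated once the policy existed, which is why the agent creates policies in that state first and why the reportOnlyFailure count is the one to watch before you enable enforcement.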

Activities Tab

The Activities tab provides a detailed log of every scan run performed by the Conditional Access Optimization Agent. For each run, you can view:

  • Run started: the timestamp at which the scan began.
  • Run duration: how long the scan took to complete.
  • SCUs used: the number of Security Compute Units consumed by the scan.
  • Suggestions: the number of policy optimization suggestions the scan generated.
  • Status: whether the scan completed successfully.

Clicking View activity opens a detailed breakdown of that specific scan.

Suggestions Tab

The Suggestions tab displays the actionable insights generated by the Conditional Access Optimization Agent, based on its scans and evaluation of your current Conditional Access policies.

Key elements include:

  • Apply suggestion or Review policy changes: apply the change directly, or inspect it before committing.
  • Suggested next steps: clear guidance such as adding users to an existing policy or tightening enforcement controls.
  • Actions taken by agent: what the agent did or recommends (e.g., “Suggested policy update”).
  • Status: whether the suggestion has been applied or is still pending review.
  • Review suggestion: opens a detail pane showing:
    • the reason for the recommendation (e.g., user not in scope),
    • the expected user impact, to help assess business implications, and
    • the full policy details, including name, state, targeted users and groups, apps, and access conditions.

Settings Tab

The Settings tab gives you full control over how the Conditional Access Optimization Agent runs. It has two configuration areas:

  • Trigger: the agent runs daily by default, but you can start a scan at any time by toggling the Trigger switch off and then back on.
  • Objects to Monitor: what the agent should watch for changes. You can choose to monitor:
    • new users added in the last 24 hours, and
    • new applications registered in the last 24 hours.

Advantages of Using the Conditional Access Optimization Agent

  • Smarter Decision-Making: the agent helps you make informed decisions about your Conditional Access policies and keeps them aligned with your changing security needs.
  • Less Admin Overhead: it automates routine Conditional Access reviews, saving time and reducing manual effort.
  • Stronger Security Coverage: by identifying gaps in your current setup, the agent helps you strengthen your overall security posture.
  • Faster, Safer Updates: it makes policy updates quicker and reduces the chance of errors or misconfigurations along the way.
  • Early Risk Detection: the agent detects potential issues early and offers practical suggestions, so you can fix problems before they become bigger risks.

We hope this gave you a clear understanding of how the Conditional Access Optimization Agent works and how it helps you enforce Conditional Access policy best practices. Optimizing Conditional Access alone isn’t enough, though. It’s equally important to monitor other common Microsoft Entra issues and their fixes to maintain the overall health and security of your tenant.

Thanks for reading! If you have questions or thoughts, drop them in the comments section below.