How to review and apply suggestions from the Conditional Access optimization agent

The Microsoft Entra Conditional Access optimization agent provides suggestions for your Conditional Access policies. The suggestions vary based on what the agent finds. As the administrator, you need to review the suggestions and decide what to do.

This article provides an overview of the logic behind the suggestions and how to review the details of the suggestions.

Prerequisites

• You must have at least the Microsoft Entra ID P1 license.
• You must have available security compute units (SCU).
  • On average, each agent run consumes less than one SCU.
• Global Reader and Security Reader roles can view the agent and any suggestions, but can't take any actions.
• Global Administrator, Security Administrator, and Conditional Access Administrator roles can view the agent and take action on the suggestions.
  • For more information on roles for the Conditional Access optimization agent, see Assign Security Copilot access
• Review Privacy and data security in Microsoft Security Copilot

Limitations

• Avoid using an account to set up the agent that requires role activation with Privileged Identity Management (PIM). Using an account that doesn't have standing permissions might cause authentication failures for the agent.
• Once agents are started, they can't be stopped or paused. It might take a few minutes to run.
• For policy consolidation, each agent run only looks at four similar policy pairs.
• The agent currently runs as the user who enables it.
• We recommend running the agent from the Microsoft Entra admin center.
• Scanning is limited to a 24 hour period.
• Suggestions from the agent can't be customized or overridden.
• The agent can review up to 150 users and 100 applications in a single run.

How it works

The agent might run and:

• Not identify any unprotected users or recommend any changes
• Create a new Conditional Access policy in report-only mode
• Suggest modifying an existing policy
• Suggest consolidating overlapping policies

We want to provide as much information as possible about the logic used to identify the suggestions because Conditional Access policies can be complex. With each suggestion, the agent provides detailed reasoning, policy impact summaries, and details of the policy. As a best practice, review the information provided before applying a suggestion or changing a report-only policy to an active policy.

Review suggestions and agent logic

Select Review suggestion to review a thorough overview of the suggestion, including the logic used to identify the suggestion and the potential impact of the policy.

Policy details

The default view of the suggestion provides the policy details, including a high-level description at the top followed by the details that are used in the policy.

Policy impact

From the details panel that opens, select Policy impact to see a visualization of the potential impact of the policy.

Adjust the filters and the display as needed. Select a point on the graph to see a sample of the data that the policy affects. For example, for a policy to require multifactor authentication (MFA), the graph shows a sample of sign-in events where the Conditional Access policy wasn't applied. For more information, see Policy impact.

View agent's full activity

To see a detailed summary of the agent's activity and how it calculated the suggestion, select View agent's full activity. The agent's activity assesses policy drift, or gaps in policy coverage, for users and apps. The agent also looks for policies that can be merged or consolidated.

The Summary of agent activity is a natural language description of the activity illustrated in the Agent activity map. These details can help you understand the logic behind the suggestion so you can make an informed decision about whether to apply the suggestion.

Review policy changes

If the agent suggests modifying an existing policy, select Review policy changes to see the details of the recommended change. This page lists the users, target resources, and other details of the policy that will change if you apply the suggestion.

• Policy details are provided as both a list of all the details that are changing and a JSON view of the entire policy, with the changes highlighted.
• For policy changes that affect users or applications, you can download a JSON file of the users and applications affected by the policy change.

Apply suggestions

The experience for applying the suggestion depends on whether the agent created a new policy in report-only mode or suggests modifying an existing policy.

Modify an existing policy

The agent could suggest modifying an existing policy or consolidating overlapping policies. After reviewing the details and impact of the policy change, you can apply the suggestion to the policy.

• From the Policy details page, select Apply suggestion to apply the changes to the policy.

• From the Review policy changes page, you can also select Approve suggested changes from the bottom of the page.

Turn on a new policy

When the agent suggests a new policy, it creates the policy in report-only mode. After reviewing the policy impact, you can turn on the policy directly from the agent experience or from Conditional Access.

• Select Turn on policy to have the agent apply the changes to the policy in report-only mode.

• From Conditional Access, select the policy and then change the Enable policy toggle from Report-only to On.