Explore the Conditional Access Optimization Agent
In this exercise, you explore key capabilities of the Microsoft Security Copilot Conditional Access optimization agent that is embedded in Microsoft Entra.
Note
The environment for this exercise is a simulation generated from the product. As a limited simulation, not all links on a page are enabled and text-based inputs that fall outside of the specified script aren't supported. In those cases, a pop-up message displays, stating, "This feature isn't available within the simulation." When you receive this message, select OK and continue the exercise steps.
Exercise
For this exercise, you're logged in as Avery Howard, who has the Copilot owner role (security administrator role in Microsoft Entra), and you explore the key capabilities of the Microsoft Security Copilot Conditional Access optimization agent. As you explore, keep in mind that the information displayed and the configuration settings are based on the Copilot owner (security administrator) role of Avery Howard.
This exercise should take approximately 10 minutes to complete.
Note
When a lab instruction calls for opening a link to the simulated environment, it's recommended that you open the link in a new browser window so that you can simultaneously view the instructions and the exercise environment. To do so, right-click the link and select the option to open it in a new window.
Task: Exploring the Conditional Access Agent
Open the simulated environment by selecting Microsoft Entra admin center.
There are two ways to access the agent:
- From the left navigation panel, select Conditional Access, then from the Overview tab, select Conditional Access Optimization Agent.
- From the main landing page of the Microsoft Entra admin center, select Go to agents, then from the Security Copilot agents page, select View details.
Review the Overview tab.
- Agent is active – Note the last time the agent ran and the upcoming schedule.
- Performance highlights – Review the cost in Security Compute Units (SCUs) for the agent. See how many unprotected users the agent found to protect.
- About this agent – Quick description of the agent and how it works.
- Recent suggestions – Review of all existing Conditional Access policies and suggestions on how they could be merged, updated, removed, or enhanced.
- Recent Activity – Status on the last few attempts of the Conditional Access Optimization Agent to run, and the results.
Select the View run link within the Agent is active box.
Review the process flow of the agent and see what new information was detected since the last completion.
- Take note that it searches for three common access rights optimizations:
  - App / Application drift – new applications were deployed and need to be protected.
  - User drift – new users were found, or user rights changed in a way that leaves them unprotected by policy.
  - Policy merge – places where two or more policies could be merged to provide the same result, with easier management.
From the breadcrumb, select Conditional Access Optimization Agent to return to the Overview page.
Select the Activities tab in the top menu. The list shows when the agent ran, the duration of the run, the number of suggestions offered, and the status. You can also view the activity map for each completed run.
- Select View activity to view the activity map for that run.
- Close the activity map by selecting X.
Select the Suggestions tab from the tab menu.
- Select the Review suggestion button for the first item on the list, "Add 2 users to existing policy: CA99 - Mitigate Risk Users with Password Reset."
- A panel opens to the Policy details tab, which provides more information on the selected suggestion. The suggestion proposes adding two users to the CA99 – Mitigate Risk Users with Password Reset policy.
- Select the Policy impact tab at the top of the page to see a graph of this policy change over time.
- Switch back to the Policy details tab, then select Review policy changes to see the proposed changes.
- Select the JSON view tab to view the JSON updates that would be applied if the suggestions were approved. The changes are highlighted.
- Close this page by selecting the X on the top-right corner of the page to return to the Suggestions page.
Select the Settings tab to view information on agent settings.
Select the X in the upper right of the screen to return to the Security Copilot agents page that shows the tile for the Conditional Access agent.
Keep the browser tab open; you need it for the next task.
Task: Explore Conditional Access Optimization Agents in CA-Policies
From the left navigation panel on the Microsoft Entra admin center page, select Conditional Access, then select Policies.
Review the list of policies. You should see three types (you'll need to scroll down on the page to view all the types of policies):
- Microsoft – global policies sent out by Microsoft, like require MFA.
- User – conditional access policies created by an authorized user in your organization.
- Conditional Access Optimization Agent – Report Only policies created by the agent for your review. You can choose to apply them depending on business and security goals.
Scroll down the list to find the "CA99 - Mitigate Risk Users with Password Reset" policy we reviewed earlier and, from that line item, select New agent suggestion.
- This time, the information listed includes multiple suggestions. On four occasions, the Conditional Access Optimization agent found new users that aren't in scope of a policy requiring a password change for high-risk users, and it offers an Apply suggestion button for each.
- Select the Apply suggestion button for one or more of these suggestions to have the agent apply the change to the policy.
Exit Microsoft Entra to finish the simulation.
Review
In this exercise, you explored the Conditional Access Optimization agent. This agent scans your tenant for new users and applications and determines if Conditional Access policies are applicable, suggests updates to applicable policies, and enables quick remediation through the "Apply suggestions" option. By selecting the "Apply suggestions" button, you add protection for the impacted users and improve security for your organization.
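The user-drift check and the highlighted JSON change seen in this exercise can be reasoned about offline with a sketch like the following. It is an added example, not Microsoft's code or the agent's actual logic. The policy and directory data are constructed samples shaped like a Microsoft Graph conditionalAccessPolicy object, and the function names are hypothetical.

```python
import copy

# Constructed sample shaped like a Microsoft Graph conditionalAccessPolicy
# object. All IDs are made up; only the policy name comes from the exercise.
POLICY = {
    "displayName": "CA99 - Mitigate Risk Users with Password Reset",
    "state": "enabled",
    "conditions": {
        "userRiskLevels": ["high"],
        "users": {"includeUsers": ["u-001", "u-002"], "excludeUsers": ["u-breakglass"],
                  "includeGroups": ["g-sales"], "excludeGroups": []},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]},
}
# Constructed directory snapshot: user id plus group memberships.
DIRECTORY = [
    {"id": "u-001", "groups": []},
    {"id": "u-003", "groups": ["g-sales"]},   # covered through group membership
    {"id": "u-004", "groups": []},            # new user, no policy scope
    {"id": "u-005", "groups": ["g-eng"]},     # new user, no policy scope
    {"id": "u-breakglass", "groups": []},     # deliberately excluded account
]

def is_excluded(policy, user):
    u = policy["conditions"]["users"]
    return user["id"] in u["excludeUsers"] or bool(set(user["groups"]) & set(u["excludeGroups"]))

def in_scope(policy, user):
    """Exclusions take precedence over inclusions when a policy is evaluated."""
    if is_excluded(policy, user):
        return False
    u = policy["conditions"]["users"]
    return ("All" in u["includeUsers"] or user["id"] in u["includeUsers"]
            or bool(set(user["groups"]) & set(u["includeGroups"])))

def user_drift(policy, directory):
    """Users the policy neither covers nor deliberately excludes."""
    return [x["id"] for x in directory
            if not in_scope(policy, x) and not is_excluded(policy, x)]

def propose_add_users(policy, user_ids):
    """Return (proposed_policy, diff) and leave the original policy untouched."""
    proposed = copy.deepcopy(policy)
    users = proposed["conditions"]["users"]
    before = list(users["includeUsers"])
    users["includeUsers"] = sorted(set(before) | set(user_ids))
    return proposed, {"conditions.users.includeUsers": {"before": before, "after": users["includeUsers"]}}

if __name__ == "__main__":
    drift = user_drift(POLICY, DIRECTORY)
    print("user drift:", drift)
    print("proposed change:", propose_add_users(POLICY, drift)[1])
```

Keeping deliberately excluded accounts out of the drift list matters when reviewing suggestions: an emergency-access account that is excluded on purpose should not be folded back into the policy.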