From chatting with the agent to integrating with ServiceNow, the Conditional Access Optimization Agent is helping you deploy policies confidently and optimize access with less effort.
Howdy folks!
Continuing our promise to make identity and access management smarter, more intuitive, and simpler to manage, today we’re announcing the next evolution of the Conditional Access Optimization Agent in Microsoft Entra.
Since general availability, the agent is uncovering an average of 26 policy gaps per customer per month. These are gaps that might otherwise be missed or, even worse, exploited by bad actors. With these insights, 73% of the customers using the agent have made meaningful improvements in their Zero Trust security posture. We’re really proud of these results, but even more excited that the agent is helping you run a true Zero Trust security model with confidence.
But we’re not stopping there. We’ve been listening to your feedback and making the Conditional Access Optimization Agent more collaborative, more insightful, and more action-oriented. In this blog, I’ll walk you through the latest enhancements that help you manage Conditional Access with more confidence and less effort. These updates let you:
- Chat with the agent, ask questions, prioritize suggestions, and edit policies as if you were working with a digital colleague.
- Roll out policies gradually with phased deployment, saving weeks of manual effort while minimizing disruptions.
- Stay in sync with your Microsoft Intune policies, automatically aligning Conditional Access scopes with app protection and device compliance.
- Use deep analysis to uncover gaps in MFA and other baseline policies across all your Conditional Access configurations.
- Spot and fix policies causing failed sign-ins fast, with root cause analysis and clear guidance.
- Streamline change management with ServiceNow integration, automating tickets and ensuring compliant updates.
- Stay on top of your important tasks by snoozing recommendations when you need more time and get notified in Teams when new policy gaps are discovered.
We’ve made these updates to help you strengthen your security posture while reducing the everyday admin drudge work so you can focus on strategic improvements.
More interactive, more intelligent, and smarter than ever
You can now chat with the Conditional Access Optimization Agent in natural language. Ask questions, customize suggestions for your environment, and see which actions will have the biggest impact on your Zero Trust posture. The agent will explain its reasoning, so you know exactly what to act on first. You can request details, prioritize suggestions, or even edit output directly in the chat, such as adding break glass exclusion accounts or initiating password resets for risky users.
Explore detailed insights to better understand the agent’s policy recommendations by using chat with the Conditional Access Optimization Agent.
Deploy policies with control and confidence
The agent now supports phased rollouts, giving you the flexibility to deploy Conditional Access policies gradually. The agent analyzes sign-in data and existing policies to recommend a five-phase rollout, starting with small, low-risk groups and scaling up. The agent makes informed decisions throughout the rollout and equips admins with insights to adjust phases, group assignments, and timing to understand the impact before full enforcement.
You can now easily act on the agent’s suggestion, initiate a phased rollout, and monitor your policy deployment progress with the Conditional Access Optimization Agent.
And now with Microsoft Intune-based policy suggestions, you can close the gap between device protection and identity access. The agent now analyzes Microsoft Intune app protection and device compliance policies, flags gaps, and suggests fixes automatically. For example, if Finance teams are protected in Intune but not in Conditional Access, the agent catches it and recommends the right policy, such as requiring compliant apps on iOS or Android. This is especially helpful in BYOD or hybrid work scenarios, where mobile access is constant and harder to govern, making it easier to keep your data safe. Suggestions are tailored by user group and platform, and admins can roll them out safely with report-only mode before enforcing. This bridges identity and device security, so your mobile access stays secure.
You can now apply the agent’s suggestion based on your unique Intune configuration by enabling app protections for your devices.
Always learning, always improving
The agent now reviews your Conditional Access policies with deep analysis. It scans for weak spots like excluded users, overlooked apps, or missing break-glass accounts and points out the fixes. It started with MFA and now covers device compliance, legacy auth, and device code flow. You get a stronger Zero Trust posture without digging through policy logic.
You can now use deep analysis to review recommendations about missing break-glass accounts and prevent lockouts.
And when a policy causes sign-ins to fail, the agent doesn’t just show you the numbers. It spots the spike, runs a root cause analysis, and finds the policy behind it. You’ll see the impacted users, apps, and platforms, along with clear steps to fix the issue. That means fewer blocked users, fewer helpdesk calls, and a smoother sign-in experience while improving your security posture.
Always learning from signals and improving recommendations, the agent helps you stay ahead, cut friction, and keep access secure.
You can now understand the causes of failed sign-ins with the root cause analysis report to rule out non-factors and reduce friction for users.
Greater operational efficiency for admins
With the new ServiceNow integration, the agent doesn’t just recommend policy changes, it drives them through your existing workflows. Each suggestion, whether enforcing MFA, adjusting policy scope, or retiring a risky app, is instantly turned into a ServiceNow change request. Approvals, tracking, and documentation all happen automatically.
No more copy-pasting into tickets. No more chasing paper trails for audits. Every update is logged, every step is traceable, and every policy change is secure. For organizations with strict change controls, this is a breakthrough. It embeds security updates directly into ServiceNow workflows, enhances visibility into change history, and ensures every policy update is audit ready.
The Conditional Access Optimization Agent can automatically convert its policy recommendations into change requests within a customer’s existing ServiceNow workflows.
And what’s even cooler, if you’re not quite ready to act, you can hit snooze and the agent holds the recommendation for 14 days. You don’t lose visibility, and you don’t have to dismiss it. Use the time to align with workflows, get approvals, or wait for the right moment. Every recommendation, even Intune-based ones, can be paused without breaking your flow.
Plus, say hello to Microsoft Teams alerts for the Conditional Access Optimization Agent, a curated set of alerts that help you take action without the noise. The agent reaches out when it finds a gap or risk. You get notified in Teams, the same place you already work. No more digging through dashboards or inboxes. You see the issue, act fast, and stay ahead. Together, snooze and Teams alerts make the agent feel less like a tool and more like an extension of your team, keeping you informed, in control, and never caught off guard.
Microsoft Teams alerts for the Conditional Access Optimization Agent help your teams act quickly on the agent’s suggestions.
Get started today – we’re excited for you to try what’s new
The Conditional Access Optimization Agent, part of Security Copilot, is now available for you to use. If you’re a Microsoft Entra customer with Entra ID P1 or P2 and have Security Copilot security compute units (SCUs) provisioned, you can access the capabilities I outlined in this blog right in the Microsoft Entra admin center: no separate install required.
Check out Microsoft Security Copilot pricing for details on licensing and provisioning SCUs. We’re excited to see how you’ll use these new features to simplify identity management, strengthen your security posture, and help your team focus on what matters most. We’re listening and building with you in mind.
-Alex
Additional resources
- Learn more about how to get started with the Conditional Access Optimization Agent
- Learn more about Security Copilot in Microsoft Entra, its experience, and how to get started. Visit Microsoft Learn: Microsoft Security Copilot + Microsoft Entra.
- Learn more about the new scenarios for Security Copilot in Microsoft Entra in Microsoft Learn: New Microsoft Security Copilot scenarios in Microsoft Entra.