Identity security is scaling faster than humans can manage. Continuous AI-driven operations can help, and this agent is built for the task.
Organizations are expanding Zero Trust across more users, applications, and now a growing population of AI agent identities, making it even more challenging to maintain visibility and control at scale. As environments grow more complex and change daily, static best-practice approaches can’t keep up. Security teams are left trying to reason across dozens of access policies, shifting conditions, and evolving risks, often without clear visibility into where gaps exist.
That’s exactly what we’re hearing from customers.
“The recommendations are great, but they don’t always match how our organization works.”
With this latest set of enhancements, the Conditional Access Optimization Agent moves beyond static guidance to continuous, context-aware identity posture optimization. The agent now understands your organization’s business context, surfaces gaps that manual reviews miss, helps you act on insights safely, and proves the impact of your improvements—all as part of a new operating model for identity security.
Here’s a quick look at what’s new in the Conditional Access Optimization Agent, now in public preview:
- Context-aware recommendations tailored to your environment.
- Continuous deep gap analysis to identify persistent or emerging policy gaps.
- Automated least-privilege enforcement to reduce unnecessary permissions.
- Enhanced phased rollout for gradual, controlled deployment.
- Passkey deployment campaigns that streamline phishing-resistant authentication rollout.
- Zero Trust posture reporting that helps demonstrate measurable improvements.
These new capabilities are designed to work together as part of a continuous operating model for identity security.
To make this concrete, let’s walk through how the agent works in practice across four key steps – tailoring recommendations to your environment, identifying gaps, safely deploying changes, and measuring impact.
This is a view of the agent overview dashboard, showing analyzed coverage, identified gaps, and recommended actions to strengthen your access policies.
Step 1: Make recommendations match your reality
Every organization runs Conditional Access a little differently. Naming conventions, policy design patterns, and exception processes – these all vary across environments.
Until now, the agent's recommendations were based on industry and Microsoft best practices, sign-in data, and your Conditional Access policies. However, guidance also needs to reflect how your organization actually operates.
Context-aware policy recommendations – teach the agent your standards
With context-aware policy recommendations, you can upload internal documentation directly to the agent. Think about the guidance your team already relies on, such as documents that outline authentication strength requirements, device compliance baselines, and internal or external policy standards. These often live as PDFs, wiki pages, or long policy docs that admins manually cross-reference during periodic reviews.
The agent securely uses that context to tailor recommendations for your organization, so they align with how your team designs and manages Conditional Access.
For example, the Australian government publishes Conditional Access guidance for organizations operating in regulated environments. The agent is able to reason over this guidance and produce recommendations aligned to Australian compliance standards.
In the agent’s settings page, you can upload organization-specific policies and guidance so the agent can tailor recommendations to your environment.
Step 2: Surface gaps humans can’t easily see
As environments grow more complex, Conditional Access policies become increasingly difficult to reason over. Organizations often manage dozens, or even hundreds, of policies across user groups, applications, authentication strengths, and device requirements, making it hard to fully understand how they interact.
Continuous deep gap analysis
Enterprise customers average 83 Conditional Access policies. The number of possible interactions between those policies – layers, overlaps, and coverage gaps – is challenging to reason over. Manual review typically focuses on recently changed policies. But some of the most critical gaps have been there all along. They are persistent configuration issues that have existed for years.
The agent evaluates how policies interact with one another, understands how authentication requirements are enforced across the policies, and identifies gaps where coverage falls short. This means it can detect:
- newly introduced gaps caused by policy changes or configuration drift
- persistent structural gaps caused by policy overlap, constantly evolving exceptions, and more
Instead of reviewing policies one by one, the agent evaluates the entire access control system as a whole.
The agent identifies uncovered users and policy gaps by analyzing how Conditional Access policies interact across your environment.
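To make the "evaluate the whole system, not one policy at a time" idea concrete, here is an added example (not Microsoft's agent code, and not an exact model of what the agent does). It models a handful of constructed Conditional Access policies in the shape of Graph conditionalAccessPolicy objects, resolves each policy's user scope (includes minus excludes), and reports every user who has no enforced MFA requirement together with the reason: covered only by a report-only policy, removed by an exclusion, or never targeted at all. The tenant, users, groups and policy names are all constructed; the real agent also reasons over sign-in data and conditions this toy ignores (applications, platforms, authentication strengths, risk). The what-if helper at the end shows the check a phased rollout needs before moving a policy from report-only to enabled.

```python
from typing import Dict, List, Set

# Constructed directory for a hypothetical tenant (not real data).
ALL_USERS: Set[str] = {"alice", "bob", "carol", "dave", "erin", "frank", "bg-admin"}
GROUPS: Dict[str, Set[str]] = {
    "All-Staff": {"alice", "bob", "carol", "dave"},
    "Contractors": {"dave", "erin"},
    "Break-Glass": {"bg-admin"},
}

# Constructed policies; field names follow the Graph conditionalAccessPolicy shape.
# The state values "enabled" and "enabledForReportingButNotEnforced" are the
# real Graph values; everything else here is made up for the example.
POLICIES: List[dict] = [
    {
        "displayName": "CA001-MFA-Staff",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": [], "excludeUsers": [],
            "includeGroups": ["All-Staff"],
            "excludeGroups": ["Contractors", "Break-Glass"],
        }},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002-MFA-Contractors",
        "state": "enabledForReportingButNotEnforced",  # report-only: not enforced
        "conditions": {"users": {
            "includeUsers": [], "excludeUsers": [],
            "includeGroups": ["Contractors"], "excludeGroups": [],
        }},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA003-Block-Legacy",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"], "excludeUsers": [],
            "includeGroups": [], "excludeGroups": [],
        }},
        "grantControls": {"builtInControls": ["block"]},  # not an MFA policy
    },
]


def expand(users: List[str], groups: List[str]) -> Set[str]:
    """Resolve a user/group list to concrete users; 'All' means every user."""
    out: Set[str] = set()
    for u in users:
        out |= ALL_USERS if u == "All" else {u}
    for g in groups:
        out |= GROUPS.get(g, set())
    return out


def included(policy: dict) -> Set[str]:
    c = policy["conditions"]["users"]
    return expand(c["includeUsers"], c["includeGroups"])


def excluded(policy: dict) -> Set[str]:
    c = policy["conditions"]["users"]
    return expand(c["excludeUsers"], c["excludeGroups"])


def in_scope(policy: dict) -> Set[str]:
    """Users the policy actually applies to: includes minus excludes."""
    return included(policy) - excluded(policy)


def requires_mfa(policy: dict) -> bool:
    return "mfa" in policy.get("grantControls", {}).get("builtInControls", [])


def enforced_mfa_users(policies: List[dict]) -> Set[str]:
    """Union of the scopes of every *enabled* policy that grants with MFA."""
    covered: Set[str] = set()
    for p in policies:
        if p["state"] == "enabled" and requires_mfa(p):
            covered |= in_scope(p)
    return covered


def classify_gaps(policies: List[dict]) -> Dict[str, List[str]]:
    """For every user with no enforced MFA policy, explain why the gap exists."""
    gaps: Dict[str, List[str]] = {}
    for user in sorted(ALL_USERS - enforced_mfa_users(policies)):
        reasons: List[str] = []
        for p in policies:
            if not requires_mfa(p):
                continue
            name = p["displayName"]
            if p["state"] == "enabledForReportingButNotEnforced" and user in in_scope(p):
                reasons.append(f"report-only:{name}")      # would close if enabled
            elif user in included(p) and user in excluded(p):
                reasons.append(f"excluded:{name}")         # persistent structural gap
        gaps[user] = reasons or ["not-targeted"]           # no MFA policy names them
    return gaps


def simulate_enable(policies: List[dict], name: str) -> Dict[str, List[str]]:
    """What-if: treat one report-only policy as enabled and recompute the gaps."""
    patched = [dict(p, state="enabled") if p["displayName"] == name else p for p in policies]
    return classify_gaps(patched)


if __name__ == "__main__":
    print("enforced MFA coverage:", sorted(enforced_mfa_users(POLICIES)))
    for user, why in classify_gaps(POLICIES).items():
        print(f"gap: {user:9} {', '.join(why)}")
    print("after enabling CA002:", simulate_enable(POLICIES, "CA002-MFA-Contractors"))
```

Run as-is, it reports that only alice, bob and carol have an enforced MFA requirement; dave is dropped by the Contractors exclusion on CA001 and picked up only by the report-only CA002, erin is likewise report-only, and bg-admin and frank are targeted by no MFA policy at all. The what-if shows that enabling CA002 closes dave's and erin's gaps but leaves the other two, which is the kind of residual the page's "remaining users requiring additional coverage" report is meant to surface.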
Zero Trust least-privileged enforcement for agent identities
Nowadays, access is no longer just about people. Gartner stated that by 2029, most secure access requests will come from non-human identities—up from less than 5% today.
As AI agents become a rapidly growing part of the workforce, they also introduce new risks. Many of these identities can be over-privileged, making them attractive targets for attackers!
The Conditional Access Optimization Agent identifies agent identities with excessive or unused permissions and recommends least-privilege adjustments.
This extends continuous Zero Trust enforcement beyond workforce identities to the fastest-growing population in your environment.
Step 3: Turn insight into action without breaking things
Finding gaps is important. Fixing them safely is where the real operational challenge begins.
We all know the risk of making access policy changes without understanding their real-world impact. A single misconfigured policy can lock out users or disrupt critical applications.
These enhancements help your teams move from insight to execution with confidence.
Phased rollout for any Conditional Access policy
With our updated Phased Rollout capability, you can now deploy any Conditional Access policy gradually, not only agent-recommended ones like in our previous release.
For each rollout, the agent proposes low-impact phases, monitors real user impact at every stage, and intelligently suggests progression or rollback so you can deploy policies while minimizing end-user impact. This means your team no longer needs to manually move policies from report-only to enabled. The agent handles that progression for you.
This allows your team to strengthen access protections in a way that works for your business, without widespread lockouts, helpdesk spikes, or disruption to critical workflows.
The agent creates a phased rollout plan, allowing policies to be deployed gradually while monitoring user impact and minimizing disruption.
Passkey deployment campaigns – structured adoption of phishing-resistant authentication
Phishing-resistant authentication is one of the most important steps organizations can take to strengthen identity security – and passkeys deliver both security and usability. The challenge isn't whether to adopt passkeys, but how to roll them out without creating operational friction.
Microsoft data shows consumer users are 3× more successful signing in with passkeys compared to legacy authentication methods. That's where the agent's passkey campaign experience comes in, helping you run structured adoption campaigns across your organization.
Start with your highest-impact users such as administrators, executives, or employees most targeted by phishing. The agent tracks registration progress, identifies users who haven’t enrolled yet, communicates with them via Teams, and helps you expand adoption wave by wave.
No more ad hoc enforcement or spreadsheet-driven tracking across teams.
The agent guides passkey adoption with structured campaigns, targeting users, tracking progress, and expanding rollout in stages.
Step 4: Prove progress and communicate impact
Closing gaps is only part of the story. Security leaders increasingly need to demonstrate measurable progress, to both internal stakeholders and executive leadership.
The built-in reporting dashboard provides a clear summary of posture improvements driven by you and the agent. You can track:
- Exactly how many Conditional Access policy gaps the agent has discovered
- Users, Apps, and Agent IDs you have improved policy coverage for
- Remaining users, apps, and agent IDs requiring additional coverage
This makes it easier to demonstrate the value of your Zero Trust investments and communicate progress to your leadership.
The reporting dashboard tracks Conditional Access posture improvements, showing gaps closed, coverage gained, and remaining areas to address.
The new operating model for identity security
These enhancements aren't incremental improvements to a recommendation engine.
They represent a shift in how identity security operations work: moving from static rule management to continuous, context-aware optimization that leverages the power of AI.
Identity security is no longer a periodic audit exercise. It becomes a continuous operational capability, helping you secure both human and non-human identities across authentication, access, and risk.
Get started today
If you have Microsoft 365 E5, the Conditional Access Optimization Agent will become available through a phased rollout. Once available in your tenant, you can enable it directly in the Microsoft Entra admin center and start using it right away.
We are continuing to expand these capabilities and will evolve the agent based on your feedback.
Enable the Conditional Access Optimization Agent → Security Copilot agents - Microsoft Entra admin center
Swaroop Krishnamurthy
Principal Product Manager, Microsoft Entra
Swaroop Krishnamurthy | LinkedIn
Additional resources
- Microsoft Entra Conditional Access optimization agent | Microsoft Learn
- Conditional Access Optimization Agent knowledge base (Preview) | Microsoft Learn
- Conditional Access Optimization Agent phased rollout | Microsoft Learn