
Conditional Access policies grow with your environment — but so do the gaps. New employees, shadow IT applications, AI agents with their own identities: each can fall outside your existing policies. The Conditional Access Optimization Agent in Microsoft Entra scans your tenant daily and shows exactly where coverage is missing.
Conditional Access policies are never truly finished. Every new employee, every SaaS application that a department quietly adopts, every AI agent that executes actions on behalf of a user — each of these elements can fall outside the scope of your existing identity policies. In a mid-size organisation, that can add up to dozens of uncovered accounts and applications over the course of a year.
Microsoft addresses this with the Conditional Access Optimization Agent, an automated AI agent that runs through your Entra tenant daily, compares newly appeared identities against your existing policies, and flags where protection is missing. The agent became available as a public preview in June 2026 and is rolling out in phases to tenants with the required licences.
The Conditional Access Optimization Agent is an integrated agent within Microsoft Security Copilot in the Entra admin environment. Unlike classic alerts that you only see after something goes wrong, this agent works preventively: it checks every day whether new users, applications, or agent identities have appeared that are not covered by existing Conditional Access policies.
The recommendations the agent generates are not applied automatically. Newly proposed policies are always created in report-only mode, so you can assess the effect before enabling them. A human administrator approves every recommendation — the agent analyses, the human decides.
The agent looks in three directions simultaneously. First, it flags identities without policy coverage: new employees created in the past 24 hours not yet covered by any Conditional Access policy, onboarded applications that fall outside the policy scope, and AI agents such as Copilot Studio agents or Power Automate flows that operate with delegated permissions but exist as separate identities outside your user-focused policies.
Second, the agent evaluates your existing policies for overlaps and redundancy. Organisations that have been building policies for years often have dozens of rules where several address the same situation. The agent flags candidates for consolidation, improving manageability and reducing the risk of conflicting rules.
Third, it generates policy review reports: statistics about spikes and dips in sign-in patterns that may indicate misconfigurations. If a policy is triggered ten times more often than average, that is a signal that something has changed in your environment or in the behaviour of users.
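The three checks described above can be reproduced offline against policy objects in the JSON shape that Microsoft Graph returns from /identity/conditionalAccess/policies. The script below is an added example, not the agent's own logic and not code from this page: it finds identities that no enforced policy with a strong grant control reaches, flags the new ones from the last 24 hours, pairs up policies with identical conditions and controls as consolidation candidates, and drafts the missing policy in report-only state. The `_policy` helper, the `STRONG_CONTROLS` set, the 24-hour window, the constructed tenant (`NOW`, the policies and the identities) and the flat `groups` list per identity are all assumptions; nested groups, roles, named locations and session controls are ignored.

```python
"""Coverage-gap, redundancy and report-only-draft checks over Conditional Access policies
in the JSON shape of Microsoft Graph's /identity/conditionalAccess/policies (trimmed).
Added example: not Microsoft's agent and not code from the page; all samples constructed."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 15, 9, 0, tzinfo=timezone.utc)  # constructed "today"
STRONG_CONTROLS = {"mfa", "compliantDevice", "compliantApplication"}  # assumption: what counts as coverage

def _policy(pid, name, state, users=(), groups=(), controls=("mfa",), app_types=("all",)):
    """Build a trimmed Graph-shaped policy for the constructed samples below."""
    return {
        "id": pid, "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": list(users), "excludeUsers": ["u-breakglass"],
                      "includeGroups": list(groups), "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(app_types),
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }

# Constructed tenant: group-scoped MFA policies (one duplicated) plus a legacy-auth block.
POLICIES = [
    _policy("p1", "Require MFA - staff", "enabled", groups=["g-staff"]),
    _policy("p2", "Require MFA - finance", "enabled", groups=["g-finance"]),
    _policy("p3", "Require MFA - finance (2021 copy)", "enabled", groups=["g-finance"]),
    _policy("p4", "Block legacy authentication", "enabled", users=["All"],
            controls=("block",), app_types=("exchangeActiveSync", "other")),
]

# Constructed identities: a new hire not yet in any group, and the service principal of a
# Copilot Studio agent. createdDateTime mirrors the Graph attribute of that name.
IDENTITIES = [
    {"id": "u-alice", "kind": "user", "groups": ["g-staff"], "createdDateTime": "2025-01-10T08:00:00Z"},
    {"id": "u-bob", "kind": "user", "groups": [], "createdDateTime": "2026-06-15T07:30:00Z"},
    {"id": "u-carol", "kind": "user", "groups": ["g-finance"], "createdDateTime": "2026-06-14T16:00:00Z"},
    {"id": "sp-copilot-agent", "kind": "servicePrincipal", "groups": [],
     "createdDateTime": "2026-06-15T06:00:00Z"},
]

def policy_targets(policy, identity):
    """Assignment check after exclusions. A user scope of 'All' covers human users only;
    service principals are targeted solely through conditions.clientApplications."""
    cond, groups = policy["conditions"], set(identity["groups"])
    if identity["kind"] == "user":
        u = cond["users"]
        included = "All" in u["includeUsers"] or identity["id"] in u["includeUsers"] \
            or bool(groups & set(u["includeGroups"]))
        excluded = identity["id"] in u["excludeUsers"] or bool(groups & set(u["excludeGroups"]))
        return included and not excluded
    sp = cond.get("clientApplications") or {}
    inc = sp.get("includeServicePrincipals", [])
    included = "ServicePrincipalsInMyTenant" in inc or identity["id"] in inc
    return included and identity["id"] not in sp.get("excludeServicePrincipals", [])

def is_protective(policy):
    """Enforced (not report-only) and demanding a strong control for every client app type."""
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    return policy["state"] == "enabled" and bool(controls & STRONG_CONTROLS) \
        and "all" in policy["conditions"].get("clientAppTypes", ["all"])

def uncovered_identities(policies, identities):
    protective = [p for p in policies if is_protective(p)]
    return [i for i in identities if not any(policy_targets(p, i) for p in protective)]

def created_within(identities, hours, now=NOW):
    cutoff = now - timedelta(hours=hours)
    return [i for i in identities
            if datetime.fromisoformat(i["createdDateTime"].replace("Z", "+00:00")) >= cutoff]

def redundant_pairs(policies):
    """Non-disabled policies with identical conditions and grant controls (names ignored)."""
    seen, pairs = {}, []
    for p in (p for p in policies if p["state"] != "disabled"):
        fp = json.dumps({"c": p["conditions"], "g": p.get("grantControls")}, sort_keys=True)
        if fp in seen:
            pairs.append((seen[fp], p["id"]))
        seen.setdefault(fp, p["id"])
    return pairs

def propose_report_only_policy(uncovered_users):
    """Draft for the reviewer: report-only, so sign-in logs show what it would have done."""
    return {
        "displayName": "Proposed: require MFA for uncovered users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": [u["id"] for u in uncovered_users],
                                 "excludeUsers": ["u-breakglass"], "includeGroups": [], "excludeGroups": []},
                       "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

if __name__ == "__main__":
    gaps = uncovered_identities(POLICIES, created_within(IDENTITIES, 24))
    print("uncovered, created in last 24h:", [i["id"] for i in gaps])
    print("consolidation candidates:", redundant_pairs(POLICIES))
    print(json.dumps(propose_report_only_policy([i for i in gaps if i["kind"] == "user"]), indent=2))
    for sp in (i for i in gaps if i["kind"] == "servicePrincipal"):
        print(sp["id"], "needs a separate workload-identity policy; user-scoped policies never apply")
```

Two details carry the page's points. A report-only draft is deliberately not counted as coverage by `is_protective`, which is why the proposal has to be reviewed and switched on by a person before the gap closes. And the Copilot Studio agent's service principal stays uncovered even though every human user is scoped by group or `All`: a user assignment never reaches a workload identity, so agent identities need their own policy.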
The agent tests your existing and missing policies against Microsoft's Zero Trust guidelines and formulates targeted recommendations. It checks whether MFA is required for all users and specifically for risky sign-ins, whether device compliance or app protection is enforced for access to sensitive applications, whether legacy authentication protocols and the device code flow are still permitted, and how risk-based policies for high-risk users and sign-ins are configured.
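The baseline checks listed in the previous paragraph can be expressed as a lint over the same Graph-shaped policy objects. The script below is an added example, not the agent's implementation and not from this page; the four policies are constructed, and the tenant they describe is deliberately weak: the device code flow block was drafted in report-only mode and never enforced, and there is no user-risk policy at all. What counts as "met" is my assumption: an unconditional enforced MFA policy on all users and all client types, both legacy client types (`exchangeActiveSync` and `other`) blocked, device code flow blocked, and an enforced policy reacting to high sign-in risk and high user risk. Exclusions, role assignments and session controls are ignored.

```python
"""Baseline lint of Conditional Access policies for the checks the text lists: MFA for all
users, legacy authentication blocked, device code flow blocked, sign-in and user risk policies.
Added example, not Microsoft's agent and not code from the page; policies are trimmed Graph JSON
and all constructed (device code block left in report-only, no user-risk policy)."""

ALL_USERS_ALL_APPS = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}

POLICIES = [
    {"id": "mfa-all", "state": "enabled",
     "conditions": {**ALL_USERS_ALL_APPS, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "block-legacy", "state": "enabled",
     "conditions": {**ALL_USERS_ALL_APPS, "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "block-device-code", "state": "enabledForReportingButNotEnforced",  # drafted, never enforced
     "conditions": {**ALL_USERS_ALL_APPS, "clientAppTypes": ["all"],
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "signin-risk-high", "state": "enabled",
     "conditions": {**ALL_USERS_ALL_APPS, "clientAppTypes": ["all"], "signInRiskLevels": ["high", "medium"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes values for legacy auth
RISK_RESPONSES = {"mfa", "passwordChange", "block"}  # assumption: acceptable reactions to risk

def _enforced_for_all(p):
    return p["state"] == "enabled" and "All" in p["conditions"].get("users", {}).get("includeUsers", [])

def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def _transfer_methods(p):
    # Graph encodes authenticationFlows.transferMethods as a comma-separated flags string.
    flags = (p["conditions"].get("authenticationFlows") or {}).get("transferMethods", "")
    return {f.strip() for f in flags.split(",") if f.strip()}

def mfa_for_all_users(policies):
    """An enforced, unconditional (no risk filter) MFA policy on all users and all client types."""
    return any(_enforced_for_all(p) and "mfa" in _controls(p)
               and "all" in p["conditions"].get("clientAppTypes", ["all"])
               and not p["conditions"].get("signInRiskLevels") and not p["conditions"].get("userRiskLevels")
               for p in policies)

def legacy_auth_blocked(policies):
    """Every legacy client type must be blocked by some enforced all-users policy."""
    blocked = set()
    for p in policies:
        if _enforced_for_all(p) and "block" in _controls(p):
            blocked |= set(p["conditions"].get("clientAppTypes", [])) & LEGACY_CLIENTS
    return blocked == LEGACY_CLIENTS

def device_code_flow_blocked(policies):
    return any(_enforced_for_all(p) and "block" in _controls(p) and "deviceCodeFlow" in _transfer_methods(p)
               for p in policies)

def risk_policy_present(policies, condition, levels=("high",)):
    """Enforced policy reacting to the given risk condition (signInRiskLevels or userRiskLevels)."""
    return any(p["state"] == "enabled" and set(levels) <= set(p["conditions"].get(condition, []))
               and bool(_controls(p) & RISK_RESPONSES) for p in policies)

def baseline_findings(policies):
    """Names of the checks that fail; an empty list means the baseline is met."""
    checks = {
        "mfa_for_all_users": mfa_for_all_users(policies),
        "legacy_auth_blocked": legacy_auth_blocked(policies),
        "device_code_flow_blocked": device_code_flow_blocked(policies),
        "sign_in_risk_policy": risk_policy_present(policies, "signInRiskLevels"),
        "user_risk_policy": risk_policy_present(policies, "userRiskLevels"),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    print("failed baseline checks:", baseline_findings(POLICIES))
```

Running it on the constructed tenant reports the two findings a reviewer would expect: the device code flow block that never left report-only, and the absent user-risk policy. A sign-in-risk MFA policy on its own does not satisfy the "MFA for all users" check, because a risk condition narrows it to a subset of sign-ins.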
Noteworthy is the explicit attention paid to agent identities. As organisations deploy more Copilot Studio agents, automation flows, and external AI integrations, a new category of non-human identities emerges with access to company data via delegated permissions. Classic Conditional Access was designed for human users; the Optimization Agent is the first automated check that treats agent identities as a separate risk category.
To enable the Conditional Access Optimization Agent you need at minimum a Microsoft Entra ID P1 licence. This is included in Microsoft 365 Business Premium, E3, and E5, and in Frontline Worker F1 and F3 licences with the Entra P1 add-on. Organisations on the Entra Free tier cannot use the agent.
Beyond the Entra licence, Security Compute Units (SCUs) are required. SCUs are the billing unit for Microsoft Security Copilot. Each run of the Conditional Access Optimization Agent consumes less than one SCU on average, meaning daily runs represent very limited consumption. SCUs are purchased separately via the Security Copilot capacity settings.
For role requirements: activating the agent requires the Security Administrator role in Entra. Managing recommendations and approving or rejecting new policies can be done by a Conditional Access Administrator. Organisations with role separation can use this to set up a secure review process.
The activation process is straightforward. Sign in to the Microsoft Entra admin centre and navigate via the left-hand menu to Security. Then choose Security Copilot agents. You will see an overview screen with available agents — find the Conditional Access Optimization Agent tile. Click View details and then Start agent to activate the agent for your tenant.
After activation, the agent completes its first scan within 24 hours and the first summary report appears. That report shows per category — missing coverage, redundancy, misconfigurations — how many findings there are and what recommendations are being made. You decide which ones to tackle, in what order, and with what urgency.
The most underappreciated value of the Conditional Access Optimization Agent is the explicit scan for AI agent identities. As organisations increasingly work with Copilot Studio agents, Power Automate flows with delegated permissions, and external AI integrations via the Graph API, the number of non-human identities in Entra grows.
These identities are not always visible in standard user reports and fall outside the scope of classic user-focused Conditional Access policies. An agent that sends emails on behalf of an employee, reads SharePoint files, or exports data to external systems has access to business-sensitive information — without that access being subject to the MFA and compliance requirements that apply to the employee themselves.
The Optimization Agent maps these identities and links them to the recommendation to set up risk-based policies that also cover agent identities. That is a fundamental step towards a Zero Trust approach suited to the reality of 2026, where AI agents are a structural part of the IT environment.
Four concrete actions for IT teams that want to implement the Conditional Access Optimization Agent. First: check that your licences are sufficient. Entra P1 is the minimum threshold — if you are on Business Premium, E3, or E5, you already have this. Second: ensure Security Compute Units are available via the Security Copilot capacity settings. Without SCUs the agent will not start.
Third: assign the correct roles. A Security Administrator activates the agent; a Conditional Access Administrator manages the daily recommendations. Keep functions separated if your organisation requires it. Fourth: schedule a weekly review moment for the recommendations. The agent does its work daily, but the value arises when you process recommendations systematically rather than letting them pile up for weeks.
Want help setting up the Conditional Access Optimization Agent, cleaning up existing policies, or drafting a Zero Trust roadmap for your Entra environment? Contact Zarioh for a practical conversation about your situation.