Bringing Artificial Intelligence to Entra ID Conditional Access
Conditional Access Optimization Agent Keeps a Wary Eye on Connections
All around Microsoft, program managers and executives are seeking opportunities to deploy artificial intelligence in products, preferably if that usage justifies the requirement for an additional license. Some of the resulting ideas are good, like the Facilitator agent for Teams group chats. Others need more time to appreciate the use case, if one exists. The point is that you can expect more AI-powered features (whether Copilot in apps or a variety of agents) to appear in Microsoft 365 applications as time passes.
Entra ID Brings AI to the Table
All of which brings me to “New innovations in Microsoft Entra to strengthen AI security and identity protection,” published on March 24, 2025, where Alex Simons sets out the case for using AI to increase security and explains how Microsoft is applying AI in Entra ID.
Before I go further, let me say how disappointed I am that many technical conferences focusing on Microsoft 365 ignore or give lip service to Entra ID. The foundation of any successful and secure Microsoft 365 tenant is a well-managed Entra ID instance. It’s regrettable that Entra ID doesn’t receive the attention that it should on the schedules for even some major conferences. For instance, the current session lineup for the “Microsoft 365 Community conference” mentions Entra once and Copilot 46 times. That tells a story, mostly in terms of where Microsoft marketing money is going.
Smarter Policy Management Through the Conditional Access Optimization Agent
In any case, my attention was drawn to the Conditional Access Optimization Agent (now in private preview), which offers “smarter policy management.” Apparently, the agent monitors how an Entra ID tenant processes inbound connections to understand where the connections originate, the resources they access, and the authentication paths used. It picks up details like new user accounts and applications. The agent then puts the information together to figure out if the conditional access policies used by the tenant can be optimized.

I like this idea. It’s a good example of applying artificial intelligence to a bounded set of data with a clear intention (that the tenant can alter with custom instructions). Unlike human administrators, some of whom are well capable of assessing the state of health of conditional access within a tenant, agents work all the time with a relentless focus on their instructions and the data they’ve been given.
The claims advanced in the article seem a little misleading (the agent hardly “protected” 700K sign-ins for the example tenant just by watching and processing connection data, and creating a new group containing 16 users to add to an existing conditional access policy isn’t rocket science either), but it’s possible to see the value that such an agent can bring by relieving administrators of the mundane task of reviewing conditional access policy settings and sign-in logs on an ongoing basis to look for potential gaps and anomalies worth investigating.
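The coverage review described above can be sketched as a small script. This is an added example, not code from the original post and not Microsoft's agent logic. It assumes policies exported in the shape of Microsoft Graph conditionalAccessPolicy objects, uses constructed users, groups and ids, and considers only user and group scope plus the MFA grant control (applications, roles, locations and other conditions are ignored).

```python
# Constructed sample data shaped like Microsoft Graph conditionalAccessPolicy
# objects; every id and name below is made up for illustration.
POLICIES = [
    {"displayName": "Require MFA for Finance", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-finance"],
                              "excludeUsers": ["u-breakglass"], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                              "excludeUsers": ["u-breakglass"], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
]
GROUPS = {"grp-finance": {"u-alice", "u-bob"}}
USERS = ["u-alice", "u-bob", "u-carol", "u-breakglass"]  # u-carol is a new account


def in_scope(policy, user, groups):
    """True if the policy's user conditions apply to this user."""
    cond = policy["conditions"]["users"]
    member_of = {g for g, members in groups.items() if user in members}
    if user in cond["excludeUsers"] or member_of & set(cond["excludeGroups"]):
        return False  # exclusions always win over inclusions
    return ("All" in cond["includeUsers"] or user in cond["includeUsers"]
            or bool(member_of & set(cond["includeGroups"])))


def mfa_gaps(policies, users, groups):
    """Map each user without an enforced MFA policy to the reason."""
    gaps = {}
    for user in users:
        states = {p["state"] for p in policies
                  if "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
                  and in_scope(p, user, groups)}
        if "enabled" in states:
            continue  # at least one enforced MFA policy covers this user
        gaps[user] = ("report-only policy only"
                      if "enabledForReportingButNotEnforced" in states
                      else "no MFA policy in scope")
    return gaps


if __name__ == "__main__":
    for user, reason in mfa_gaps(POLICIES, USERS, GROUPS).items():
        print(f"{user}: {reason}")
```

An excluded break-glass account shows up as a gap by design; the value of the report is that the exclusion is visible and can be confirmed as intentional.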
Security Copilot Brings the AI Smarts
The Conditional Access Optimization Agent is one of six Security Copilot agents unveiled on March 24. Getting Security Copilot (the “proactive problem solver”) on board is where the cost arises. It’s hard to know just how much putting manners on your policies will cost because Security Copilot charges on the basis of Security Compute Units (SCU). Provisioned SCUs cost $4/hour in the U.S., but there’s no information available about how many SCUs the Conditional Access Optimization Agent will consume over a month or however long it takes for the agent to come up with its suggestions.
Organizations that use Security Copilot already probably have a good grasp on costs and can estimate (better than I can) the costs to add extra tasks. One way to look at it is that an experienced consultant who knows conditional access inside out might charge a day or two to review a tenant’s policies. For the purpose of easy maths, let’s say that the bill is $2,000, or 500 SCUs. Looking at the situation like that seems to make using Security Copilot a no-brainer. However, it’s a very black and white example and IT is full of grey. It will be interesting to learn about the real-life experience of operational tenants in terms of both agent output and cost.