Entra Conditional Access optimization agent

  • romanvitsinskyi
  • Jun 22
  • 2 min read
Conditional Access Policy

Microsoft recently announced a cool and handy feature, the Conditional Access optimization agent. In a nutshell, it helps organizations make sure all users are covered by a policy by running regular scans (every 24 hours) and providing recommendations along with a one-click 'Apply suggestion' option (add users to an existing policy or create a brand new policy).


Microsoft covered this feature in great detail here, so I will not repeat that in this post but rather offer a few pieces of advice:

  1. The feature is in preview, so be mindful and always double-check before selecting 'Apply suggestion'. New policies created by the optimization agent are created in report-only mode, which provides a safety net. However, adding all users to an existing policy might break things if you don't exclude service accounts and the like;

  2. The agent runs under the identity and permissions of the user who enabled it in your tenant. For this reason, you need to use an account with permanently assigned roles;

  3. Keep the principle of least privilege in mind. The feature requires the Security Admin or Global Admin role, but you can grant Conditional Access Administrators access to Security Copilot, which gives them the ability to use the agent as well.

  4. Exclude your break-glass account(s) from any policy created by the Conditional Access optimization agent.
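One practical way to keep an eye on points 1 and 4 is to audit the tenant's Conditional Access policies for their state (report-only versus enforced) and for break-glass exclusions. The script below is an added example, not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and uses placeholder object IDs in $BreakGlassIds that you would replace with your own emergency-access accounts. It only reads policies and modifies nothing.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns)
# is installed and that $BreakGlassIds is replaced with your own account object IDs.
Import-Module Microsoft.Graph.Identity.SignIns

# Placeholder object IDs of the tenant's break-glass accounts (assumption; replace these)
$BreakGlassIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# A read-only scope is enough to audit policies; nothing is changed
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$report = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $users       = $policy.Conditions.Users
    $targetsAll  = $users.IncludeUsers -contains 'All'
    # Direct user exclusions only; exclusions via groups are not resolved here
    $notExcluded = @($BreakGlassIds | Where-Object { $users.ExcludeUsers -notcontains $_ })

    [pscustomobject]@{
        DisplayName        = $policy.DisplayName
        # 'enabledForReportingButNotEnforced' is report-only; 'enabled' is enforced
        State              = $policy.State
        TargetsAllUsers    = $targetsAll
        BreakGlassExcluded = ($notExcluded.Count -eq 0)
        # Enforced, targets everyone, and break-glass not excluded: the risky combination
        NeedsAttention     = ($policy.State -eq 'enabled' -and $targetsAll -and $notExcluded.Count -gt 0)
    }
}

# Risky policies first; the rest (including agent-created report-only ones) follow so they
# can be reviewed before anyone switches them from report-only to enforced
$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

Run this after accepting an agent suggestion and again before promoting a report-only policy to enforced; a policy that targets all users without excluding the break-glass accounts is exactly the case where a one-click 'Apply suggestion' can lock administrators out.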


Overall, the optimization agent seems promising, and features like policy consolidation recommendations can save many hours of labor-intensive analysis. Instead, you run the optimization agent and review the results in minutes.


However, in preview it only analyzes MFA, legacy authentication, device code flow, and device-based controls.

Suspect you might have gaps in your Conditional Access policy coverage? Contact us and we'll do a full assessment of your environment to ensure you're fully protected.