The Conditional Access Optimization Agent and Security Copilot in Microsoft Entra are now generally available—bringing AI-powered simplicity to identity, access management, and security.
Howdy folks!
I’m happy to share that two powerful, AI-driven capabilities in Microsoft Entra are now generally available – both of which are designed to help you work smarter, reduce risk, and simplify how you manage identity and access:
- Conditional Access Optimization Agent in Microsoft Entra — This agent scans your tenant daily for policy gaps as new users and applications come online. It offers precise, one-click remediations so you can keep policies up to date without the overhead.
- Security Copilot in Microsoft Entra — You can now interact with Copilot in Entra to investigate threats, manage the identity lifecycle of employees and guests, and take action quickly across users, apps, and access. All of this works through natural language, without writing custom queries or scripts.
Note: Both features are available now, powered by Security Copilot. To use them, ensure that you have Security Compute Units (SCUs) provisioned in your tenant using Security Copilot or the Azure portal. Learn more on the Microsoft Security Copilot pricing page.
Check out this Microsoft Mechanics video to learn what’s new in Microsoft Entra and Security Copilot, and to see how to use the latest features in action.
Conditional Access Optimization Agent is now generally available
Let’s start with the Conditional Access (CA) Optimization Agent — the first Security Copilot agent in Microsoft Entra built to run autonomously. Now generally available, this agent evaluates your Conditional Access policies, flags gaps, suggests optimizations, and helps you keep policies aligned with Zero Trust best practices as your environment evolves.
You’ll now see a new Agents blade in the Microsoft Entra admin center. This is the new home for all Security Copilot agents. From here, you can deploy, configure, and monitor agents like the CA Optimization Agent, with more coming soon.
Note: The CA Optimization Agent consumes SCUs only when the agent performs a scan — not continuously. You can monitor SCU usage directly in the agent’s overview page, or on the Activity tab.
Microsoft Security Copilot agents for Microsoft Entra are located in the new Agents blade in the Microsoft Entra admin center.
We heard from a lot of you throughout the preview and we’ve refined the experience, as well as added new capabilities, based on your feedback. As a result, the agent now supports new policy coverage scenarios, includes natural language explanations of the agent’s decision to build trust, logs all agent activity for greater transparency, and brings UX improvements that make it easier to review and act on the agent’s suggestions.
At its core, the agent evaluates your existing CA policies against Microsoft’s Zero Trust best practices, including enforcing MFA, blocking legacy protocols, requiring device-based access, and reducing policy redundancy. It flags gaps, suggests improvements, and automatically creates new policies in report-only mode so you can safely preview changes before enforcement. As your environment evolves, the agent continuously checks for drift. For example, it will spot any newly added users or applications that aren’t yet covered by an existing CA policy. It also looks for opportunities to merge any overlapping or redundant policies, helping you simplify your policy landscape without weakening protection. These kinds of optimizations used to require tedious manual reviews, but now they’re surfaced automatically as part of each agent run.
And these optimizations are already delivering real results for our customers. More than 83% of customers who used the agent during preview received actionable recommendations in their first few runs, helping them reduce risk and improve coverage with speed and confidence.
If you’d like to learn more about Security Copilot agents in Microsoft Entra, head to our product documentation on Security Copilot agents in Microsoft Entra.
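The coverage checks described above (MFA, legacy authentication blocking, device-based access, and report-only versus enforced state) can be sketched offline as follows. This is an added example, not Microsoft's agent logic or code from this post; it assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape, and the sample policies, check names, and the simplification of ignoring exclusions are constructed for illustration.

```python
"""Offline gap check over Conditional Access policies in Microsoft Graph JSON shape."""

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes for legacy auth
ENFORCED, REPORT_ONLY = "enabled", "enabledForReportingButNotEnforced"

# Constructed sample export (not real tenant data).
SAMPLE_POLICIES = [
    {"displayName": "MFA for admins", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["<role-id-placeholder>"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]

def _targets_all_users(policy):
    # Simplification (assumption): exclusions and group/role scoping are ignored.
    return "All" in policy["conditions"]["users"].get("includeUsers", [])

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def _covers(policy, control, legacy_only=False):
    """True if the policy applies `control` to all users (optionally on legacy clients)."""
    if control not in _controls(policy) or not _targets_all_users(policy):
        return False
    if legacy_only:
        return LEGACY_CLIENTS <= set(policy["conditions"].get("clientAppTypes", []))
    return True

def find_gaps(policies):
    """Return {check: status}; status is 'enforced', 'report-only' or 'missing'."""
    checks = {
        "mfa_all_users": ("mfa", False),
        "block_legacy_auth": ("block", True),
        "compliant_device": ("compliantDevice", False),
    }
    result = {}
    for name, (control, legacy) in checks.items():
        states = {p["state"] for p in policies if _covers(p, control, legacy)}
        result[name] = ("enforced" if ENFORCED in states
                        else "report-only" if REPORT_ONLY in states else "missing")
    return result

if __name__ == "__main__":
    for check, status in find_gaps(SAMPLE_POLICIES).items():
        print(f"{check}: {status}")
```

A "report-only" result marks a control that exists but is not yet enforced, which is the state the agent's newly created policies start in.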
What’s new in GA
I wanted to take some time and go into a little more detail about the improvements we’ve made to the CA Optimization Agent to give you more control:
Broader policy recommendations: The agent now recommends policies that include user risk and sign-in risk, which helps you protect more users, including new or previously excluded ones. (This requires Microsoft Entra ID P2.)
Natural language explanations: You’ll now see plain-language summaries that explain how the agent reached each recommendation, along with a visual map of its activity. This makes it easier to understand why every change was made.
You can easily understand the agent’s reasoning using the new natural language summaries in the CA Optimization Agent activity map.
Audit logging support: You can now track agent activity (such as install, enable, and run history) in the Security Copilot audit log. This gives you better visibility and makes it easier to meet audit and compliance needs.
Better performance and cost control: We’ve improved how the agent uses Security Compute Units (SCUs), so it runs more efficiently. You can now see SCU usage for each run right in the agent overview page, giving you more control over performance and cost.
You can now see the amount of SCUs consumed for each time the CA Optimization Agent runs in the Activities tab of the CA Optimization Agent.
The CA Optimization Agent is available today for all customers with Security Copilot SCUs and a minimum of Microsoft Entra ID P1 or higher. Every customer benefits from daily policy evaluations, proactive gap detection, and easy, one-click remediation.
If your tenant has Entra ID P2, the agent adds even more intelligence, recommending CA updates to include newly added users and helping you apply baseline protections (such as user risk or sign-in risk policies) to better safeguard all users. These advanced capabilities help strengthen your security posture without adding manual overhead.
Our customers are already seeing a big difference – helping them simplify policy management, reduce risk, and keep users and apps protected at scale. Here’s what some of our MVPs and early customers have shared with us:
“The Conditional Access Optimization Agent is like having a security analyst on call 24/7. It proactively identifies gaps in our Conditional Access policies and ensures every user is protected from day one, and with report-only mode and AI-driven recommendations, we can test and refine access policies without disruption. It’s a secure path to innovation that every CISO can trust.”
— Julian Rasmussen, Microsoft MVP
“The Conditional Access Optimization Agent acts as a trusted advisor to help me tune, trim, and optimize my ever-increasing policy base.”
— Donal Clissmann, Director of Infrastructure, Athora
“This agent is quick to deploy and provides value from its very first run. We’re able to reduce identity-related risk with targeted, actionable recommendations — something that used to require weeks of manual review.”
— Jason Revill, Global Security Technology Lead, Avanade
Security Copilot in Microsoft Entra is now generally available
Alongside the CA Optimization Agent, we’re also announcing the general availability of Security Copilot in Microsoft Entra, built directly into the Microsoft Entra admin center. Since first launching in public preview at Microsoft Ignite 2024, we’ve expanded its coverage and made it faster, smarter, and more capable than ever.
Expanded Coverage for real-world identity scenarios
Security Copilot in Microsoft Entra now supports a wider range of real-world identity and access scenarios – helping you investigate, monitor, and respond faster using natural language. Just ask a question, and Copilot works across your Microsoft Entra data to bring clear, actionable insights. Here’s how Security Copilot in Microsoft Entra can now help.
Identity Insights and Investigation
Get a complete view of users, groups, sign-ins and risk, all in one place:
- Users: Investigate a user’s sign-ins, roles, apps, groups, and permissions.
- Groups: Understand group membership, access paths, and permissions.
- Sign-In Logs: Analyze abnormal or failed sign-ins to detect access issues or suspicious activity.
- Audit Logs: See who made changes to identities, policies, or configurations across Microsoft Entra.
- Lifecycle Workflows: Manage onboarding/offboarding workflows and flag issues across joiner, mover, leaver tasks.
- Risky Users: Investigate high-risk users and prioritize remediation.
Access Governance and Review
Simplify reviews and reduce excessive permissions:
- Access Reviews: Get summarized recommendations to streamline decisions.
- Entitlement Management: Review access package settings and assignments.
- Entra ID RBAC: Spot over-privileged roles and analyze assignment.
App and Resource Protection
Quickly identify risky apps, secure configurations, and improve licensing hygiene:
- App Risk: Investigate app behaviors, detect misconfigurations, and flag risky integrations.
- Microsoft Entra Recommendations: Act on best-practice guidance, security alerts, and policy recommendations.
- License Utilization: Analyze license usage to optimize costs and tie licenses to active identities.
Monitoring and Posture Management
Get a clearer view of your tenant, to keep it healthy and secure:
- Alerts in Scenario Health Monitoring: Detect risks tied to misconfigurations or coverage gaps.
- SLA in Scenario Health Monitoring: Identify performance or reliability issues affecting key identity workflows.
- Tenants: Investigate cross-tenant access, trust relationships, and tenant-specific risk.
- Domains: Verify domain health and review exposure risks.
- MFA Auth Methods: Audit usage and enforce phishing-resistant MFA.
What else is new for Security Copilot in Microsoft Entra
We’ve made major platform upgrades that help Copilot in Entra better understand your intent. It can ask clarifying questions when needed, and even correct itself if it gets off track. This means you can expect Copilot to answer more complex questions, deliver clearer answers, and save you time digging through data.
Smarter Answers, Less Effort
Here’s what that looks like in action.
Security Copilot interprets your intent, and automatically:
- Finds users recently flagged as risky.
- Looks for recently created groups in the audit logs.
- Returns a natural language summary of what it found.
This is a big step up from preview, where these kinds of questions weren’t entirely supported. And, if you ask a question that is unclear or has multiple possible meanings, Security Copilot knows when to ask for more clarification.
These improvements come from a new way Copilot dynamically builds and runs queries based on your natural language — letting it reason through bigger, more complex questions in one go. It can resolve ambiguity, ask for clarification, and self-correct to make sure you get the most accurate insights from your Microsoft Entra data.
In short, Copilot feels more intuitive, flexible, and powerful — turning what used to take multiple steps into a quick, simple conversation.
These updates make Copilot a true layer across your entire identity estate, helping you cut through complexity, work faster, and act with confidence.
And we’re not done. We’re continuously expanding support for new scenarios, embedding AI directly into your daily workflow.
To see what’s available now, and stay updated on upcoming scenarios, check out our documentation on using Security Copilot in Entra for identity protection.
Let’s make identity smarter—with a little help from AI
You shouldn’t need to dig through multiple blades, scripts, or logs just to answer a simple question or fix a policy gap. Now you don’t have to. With Security Copilot in Microsoft Entra, you can ask real questions in plain language and get answers you can trust—grounded in your tenant’s data. Whether you’re troubleshooting sign-in issues or right-sizing access, Copilot helps you move faster and stay focused on what matters. And with the Conditional Access Optimization Agent, you get a second set of (AI) eyes on your policies—finding gaps, surfacing recommendations, and helping you enforce Zero Trust at scale.
Both Security Copilot in Microsoft Entra and the CA Optimization Agent are available now for you to use, if you’re a Microsoft Entra customer and have Security Copilot SCUs provisioned. If you’re already using Security Copilot, you can access the capabilities I talked about in this blog right in the Microsoft Entra admin center – no separate install required. The CA Optimization Agent requires at least Microsoft Entra ID P1, and some advanced capabilities (like risk-based recommendations) require Entra ID P2.
For a further breakdown of pricing, licensing, and how to provision SCUs, check out our Microsoft Security Copilot pricing page.
I’m excited to see how you’ll put these new capabilities to work in your daily workflows. Your feedback and stories inspire us to keep making Security Copilot smarter and more helpful every day. As always, let us know what you think of these new features once you try them out. We’re listening and eager for your feedback.
- Alex
Additional Resources
- Learn more about Security Copilot in Microsoft Entra, its experience, and how to get started. Visit Microsoft Learn: Microsoft Security Copilot + Microsoft Entra.
- Learn more about the new scenarios for Security Copilot in Microsoft Entra in Microsoft Learn: New Microsoft Security Copilot scenarios in Microsoft Entra.
- Watch the CA Optimization Agent overview webinar: Supercharging IAM efficiency: Meet the Conditional Access Optimization Agent.
- Learn more about the enhancements made to the CA Optimization Agent for GA: Supercharging IAM Efficiency: Updates to the Conditional Access Optimization Agent
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
- Microsoft Entra News and Insights | Microsoft Security Blog
- Microsoft Entra blog | Tech Community
- Microsoft Entra documentation | Microsoft Learn
- Microsoft Entra discussions | Microsoft Community