Chat with the Conditional Access optimization agent

The Conditional Access optimization agent features a conversational interface that enables administrators to interact with the agent using natural language. This chat capability makes it easier to understand suggestions, request more information, and update policy details generated by the agent. With the chat capability, you can focus only on the details of the policy suggestion that you need so you can make the right decision.

Prerequisites

Limitations

  • Only included and excluded users and roles can be modified using chat. Application assignments and other fields aren't currently supported.
  • Only the scenarios listed in What you can do with chat are currently available.

What you can do with chat

With the Conditional Access optimization agent chat interface, you can use natural language to get more information on a policy suggestion or have the agent present the suggestions in a different order.

Explain agent capabilities

The Conditional Access Optimization Agent provides several capabilities, so it might help to ask the agent what it can do and how it assists with policy management. The agent can explain its supported functions.

Sample prompts:

  • What can the Conditional Access Optimization Agent help me with?
  • Summarize your capabilities.

Prioritize suggestions

With the chat capability, you can ask the agent to help you prioritize the suggestions. The agent compares the potential impact of the policy changes and provides a ranked list of suggestions based on Zero Trust principles, so you don't have to review the full list and make that decision yourself.

Sample prompts:

  • Which suggestion should I implement first?
  • Prioritize the suggestions.

If you ask the agent to prioritize the list of suggestions and then ask it for more details on a specific suggestion, the agent uses the order of the prioritized list.

Request more detail

Instead of digging through the details of each suggestion, you can ask the agent for more information. After asking the agent to prioritize the full list of suggestions, you can ask it to provide more details on a specific policy suggestion. You can also ask for more details on a policy suggestion by accessing the chat from the policy details.

Sample prompts:

  • Tell me more about the first suggestion.
  • Explain the suggestion 'Turn on Risky Users policy'.

If you didn't ask the agent to prioritize the order of the suggestions and you ask for more details on the first suggestion, the agent tells you about the first item in the Recent suggestions list.

Explain agent findings

Ask the agent to describe the details of the findings included in a policy suggestion. The agent will clarify the logic behind the suggestion and its impact on security and user experience.

Sample prompts:

  • Who are the 12 users included in this suggestion?
  • What are the 100 unprotected applications discovered by the agent?
  • Why should I enable this policy?
  • What happens if I accept a phased rollout suggestion?

Summarize all agent findings

If the agent identified several suggestions, it might be difficult to keep track of potential changes or impacted users, groups, and applications. You can ask the agent to summarize all findings across multiple suggestions to get a high-level overview. The agent provides an overview of the key suggestions, grouped by priority or category.

Sample prompts:

  • Summarize my Conditional Access assessment.
  • Provide an overview of all suggestions.

Understand agent decisions

In some cases, the agent might identify several policy suggestions that, at first glance, might appear similar to other policies. You can ask the agent to help you understand why one policy was selected for an update when multiple policies could apply. You can ask in the chat why the agent chose a specific policy for update.

Sample prompts:

  • Why was this policy selected for update instead of others?
  • Explain policy choice.

Edit a policy

You can use the chat capability to edit a policy that was referenced in an agent suggestion by changing what users or roles are included or excluded.

Sample prompts:

  • Exclude user1 from this policy.
  • Add breakglass accounts to this policy.
  • Include the Helpdesk Administrator role.

Note

The Conditional Access optimization agent can identify users and groups that are likely to be emergency ("breakglass") accounts and proactively suggest excluding them from a policy.

At this time, editing included or excluded applications is not supported.

How to use chat

You can access the chat from the main Conditional Access Optimization Agent page or from any policy suggestion details page.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Conditional Access Optimization Agent.

    • Select Chat with agent from the agent page to chat with the agent about all policy suggestions.

    Screenshot of the Conditional Access optimization agent with the Chat with agent button highlighted.

    • Or select Review suggestion for any policy suggestion then select Chat with agent to chat with the agent about that specific policy suggestion.

    Screenshot of a policy suggestion details page with the Chat with agent button highlighted.

  3. Enter a prompt in the chat window using natural language from the supported scenarios in the What you can do with chat section. The following quick-start prompts are provided to help you get started.

    • Summarize: What is my overall assessment of Conditional Access policies?
    • Analyze: What suggestions should I implement first to optimize my Zero Trust posture?
    • Troubleshoot: Tell me more about this suggestion.
    • Learn: What can you help me with?

  4. Review the response and apply the recommended changes. For more information, see the Confirm changes in chat section. Every chat response provides the option to copy the response and provide feedback on the response.

    Screenshot of the Conditional Access optimization agent chat with the options to confirm or cancel changes.

Confirm changes in chat

After getting more details and any necessary clarifications on the policy suggestion, you can have the agent make adjustments to the policy directly from the chat. Because the suggestion could be to update an existing policy or create a new policy in report-only mode, it's important to know what happens when you confirm any suggested changes.

Update an existing policy

To illustrate what happens when you confirm a change to an existing policy, let's take a closer look at the suggestion to add 21 users to an existing policy.

In the chat, the agent was asked to exclude any breakglass accounts and it identified five accounts that match.

Screenshot of the Conditional Access optimization agent chat focused on the suggested changes.

When you select Confirm, the agent makes changes directly to the policy. The original suggestion, however, was to add 21 users to the policy. Because we excluded 5 users from the policy update, this suggestion will continue to appear in the Recent suggestions list. Any future agent runs will likely identify the users that we excluded. If you don't want to make any changes to the policy, select Cancel.

Create a new policy

When the agent creates a new policy in report-only mode, you can use the chat to make adjustments to the policy and even turn on the policy. In the following example to create a new policy, the agent was asked to include a specific user. When you're using chat for new policies, the first Confirm button updates the policy in report-only mode.

Screenshot of the chat with the confirm changes button highlighted.

You're prompted a second time to turn on the policy. If you select Confirm at this step, the policy is turned on. Select Cancel to save the report-only changes without turning on the policy.

Screenshot of the chat with the second set of confirm changes buttons highlighted.
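
A check to run after selecting Confirm, shown as an added example that is not part of the original article or any Microsoft code: it compares policy snapshots taken before and after a chat edit and reports what changed. It assumes the snapshots follow the Microsoft Graph conditionalAccessPolicy shape; the ids, finding labels, and function names are constructed for illustration.

```python
import copy

# Per the page, chat can change only included/excluded users and roles.
CHAT_EDITABLE = {"conditions.users." + f for f in
                 ("includeUsers", "excludeUsers", "includeRoles", "excludeRoles")}
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph value for report-only

def flatten(node, path=""):
    """Flatten a policy into {dotted.path: value}; lists become sorted tuples."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{path}.{key}" if path else key))
        return out
    if isinstance(node, list):
        return {path: tuple(sorted(map(str, node)))}
    return {path: node}

def review_chat_edit(before, after, breakglass_ids):
    """Compare snapshots taken before and after a chat Confirm; return findings."""
    old, new = flatten(before), flatten(after)
    findings = []
    for path in sorted(set(old) | set(new)):
        if old.get(path) == new.get(path):
            continue
        if path == "state":
            turned_on = (old.get(path), new.get(path)) == (REPORT_ONLY, "enabled")
            kind = "TURNED_ON" if turned_on else "STATE_CHANGED"
        elif path in CHAT_EDITABLE:
            kind = "EXPECTED"
        else:
            kind = "OUTSIDE_CHAT_SCOPE"  # e.g. application assignments
        findings.append((kind, path))
    # Emergency accounts should stay excluded, directly or through a group.
    excluded = set(new.get("conditions.users.excludeUsers", ()))
    excluded |= set(new.get("conditions.users.excludeGroups", ()))
    for missing in sorted(set(breakglass_ids) - excluded):
        findings.append(("BREAKGLASS_NOT_EXCLUDED", missing))
    return findings

# Constructed sample snapshots; ids are placeholders, not real tenant objects.
BEFORE = {"state": REPORT_ONLY, "conditions": {
    "users": {"includeUsers": ["user-a"], "excludeUsers": []},
    "applications": {"includeApplications": ["All"]}}}
AFTER = copy.deepcopy(BEFORE)
AFTER["state"] = "enabled"  # second Confirm: policy turned on
AFTER["conditions"]["users"]["includeUsers"].append("user-b")
AFTER["conditions"]["users"]["excludeUsers"].append("breakglass-1")

if __name__ == "__main__":
    print(review_chat_edit(BEFORE, AFTER, ["breakglass-1", "breakglass-2"]))
```

A `TURNED_ON` finding corresponds to the second Confirm described above, and any `OUTSIDE_CHAT_SCOPE` finding means the policy changed in a field that chat does not edit, so the change came from somewhere else.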