Microsoft Entra agents

Microsoft Entra agents can automate many identity and access management operations in your organization to help reduce manual workloads. These agents work seamlessly with Microsoft Security Copilot to automate repetitive tasks, provide suggestions, and help administrators focus on higher-value strategic work.

Microsoft Entra agents analyze your identity environment, apply best practices, and take automated actions to improve your identity and access security posture and operational efficiency. They integrate directly with Microsoft Entra services, using your organization's identity data and configuration to provide contextual, actionable insights.

What are Microsoft Entra agents?

Microsoft Entra agents are AI-powered tools that operate in your organization's identity environment to automate and optimize identity and access management tasks. The agents are grounded in the concepts and tasks for a specific product area, like Conditional Access. These agents can:

  • Automate routine tasks - Handle time-consuming, repetitive identity and access management operations
  • Provide suggestions - Analyze your environment and suggest improvements based on Microsoft best practices and Zero Trust principles
  • Operate autonomously - Run on schedules or triggers to continuously monitor and optimize your identity infrastructure
  • Integrate seamlessly - Work within your organization's existing Microsoft Entra workflows
  • Learn and adapt - Improve suggestions over time, based on your environment and feedback

Each agent works a little differently, but at their core, they first analyze your current environment within the boundaries of the agent's capabilities. If the agent identifies a gap, opportunity, or potential issue, it can take action on your behalf. Each agent provides the context, reasoning, and activity history for how it came up with the suggestion.

Administrators can configure the agent to run automatically or trigger the agent to run manually.

Available Microsoft Entra agents

The following agents are currently available for Microsoft Entra. Due to the fast pace at which these agents are released and updated, each agent might have features at various stages of availability. Preview features are added frequently.

Conditional Access optimization agent

The Conditional Access optimization agent ensures comprehensive user protection by analyzing your Conditional Access policies and recommending improvements. The agent evaluates your current policy configuration against Microsoft best practices and Zero Trust principles.

Key capabilities:

  • Identifies users and applications not covered by Conditional Access policies
  • Recommends policies for multifactor authentication enforcement or device-based controls (compliance, app protection, domain-joined devices)
  • Detects and helps block legacy authentication and device code flows
  • Creates new policies in report-only mode for safe testing
  • Builds a phased rollout plan for policy implementation

| Attribute | Description |
| --- | --- |
| Trigger | Runs every 24 hours or can be triggered manually |
| Permissions | Reviews policy configuration, creates new policies in report-only mode, suggests policy changes requiring approval |
| Identity | Runs with the permissions of the administrator who configured the agent |
| Products | Microsoft Entra Conditional Access, Security Copilot |
| Plugins | Microsoft Entra |
| Role requirements | Security Administrator or Global Administrator to configure the agent |
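
The coverage-gap idea in the capabilities above, applied to policy objects in the Microsoft Graph conditionalAccessPolicy shape. This is an added example, not the agent's logic or Microsoft code; the users, groups, policy names and the `policy` helper are constructed for illustration, and only user include/exclude conditions are evaluated.

```python
# Constructed sample data shaped like Microsoft Graph conditionalAccessPolicy
# objects. User names, group ids and policy names are hypothetical.
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def policy(name, state, control, include_users=(), include_groups=(),
           exclude_users=(), client_apps=("all",)):
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": list(include_users),
                                     "includeGroups": list(include_groups),
                                     "excludeUsers": list(exclude_users)},
                           "clientAppTypes": list(client_apps)},
            "grantControls": {"builtInControls": [control]}}

POLICIES = [
    policy("MFA for admins", "enabled", "mfa", include_groups=["grp-admins"]),
    policy("MFA for all users", REPORT_ONLY, "mfa", include_users=["All"],
           exclude_users=["breakglass"]),
    policy("Block legacy auth", REPORT_ONLY, "block", include_users=["All"],
           client_apps=sorted(LEGACY_CLIENTS)),
]
USERS = {"alice": ["grp-admins"], "bob": [], "breakglass": []}  # user -> groups

def in_scope(p, user, groups):
    """Apply user include/exclude conditions; exclusions win over inclusions."""
    u = p["conditions"]["users"]
    if user in u["excludeUsers"]:
        return False
    return ("All" in u["includeUsers"] or user in u["includeUsers"]
            or bool(set(groups) & set(u["includeGroups"])))

def mfa_coverage(policies, users):
    """Map each user to 'enforced', 'report-only' or 'none' for MFA policies."""
    out = {}
    for user, groups in users.items():
        states = {p["state"] for p in policies
                  if "mfa" in p["grantControls"]["builtInControls"]
                  and in_scope(p, user, groups)}
        out[user] = ("enforced" if "enabled" in states else
                     "report-only" if REPORT_ONLY in states else "none")
    return out

def legacy_auth_block_enforced(policies):
    """True only if an enabled all-users policy blocks legacy client types."""
    return any(p["state"] == "enabled"
               and "block" in p["grantControls"]["builtInControls"]
               and "All" in p["conditions"]["users"]["includeUsers"]
               and LEGACY_CLIENTS <= set(p["conditions"]["clientAppTypes"])
               for p in policies)

if __name__ == "__main__":
    print(mfa_coverage(POLICIES, USERS), legacy_auth_block_enforced(POLICIES))
```

A policy still in report-only mode shows up here as a gap in enforcement: it logs what would happen but does not protect the sign-in until its state is changed to enabled.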

Getting started with Microsoft Entra agents

Prerequisites

Setup process

  1. Enable Security Copilot using the Security Copilot setup guide.
  2. Sign in to the Microsoft Entra admin center as a Security Administrator.
  3. Browse to Agents and select View details for the agent you want to configure.

Agents in the Microsoft ecosystem

While this article focuses on Microsoft Entra agents, similar agents are available across other Microsoft security products. For more information, see Microsoft Intune, Microsoft Defender, and Microsoft Purview.