📋 Microsoft Entra Documentation Changes

Daily summary for changes since January 7th 2026, 7:45 PM PST

Report generated on January 8th 2026, 7:45 PM PST

📊 Summary

Total Commits: 9
New Files: 0
Modified Files: 6
Deleted Files: 0
Contributors: 5

📝 Modified Documentation Files

+7 / -9 lines changed
Commit: acrolinx-fixes
Changes:
Before
After
manager: pmwongera
 
ms.reviewer: jodah
ms.date: 01/05/2026
 
ms.service: entra-id
ms.subservice: conditional-access
---
# Conditional Access Optimization Agent phased rollout
 
The Conditional Access Optimization Agent for Microsoft Entra includes a phased rollout capability that helps organizations deploy new Conditional Access policies safely and efficiently. This Microsoft Security Copilot feature in Microsoft Entra enables administrators to introduce policies gradually, monitor their impact, and minimize disruptions. This phased rollout capability provides gradual deployment of new policies to minimize the chance of widespread disruption to end users and reduce the need for manual analysis and planning, saving weeks of effort. As with all aspects of the Conditional Access Optimization Agent, administrators retain full control of the policy changes, such as group selection and rollout pacing. Clear reasoning for the rollout plan is also provided to maintain transparency.
 
This article explains how the phased rollout process works, outlines prerequisites, and describes the built-in safeguards that help ensure a smooth deployment.
 
 
When the Conditional Access Optimization Agent creates a new policy in report-only mode, it can suggest turning on the policy with a phased rollout. The agent analyzes sign-in data and existing policies to define a phased rollout plan.
 
Policies that are intended to apply to *all users* and need to be turned on are eligible for a phased rollout. Because there are five distinct phases to a rollout plan, you must have at least five groups for the rollout plan to apply. To determine which groups to use, the agent looks at groups that were previously or are currently used in Conditional Access policies. The agent looks at those groups to see how other Conditional Access policies affected them, to gauge potential impact. The agent looks at the size of the groups and then uses all these factors to assign the groups to the phases starting with the low impact groups and ending with the higher-impact groups.
 
There are three steps in the phased rollout process:
manager: pmwongera
 
ms.reviewer: jodah
ms.date: 01/08/2026
 
ms.service: entra-id
ms.subservice: conditional-access
---
# Conditional Access Optimization Agent phased rollout
 
The Conditional Access Optimization Agent for Microsoft Entra includes a phased rollout capability that helps organizations deploy new Conditional Access policies safely and efficiently. This Microsoft Security Copilot feature in Microsoft Entra enables administrators to introduce policies gradually, monitor their impact, and minimize disruptions. This phased rollout capability provides gradual deployment of new policies to minimize the chance of widespread disruption to end users and reduce the need for manual analysis and planning, saving weeks of effort. As with all aspects of the Conditional Access Optimization Agent, administrators retain full control of the policy changes, such as group selection, rollout pacing, and deployment. Clear reasoning for the rollout plan is also provided to maintain transparency.
 
This article explains how the phased rollout process works, outlines prerequisites, and describes the built-in safeguards that help ensure a smooth deployment.
 
 
When the Conditional Access Optimization Agent creates a new policy in report-only mode, it can suggest turning on the policy with a phased rollout. The agent analyzes sign-in data and existing policies to define a phased rollout plan.
 
Policies that are intended to apply to *all users* and need to be turned on are eligible for a phased rollout. Because there are five distinct phases to a rollout plan, you must have at least five groups for the rollout plan to apply. To determine which groups to use, the agent looks at groups that were previously or are currently used in Conditional Access policies. The agent looks at those groups to see how other Conditional Access policies affected them, to gauge potential impact. The agent looks at the size of the groups and then uses all these factors to assign the groups to the phases starting with the low impact groups and ending with the higher impact groups.
 
There are three steps in the phased rollout process:
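
Review bot: In the group-selection paragraph of the After text, dropping the hyphen from "higher-impact groups" leaves two unhyphenated compound modifiers ("low impact groups", "higher impact groups"); hyphenate both instead ("low-impact groups ... higher-impact groups"). The same paragraph opens three consecutive sentences with "The agent looks at", which could be merged into one sentence listing the inputs (prior Conditional Access usage, effect of other policies, group size). The first paragraph also still says "This phased rollout capability provides gradual deployment" right after a sentence that already states policies are introduced gradually, so one of the two can go.
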
+6 / -6 lines changed
Commit: acrolinx-fixes
Changes:
Before
After
manager: pmwongera
ms.reviewer: jodah
 
ms.date: 01/05/2026
 
ms.update-cycle: 180-days
ms.service: entra-id
The agent settings described in this article cover standard options like triggers, notifications, and scope. But the settings also include advanced options like custom instructions, Intune integrations, and permissions.
 
> [!IMPORTANT]
> The ServiceNow integrations in the Conditional Access Optimization Agent is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## How to configure agent settings
 
## Trigger
 
The agent is configured to run every 24 hours, based on when it's initially configured. You can manually run the agent at any time.
 
## Microsoft Entra objects to monitor
manager: pmwongera
ms.reviewer: jodah
 
ms.date: 01/08/2026
 
ms.update-cycle: 180-days
ms.service: entra-id
The agent settings described in this article cover standard options like triggers, notifications, and scope. But the settings also include advanced options like custom instructions, Intune integrations, and permissions.
 
> [!IMPORTANT]
> The ServiceNow integration in the Conditional Access Optimization Agent is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## How to configure agent settings
 
## Trigger
 
The agent is configured to run every 24 hours, based on when it was initially configured. You can manually run the agent at any time.
 
## Microsoft Entra objects to monitor
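
Review bot: The overview sentence in the After text lists the advanced options as "custom instructions, Intune integrations, and permissions", but the IMPORTANT note directly below it is about the ServiceNow integration, which that sentence never mentions; either add ServiceNow to the list or move the preview note next to the section that describes it. In the Trigger section, "configured to run every 24 hours, based on when it was initially configured" repeats "configured" and leaves the schedule anchor vague; something like "The agent runs every 24 hours, starting from the time it was first configured" would be clearer.
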
+6 / -6 lines changed
Commit: acrolinx-fixes
Changes:
Before
After
author: shlipsey3
ms.reviewer: jodah
manager: pmwongera
ms.date: 01/05/2026
ms.update-cycle: 180-days
ms.service: entra-id
ms.subservice: conditional-access
 
### Prioritize suggestions
 
With the chat capability you can ask the agent to help you prioritize the suggestions. The agent compares the potential impact of the policy changes and provides a ranked list of suggestions based on [Zero Trust principles](/security/zero-trust/zero-trust-overview), so you don't have to review the full list and make that decision yourself.
 
Sample prompts:
- *Which suggestion should I implement first?*
- *Prioritize the suggestions.*
 
If you ask the agent to prioritize the list of suggestions then ask it for more details on a specific suggestion, the agent uses the order of the prioritized list.
 
### Request more detail
 
author: shlipsey3
ms.reviewer: jodah
manager: pmwongera
ms.date: 01/08/2026
ms.update-cycle: 180-days
ms.service: entra-id
ms.subservice: conditional-access
 
### Prioritize suggestions
 
With the chat capability, you can ask the agent to help you prioritize the suggestions. The agent compares the potential impact of the policy changes and provides a ranked list of suggestions based on [Zero Trust principles](/security/zero-trust/zero-trust-overview), so you don't have to review the full list and make that decision yourself.
 
Sample prompts:
- *Which suggestion should I implement first?*
- *Prioritize the suggestions.*
 
If you ask the agent to prioritize the list of suggestions, then ask it for more details on a specific suggestion, the agent uses the order of the prioritized list.
 
### Request more detail
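
Review bot: In the last sentence under "Prioritize suggestions", the added comma makes ", then ask it for more details" read like the consequence of the "If" clause rather than a second condition. Use "and then" so the structure is unambiguous: "If you ask the agent to prioritize the list of suggestions and then ask it for more details on a specific suggestion, the agent uses the order of the prioritized list."
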
 
+4 / -4 lines changed
Commit: acrolinx-fixes
Changes:
Before
After
author: shlipsey3
ms.reviewer: jodah
manager: pmwongera
ms.date: 12/11/2025
ms.update-cycle: 180-days
ms.service: entra-id
ms.subservice: conditional-access
This article provides an overview of the logic behind the suggestions and reports and how to review and act on those suggestions.
 
> [!IMPORTANT]
> The ServiceNow integrations in the Conditional Access Optimization Agent is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
Below the policy suggestion summary, you can take several actions. The options change based on the type of suggestion. For example, suggestions to turn on a new policy have different options than a suggestion to update the settings of an existing policy.
 
- **Review policy changes**: View a summary or JSON details of the suggestion.Further details described in the [Review policy changes](#review-policy-changes) section.
- **Turn on policy**: Turn on new policies that were created in report-only mode by the agent.
- **Mark suggestion as reviewed**: Select from the down arrow on the **Turn on policy** button to indicate that you've reviewed the suggestion without applying it.
- **Snooze for 14 days**: Select from the down arrow on the **Turn on policy** button to temporarily hide the suggestion. The suggestion reappears in the list after 14 days.
author: shlipsey3
ms.reviewer: jodah
manager: pmwongera
ms.date: 01/08/2026
ms.update-cycle: 180-days
ms.service: entra-id
ms.subservice: conditional-access
This article provides an overview of the logic behind the suggestions and reports and how to review and act on those suggestions.
 
> [!IMPORTANT]
> The ServiceNow integration in the Conditional Access Optimization Agent is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
Below the policy suggestion summary, you can take several actions. The options change based on the type of suggestion. For example, suggestions to turn on a new policy have different options than a suggestion to update the settings of an existing policy.
 
- **Review policy changes**: View a summary or JSON details of the suggestion.Further details described in the [Review policy changes](#review-policy-changes) section.
- **Turn on policy**: Turn on new policies created in report-only mode by the agent.
- **Mark suggestion as reviewed**: Select from the down arrow on the **Turn on policy** button to indicate that you reviewed the suggestion without applying it.
- **Snooze for 14 days**: Select from the down arrow on the **Turn on policy** button to temporarily hide the suggestion. The suggestion reappears in the list after 14 days.
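
Review bot: The "Review policy changes" bullet is unchanged by this pass and still reads "of the suggestion.Further details described in", with no space after the period and no verb in the second sentence. Suggest "View a summary or JSON details of the suggestion. Further details are described in the [Review policy changes](#review-policy-changes) section." The "## Prerequisites" heading is also followed immediately by body text with no blank line in the visible context, which is worth checking in the source file.
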
+4 / -3 lines changed
Commit: move prereq
Changes:
Before
After
- The Microsoft Entra User Account configuring the connector and Access Packages must be synced to SAP Cloud Identity Services (IAS) and SAP IAG.
- Make sure you run the “*Repository Sync*” and “*SCI User Group Sync Job*” on SAP IAG after you provision the Microsoft Entra users to SAP Cloud Identity Services.
 
 
## Prepare your SAP Identity Access Governance instance to connect with Microsoft Entra
 
 
### 8. Set the secret within Azure Key Vault
 
The SAP IAG instance secret created in [Register IAG Sync system administrator](#1-register-iag-sync-system-administrator) must be added to the Azure Key Vault. To add a secret to an Azure Key Vault, do the following steps:
 
1. Navigate to the key vault you created in the [Create an Azure Key Vault](#7-create-an-azure-key-vault) in the Azure portal.
1. On the Key Vault left-hand sidebar, select **Objects** then select **Secrets**.
- To obtain this value: Sign in to SAP BTP Cockpit, navigate to **Instances and Subscriptions**, locate your SAP IAG Service instance (Service Technical Name: `grc-iag-api`), select **View Credentials**, and copy the `clientID` value.
- Leave the other values to their defaults. Select **Create**.
 
 
## Connect your SAP IAG instance in Microsoft Entra
 
**Prerequisite: You will need an Azure subscription containing an Azure Key Vault to store your credentials for Microsoft Entra to interact with SAP IAG**
- The Microsoft Entra User Account configuring the connector and Access Packages must be synced to SAP Cloud Identity Services (IAS) and SAP IAG.
- Make sure you run the “*Repository Sync*” and “*SCI User Group Sync Job*” on SAP IAG after you provision the Microsoft Entra users to SAP Cloud Identity Services.
 
You will also need an Azure subscription, containing an Azure Key Vault, to store your credentials for Microsoft Entra to interact with SAP IAG.
 
## Prepare your SAP Identity Access Governance instance to connect with Microsoft Entra
 
 
### 8. Set the secret within Azure Key Vault
 
The SAP IAG instance secret created in [Register IAG Sync system administrator](#1-register-iag-sync-system-administrator) must be added to the Azure Key Vault. Copy the `clientsecret` parameter from your SAP IAG service credentials and add it to your Key Vault as a new secret. To add a secret to an Azure Key Vault, do the following steps:
 
1. Navigate to the key vault you created in the [Create an Azure Key Vault](#7-create-an-azure-key-vault) in the Azure portal.
1. On the Key Vault left-hand sidebar, select **Objects** then select **Secrets**.
- To obtain this value: Sign in to SAP BTP Cockpit, navigate to **Instances and Subscriptions**, locate your SAP IAG Service instance (Service Technical Name: `grc-iag-api`), select **View Credentials**, and copy the `clientID` value.
- Leave the other values to their defaults. Select **Create**.
 
For more information, see [Set and retrieve a secret from Azure Key Vault using the Azure portal](/azure/key-vault/secrets/quick-create-portal).
 
## Connect your SAP IAG instance in Microsoft Entra
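
Review bot: The sentence added to step 8 names the `clientsecret` parameter, while the bullet a few lines below refers to the `clientID` value, so the two credential fields are cased differently and only the `clientID` bullet says where to find them (SAP BTP Cockpit, **View Credentials**). Use the field names exactly as they appear in the service credentials, and point the new sentence at the same **View Credentials** location so it is clear which value is stored as the Key Vault secret and which one is entered elsewhere. In the first numbered step, "the key vault you created in the [Create an Azure Key Vault](#7-create-an-azure-key-vault) in the Azure portal" is missing a noun such as "section" after the link. The relocated prerequisite would also read better as "You also need an Azure subscription that contains an Azure Key Vault".
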
+2 / -2 lines changed
Commit: acrolinx-fixes
Changes:
Before
After
manager: pmwongera
ms.reviewer: jodah
 
ms.date: 12/11/2025
 
ms.update-cycle: 180-days
ms.service: entra-id
The Conditional Access optimization agent evaluates policies such as requiring multifactor authentication (MFA), enforcing device based controls (device compliance, app protection policies, and domain-joined devices), and blocking legacy authentication and device code flow. The agent also evaluates all existing enabled policies to propose potential consolidation of similar policies. When the agent identifies a suggestion, you can have the agent update the associated policy with one click-remediation.
 
> [!IMPORTANT]
> The ServiceNow integrations in the Conditional Access optimization agent is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
manager: pmwongera
ms.reviewer: jodah
 
ms.date: 01/08/2026
 
ms.update-cycle: 180-days
ms.service: entra-id
The Conditional Access optimization agent evaluates policies such as requiring multifactor authentication (MFA), enforcing device based controls (device compliance, app protection policies, and domain-joined devices), and blocking legacy authentication and device code flow. The agent also evaluates all existing enabled policies to propose potential consolidation of similar policies. When the agent identifies a suggestion, you can have the agent update the associated policy with one click-remediation.
 
> [!IMPORTANT]
> The ServiceNow integration in the Conditional Access optimization agent is currently in PREVIEW.
> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
## Prerequisites
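
Review bot: The overview paragraph in the After text still contains "one click-remediation" and "device based controls"; the hyphens belong in "one-click remediation" and "device-based controls". This file also writes "Conditional Access optimization agent" in lowercase, while the other articles changed in the same commit series use "Conditional Access Optimization Agent", so the product name should be capitalized consistently.
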