Organizations that use Conditional Access policies to protect access to resources should establish standards and patterns to stay organized. For example, a consistent naming convention keeps policies organized and helps prevent policy overlap or gaps. The Conditional Access Optimization Agent can use a document from your organization that maps out these standards, so that the agent reasons with context using the patterns that you design.
Instead of relying only on generic best practices, the agent incorporates your organization's own conventions, such as how you name policies, how you separate admins from regular users, and which accounts must always be excluded. This helps produce recommendations that better reflect how Conditional Access is managed in your tenant.
The knowledge base is especially useful in environments where:
- Different user personas require distinct policy sets, such as admins, workforce users, and contractors
- Policy naming standards are enforced
- Breakglass accounts must be consistently excluded
How the knowledge base works
The general process for setting up and using the knowledge base is as follows:
Upload guidance: An administrator uploads a single Word (.docx) or PDF document that describes organizational Conditional Access standards.
Interpretation by the agent: The agent parses the document and extracts Conditional Access–related guidance, even when it's embedded within broader governance or operational documentation.
Structured understanding: The agent generates a natural‑language summary representing its understanding of the uploaded guidance.
Application to future recommendations: The approved understanding is applied to future Conditional Access recommendations generated by the agent. Existing recommendations aren't modified retroactively.
Once you've successfully added your guidance to the knowledge base, the Conditional Access Optimization Agent can follow guidance in several key areas.
Persona‑based policy design
You can describe how different user populations are secured using separate Conditional Access policies. Examples include:
- Administrators use a dedicated set of policies
- Regular workforce users use a separate baseline policy set
- Contractors are governed by their own policies
When multiple policies enforce the same control (such as MFA), the agent uses this guidance to select the correct policy based on the user's persona.
Policy naming conventions
You can specify how Conditional Access policies should be named, including required structure, ordering, and terminology.
The agent uses this guidance when:
- Creating new policies
- Merging similar policies
- Generating policy rename recommendations
Breakglass account handling
You can define which accounts or groups represent emergency access (breakglass) identities and how they must be excluded.
The agent applies this guidance when:
- Creating new policies
- Identifying missing exclusions
- Recommending updates to existing policies
Recommendations influenced by the knowledge base
The knowledge base can be used by the Conditional Access Optimization Agent in the following scenarios:
Baseline policy creation: Newly recommended policies follow your tenant's naming standards and include the correct exclusions.
Policy merge recommendations: When similar policies are consolidated, the resulting policy reflects your organization's standards.
User drift remediation: When new users fall outside existing coverage, the agent selects the appropriate policy based on persona guidance.
Breakglass remediation: Recommendations to exclude emergency access accounts include the correct users or groups.
Policy naming remediation: If a policy doesn't follow defined naming standards, the agent recommends an appropriately named replacement.
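The three kinds of guidance described above (persona-based design, naming conventions, breakglass exclusions) expressed as checkable data, as an added example that is not part of Microsoft's documentation or of the agent itself. The naming pattern, the breakglass group ID and the policy objects are constructed; the objects are shaped like Microsoft Graph conditionalAccessPolicy results (displayName, state, conditions.users.excludeGroups) but are not tenant data.

```python
import re

# Constructed standards of the kind a knowledge-base document would describe,
# written as data so a tenant's policies can be checked against them.
STANDARDS = {
    # Naming convention (assumed): CA<3 digits>-<Persona>-<Control>-<Scope>
    "name_pattern": re.compile(r"^CA\d{3}-(Admins|Workforce|Contractors)-([A-Za-z]+)-[A-Za-z]+$"),
    # Emergency access (breakglass) group that every policy must exclude (made-up ID).
    "breakglass_group": "11111111-aaaa-bbbb-cccc-000000000001",
}

# Constructed sample policies in the shape of Graph conditionalAccessPolicy objects.
POLICIES = [
    {"displayName": "CA001-Admins-MFA-AllApps", "state": "enabled",
     "conditions": {"users": {"excludeGroups": ["11111111-aaaa-bbbb-cccc-000000000001"]}}},
    {"displayName": "Require MFA for everyone", "state": "enabled",
     "conditions": {"users": {"excludeGroups": []}}},
    {"displayName": "CA002-Workforce-MFA-AllApps", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"excludeGroups": []}}},
]

def audit_policy(policy, standards):
    """Return the naming and breakglass findings for one policy; empty means compliant."""
    findings = []
    if not standards["name_pattern"].match(policy["displayName"]):
        findings.append("naming: does not follow the CA###-Persona-Control-Scope convention")
    excluded = policy.get("conditions", {}).get("users", {}).get("excludeGroups", [])
    if standards["breakglass_group"] not in excluded:
        findings.append("breakglass: emergency access group is not excluded")
    return findings

def audit_policies(policies, standards):
    """Map each policy's display name to its findings, so drift is visible per policy."""
    return {p["displayName"]: audit_policy(p, standards) for p in policies}

def policy_for_persona(policies, persona, control, standards):
    """Select the policy enforcing a control for a persona, using the persona
    encoded in the policy name; None means that persona has no such policy yet."""
    for p in policies:
        m = standards["name_pattern"].match(p["displayName"])
        if m and m.group(1) == persona and m.group(2) == control:
            return p["displayName"]
    return None

if __name__ == "__main__":
    for name, findings in audit_policies(POLICIES, STANDARDS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
    print("Contractors MFA policy:", policy_for_persona(POLICIES, "Contractors", "MFA", STANDARDS))
```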
When should you use the knowledge base?
Consider using the knowledge base if your organization:
- Maintains strict Conditional Access naming standards
- Separates policies by user persona or risk profile
- Audits Conditional Access policies regularly
- Needs recommendations to align with internal governance processes
Scope and limitations
During the Preview, the knowledge base has the following constraints:
- One knowledge base document per tenant
- Supported file formats: Word (.docx) and PDF
- Maximum file size: 5 MB
- The knowledge base only applies to future agent runs
The upload process might fail if the document doesn't meet the listed criteria. If the document has a sensitivity label applied, the upload might also fail. Because organizations can customize the criteria for sensitivity labels, we can't suggest a specific sensitivity label.