Organizations that use Conditional Access policies to protect access to resources should establish standards and patterns to stay organized. For example, a consistent naming convention keeps policies organized and helps prevent overlap or gaps between them. The Conditional Access Optimization Agent can use a document from your organization that maps out these standards, so that the agent reasons with context using the patterns that you design.
Instead of relying only on generic best practices, the agent incorporates your organization's own conventions, such as how you name policies, how you separate admins from regular users, and which accounts must always be excluded. This helps produce recommendations that better reflect how Conditional Access is managed in your tenant.
Knowledge Bases are especially useful in environments where:
- Different user personas require distinct policy sets, such as admins, workforce users, and contractors
- Policy naming standards are enforced
- Breakglass accounts must be consistently excluded
How the knowledge base works
The general process for setting up and using the knowledge base is as follows:
Upload guidance: An administrator uploads a single Word (.docx) or PDF document that describes organizational Conditional Access standards.
Interpretation by the agent: The agent parses the document and extracts Conditional Access–related guidance, even when it's embedded within broader governance or operational documentation.
Structured understanding: The agent generates a natural-language summary representing its understanding of the uploaded guidance.
Application to future recommendations: The approved understanding is applied to future Conditional Access recommendations generated by the agent. Existing recommendations aren't modified retroactively.
Knowledge base file components
A usable and effective knowledge base file should be detailed, specific, and structured. The file should contain clear and actionable information that the Conditional Access Optimization Agent can use to make informed decisions.
Persona-based policy design
Describe how different user populations in your organization are secured with Conditional Access policies. When multiple policies enforce the same control (such as MFA), the agent uses this guidance to select the correct policy based on the user's persona. Examples include:
- Regular workforce users use baseline policies
- Administrators might be included in the baseline policies as well as a dedicated set of policies for their specific needs
- Contractors are governed by their own policies separate from the baseline
If your Conditional Access strategy applies certain policies to full-time employees, describe how full-time employees are defined. For example, are these employees identified by specific user attributes or by group membership? Be explicit. If your persona-based policy design is based on roles, provide the exact Microsoft Entra ID built-in roles. For example, say "Conditional Access Administrator", not "users with administrative privileges".
Policy naming conventions
Specify how Conditional Access policies should be named, including required structure, ordering, and terminology.
The agent uses this guidance when:
- Creating new policies
- Merging similar policies
- Generating policy rename recommendations
Breakglass account handling
You can define which accounts or groups represent emergency access (breakglass) identities and how they must be excluded.
The agent applies this guidance when:
- Creating new policies
- Identifying missing exclusions
- Recommending updates to existing policies
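The three kinds of guidance above (persona-based policy selection, the naming convention, and the breakglass exclusion) are the same checks an administrator can run over the tenant's own policies to see what the agent will be reasoning about. The following Python is an added example and is not Microsoft's code or part of the agent: it audits a constructed set of policies shaped like the Microsoft Graph `conditionalAccessPolicy` resource against a hypothetical naming convention (`CA<seq>-<Persona>-<Control>-<description>`, invented for this example), reports every policy that does not exclude the breakglass group, selects policies by persona, and proposes a convention-compliant replacement name of the kind the agent recommends. The group and role ids are placeholders, not real directory objects.

```python
import re

# Hypothetical naming convention, constructed for this example; the page does not
# prescribe one. Shape: CA<3-digit sequence>-<Persona>-<Control>-<description>
NAME_PATTERN = re.compile(
    r"^CA(?P<seq>\d{3})-(?P<persona>Admins|Workforce|Contractors)-"
    r"(?P<control>MFA|Block|Compliant)-(?P<desc>.+)$"
)

# Placeholder object id of the emergency access (breakglass) group. A real tenant
# would use the group's actual object id from Microsoft Entra.
BREAKGLASS_GROUP = "BREAKGLASS-GROUP-ID-PLACEHOLDER"


def policy(name, state, include=None, exclude_groups=None):
    """Build a constructed policy shaped like a subset of the Microsoft Graph
    conditionalAccessPolicy resource (displayName, state, conditions.users, grantControls)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {"users": {
            "includeUsers": [], "includeGroups": [], "includeRoles": [],
            "excludeUsers": [], "excludeGroups": list(exclude_groups or []),
            **(include or {}),
        }},
        "grantControls": {"builtInControls": ["mfa"]},
    }


# Constructed sample policies; every id below is a placeholder.
SAMPLE_POLICIES = [
    policy("CA001-Workforce-MFA-All cloud apps", "enabled",
           {"includeUsers": ["All"]}, [BREAKGLASS_GROUP]),
    policy("CA002-Admins-MFA-Privileged roles", "enabled",
           {"includeRoles": ["ROLE-TEMPLATE-ID-PLACEHOLDER"]}),        # no breakglass exclusion
    policy("Require MFA for contractors", "enabled",                   # name breaks the convention
           {"includeGroups": ["CONTRACTORS-GROUP-ID-PLACEHOLDER"]}, [BREAKGLASS_GROUP]),
    policy("CA003-Workforce-Block-Legacy auth", "enabledForReportingButNotEnforced",
           {"includeUsers": ["All"]}),                                  # no breakglass exclusion
]


def parse_name(display_name):
    """Return the persona encoded in a policy name, or None if the name violates the convention."""
    match = NAME_PATTERN.match(display_name)
    return match.group("persona") if match else None


def excludes_breakglass(pol):
    """True when the breakglass group is excluded from the policy's user scope."""
    return BREAKGLASS_GROUP in pol["conditions"]["users"].get("excludeGroups", [])


def audit(policies):
    """Return (policy name, finding) pairs for naming violations and missing breakglass exclusions.
    Report-only policies are checked too: they become enforced with a single state change."""
    findings = []
    for pol in policies:
        name = pol["displayName"]
        if parse_name(name) is None:
            findings.append((name, "name does not follow the convention"))
        if not excludes_breakglass(pol):
            findings.append((name, "breakglass group not excluded"))
    return findings


def policies_for_persona(policies, persona):
    """Names of the policies whose convention-encoded persona matches (the set a
    persona-aware remediation would pick from)."""
    return [p["displayName"] for p in policies if parse_name(p["displayName"]) == persona]


def suggest_name(policies, persona, control, description):
    """Propose the next convention-compliant name, using the lowest unused sequence number."""
    used = [int(m.group("seq")) for p in policies
            if (m := NAME_PATTERN.match(p["displayName"]))]
    return f"CA{max(used, default=0) + 1:03d}-{persona}-{control}-{description}"


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES):
        print(f"{name}: {finding}")
    print("Workforce policies:", policies_for_persona(SAMPLE_POLICIES, "Workforce"))
    print("Suggested rename:", suggest_name(SAMPLE_POLICIES, "Contractors", "MFA", "Contractor apps"))
```

On the constructed data the audit reports three findings: the admin policy and the report-only legacy-authentication policy lack the breakglass exclusion, and the contractor policy is misnamed; the rename helper proposes `CA004-Contractors-MFA-Contractor apps`. Against a real tenant the same functions would run over the output of the Graph `identity/conditionalAccess/policies` listing, with the real breakglass group id substituted.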
Add a file to the knowledge base
To add a file to the knowledge base:
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Browse to Conditional Access Optimization Agent > Settings > Files.
- Select the Upload button.
- Either drag and drop the file into the panel that opens or select the Upload file space to navigate to the file on your computer.
The agent processes the file and analyzes it to ensure it includes the necessary information.
Recommendations influenced by the knowledge base
Once you've successfully added your guidance to the knowledge base, the Conditional Access Optimization Agent can follow your guidance in the following scenarios:
Baseline policy creation: Newly recommended policies follow your tenant's naming standards and include the correct exclusions.
Policy merge suggestions: When similar policies are consolidated, the resulting policy reflects your organization's standards.
User drift remediation: When new users fall outside existing coverage, the agent selects the appropriate policy based on persona guidance.
Breakglass remediation: Recommendations to exclude emergency access accounts include the correct users or groups.
Policy naming remediation: If a policy doesn't follow defined naming standards, the agent recommends an appropriately named replacement.
When should you use the knowledge base?
Consider using the knowledge base if your organization:
- Maintains strict Conditional Access naming standards
- Separates policies by user persona or risk profile
- Audits Conditional Access policies regularly
- Needs recommendations to align with internal governance processes
Scope and limitations
During the Preview, the knowledge base has the following constraints:
- One knowledge base document per tenant
- Supported file formats: Word (.docx) and PDF
- Maximum file size: 5 MB
- The knowledge base only applies to future agent runs
The upload process might fail if the document doesn't meet the listed criteria. If the document has a sensitivity label applied, the upload might also fail. Because organizations can customize the criteria for sensitivity labels, we can't suggest a specific sensitivity label.
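Because the page lists the reasons an upload can fail (wrong format, over 5 MB, a sensitivity label on the document), a quick local preflight saves a round trip through the admin center. The following Python is an added example, not part of the agent or the admin center: it checks the extension, the size (5 MB is taken as 5 × 1024 × 1024 bytes here; that is an assumption), that a `.pdf` really carries a PDF header, that a `.docx` is an Office Open XML package with a `word/document.xml` part, and, as a heuristic, whether the package's custom document properties contain an `MSIP_Label_` entry, which is how the Microsoft Information Protection client records an applied sensitivity label. The sample documents it builds are constructed and minimal, not real guidance files.

```python
import os
import re
import tempfile
import zipfile

MAX_BYTES = 5 * 1024 * 1024          # the page's 5 MB limit; binary megabytes assumed
ALLOWED_EXTENSIONS = {".docx", ".pdf"}
# The Microsoft Information Protection client stores an applied sensitivity label as
# custom document properties named MSIP_Label_<guid>_...; used here as a heuristic.
LABEL_PROPERTY = re.compile(rb'name="MSIP_Label_')


def preflight(path):
    """Return the reasons the upload is likely to fail; an empty list means the file passed."""
    problems = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return [f"unsupported file type {ext!r}; only .docx and .pdf are accepted"]
    size = os.path.getsize(path)
    if size > MAX_BYTES:
        problems.append(f"file is {size} bytes, above the {MAX_BYTES}-byte limit")
    with open(path, "rb") as fh:
        header = fh.read(4)
    if ext == ".pdf" and header != b"%PDF":
        problems.append("extension is .pdf but the content has no PDF header")
    if ext == ".docx":
        if not zipfile.is_zipfile(path):
            problems.append("extension is .docx but the file is not an Office Open XML package")
        else:
            with zipfile.ZipFile(path) as pkg:
                names = pkg.namelist()
                if "word/document.xml" not in names:
                    problems.append("package has no word/document.xml part")
                if "docProps/custom.xml" in names and LABEL_PROPERTY.search(pkg.read("docProps/custom.xml")):
                    problems.append("a sensitivity label is applied; the upload might be rejected")
    return problems


def write_sample_docx(path, labeled=False):
    """Write a constructed, minimal .docx-shaped package for exercising preflight() (not a real document)."""
    with zipfile.ZipFile(path, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if labeled:
            pkg.writestr(
                "docProps/custom.xml",
                '<Properties><property name="MSIP_Label_00000000-0000-0000-0000-000000000000_Enabled"/></Properties>',
            )


def demo():
    """Run preflight() over constructed files in a temporary directory; returns {case: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "ca-standards.docx")
        write_sample_docx(clean)
        results["clean docx"] = preflight(clean)

        labeled = os.path.join(tmp, "ca-standards-labeled.docx")
        write_sample_docx(labeled, labeled=True)
        results["labeled docx"] = preflight(labeled)

        bogus_pdf = os.path.join(tmp, "ca-standards.pdf")
        with open(bogus_pdf, "wb") as fh:
            fh.write(b"not really a pdf")
        results["bogus pdf"] = preflight(bogus_pdf)

        text = os.path.join(tmp, "ca-standards.txt")
        open(text, "w").close()
        results["txt"] = preflight(text)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'ok'}")
```

The label check only tells you that a label is present, not which one; as the page notes, whether a given label blocks the upload depends on how the organization configured it, so the check is a prompt to review the document's label before uploading rather than a verdict.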