Microsoft Entra agents can automate many identity and access management operations in your organization to help reduce manual workloads. These agents work seamlessly with Microsoft Security Copilot to automate repetitive tasks, provide suggestions, and help administrators focus on higher-value strategic work.
Microsoft Entra agents analyze your identity environment, apply best practices, and take automated actions to improve your identity and access security posture and operational efficiency. They integrate directly with Microsoft Entra services, using your organization's identity data and configuration to provide contextual, actionable insights.
What are Microsoft Entra agents?
Microsoft Entra agents are AI-powered tools that operate in your organization's identity environment to automate and optimize identity and access management tasks. The agents are grounded in the concepts and tasks for a specific product area, like Conditional Access. These agents can:
- Automate routine tasks - Handle time-consuming, repetitive identity and access management operations
- Provide suggestions - Analyze your environment and suggest improvements based on Microsoft best practices and Zero Trust principles
- Operate autonomously - Run on schedules or triggers to continuously monitor and optimize your identity infrastructure
- Integrate seamlessly - Work within your organization's existing Microsoft Entra workflows
- Learn and adapt - Improve suggestions over time, based on your environment and feedback
Each agent works a little differently, but at its core, each one first analyzes your current environment within the boundaries of the agent's capabilities. If the agent identifies a gap, opportunity, or potential issue, it can take action on your behalf. Each agent provides the context, reasoning, and activity history for how it came up with the suggestion.
Administrators can configure the agent to run automatically or trigger the agent to run manually.
Because each agent performs a specific set of tasks, it needs a specific set of configurations to operate within the boundaries of that task. The administrator also needs certain Microsoft Entra roles to set up and manage the agent.
- Agent identity: A unique agent identity is created when the agent is turned on. Learn more about agent identities.
- Permissions: The agent identity is granted specific read and write permissions needed to perform its tasks.
- Role-based access: The administrator needs specific roles to set up, manage, and use the agent.
Available Microsoft Entra agents
The following agents are currently available for Microsoft Entra. Due to the fast pace at which these agents are released and updated, each agent might have features at various stages of availability. Preview features are added frequently.
Access Review Agent
Empower your reviewers to make fast and accurate access decisions. The Access Review Agent with Microsoft Entra ID Governance delivers insights and recommendations so reviewers can complete their work through a simple conversation, right inside Microsoft Teams.
| Attribute | Description |
|---|---|
| Identity | A unique agent identity for authorization is created when the agent is turned on. The agent uses this identity to scan your tenant for active access reviews, gather additional insights, and save its recommendations and justifications for the reviewer. For more information, see: How it works. Final decisions, submitted through the Microsoft Teams conversation, use the reviewer's identity. |
| Licenses | Microsoft Entra ID Governance or Microsoft Entra Suite |
| Permissions | Get details for access reviews. Read details and lifecycle workflow history for users, groups, apps, and access packages. Save access review recommendations and justifications. |
| Plugins | Microsoft Entra |
| Products | ID Governance Access Reviews |
| Role-based access | Both Identity Governance Administrator and Lifecycle Workflows Administrator are required to configure and use the agent |
| Trigger | Runs every 24 hours or triggered manually |
Application Lifecycle Management Agent (Preview)
The App Lifecycle Management Agent (Preview) helps you manage the full lifecycle of apps in Microsoft Entra, from discovery and onboarding to risk remediation and decommissioning. It correlates identity and network signals from Global Secure Access telemetry data to surface unmanaged private apps and Microsoft Entra application data. It provides clear, AI-driven recommendations to reduce app sprawl and enforce governance at scale. This agent is currently being deployed and might not be available in all tenants.
| Attribute | Description |
|---|---|
| Identity | A unique agent identity for authorization is created when the agent is turned on. The agent uses this identity to scan your tenant with specific permissions to review network logs and application data to provide insights and suggestions for application management. The agent identity includes role-based access used for any write actions, such as creating and disabling applications, dismissing suggestions, and sending emails or Teams notifications. |
| Licenses | Microsoft Entra ID P2 or Workload Identity Premium P2 for App Risk Remediation suggestions and/or Microsoft Entra Suite or Microsoft Entra Private Access licenses for Application Discovery & Onboarding suggestions |
| Permissions | Read access for Global Secure Access network logs. Read access for users, applications, and service principals. Read access for Microsoft Entra recommendations. |
| Plugins | Microsoft Entra |
| Products | Global Secure Access Microsoft Entra recommendations Enterprise Applications App Management |
| Role-based access | Set up the agent and manage the agent: Cloud Application Administrator, Application Administrator, Global Secure Access Administrator, Security Administrator. View the output suggestions from the agent: Reports Reader, Security Reader, Global Reader. |
Conditional Access Optimization Agent
The Conditional Access Optimization Agent ensures comprehensive user protection by analyzing your Conditional Access policies and recommending improvements. The agent evaluates your current policy configuration against Microsoft best practices and Zero Trust principles.
| Attribute | Description |
|---|---|
| Identity | A unique agent identity for authorization is created when the agent is turned on. The agent uses this identity to scan your tenant's Conditional Access policies and configurations for gaps, overlap, and misconfigurations. |
| Licenses | Microsoft Entra ID P1 |
| Permissions | Review policy configuration. Create new policies in report-only mode. Suggest policy changes requiring approval. |
| Plugins | Microsoft Entra |
| Products | Microsoft Entra Conditional Access |
| Role-based access | Security Administrator to configure the agent. Conditional Access Administrator to use the agent. |
| Trigger | Runs every 24 hours or triggered manually |
Identity Risk Management Agent (Preview)
The Identity Risk Management Agent in Microsoft Entra ID Protection helps administrators investigate potential risks, learn about potential effects, and take decisive action to protect their organization's critical assets.
| Attribute | Description |
|---|---|
| Identity | Uses Microsoft Entra Agent ID for authorization |
| Licenses | Microsoft Entra Agent ID |
| Permissions | Read Microsoft Entra ID Protection risk detections and risk history. Read sign-in and audit logs. Read user information. |
| Plugins | Microsoft Entra |
| Products | Security Copilot, Microsoft Entra ID Protection |
| Role-based access | Security Administrator |
| Trigger | Runs every 24 hours, triggered manually, or continuous monitoring |
Getting started with Microsoft Entra agents
Prerequisites
- You must have available security compute units (SCU).
- In order to purchase security compute units, you need to have an Azure subscription. Create your free Azure account.
- Review Privacy and data security in Microsoft Security Copilot
Setup process
- Enable Security Copilot using the Security Copilot setup guide.
- Sign in to the Microsoft Entra admin center using the least privileged role required for the agent you want to configure.
- Browse to Agents and select View details for the agent you want to configure.
Agents in the Microsoft ecosystem
While this article focuses on Microsoft Entra agents, similar agents are available across other Microsoft security products. For more information, see Microsoft Intune, Microsoft Defender, and Microsoft Purview.