Microsoft Entra Conditional Access, managed at fleet scale.
Drift detection, sign-in impact analysis, MFA posture, and governed CA changes across every Entra tenant you connect - one production tenant or dozens of customers.
For MSPs and internal IT teams who operate Microsoft Entra Conditional Access (Entra ID P1/P2). Not for organizations that only need basic Microsoft 365 email and files.
- No credit card required
- 14-day Pro trial
- Entra Global Admin required to connect

Built on Microsoft Graph and Entra ID P1/P2 · drift defaults to the Policytab Conditional Access reference catalog
From connect to drift report in one sitting
Same flow for internal IT and MSPs - choose workspace type at onboarding.
1. Create your workspace
Sign up with your work email. New workspaces get a 14-day Pro trial - no credit card.
2. Connect an Entra tenant
Grant admin consent in the customer or production tenant and take the first policy snapshot - usually under five minutes.
3. Compare and model
See CA drift vs baseline, review MFA posture, and run impact analysis before any write reaches Entra.
Every CA change is a guess until someone gets locked out
The Entra admin center shows current policies. It does not show what changed last Tuesday, who would be affected by enforcement, or which travel exception expired silently.
Drift is invisible
Portal edits from three weeks ago surface at the next audit - or when something breaks.
Impact is unknown
Report-only to enforced is a coin flip until the Monday standup with 47 helpdesk tickets.
Exclusions linger
That Q1 travel exception and the contractor who left in March may still be in Entra groups.
Core capabilities
Drift detection
Snapshot Entra CA policies on resync and nightly backup. Compare to the tenant comparison baseline you assign at onboarding.
Impact analysis
Model who would likely be blocked before you enforce a CA policy - from recent Microsoft Graph sign-ins.
MFA posture
Per-user fresh, amber, and stale buckets with confidence labels - stale admins surfaced on the dashboard.
Exclusion workflow
Time-bound CA exclusion group membership with reason, approver, and automatic Entra sync at expiry.
Sign-in viewer
Pass-through Microsoft Graph sign-in triage. Filter by UPN, see blocking policies, request exclusions.
Resync-backed alerts
Alerts for drift and portal edits when snapshots refresh. In-app on Pro; Slack, Teams, email, and webhooks on Enterprise.
Scoped tenant access, auditable changes
Workspace ownership is enforced server-side before tenant data returns. CA writes run through dry-run, optional approval, and snapshot-backed rollback.
- Tenant reads are scoped to your workspace on the server before any tenant data is returned
- Graph app credentials encrypted at rest (TLS in transit); privileged access only after tenant ownership checks
- Append-only audit log for administrative actions in Policytab
- Per-tenant Graph app in the customer Entra directory (single-tenant registration you control - no Policytab-wide multitenant OAuth app)
- CA changes run through dry-run, optional approval, and snapshot-backed rollback
When you sign in, Policytab resolves your workspace on the server before any tenant list or policy data is returned. Another MSP or company workspace cannot read your connected Entra tenants, even if someone guesses a tenant ID in a URL.
Conditional Access writes always run through dry-run, optional second-admin approval, and snapshot-backed rollback - not direct portal-style edits.
Alongside the Microsoft Entra admin center
Policytab complements Entra for Conditional Access at scale - not a replacement for identity administration.
| Task | Entra admin center | Policytab |
|---|---|---|
| See Conditional Access drift across tenants | Manual policy review per tenant in the Entra admin center | Workspace dashboard with per-tenant comparison baselines and resync alerts |
| Predict impact before enforcing a policy | Report-only mode, then hope - or export sign-ins yourself | Impact analysis over recent Microsoft Graph sign-in logs before apply |
| Safe, auditable CA changes | Direct portal edits with no dry-run or rollback trail | Dry-run, approval workflow, pre/post snapshots, one-click rollback |
Connect your first Entra tenant
Create your account, set up a workspace, and get 14 days of Pro - connect tenants, detect drift, and run impact analysis. No credit card required.
No standalone Free plan. After your 14-day Pro trial, choose Pro or Enterprise to keep using Policytab.