Governed CA writes

Conditional Access change management

Every CA write in Policytab runs dry-run → approval (when required) → apply, with snapshot-backed rollback. No direct portal-style edits.

Create your account, set up a workspace, and get 14 days of Pro - connect tenants, detect drift, and run impact analysis. No credit card required.

Conditional Access change request list with dry-run and approval states

State machine operators can trust

Change requests move through draft, dry-run, approval, apply, and rollback states. Failed dry-runs stay blocked until re-run. Stale dry-runs cannot apply. A compare-and-swap on status prevents double-apply races.

Five change kinds: state, assignment, condition, grant controls, application
Per-kind warnings: critical disable, MFA removal, AND→OR loosening, admin portal bypass
Pre and post snapshot on every successful apply
Bulk change sets fan the same payload across selected tenants

Graph writes only through the workflow

Policytab invokes Microsoft Graph to patch policies only from the approved apply path. Operators see the dry-run diff in the console; security reviewers get append-only audit entries for every transition.

Try it on your Entra tenant

Connect a tenant, take a snapshot, and compare Conditional Access policies against your baseline in minutes.