Time-bound access
Time-bound Conditional Access exclusions
Travel exceptions and vendor access should expire. Policytab brokers time-bound exclusion group membership with audit and automatic Entra sync.
Create your account, set up a workspace, and get 14 days of Pro - connect tenants, detect drift, and run impact analysis. No credit card required.
Lifecycle operators control
Exclusions move through pending, active, expired, removed, and cancelled states. Each transition is audit-logged. Maximum duration is enforced server-side (90 days).
When an exclusion expires, a scheduled job marks it expired and can remove the user from the Entra exclusion group - so Q1 travel access does not linger into next year.
- Recommended exclusion group per policy from the reference catalog
- One-click request from sign-in triage with policy and user prefilled
- Manual sync for expired-but-unsynced rows
- MSP fleet view of pending and unsynced exclusions
Still governed CA changes
Activating or cancelling exclusions that touch Entra group membership goes through Graph with rollback on conflict. Exclusions are operational workflow - not a bypass around CA policy review.