Getting started
What Policytab is
An operations console for Microsoft Entra Conditional Access. You connect customer tenants on the Connect page using single-tenant Graph app registrations in each customer's Entra directory (paste credentials or set up an app; there is no platform multitenant OAuth app). Policytab surfaces drift, impact analysis, MFA posture, time-bound exclusions, and a safe change-management workflow with mandatory dry-run and rollback.
Who it's for: MSPs managing customer tenants, internal IT running a single company tenant, and teams with several Entra tenants in one organization (subsidiaries, dev/test, geo splits). Every connected organization is called a tenant throughout the UI.
Signing in
Visit your Policytab URL (e.g. https://app.policytab.com) and sign in with your email and password. Policytab uses Supabase Auth email/password for operator accounts. Entra is used only to access connected customer tenants via Graph; Entra SSO is not available for console sign-in.
If sign-in succeeds but you land on a dashboard with no tenants and no data, your account exists in Supabase Auth but is not mapped to a workspace. Contact your workspace owner with your sign-in email.
What the dashboard tells you
The dashboard is a rollup across every tenant in your workspace. Each row is one connected Entra tenant, with:
- Status pill:
pending(consent not done),consented(consent done, awaiting import),imported(live, daily-driver),disconnected(consent revoked or credentials rotated out),suspended(you suspended this tenant) - License: Entra ID P1 / P2 detection (drives which features are available on this tenant)
- Open alerts: count of unacknowledged alerts. Critical-severity is highlighted
- Stale admins: MFA-posture: admin users whose registered methods haven't been touched in >180d
- Exclusions pending: exclusion requests waiting for an approver
- Last resync: when an admin last clicked Resync or a system event triggered one
With a single connected tenant, the dashboard is one row with the same workflows on the tenant detail pages.
Click any tenant row for its detail page.
The five hero workflows
- Drift check:
/tenants/<id>/drift- compares the latest CA snapshot against this tenant's comparison baseline (importedsnapshot by default, or a workspace baseline you assign asmsp_custom) - Impact analysis:
/tenants/<id>/impact- "if I move CA101 from report-only to enforced, who would likely have been blocked over the last 7 days?" - MFA posture:
/tenants/<id>/mfa- registration + staleness + admin call-out - Time-bound access:
/tenants/<id>/exclusions- temporary exclusion group membership; auto-removed at expiry - Change request:
/tenants/<id>/changes- propose → dry-run → approve → apply → rollback
Enterprise capabilities
Self-serve on Enterprise (Settings → Enterprise for an overview):
- Dedicated database - included on Enterprise; our team provisions the isolated instance after checkout and schedules cutover from the shared platform
- Outbound notifications - Notifications (Slack, Teams, email via your Resend account, signed webhooks)
- Scheduled digests - Scheduled compliance reports
- CSV exports - Exports guide (audit log, compliance reports, MFA, policies)
- Retention - unlimited audit and alert history (Pro: 30 days; sign-in analysis windows up to 90 days on Enterprise)
Contact us for a countersigned DPA, deployment requirements, and priority support during Enterprise onboarding.
Roles
- Owner: full control, including notification channel + workspace settings
- Admin: propose + apply changes, manage exclusions, ack alerts, run resyncs
- Read-only: sees everything, can't mutate
Role is set on the operator account by the workspace owner. Role changes take effect on the user's next sign-in (the JWT claim is re-issued).