Frequently asked questions

Probably not. Policytab is for teams that operate Microsoft Entra Conditional Access - MSPs and internal IT with Entra ID P1 or P2. If you only need email, Teams, and files with default Microsoft 365 security, stay in the Microsoft 365 admin center.

Policytab is a multi-tenant operations console for Microsoft Entra Conditional Access. MSPs and internal IT teams use it for drift detection against a baseline, sign-in impact analysis, MFA posture, time-bound exclusions, and gated CA changes with dry-run and rollback.

No. Policytab sits beside the Entra admin center for CA operations at scale - drift, impact, fleet rollup, and change workflow. You still manage identities, licenses, and non-CA settings in Entra.

Conditional Access requires Entra ID P1 or P2 (or equivalent Microsoft 365 licensing that includes Entra ID P1). Identity Protection risk actions require Entra ID P2. Policytab detects tenant capabilities and gates features accordingly.

Policytab snapshots CA policies, groups, and named locations on resync and nightly backup, then compares them to each tenant's effective comparison baseline (imported CA snapshot by default, or a workspace baseline you assign per tenant). Portal edits surface on the next snapshot - not via live Graph change notifications.

Policytab's extended CA baseline (~45 policies plus groups and named locations) builds on the open-source Teuftis/ConditionalAccessBaseline-Hardened project, with Policytab profiles and framework mappings. Import from GitHub under Baseline library, edit if needed, then assign per tenant. It is not a global default - each customer compares against their assigned workspace baseline or imported snapshot.

Yes, on Pro and Enterprise. Every write runs dry-run validation, optional second-admin approval, pre/post snapshots, and rollback. There is no bypass around the change-management workflow.

Policytab runs on encrypted cloud infrastructure (AWS, ca-central-1 by default). Each connected Entra tenant is scoped to your workspace. Graph app credentials are encrypted at rest.

No. Policytab is an independent product built for Microsoft Entra Conditional Access. Microsoft, Entra, Azure, and Microsoft 365 are trademarks of Microsoft Corporation.

Each Microsoft Entra tenant you connect to Policytab - your organization's production tenant for internal IT, or each customer tenant for MSPs. Your first connected tenant is included in the Pro or Enterprise base fee; each additional tenant is $10/mo.

No. Every new workspace starts with a 14-day Pro trial (no credit card). When the trial ends, choose Pro or Enterprise to continue. There is no read-only tier after trial.

Your trial ends and the console locks until you subscribe to Pro ($59/mo + $10/tenant) or Enterprise. Pick a plan at Settings → Billing after you sign in.

Yes - every new workspace gets 14 days of Pro automatically when you create it. No credit card required. After that you must choose a paid plan to continue.

Yes. Upgrades take effect immediately. Downgrades take effect at the next renewal. Add or remove tenant line items in Stripe when your fleet size changes.

Enterprise includes a dedicated database for your workspace, outbound Slack, Teams, email, and signed webhook alerts, scheduled compliance digests, CSV exports, unlimited audit retention, and sign-in analysis windows up to 90 days (Microsoft Graph limit). Configure notification channels at Settings → Notifications after upgrading.

Yes on Enterprise when requested. Console sign-in is email and password by default; we enable Entra SSO for operators during Enterprise onboarding when your contract requires it.

Hosted on AWS (ca-central-1 by default). Customer Entra credentials are encrypted at rest. Contact us if you need a specific region or DPA.