Entra ID CA Policy Builder

Design Entra ID Conditional Access policies visually


Build a custom Conditional Access policy step by step. The preview updates live as you make selections.


🤔 How many policies do I need?
| Organisation Type | Recommended | Typical Range |
|---|---|---|
| 🏢 Small business (< 100 users) | 6-8 | Starting Point + MFA for guests |
| 🏦 Enterprise (Intune, E3/E5) | 12-16 | Starting Point + Enterprise tier |
| 🏫 Education (students + staff) | 8-12 | Starting Point + approved apps + ToU |
| 🔒 High security (finance, gov) | 16-20 | All three tiers |

💡 Start with fewer policies and add as needed. Every policy you add increases complexity — only add what you'll actively maintain.

Conditional Access Quick Reference

What is Conditional Access?

An if-then policy engine in Microsoft Entra ID. If a user matches conditions (who, where, device), then enforce controls (MFA, block, compliant device). Multiple policies combine with AND logic.

The Two Phases

Phase 1: Collect session details (location, device, risk). Phase 2: Enforce — if any policy blocks, access is denied. Otherwise, all grant controls from all matching policies must be satisfied.
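The two-phase evaluation above, including the report-only behaviour described further down, as an added example (not the tool's own code): a simplified model of how a set of Graph-shaped policies combine for one sign-in. Policy names, the break-glass object id and the sample policies are constructed.

```python
# Added example (not the tool's code): a simplified model of how Entra ID combines
# Conditional Access policies for one sign-in. Policy dicts mimic the Graph API
# conditionalAccessPolicy shape; "All" matches every user or application.
BREAK_GLASS = "bg-0000-0000-0001"  # constructed placeholder object id

def in_scope(value, included):
    return "All" in included or value in included

def policy_applies(policy, signin):
    """Phase 1: does the policy's user / app / client-app scope match the sign-in?"""
    cond = policy["conditions"]
    if signin["user"] in cond["users"].get("excludeUsers", []):
        return False  # exclusions beat inclusions: this is what protects break-glass
    clients = cond.get("clientAppTypes", ["all"])
    return (in_scope(signin["user"], cond["users"].get("includeUsers", []))
            and in_scope(signin["app"], cond["applications"].get("includeApplications", []))
            and ("all" in clients or signin["clientApp"] in clients))

def evaluate(policies, signin):
    """Phase 2: any enforced matching block policy denies; otherwise every grant
    control of every enforced matching policy is required (AND across policies).
    Report-only policies are recorded but never enforced. A policy's own AND/OR
    grant operator is not modelled here."""
    matching = [p for p in policies if p["state"] != "disabled" and policy_applies(p, signin)]
    would_apply = [p["displayName"] for p in matching if p["state"] == "enabledForReportingButNotEnforced"]
    enforced = [p for p in matching if p["state"] == "enabled"]
    blockers = [p["displayName"] for p in enforced if "block" in p["grantControls"]["builtInControls"]]
    if blockers:
        return {"decision": "block", "blockedBy": blockers[0], "wouldApply": would_apply}
    required = sorted({c for p in enforced for c in p["grantControls"]["builtInControls"]})
    return {"decision": "grant", "required": required, "wouldApply": would_apply}

def make_policy(name, state, client_apps, controls):
    """Constructed helper: a policy scoped to all users and apps, break-glass excluded."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": client_apps},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

# Constructed sample set: the block and MFA policies are live, device compliance is still report-only.
POLICIES = [
    make_policy("CA001 Block legacy auth", "enabled", ["exchangeActiveSync", "other"], ["block"]),
    make_policy("CA002 Require MFA for all users", "enabled", ["browser", "mobileAppsAndDesktopClients"], ["mfa"]),
    make_policy("CA003 Require compliant device", "enabledForReportingButNotEnforced",
                ["browser", "mobileAppsAndDesktopClients"], ["compliantDevice"]),
]
```

Note that the break-glass account matches nothing at all, so it is granted with no controls even when a block policy would otherwise apply; that is exactly what the exclusion is for.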

Break-Glass Accounts

Emergency access accounts excluded from ALL CA policies. At least 2 cloud-only accounts with Global Admin, using phishing-resistant MFA. Test monthly.

Report-Only Mode

Test a policy without enforcing it. Sign-in logs show what would happen. Run for 1-2 weeks before enabling. Up to 20 policies in report-only simultaneously.

Key Requirement

Entra ID P1 (included in M365 E3/E5, Business Premium). Risk-based policies need P2 (included in E5). Device compliance needs Intune.

Common Mistakes

❌ No break-glass exclusion · ❌ Block policy too broad · ❌ Skipping report-only · ❌ Forgetting legacy auth · ❌ Not blocking admin sign-ins from untrusted locations

Frequently Asked Questions

1. What is a Conditional Access policy?

A Conditional Access policy is an if-then statement in Microsoft Entra ID that evaluates sign-in signals (who, what, where, device state, risk level) and enforces access controls (block, require MFA, require compliant device). It's the core Zero Trust policy engine for Microsoft 365 and Azure.

2. Do I need to connect my tenant to use this tool?

No. This tool is 100% client-side — it runs entirely in your browser with zero API calls. No tenant connection, no login, no data leaves your device. It's designed for safe policy planning before you touch your production environment.

3. What Zero Trust tiers are the templates based on?

Templates follow Microsoft's official Zero Trust identity and device access framework with three tiers: Starting Point (minimum recommended for all organisations), Enterprise (for orgs with managed devices), and Specialised (for highly sensitive environments and privileged access).

4. Can I export policies to deploy in my tenant?

Yes. The Export tab generates deploy-ready PowerShell commands (New-MgIdentityConditionalAccessPolicy) and Graph API JSON that you can paste directly into your terminal or automation scripts. Always deploy in Report-Only mode first.

5. What does the safety linter check?

The linter runs 8 automated checks against your policy set: break-glass account exclusions, admin lockout risk, overly broad blocks, report-only recommendations, policy conflicts, coverage gaps, legacy auth blocking, and admin MFA coverage.
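Four of the checks listed above (break-glass exclusions, overly broad blocks, legacy auth blocking, admin MFA coverage) as an added example, written here and not the tool's own linter. It runs over Graph-shaped policy dicts; the break-glass object ids and sample policies are constructed, while the Global Administrator role template id is Microsoft's well-known value.

```python
# Added example (not the tool's own linter): policy-set checks of the kind the FAQ
# lists, run over Graph-shaped conditionalAccessPolicy dicts. Object ids are constructed.
BREAK_GLASS = {"bg-0000-0000-0001", "bg-0000-0000-0002"}
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
MODERN_CLIENTS = {"all", "browser", "mobileAppsAndDesktopClients"}

def lint(policies):
    """Return (severity, policy, message) findings for the whole policy set."""
    findings = []
    active = [p for p in policies if p["state"] != "disabled"]
    enabled = [p for p in active if p["state"] == "enabled"]
    for p in active:
        users = p["conditions"]["users"]
        controls = set(p["grantControls"]["builtInControls"])
        clients = set(p["conditions"].get("clientAppTypes", ["all"]))
        # Check 1: every break-glass account is excluded from every policy, report-only ones too.
        missing = BREAK_GLASS - set(users.get("excludeUsers", []))
        if missing:
            findings.append(("error", p["displayName"], f"break-glass not excluded: {sorted(missing)}"))
        # Check 2: a block that hits all users on modern clients locks out admins too.
        if "block" in controls and "All" in users.get("includeUsers", []) and clients & MODERN_CLIENTS:
            findings.append(("error", p["displayName"], "blocks all users on modern clients: lockout risk"))
    # Check 3 (set-level): legacy auth must be blocked by an *enabled* policy for all users.
    if not any("block" in p["grantControls"]["builtInControls"]
               and LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               and "All" in p["conditions"]["users"].get("includeUsers", []) for p in enabled):
        findings.append(("warn", "<set>", "no enabled policy blocks legacy authentication"))
    # Check 4 (set-level): Global Administrators must be covered by an enabled MFA policy.
    if not any("mfa" in p["grantControls"]["builtInControls"]
               and (GLOBAL_ADMIN in p["conditions"]["users"].get("includeRoles", [])
                    or "All" in p["conditions"]["users"].get("includeUsers", [])) for p in enabled):
        findings.append(("warn", "<set>", "Global Administrators not required to use MFA"))
    return findings

# Constructed sample set: CA001 forgets one break-glass account; CA002 is still report-only.
SAMPLE = [
    {"displayName": "CA001 MFA for Global Admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN], "excludeUsers": ["bg-0000-0000-0001"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS)},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
```

Running `lint(SAMPLE)` reports the missing exclusion on CA001 and warns that legacy auth is not yet blocked, because a report-only block policy enforces nothing.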

6. Does this replace the Entra admin portal?

No. This is a design and planning tool. You still need the Entra admin portal (or PowerShell/Graph API) to actually create and enforce policies. This tool helps you plan correctly before deploying.

7. What licence do I need for Conditional Access?

Conditional Access requires Microsoft Entra ID P1 (included in Microsoft 365 E3/E5, Business Premium, A3/A5). Risk-based policies require Entra ID P2 (included in E5). Some features require additional licences like Intune or Defender for Cloud Apps.

8. How is this different from other CA tools?

This tool uniquely combines a template library, custom builder, policy-SET linting (not just single-policy), Zero Trust baseline scoring, rollout safety checks, and deploy-ready export — all in one free, offline tool. No other tool offers all of these together without requiring a tenant connection.

9. Is this tool still being improved?

Yes! This is a V1 release and we're actively improving it based on user feedback. If you have suggestions, find a bug, or want a new feature, please visit our Community Feedback page at aguidetocloud.com/feedback/ — every piece of feedback is read and acted on.

📺 Learn more: Watch our tutorials on Conditional Access, Zero Trust, and Microsoft Entra ID. Follow A Guide to Cloud & AI for step-by-step walkthroughs.

⚠️ Design-time tool only. This tool helps you plan Conditional Access policies offline. It does not connect to your tenant, does not read real data, and cannot enforce policies. All analysis is heuristic-based — always test in Report-Only mode before enabling. Compliance mappings are illustrative and do not constitute certification guidance. Refer to official Microsoft documentation for the most up-to-date information.
