Entra ID CA Policy Builder

Design Entra ID Conditional Access policies visually


Quick Start — Get a Zero Trust Baseline in 1 Click

Microsoft recommends 6 Starting Point policies as the minimum for every organisation. Add them all instantly, then review and export.


Browse 20 pre-built policy templates based on Microsoft's Zero Trust framework. Add to your set or customise before adding.

How many policies do I need?
Organisation Type              Recommended   Typical Range
Small business (< 100 users)   6–8           Starting Point + MFA for guests
Enterprise (Intune, E3/E5)     12–16         Starting Point + Enterprise tier
Education (students + staff)   8–12          Starting Point + approved apps + ToU
High security (finance, gov)   16–20         All three tiers

Start with fewer policies and add as needed. Every policy you add increases complexity.

Frequently Asked Questions

1. What is a Conditional Access policy?

A Conditional Access policy is an if-then statement in Microsoft Entra ID that evaluates sign-in signals (who, what, where, device state, risk level) and enforces access controls (block, require MFA, require compliant device). It's the core Zero Trust policy engine for Microsoft 365 and Azure.

2. Do I need to connect my tenant to use this tool?

No. This tool is 100% client-side — it runs entirely in your browser with zero API calls. No tenant connection, no login, no data leaves your device. It's designed for safe policy planning before you touch your production environment.

3. What Zero Trust tiers are the templates based on?

Templates follow Microsoft's official Zero Trust identity and device access framework with three tiers: Starting Point (minimum recommended for all organisations), Enterprise (for orgs with managed devices), and Specialised (for highly sensitive environments and privileged access).

4. Can I export policies to deploy in my tenant?

Yes. The Export tab generates deploy-ready PowerShell commands (New-MgIdentityConditionalAccessPolicy) and Graph API JSON that you can paste directly into your terminal or automation scripts. Always deploy in Report-Only mode first.

5. What does the safety linter check?

The linter runs 8 automated checks against your policy set: break-glass account exclusions, admin lockout risk, overly broad blocks, report-only recommendations, policy conflicts, coverage gaps, legacy auth blocking, and admin MFA coverage.
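As an added illustration (not the tool's own linter, which this page does not publish), here are four of those checks written as a client-side function over Graph API conditionalAccessPolicy JSON; the break-glass object IDs and the sample policy set are constructed placeholders.

```javascript
// Constructed sample data: placeholder break-glass object IDs and the Entra
// clientAppTypes values that represent legacy authentication.
const BREAK_GLASS = ["bg-0001", "bg-0002"];
const LEGACY_APPS = ["exchangeActiveSync", "other"];

// "all" client app types already covers the legacy ones.
const coversLegacy = clients =>
  clients.includes("all") || LEGACY_APPS.every(t => clients.includes(t));

function lintPolicySet(policies, breakGlass = BREAK_GLASS) {
  const findings = [];
  const add = (policy, check, severity) => findings.push({ policy, check, severity });
  for (const p of policies) {
    const users = p.conditions?.users ?? {};
    const excluded = users.excludeUsers ?? [];
    const allUsers = (users.includeUsers ?? []).includes("All");
    const apps = p.conditions?.applications?.includeApplications ?? [];
    const clients = p.conditions?.clientAppTypes ?? [];
    const blocks = (p.grantControls?.builtInControls ?? []).includes("block");
    // Check: any policy scoped to All users must exclude every break-glass account.
    if (allUsers && breakGlass.some(id => !excluded.includes(id)))
      add(p.displayName, "break-glass-exclusion", "error");
    // Check: an enforced block on all users, all apps, all client types locks the tenant out.
    if (p.state === "enabled" && blocks && allUsers && apps.includes("All") && clients.includes("all"))
      add(p.displayName, "overly-broad-block", "error");
    // Check: going straight to "enabled" skips the Report-Only stage.
    if (p.state === "enabled")
      add(p.displayName, "report-only-recommended", "warn");
  }
  // Set-level check: at least one block policy must cover legacy authentication.
  const legacyBlocked = policies.some(p =>
    (p.grantControls?.builtInControls ?? []).includes("block") &&
    coversLegacy(p.conditions?.clientAppTypes ?? []));
  if (!legacyBlocked) add("(policy set)", "legacy-auth-not-blocked", "error");
  return findings;
}

// Constructed sample set: MFA for all users in Report-Only, but the second
// break-glass account is not excluded and nothing blocks legacy auth.
const samplePolicies = [{
  displayName: "CA001 Require MFA for all users",
  state: "enabledForReportingButNotEnforced",
  conditions: {
    users: { includeUsers: ["All"], excludeUsers: ["bg-0001"] },
    applications: { includeApplications: ["All"] },
    clientAppTypes: ["all"]
  },
  grantControls: { operator: "OR", builtInControls: ["mfa"] }
}];
console.log(lintPolicySet(samplePolicies));
```

Running it on the sample set reports the missing break-glass exclusion on CA001 and the set-level absence of a legacy authentication block.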

6. Does this replace the Entra admin portal?

No. This is a design and planning tool. You still need the Entra admin portal (or PowerShell/Graph API) to actually create and enforce policies. This tool helps you plan correctly before deploying.

7. What licence do I need for Conditional Access?

Conditional Access requires Microsoft Entra ID P1 (included in Microsoft 365 E3/E5, Business Premium, A3/A5). Risk-based policies require Entra ID P2 (included in E5). Some features require additional licences like Intune or Defender for Cloud Apps.

8. How is this different from other CA tools?

This tool uniquely combines a template library, custom builder, policy-SET linting (not just single-policy), Zero Trust baseline scoring, rollout safety checks, and deploy-ready export — all in one free, offline tool. No other tool offers all of these together without requiring a tenant connection.

9. Is this tool still being improved?

Yes! This is a V1 release and we're actively improving it based on user feedback. If you have suggestions, find a bug, or want a new feature, please visit our Community Feedback page at aguidetocloud.com/feedback/ — every piece of feedback is read and acted on.

Design-time tool only. This tool helps you plan Conditional Access policies offline. It does not connect to your tenant, does not read real data, and cannot enforce policies. All analysis is heuristic-based — always test in Report-Only mode before enabling. Compliance mappings are illustrative and do not constitute certification guidance. Refer to official Microsoft documentation for the most up-to-date information.