Now in beta for MSPs

Conditional Access,
managed at fleet scale.

Drift detection, impact analysis, MFA posture, and a safe change-management workflow across every customer Entra tenant you run. One console, every customer, never another "who changed CA101 yesterday?"

Free for up to 3 customer tenants. No credit card. Admin consent in one click.

policytab.com/dashboard

Tenants

Open alerts

Critical

MFA stale admins

Customer fleetlive

Contoso Ltd.P2

all clear

Acme IndustriesP1

3 open alerts

Fabrikam Co.P2

1 open alerts

NorthwindP1

all clear

Built on, for, and around Microsoft Entra

Microsoft Graph v1.0Entra ID P1 / P2Microsoft IntuneMirage CA BaselineSupabase

The problem

Every CA change is a guess until someone gets locked out.

The Azure portal shows you policies. It doesn't show you what's changed since last Tuesday, who'd be affected by enabling that policy, or which exec is about to lose access because their travel exception expired silently last night.

You can't see drift

Someone tweaked a CA policy in the portal three weeks ago. You'll find out at the next audit. Or when something breaks.

You can't predict impact

Flipping report-only → enforced is a coin flip. "Should be fine" until the Monday standup with 47 helpdesk tickets.

Exclusions never expire

That 24-hour travel exception from Q1 last year? Still active. So is the contractor who left in March.

What you get

Eight tracks. One console. Every customer.

Continuous

Drift detection

Snapshot every CA policy on every Resync. Compare against the Mirage baseline. Critical drift surfaces in red on the dashboard — not in a quarterly audit.

Pre-flight

Impact analysis

"Who gets blocked if I enforce CA101?" Pulls sign-in logs from Graph, aggregates in memory, shows 7 days of "would block" before Apply.

Daily-driver

MFA posture

Per-user fresh / amber / stale with confidence. Stale admins on the dashboard — not buried in a 5,000-row report.

Auto-expire

Exclusion workflow

Time-bound group memberships with reason + approver + auto-removal. Travel exception expires? Removed from Entra on the cron.

Triage

Sign-in viewer

Triage "user X is locked out" in 30 seconds. UPN filter, see the policy that blocked, one-click temporary exclusion with the right group recommended.

<1 min

Real-time drift alerts

Microsoft Graph change-notification subscriptions. Portal edit triggers a warning alert within ~1 minute. Slack / Teams / email / signed webhooks.

Critical

Break-glass monitoring

Sign-in by BG_BreakGlass member? Critical alert in 5 minutes. Dedicated posture page tracking last-checked + group membership health.

Safe-by-default

Change management

Dry-run every CA write. Per-kind diff + warnings (Critical-disable, MFA-removal, admin-portal-bypass). Pre + post snapshot. One-click rollback.

Built like the things we manage

Multi-tenant isolation, end-to-end auditable.

We're an identity-management product. We treat our own identity model the same way.

Schema-per-tenant in shared Postgres with row-level security on every shared table
Customer Graph credentials stored in Supabase Vault, scoped service-role access only
Custom Access Token Hook injects msp_id into every JWT — RLS scopes everything
Append-only audit log: UPDATE and DELETE revoked at the grant layer, enforced by pgTAP
Multi-tenant Entra app reg with admin consent per customer — no shared client secret in your env

policy: tenant_select_own_msp

create policy tenant_select_own_msp
  on public.tenant
  for select
  using (msp_id = public.current_msp_id());

-- current_msp_id() reads the JWT claim
-- injected by the access-token hook —
-- you can't see another MSP's tenants
-- even with a stolen anon key.

Pricing

Free for the first three customer tenants.

Pay only as you scale your MSP book. No per-seat fees on the customer side. No surprise costs when Microsoft adds a new SKU.

Onboard your first customer in 5 minutes.

Microsoft admin consent, automatic baseline import, drift report on day one.

Conditional Access,
managed at fleet scale.

Free for up to 3 customer tenants. No credit card. Admin consent in one click.

Multi-tenant isolation, end-to-end auditable.

We're an identity-management product. We treat our own identity model the same way.

Schema-per-tenant in shared Postgres with row-level security on every shared table

Customer Graph credentials stored in Supabase Vault, scoped service-role access only

Custom Access Token Hook injects msp_id into every JWT — RLS scopes everything

Append-only audit log: UPDATE and DELETE revoked at the grant layer, enforced by pgTAP

Multi-tenant Entra app reg with admin consent per customer — no shared client secret in your env

create policy tenant_select_own_msp on public.tenant for select using (msp_id = public.current_msp_id()); -- current_msp_id() reads the JWT claim -- injected by the access-token hook — -- you can't see another MSP's tenants -- even with a stolen anon key.

Conditional Access,managed at fleet scale.

Every CA change is a guess until someone gets locked out.

You can't see drift

You can't predict impact

Exclusions never expire

Eight tracks. One console. Every customer.

Drift detection

Impact analysis

MFA posture

Exclusion workflow

Sign-in viewer

Real-time drift alerts

Break-glass monitoring

Change management

Multi-tenant isolation, end-to-end auditable.

Free for the first three customer tenants.

Onboard your first customer in 5 minutes.

Conditional Access,managed at fleet scale.

Every CA change is a guess until someone gets locked out.

You can't see drift

You can't predict impact

Exclusions never expire

Eight tracks. One console. Every customer.

Drift detection

Impact analysis

MFA posture

Exclusion workflow

Sign-in viewer

Real-time drift alerts

Break-glass monitoring

Change management

Multi-tenant isolation, end-to-end auditable.

Free for the first three customer tenants.

Onboard your first customer in 5 minutes.

Conditional Access,
managed at fleet scale.

Conditional Access,
managed at fleet scale.