Would your Conditional Access survive an audit — or lock you out?
Sign in read-only and this page pulls your Conditional Access policies live from Microsoft Graph and runs 12 health checks: break-glass exclusions, legacy auth, MFA coverage, risk policies, report-only drift and more — each mapped to the Essential Eight, CIS v8 and NIST CSF 2.0. There is no backend: your browser talks to Graph directly. Nothing is sent or stored.
Sign in with a Microsoft work account holding Security Reader or Global Reader. Policy.Read.All needs one-time admin consent in your tenant. A popup opens — allow it if your browser asks.
policy inventory
| policy | state | users | controls |
|---|
Failed checks are the surface — a full assessment reviews your whole identity perimeter with a quoted fix list. Fixed price, one week → ./view pricing
questions before you sign in
▸What exactly am I consenting to?
▸Why does it need admin consent?
▸Why does the consent screen say "unverified"?
▸How do I verify nothing leaves my browser?
▸Can the results be wrong?
▸What role do I need, and how do I revoke access afterwards?
Reads /identity/conditionalAccess/policies via Microsoft Graph with delegated permissions. Checks are heuristics for a directional read — they can't see Security Defaults, per-user MFA or named-account intent, and they don't replace a design review. The app can be revoked any time in Entra → Enterprise applications.