tools/ca-policy-check

Would your Conditional Access survive an audit — or lock you out?

Sign in read-only and this page pulls your Conditional Access policies live from Microsoft Graph and runs 12 health checks: break-glass exclusions, legacy auth, MFA coverage, risk policies, report-only drift and more — each mapped to the Essential Eight, CIS v8 and NIST CSF 2.0. There is no backend: your browser talks to Graph directly. Nothing is sent or stored.

ca-policy-check --sign-in
Delegated read-only permission: Policy.Read.All Only hosts contacted: login.microsoftonline.com · graph.microsoft.com Verify it: DevTools → Network while this runs

Sign in with a Microsoft work account holding Security Reader or Global Reader. Policy.Read.All needs one-time admin consent in your tenant. A popup opens — allow it if your browser asks.

policy inventory

policystateuserscontrols

Failed checks are the surface — a full assessment reviews your whole identity perimeter with a quoted fix list. Fixed price, one week → ./view pricing

questions before you sign in

What exactly am I consenting to?
One delegated, read-only Microsoft Graph permission: Policy.Read.All. Delegated means the tool can only read what your signed-in account can already read, only while this page is open. It reads your Conditional Access policies — it cannot create, change or delete them.
Why does it need admin consent?
Reading policy configuration always requires one-time approval by a Global Administrator — a Microsoft rule for this permission class, not ours. In most small businesses and MSPs the person running this check is that admin, so it's one extra click on the consent screen.
Why does the consent screen say "unverified"?
Sentavo is a new independent practice and hasn't completed Microsoft's publisher verification yet. The warning describes the publisher, not the permission — which remains read-only, listed in full on that same screen, and revocable by you at any time (see below). If that's not enough assurance today, fair — verify the traffic yourself first (next question).
How do I verify nothing leaves my browser?
Open DevTools (F12) → Network tab, then run the tool. Every request is visible: you'll see login.microsoftonline.com (sign-in) and graph.microsoft.com (your policies) — and nothing else. No calls to us, no analytics, no third parties. The page source is unminified if you'd rather read the code.
Can the results be wrong?
The 12 checks are heuristics for a directional read. They can't see Security Defaults, per-user MFA, or the intent behind an exclusion — so treat a FAIL as "go look", not "you're breached". A clean sweep also isn't a design review; it means the common failure patterns aren't present.
What role do I need, and how do I revoke access afterwards?
Your account needs Security Reader or Global Reader. To remove the app afterwards: Entra admin centre → Enterprise applications → Sentavo Tools → Delete. The session token expires when you close the tab — nothing persists.

Reads /identity/conditionalAccess/policies via Microsoft Graph with delegated permissions. Checks are heuristics for a directional read — they can't see Security Defaults, per-user MFA or named-account intent, and they don't replace a design review. The app can be revoked any time in Entra → Enterprise applications.