# 🛡️ CA Policy Builder
Built: 2026-04-12
URL: aguidetocloud.com/ca-builder/
Status: ✅ Live (v3)
Pattern: Prompt Polisher / Readiness Checker (100% client-side JS, zero API calls)
## What It Does
Interactive Conditional Access policy design tool for Microsoft Entra ID. IT admins can:
- Choose a scenario (Small Business, Enterprise, Education, High Security) → get the right policy mix in 1 click
- Browse 20 pre-built policy templates organized by Zero Trust tier (Starting Point / Enterprise / Specialised)
- Build custom policies with a 7-step guided wizard
- Review their full policy set with Zero Trust score (0-100) + 8 automated safety linter checks
- Edit policies in the wizard, with duplicate detection
- Export deploy-ready PowerShell + Graph API JSON with syntax highlighting
- Import existing policies from Graph API JSON for review
- Print the review as a policy document for change management
- All 100% offline — no tenant connection, no login, no data leaves the browser
## Architecture

```
content/ca-builder/_index.md      ← Hugo content (SEO front matter + 8 FAQs)
layouts/ca-builder/list.html      ← 4-tab dashboard template
static/css/ca-builder.css         ← Deep Purple #7C3AED accent (~20KB)
static/js/ca-builder.js           ← Builder engine v3 (~65KB)
data/ca-builder/templates.toml    ← 20 policy templates
data/ca-builder/conditions.toml   ← All CA conditions + controls reference
data/ca-builder/compliance.toml   ← ISO 27001 / NIST / SOC 2 / Essential Eight mappings
data/ca-builder/changelog.toml    ← What Changed entries
```
## Integration Points

| File | Change |
|---|---|
| layouts/_default/baseof.html | page-ca-builder body class |
| static/css/style.css | .page-ca-builder nav accent (deep purple) |
| layouts/partials/nav.html | Added to Free Tools dropdown + active state |
| layouts/free-tools/list.html | Tool card with deep purple accent |
| hugo.toml | Bumped cache_version + tool_count = 16 |
## The 4 Tabs

### Tab 1: 📋 Templates (Default)
Landing experience: Scenario-based quick-start grid with 4 persona presets:
| Scenario | Policies | What's Included |
|---|---|---|
| 🏢 Small Business | 6 | All Starting Point |
| 🏦 Enterprise | 14 | Starting Point + Enterprise tier |
| 🏫 Education | 10 | SP + approved apps, guest MFA, ToU |
| 🔒 High Security | 18 | All 3 tiers + Azure Management |
Below the quick-start: 20 template cards grouped by tier (🟢 SP / 🟡 ENT / 🔴 SPEC), each with:
- Name + description + ⭐ Popular badge (top 6)
- 💡 Risk explanation
- 🔗 Dependency hints (Intune, Entra ID P2, MCAS)
- Collapsible "Show policy details" toggle
- ➕ Add / ✏️ Customize & Add / 📖 Learn More
- "Add All" button per tier section header
Adaptive quick-start: the banner changes state with the current policy set:
- Empty set → show scenario grid
- SP added → nudge to add Enterprise
- Has policies → show count + "Review & Export" CTA
### Tab 2: 🔨 Build
7-step wizard with clickable step indicators + progress bar:
1. Name & Intent — Policy name (validated ≥3 chars) + security goal
2. Users & Groups — Radio selection + text inputs for specific roles/groups
3. Target Apps — Radio + custom app text input
4. Conditions — Collapsible sections, radios for single-choice, checkboxes for multi
5. Grant Controls — Block vs Grant radio cards + control checkboxes (validated ≥1)
6. Session — Sign-in frequency, persistent browser, MCAS, CAE
7. Review & Add — Policy summary card
Features: live preview card (desktop sidebar + mobile inline), duplicate name detection, edit mode (re-opens wizard for existing policies), template pre-fill via Customize & Add.
### Tab 3: 🔍 Review
Zero Trust Baseline Score (0-100): SVG ring + per-tier progress bars showing "X of Y (Z%)". Custom policies contribute via keyword matching.
| Score | Label |
|---|---|
| 0-30 | 🔴 Minimal |
| 31-50 | 🟠 Basic |
| 51-70 | 🟡 Developing |
| 71-85 | 🟢 Strong |
| 86-100 | 🌟 Comprehensive |
Rollout Safety Linter — 8 checks with summary bar:
| Check | What It Catches |
|---|---|
| Break-glass (per-policy) | Lists specific policies missing exclusion |
| Admin lockout | Block-all without break-glass |
| Broad block | All users + all apps block |
| Report-only | Reminder to test first |
| Conflicts (condition-aware) | Block vs grant for overlapping scope |
| Azure Management | Unprotected portal/CLI |
| Legacy auth | Unblocked legacy protocols |
| Admin MFA | No MFA for admin roles |
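The following is an added example, not the linter inside ca-builder.js: a compact policy-set linter that mirrors the eight checks in the table above, run over Graph API-shaped conditionalAccessPolicy objects so that an imported JSON export can be checked the same way. The break-glass account id, the group and app ids in the sample set, and the sample policies themselves are constructed; the Azure Management app id and Global Administrator role template id are public Entra constants.

```javascript
// Added example, not the ca-builder.js engine: a compact policy-set linter that
// mirrors the eight rollout-safety checks, run over Graph API-shaped
// conditionalAccessPolicy objects. The break-glass account id, group ids and
// app ids in the sample set are constructed placeholders.
const BREAK_GLASS_ID = "11111111-1111-1111-1111-111111111111"; // constructed
// Well-known Entra identifiers (public constants, not tenant-specific):
const AZURE_MGMT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013";   // Windows Azure Service Management API
const GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"; // Global Administrator role template

const users = (p) => p.conditions?.users ?? {};
const appIds = (p) => p.conditions?.applications?.includeApplications ?? [];
const clientTypes = (p) => p.conditions?.clientAppTypes ?? ["all"];
const controls = (p) => p.grantControls?.builtInControls ?? [];
const isBlock = (p) => controls(p).includes("block");
const requiresMfa = (p) => !isBlock(p) && controls(p).includes("mfa");
const isActive = (p) => p.state === "enabled" || p.state === "enabledForReportingButNotEnforced";
const allUsers = (p) => (users(p).includeUsers ?? []).includes("All");
const coversAdmins = (p) => allUsers(p) || (users(p).includeRoles ?? []).includes(GLOBAL_ADMIN_ROLE);
const coversApp = (p, id) => appIds(p).includes("All") || appIds(p).includes(id);
const hasBreakGlass = (p) => (users(p).excludeUsers ?? []).includes(BREAK_GLASS_ID);
const shares = (a, b) => a.some((x) => b.includes(x));

// Condition-aware overlap: two policies only collide when their user scope,
// app scope AND client app types all intersect.
function scopesOverlap(a, b) {
  const ua = users(a), ub = users(b);
  const userOverlap = allUsers(a) || allUsers(b) ||
    shares(ua.includeUsers ?? [], ub.includeUsers ?? []) ||
    shares(ua.includeGroups ?? [], ub.includeGroups ?? []) ||
    shares(ua.includeRoles ?? [], ub.includeRoles ?? []);
  const appOverlap = coversApp(a, "All") || coversApp(b, "All") || shares(appIds(a), appIds(b));
  const clientOverlap = clientTypes(a).includes("all") || clientTypes(b).includes("all") ||
    shares(clientTypes(a), clientTypes(b));
  return userOverlap && appOverlap && clientOverlap;
}

// Returns one finding per failed check: { check, severity, message, policies }.
function lintPolicySet(policies) {
  const findings = [];
  const add = (check, severity, message, ps) =>
    findings.push({ check, severity, message, policies: ps.map((p) => p.displayName) });
  const active = policies.filter(isActive);

  const noBg = policies.filter((p) => !hasBreakGlass(p));
  if (noBg.length) add("break-glass", "error", "Missing the break-glass account exclusion", noBg);

  const lockout = active.filter((p) => isBlock(p) && coversAdmins(p) && !hasBreakGlass(p));
  if (lockout.length) add("admin-lockout", "error", "Block reaches admins with no break-glass exclusion", lockout);

  const broad = active.filter((p) => isBlock(p) && allUsers(p) && coversApp(p, "All") && clientTypes(p).includes("all"));
  if (broad.length) add("broad-block", "error", "Blocks all users on all apps and client types", broad);

  const enforced = policies.filter((p) => p.state === "enabled");
  if (enforced.length) add("report-only", "info", "Enforced: confirm each was validated in report-only first", enforced);

  for (let i = 0; i < active.length; i++)
    for (let j = i + 1; j < active.length; j++)
      if (isBlock(active[i]) !== isBlock(active[j]) && scopesOverlap(active[i], active[j]))
        add("conflict", "warning", "Block and grant policies overlap in scope", [active[i], active[j]]);

  if (!active.some((p) => requiresMfa(p) && coversApp(p, AZURE_MGMT_APP)))
    add("azure-management", "warning", "No MFA policy covers Azure Management (portal/CLI)", []);
  if (!active.some((p) => isBlock(p) && allUsers(p) && shares(clientTypes(p), ["exchangeActiveSync", "other"])))
    add("legacy-auth", "warning", "Legacy authentication protocols are not blocked", []);
  if (!active.some((p) => requiresMfa(p) && coversAdmins(p)))
    add("admin-mfa", "error", "No MFA requirement covers admin roles", []);
  return findings;
}

// Constructed sample set in Graph API JSON shape (group/app ids are placeholders).
const SAMPLE_POLICIES = [
  { displayName: "Require MFA for all users", state: "enabled",
    conditions: { users: { includeUsers: ["All"], excludeUsers: [BREAK_GLASS_ID] },
                  applications: { includeApplications: ["All"] },
                  clientAppTypes: ["browser", "mobileAppsAndDesktopClients"] },
    grantControls: { operator: "OR", builtInControls: ["mfa"] } },
  { displayName: "Block legacy authentication", state: "enabled",
    conditions: { users: { includeUsers: ["All"], excludeUsers: [BREAK_GLASS_ID] },
                  applications: { includeApplications: ["All"] },
                  clientAppTypes: ["exchangeActiveSync", "other"] },
    grantControls: { operator: "OR", builtInControls: ["block"] } },
  { displayName: "Block contractors from Finance app", state: "enabledForReportingButNotEnforced",
    conditions: { users: { includeGroups: ["grp-contractors"] },
                  applications: { includeApplications: ["app-finance"] }, clientAppTypes: ["all"] },
    grantControls: { operator: "OR", builtInControls: ["block"] } },
];

for (const f of lintPolicySet(SAMPLE_POLICIES))
  console.log(`[${f.severity}] ${f.check}: ${f.message}${f.policies.length ? " -> " + f.policies.join(", ") : ""}`);
```

On the sample set the linter reports three findings: the contractor block lacks the break-glass exclusion, the two enforced policies get the report-only reminder, and the contractor block is flagged as conflicting with the MFA grant (it shares users, apps and client types). The legacy-auth block is not flagged against the MFA policy because their client app types do not intersect, which is the condition-aware part of the conflict check.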
Also: Compliance mapping (ISO 27001, NIST 800-53, SOC 2, Essential Eight) in collapsible section, Edit/Remove buttons per card, Clear All with confirm, Undo on remove, Share link.
### Tab 4: 📤 Export
5 format sub-tabs with copy/download:
| Format | What |
|---|---|
| ⚡ PowerShell | New-MgIdentityConditionalAccessPolicy with syntax highlighting |
| 📋 Graph API JSON | POST-ready JSON with syntax highlighting |
| 📊 CSV | Summary table |
| 📄 Documentation | Printable text document |
| 🚀 Rollout Plan | 5-phase deployment checklist |
"What to do next" checklist appears below PS/JSON output. Import from JSON: Paste Graph API export to review existing policies.
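An added example of the two deploy-ready formats, not the export code in ca-builder.js: a small serialiser that turns one Graph API policy object into the POST body and into a PowerShell hashtable for New-MgIdentityConditionalAccessPolicy. The sample policy and its break-glass id are constructed; the export is forced to report-only unless the caller opts in, which is the "test first" step the checklist asks for.

```javascript
// Added example, not the ca-builder.js export code: serialises one Graph API
// policy object into the PowerShell and Graph JSON deploy formats.
// Recursively renders a JS value as a PowerShell literal (hashtable/array/scalar).
function psLiteral(v, indent = 0) {
  const pad = "  ".repeat(indent);
  if (v === null || v === undefined) return "$null";
  if (typeof v === "boolean") return v ? "$true" : "$false";
  if (typeof v === "number") return String(v);
  if (typeof v === "string") return `'${v.replace(/'/g, "''")}'`; // single-quoted: no variable expansion
  if (Array.isArray(v)) return v.length ? `@(${v.map((x) => psLiteral(x, indent)).join(", ")})` : "@()";
  const body = Object.entries(v).map(([k, x]) => `${pad}  ${k} = ${psLiteral(x, indent + 1)}`);
  return `@{\n${body.join("\n")}\n${pad}}`;
}

// Export defaults to report-only so a pasted script cannot enforce by accident;
// pass { enforce: true } only once the policy has been validated.
function forExport(policy, { enforce = false } = {}) {
  return { ...policy, state: enforce ? "enabled" : "enabledForReportingButNotEnforced" };
}

// Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
function toGraphJson(policy, opts) {
  return JSON.stringify(forExport(policy, opts), null, 2);
}

function toPowerShell(policy, opts) {
  return [
    "# Requires the Microsoft.Graph.Identity.SignIns module; connect with",
    "# Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess'",
    `$params = ${psLiteral(forExport(policy, opts))}`,
    "New-MgIdentityConditionalAccessPolicy -BodyParameter $params",
  ].join("\n");
}

// Constructed sample policy; the excluded user id is a placeholder break-glass account.
const SAMPLE_POLICY = {
  displayName: "CA001: Require MFA for all users",
  state: "enabled",
  conditions: {
    users: { includeUsers: ["All"], excludeUsers: ["11111111-1111-1111-1111-111111111111"] },
    applications: { includeApplications: ["All"] },
    clientAppTypes: ["browser", "mobileAppsAndDesktopClients"],
  },
  grantControls: { operator: "OR", builtInControls: ["mfa"] },
};

console.log(toPowerShell(SAMPLE_POLICY));
console.log(toGraphJson(SAMPLE_POLICY));
```

Strings are emitted single-quoted with embedded quotes doubled, so a policy name containing `$` or `'` cannot alter the generated script; the input object is never mutated, so the builder's own state keeps whatever state the user chose.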
## Key Differentiators (What No Competitor Does Together)
| Feature | Our Tool | AccessLens | CloudToolStack | Jasper Simulator |
|---|---|---|---|---|
| No login required | ✅ | ❌ | ✅ | ✅ |
| Scenario presets | ✅ | ❌ | ❌ | ❌ |
| 20+ template library | ✅ | ❌ | ❌ | ❌ |
| Policy-SET linting | ✅ | ✅ | ❌ | ❌ |
| "Will this lock me out?" | ✅ | ❌ | ❌ | ❌ |
| Zero Trust score | ✅ | ❌ | ❌ | ❌ |
| Deploy-ready PS + JSON | ✅ | ❌ | ❌ | ❌ |
| Import existing policies | ✅ | ❌ | ❌ | ❌ |
| Edit policies in wizard | ✅ | ❌ | ❌ | ❌ |
| Print CSS | ✅ | ❌ | ❌ | ❌ |
| Syntax highlighting | ✅ | ❌ | ❌ | ❌ |
## Version History
| Version | Date | Changes |
|---|---|---|
| v1 | 2026-04-12 | Initial: 4 tabs, 20 templates, basic builder, linter, export |
| v2 | 2026-04-12 | 21 UX fixes: export fidelity, specific inputs, linter accuracy, validation, quick-start, add-all, custom ZT score, undo, customize-&-add, conditions bug, CAE, card collapse, tier grouping, ZT labels, compliance mapping, custom tier style, mobile preview, linter summary, shareable URL, clickable steps, export CTA |
| v3 | 2026-04-12 | 19 enhancements: scenario presets (Big Idea), edit policy, duplicate detection, mobile step label, syntax highlighting, how-many helper, dependency hints, what-to-do-next, print CSS, popular badges, import from JSON, save/compare sets, blog CTA, adaptive quick-start |
## Design Decisions

| Decision | Rationale |
|---|---|
| Deep Purple #7C3AED | Security/trust colour, distinct from violet and blue |
| 4 tabs not 6 | Rubber-duck critique: 6 fragments UX |
| No SVG flow diagram | CA isn't linear if-then — policy cards more accurate |
| "Design-time linting" framing | Without tenant data, analysis is heuristic |
| Rollout safety as USP | "Will this lock people out?" is #1 admin fear |
| Scenario presets as landing | #1 user question: "What's right for MY org?" |
| Per-policy break-glass check | Any-policy pass was false confidence |
| Print CSS | IT teams need printable docs for change management |
## SEO
- Target keywords: "conditional access policy builder", "CA policy builder free", "conditional access templates", "zero trust conditional access"
- JSON-LD: WebApplication + FAQPage (8 questions)
- Shareable URLs: Policy set encoded in URL params
- Cross-links: From Copilot Readiness Checker (Pillar 2) + Licensing Simplifier (Entra ID P1/P2)
## Maintenance

- Quarterly: Check MS Learn for new CA features, template updates, Graph API changes
- When Microsoft adds conditions/controls: Update conditions.toml + JS
- When Zero Trust recommendations change: Update templates.toml