Skip to content

ErKiran/conditional-access-cli

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
cmd
cmd
 
 
docs
docs
 
 
graph
graph
 
 
helper
helper
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
cred.env
cred.env
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

CA-CLI

A powerful command-line tool for Microsoft Entra Conditional Access policy analysis, simulation, and testing.

Overview

CA-CLI helps IAM engineers and administrators validate, test, and understand Conditional Access policies through:

  • Policy Analysis: List and explain policies in human-readable format
  • What-If Simulation: Test sign-in scenarios against policies
  • Batch Testing: Run hundreds of scenarios concurrently for regression testing

Think of it as policy QA automation for Microsoft Entra ID.

Features

1. List Policies

ca list

list

View all Conditional Access policies with:

  • Policy state (enabled, report-only, disabled)
  • Target users and groups
  • Target applications
  • Conditions (platform, client, location, risk)
  • Grant controls (MFA, compliant device, approved app)
  • Session controls (sign-in frequency, app controls)

2. Explain Policy

./ca explain "High Risk Sign In Protection"

explain

Deep-dive into a single policy with detailed conditions and controls.

3. What-If Simulation

./ca whatif \
  --user kiruu1234@iamkiran.onmicrosoft.com \
  --app office365 \
  --platform windows \
  --client browser \
  --country US \
  --ip 40.77.182.32

single_what_if

Simulate a sign-in scenario and see:

  • Which policies apply
  • Which policies don't apply (and why)
  • What controls are required
  • Final access decision (allowed / MFA required / blocked)

Filter to specific policy:

./ca whatif \
  --user kiruu1234@iamkiran.onmicrosoft.com \
  --app office365 \
  --platform windows \
  --client browser \
  --country US \
  --ip 40.77.182.32
  --policy "MFA-Pilot-Users"

4. Batch Testing

ca batch --input scenarios.csv --csv results.csv --json results.json --workers 10

batch

Run bulk What-If evaluations for regression testing and policy validation.

Input CSV format:

scenario_id,user,app,platform,client,country,ip,policy
TC-001,alice@contoso.com,office365,windows,browser,US,40.77.182.32,
TC-002,bob@contoso.com,office365,ios,mobile,CA,52.12.10.1,MFA-Pilot
TC-003,charlie@contoso.com,salesforce,android,mobile,UK,52.212.1.44,

Output includes:

  • Terminal summary (total scenarios, success/fail, top policies)
  • CSV report (for Excel analysis)
  • JSON report (for integrations)

Installation

Prerequisites

  • Go 1.21+
  • Microsoft Entra ID tenant
  • App registration with permissions:
    • Policy.Read.All (Application)
    • User.Read.All (User if wants to use email/UPN instead of GUID)

Setup

  1. Clone repository:
git clone https://github.com/ErKiran/conditional-access-cli.git
cd conditional-access-cli

  1. Create app registration in Azure:

    • Go to Azure Portal → Entra ID → App registrations → New
    • Add API permissions: Policy.Read.All, User.Real.All
    • Grant admin consent
    • Create client secret

  2. Configure credentials:

cp cred.env credentials.env

Edit credentials.env:

CLIENT_ID=your-app-registration-client-id
CLIENT_SECRET=your-client-secret
TENANT_ID=your-tenant-id
  1. Build:
go build -o ca
  1. Run:
./ca list

Usage Examples

Validate Policy Before Rollout

# Test pilot group across platforms
ca batch --input pilot-scenarios.csv --csv pilot-results.csv --workers 5

Exception Testing

# Test break-glass account
ca whatif \
  --user breakglass@contoso.com \
  --app office365 \
  --platform windows \
  --client browser

Regression Testing

# After policy change, rerun test suite
ca batch --input regression-suite.csv --json baseline.json --workers 10

# Compare with previous baseline
diff baseline-before.json baseline.json

Key design decisions:

  • Uses official Graph What-If API (beta endpoint)
  • Concurrent worker pool for batch processing
  • User UPN → object ID resolution with caching
  • Rate-limit friendly (configurable workers)

Use Cases

1. Pre-Deployment Validation

Test policy against representative user/app/platform combinations before enabling.

2. Pilot Analysis

Validate pilot group behavior across scenarios.

3. Exception Review

Test VIP accounts, contractors, BYOD devices.

4. Regression Testing

Rerun scenario suite after policy changes to detect unintended impacts.

5. Incident Investigation

Explain why a specific sign-in failed or succeeded.

Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Add tests for new functionality
  4. Submit a pull request

License

MIT License - see LICENSE for details.

Acknowledgments

Built with:

Author

Built by Kiran Adhikari as part of IAM automation tooling.

Why this exists: Conditional Access testing in the Azure Portal is manual and time-consuming. This tool brings developer-style QA automation to IAM policy management.

Who is this for:

  • IAM engineers validating policy changes
  • Security teams doing pre-rollout testing
  • Admins troubleshooting sign-in issues
  • Anyone managing Conditional Access at scale

About

Policy QA Automation for Entra Conditional Access

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages