Wave 15 · Identity and Endpoint Expansion Microsoft / Entra / Conditional Access proof Synthetic policy snapshots + exception exports

Conditional Access policy drift, admin exclusions, and device/risk posture that stay operator-readable.

This control plane turns Conditional Access snapshots into one identity-governance surface: report-only admin policies, exclusion sprawl, device-trust gaps, missing sign-in risk coverage, weak session controls, and the remediation packets needed before audit or incident windows drift.

Overview Policy Lane Control Gaps Exception Posture Verification Docs

Commercial Front Door

Conditional Access, identity protection, and tenant-governance operations for platform, IAM, and security teams.
Audit-safe visibility into policy enforcement, exclusions, device trust, and app-targeting posture without exposing tenant credentials.

Proof Layer

Offline posture analyzer + CLI + dashboard surface.
This repo includes a reusable analyzer that reads Conditional Access exports and turns them into owner, control-gap, and remediation packets.

Why it matters

Recruiters looking for Azure / Entra / Conditional Access / Intune / identity governance should see real admin work: policy enforcement, exclusions, device trust, and audit-safe cleanup proof.

Operator Snapshot

policy enforcement · exclusions · device trust · risk coverage

policy bundles

Synthetic Conditional Access bundles across workforce and privileged-admin scopes.

current bundles

Snapshots fresh enough to trust for enforcement and audit decisions.

gaps

Observed control deviations across policy, device, risk, session, and app targeting.

blocking gaps

Control changes actively weakening the expected Conditional Access posture.

device gaps

Compliant-device enforcement or unmanaged endpoint gates still missing.

risk gaps

Sign-in risk coverage that needs repair before the policy set is called healthy.

Why operators care

conditional access proof · recruiter signal

guardrails first

Repair the posture before certifying the tenant

Restore admin enforcement, shrink emergency exclusions, reattach compliant-device checks, re-enable sign-in risk coverage, and close app-targeting gaps before calling Conditional Access posture healthy.

control evidence

Turn policy bundles into operator proof

Every lane stays tied to owner, control family, resource path, and the next concrete remediation move.

recruiter signal

Show real Conditional Access depth

This is real Entra Conditional Access proof, not generic cloud copy.