Kinetic Gain · Conditional Access Posture Board
synthetic policy exports · gap packets
entra conditional access · device trust · sign-in risk
Wave 15 · Identity and Endpoint Expansion · Microsoft / Entra / Conditional Access · Proof: synthetic policy snapshots + exception exports

Conditional Access policy drift, admin exclusions, and device/risk posture that stay operator-readable.

This control plane turns Conditional Access snapshots into one identity-governance surface: report-only admin policies, exclusion sprawl, device-trust gaps, missing sign-in risk coverage, weak session controls, and the remediation packets an operator needs to close each gap before an audit or incident window opens, rather than after the posture has quietly drifted.

Control Gaps

severity · risk · owner · control family · subject · message

high · stale-policy-export
owner: Platform Reliability · subject: /tenants/kg-prod/policy-bundles/privileged-admin
Policy snapshot for "Privileged admin protections" is stale and should be refreshed before Conditional Access posture is certified.

high · report-only-admin-policy
owner: Entra IAM · control family: Policy · subject: CA-PRIV-Require-MFA-Compliant-Device
Admin-facing policy "CA-PRIV-Require-MFA-Compliant-Device" is in report-only mode: its MFA and compliant-device requirements are evaluated on admin sign-ins but no longer enforced.

high · emergency-access-exclusion-drift
owner: Entra IAM · control family: Exclusion · subject: CA-PRIV-Exclude-Emergency-Accounts
The break-glass exclusion on "CA-PRIV-Exclude-Emergency-Accounts" has drifted beyond the approved emergency accounts and should be tightened before the next access review cycle.

high · compliant-device-gap
owner: Endpoint Engineering · control family: Device · subject: CA-WF-Require-Compliant-Device
Compliant-device enforcement on "CA-WF-Require-Compliant-Device" is weakened and no longer matches the expected device-trust posture.

high · sign-in-risk-coverage-missing
owner: Identity Protection · control family: Risk · subject: CA-RISK-SignIn-Protection
Risk-based Conditional Access coverage on "CA-RISK-SignIn-Protection" is incomplete and should be restored before this policy set is called healthy.

medium · session-control-gap
owner: Identity Protection · control family: Session · subject: CA-WF-SharePoint-Session-Controls
Session controls on "CA-WF-SharePoint-Session-Controls" are incomplete, reducing Conditional Access containment and auditability.

medium · uncovered-app-gap
owner: Application Access · control family: App · subject: ServiceNow HR onboarding
A critical app or workload path, "ServiceNow HR onboarding", is not fully targeted by Conditional Access.

low · stale-gap-window
owner: Platform Reliability · control family: Exclusion · subject: CA-PRIV-Exclude-Emergency-Accounts
Gap on "CA-PRIV-Exclude-Emergency-Accounts" has remained unresolved for 31 hours.

low · stale-gap-window
owner: Platform Reliability · control family: Risk · subject: CA-RISK-SignIn-Protection
Gap on "CA-RISK-SignIn-Protection" has remained unresolved for 41 hours.

low · stale-gap-window
owner: Platform Reliability · control family: Session · subject: CA-WF-SharePoint-Session-Controls
Gap on "CA-WF-SharePoint-Session-Controls" has remained unresolved for 27 hours.
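How a board like this derives its gap packets from a policy export, as an added example that is not the board's own code: the checks below run over a constructed snapshot in the Microsoft Graph conditionalAccessPolicy shape (displayName, state, conditions.users, conditions.signInRiskLevels, grantControls) and emit the same risk classes the table uses. The bundle wrapper (exported_at, approved_break_glass, policies), the account and policy values, and the detection thresholds are assumptions for this example; the single role template id is the well-known Global Administrator template.

```python
"""Gap checks over a Conditional Access policy snapshot (added example, not the board's code).

The snapshot mirrors the Graph conditionalAccessPolicy shape. The bundle wrapper
(exported_at, approved_break_glass, policies) and every account/policy value are
constructed for this example; GLOBAL_ADMIN is the well-known role template id.
"""
from datetime import datetime, timedelta, timezone

REPORT_ONLY = "enabledForReportingButNotEnforced"
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template

SNAPSHOT = {  # constructed sample export
    "exported_at": "2024-05-01T06:00:00Z",
    "approved_break_glass": ["bg-01", "bg-02"],  # assumed list of sanctioned emergency accounts
    "policies": [
        {   # admin policy left in report-only, plus an unsanctioned account in its exclusions
            "displayName": "CA-PRIV-Require-MFA-Compliant-Device",
            "state": REPORT_ONLY,
            "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN],
                                     "excludeUsers": ["bg-01", "bg-02", "svc-legacy-sync"]},
                           "signInRiskLevels": []},
            "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
        },
        {   # OR between mfa and compliantDevice: MFA alone satisfies the grant, no device check
            "displayName": "CA-WF-Require-Compliant-Device",
            "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-01"]},
                           "signInRiskLevels": []},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
        },
        {   # only high sign-in risk is covered; medium is not
            "displayName": "CA-RISK-SignIn-Protection",
            "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                           "signInRiskLevels": ["high"]},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
    ],
}


def _gap(risk, subject, detail):
    return {"risk": risk, "subject": subject, "detail": detail}


def evaluate(snapshot, now, max_age_hours=24, required_risk=("high", "medium")):
    """Return gap packets for one snapshot; `now` is injected so the result is reproducible."""
    gaps = []
    exported = datetime.fromisoformat(snapshot["exported_at"].replace("Z", "+00:00"))
    age = now - exported
    if age > timedelta(hours=max_age_hours):
        gaps.append(_gap("stale-policy-export", snapshot["exported_at"],
                         f"snapshot is {age.total_seconds() / 3600:.0f}h old"))

    approved = set(snapshot["approved_break_glass"])
    covered_risk, risk_policies = set(), []
    for p in snapshot["policies"]:
        name, users = p["displayName"], p["conditions"]["users"]
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls") or [])

        # report-only on a policy that targets directory roles: evaluated, never enforced
        if p["state"] == REPORT_ONLY and users.get("includeRoles"):
            gaps.append(_gap("report-only-admin-policy", name, "state is report-only"))

        # any excluded account outside the approved break-glass set is exclusion drift
        drift = set(users.get("excludeUsers") or []) - approved
        if drift:
            gaps.append(_gap("emergency-access-exclusion-drift", name,
                             f"unapproved exclusions: {sorted(drift)}"))

        # compliantDevice OR'd with other controls can be satisfied without any device check
        if "compliantDevice" in controls and grant.get("operator") == "OR" and len(controls) > 1:
            gaps.append(_gap("compliant-device-gap", name,
                             "grant operator is OR; another control alone satisfies the policy"))

        levels = set(p["conditions"].get("signInRiskLevels") or [])
        if p["state"] == "enabled" and levels:
            covered_risk |= levels
            risk_policies.append(name)

    missing = [lvl for lvl in required_risk if lvl not in covered_risk]
    if missing:
        gaps.append(_gap("sign-in-risk-coverage-missing", ", ".join(risk_policies) or "tenant",
                         f"no enabled policy covers sign-in risk levels {missing}"))
    return gaps


def demo_findings():
    """Run the checks against the constructed snapshot at a fixed clock, two days after export."""
    return evaluate(SNAPSHOT, now=datetime(2024, 5, 3, 6, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for g in demo_findings():
        print(f"{g['risk']:32} {g['subject']:40} {g['detail']}")
```

Two design points worth keeping when adapting this to a real export: the clock is passed in rather than read from the system, so the stale-snapshot check is reproducible in a test or a replayed incident window, and the compliant-device check looks at the grant operator, not just the presence of compliantDevice, because an OR grant lets MFA satisfy a policy whose name promises device trust.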