---
name: feedback-ca-programmatic-management
description: Conditional Access MAY be managed programmatically via the remediation-tool Tenant Admin app (overrides the old "CA stays manual in portal" boundary); strict report-only-first + break-glass-exclude discipline required
metadata:
  type: feedback
---

Conditional Access policies **may be created/modified programmatically** via the `/remediation-tool` **Tenant Admin tier** (`709e6eed`, which carries `Policy.ReadWrite.ConditionalAccess` plus the Conditional Access Administrator directory role). This **overrides** the prior scope boundary ("CA stays manual in the portal").

**Why:** Mike explicitly directed it on 2026-05-27 (Quantum onboarding). His rationale: with a **break-glass account excluded** and policies in **report-only**, the blast radius is near zero, and he wants the capability for scale (templated CA baselines across tenants).

**How to apply — mandatory discipline every time:**

1. Create/modify in **report-only first**: `state: "enabledForReportingButNotEnforced"`. Never create a policy directly in the `enabled` state. (The other valid values are `enabled` and `disabled`; anything else is rejected by Graph.)
2. Always **exclude the tenant's break-glass account** in `conditions.users.excludeUsers` (create the break-glass GA first if none exists). The exclusion is by object ID, so resolve the account to its `id` before building the policy body.
3. **Verify impact** in Entra sign-in logs before enforcing. Report-only logs what *would* happen: each sign-in carries a report-only result (Success / Failure / Not applied) for the policy, and the Conditional Access insights workbook aggregates these. Let enough real sign-ins accumulate to cover the accounts and client types the policy targets; a policy that has only ever seen admin sign-ins tells you nothing about the user population.
4. Get **explicit user confirmation before flipping any policy to `enabled`** on a tenant with real users.
5. Entra **app registrations** still stay manual. Only CA is in scope for programmatic management.

Endpoint: `POST` (create) or `PATCH` (modify an existing policy by ID) against `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` with the tenant-admin token. Verified working on Quantum tenant 2fd0092b (CA001 MFA-all + CA002 block-legacy, report-only). See [[365-remediation-tool-reference]].
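Steps 1, 2 and 4 above are mechanical and worth enforcing in code rather than by memory. The following is an added example, not the remediation tool's own code: it builds the two baseline policies named above (CA001 MFA-all, CA002 block-legacy) in report-only with the break-glass account excluded, refuses to produce a request body that violates steps 1 or 2, and only emits the `PATCH` that flips a policy to `enabled` when the caller passes an explicit confirmation flag (step 4). The break-glass object ID, tenant ID and token are constructed placeholders; the Graph field names (`state`, `conditions.users.excludeUsers`, `clientAppTypes`, `grantControls.builtInControls`) are the real schema. Nothing is sent unless `send_request` is called with a live token.

```python
"""Guarded builder for Microsoft Graph Conditional Access policy requests.

Added example, not the remediation tool's code. IDs below are placeholders.
"""
import json
import urllib.request

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = {"enabled", "disabled", REPORT_ONLY}

# Constructed placeholder for the tenant's break-glass Global Admin object ID.
BREAK_GLASS_ID = "11111111-1111-1111-1111-111111111111"


def ca_policy(display_name, break_glass_ids, grant, client_app_types=None):
    """Return a CA policy body in report-only state with break-glass excluded."""
    if not break_glass_ids:
        raise ValueError("break-glass exclusion is mandatory (step 2)")
    body = {
        "displayName": display_name,
        "state": REPORT_ONLY,  # step 1: never create directly as "enabled"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [grant]},
    }
    if client_app_types:
        body["conditions"]["clientAppTypes"] = client_app_types
    return body


def mfa_all(break_glass_ids):
    """CA001: require MFA for all users (report-only)."""
    return ca_policy("CA001 - Require MFA for all users", break_glass_ids, "mfa")


def block_legacy(break_glass_ids):
    """CA002: block legacy authentication clients (report-only)."""
    return ca_policy("CA002 - Block legacy authentication", break_glass_ids,
                     "block", ["exchangeActiveSync", "other"])


def check_discipline(body, break_glass_ids, allow_enabled=False):
    """Raise ValueError unless the body satisfies steps 1 and 2; return True."""
    problems = []
    state = body.get("state")
    if state not in VALID_STATES:
        problems.append(f"invalid state {state!r}")
    elif state != REPORT_ONLY and not allow_enabled:
        problems.append(f"state is {state!r}; must be {REPORT_ONLY!r} until impact is verified")
    excluded = set(body.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    missing = set(break_glass_ids) - excluded
    if missing:
        problems.append(f"break-glass account(s) not excluded: {sorted(missing)}")
    if problems:
        raise ValueError("; ".join(problems))
    return True


def build_request(body, token, break_glass_ids, policy_id=None):
    """Return (method, url, headers, json) for a guarded POST (create) or PATCH (modify)."""
    check_discipline(body, break_glass_ids)
    method = "PATCH" if policy_id else "POST"
    url = f"{GRAPH_CA}/{policy_id}" if policy_id else GRAPH_CA
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return method, url, headers, json.dumps(body)


def enable_policy_request(policy_id, token, confirmed=False):
    """Step 4: emit the PATCH that flips a policy to enabled only with explicit confirmation."""
    if not confirmed:
        raise ValueError("refusing to enable CA policy without explicit user confirmation")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "PATCH", f"{GRAPH_CA}/{policy_id}", headers, json.dumps({"state": "enabled"})


def send_request(method, url, headers, payload):
    """Send a prepared request (only call this with a live tenant-admin token)."""
    req = urllib.request.Request(url, data=payload.encode(), headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Dry run: show the create requests without sending them.
    for policy in (mfa_all([BREAK_GLASS_ID]), block_legacy([BREAK_GLASS_ID])):
        method, url, _, payload = build_request(policy, "<token>", [BREAK_GLASS_ID])
        print(method, url, payload)
```

Note that `check_discipline` is the only gate; keep it in the path of every create or modify call so a templated baseline copied across tenants cannot accidentally ship `enabled` or drop the exclusion for a tenant whose break-glass object ID differs.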