Mar 19, 2026

Bugbot for IT: guardrails before you ship a Conditional Access change.

Engineering · 7 min read
Conditional Access is version control without the version control. You edit in the portal, click save, and discover the mistake when someone cannot sign in. We built Bugbot for IT to make that moment rarer.

Code teams have CI guardrails. IT teams still ship identity policy from a single portal tab. Bugbot for IT is our preview layer: every CA change is diffed, blast radius is simulated, and apply is blocked when the outcome is reckless.

Why portals are bad at "what breaks?"

The Entra portal answers "what is configured?" It rarely answers "who will this break in production?" That second question is the one that matters when you widen apps.include from Office 365 to all apps, or when you broaden legacy auth blocks.

Mistakes are not careless. They are structural. The UI optimizes for editing, not for review.

Side-by-side policy diff

Every pending change opens in a review surface that looks like a code diff: v12 on the left, v13 on the right, additions in green, deletions in red. Policy names, grant controls, and conditions are normalized so you read the semantic change, not a raw export.

Continuous policy review. Every change diffed, every drift flagged, every Friday.

Blast radius and break-glass paths

Below the diff, Bugbot estimates affected users, apps, and sign-in volume. We highlight break-glass accounts and emergency access paths explicitly. If a change would block your last admin route, you see it before apply, not after the CEO's phone lights up.

  • Diff: Line-level CA policy comparison with stable ordering.
  • Simulate: Who matches the new conditions, including legacy client apps.
  • Drift: Policies that changed outside TenLens still surface in weekly review.

When apply is disabled

Some changes are valid but dangerous. Others are simply wrong. Bugbot disables Approve when:

  • No break-glass account survives the new grant controls.
  • MFA would be required on a path that your registered devices cannot satisfy.
  • The diff expands scope by more than a threshold you configured for your org.

You can override with a signed reason, which lands in the immutable audit export. Accountability stays intact.
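As an added illustration (not TenLens code), here is a minimal version of the three checks described above: a normalized policy diff, a blast-radius simulation over recent sign-ins, and the break-glass and scope-growth rules that disable Approve. The policy shape, the sign-in records, the account names and the growth threshold are constructed assumptions, not Entra's real export format or TenLens defaults.

```python
import copy
# Constructed sample (not TenLens data): v12 and v13 of one CA policy in a simplified
# Graph-like shape, plus a few recent sign-ins used to estimate blast radius.
V12 = {"displayName": "Require MFA", "state": "enabled",
       "conditions": {"users": {"include": ["All"], "exclude": ["bg-admin"]},
                      "applications": {"include": ["Office365"]},
                      "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
       "grantControls": {"builtInControls": ["mfa"]}}
V13 = copy.deepcopy(V12)                                # v13 widens three things:
V13["conditions"]["applications"]["include"] = ["All"]  # Office 365 -> all apps
V13["conditions"]["clientAppTypes"].append("exchangeActiveSync")  # legacy client app
V13["conditions"]["users"]["exclude"] = []              # break-glass no longer excluded
SIGNINS = [{"user": "alice", "app": "Office365", "client": "browser"},
           {"user": "bob", "app": "Payroll", "client": "browser"},
           {"user": "bg-admin", "app": "Office365", "client": "browser"},
           {"user": "svc-scan", "app": "Exchange", "client": "exchangeActiveSync"}]
BREAK_GLASS = {"bg-admin"}

def flatten(obj, path=""):
    """Dotted-path view of a policy; lists are sorted so ordering is stable."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(flatten(v, f"{path}.{k}" if path else k))
        return out
    return {path: sorted(obj) if isinstance(obj, list) else obj}

def diff(old, new):
    """Semantic diff as (path, before, after) triples, ordered by path."""
    a, b = flatten(old), flatten(new)
    return sorted((p, a.get(p), b.get(p)) for p in a.keys() | b.keys() if a.get(p) != b.get(p))

def matches(policy, s):
    """Does one sign-in fall inside the policy's user, app and client-app conditions?"""
    c = policy["conditions"]
    hit = lambda scope, v: "All" in scope or v in scope   # "All" is the wildcard
    return (s["user"] not in c["users"]["exclude"] and hit(c["users"]["include"], s["user"])
            and hit(c["applications"]["include"], s["app"]) and s["client"] in c["clientAppTypes"])

def simulate(policy, signins):
    """Users who would hit the policy's grant controls under these conditions."""
    return {s["user"] for s in signins if matches(policy, s)}

def blocking_reasons(old, new, signins, break_glass, max_growth=1.5):
    """Reasons Approve is disabled; an empty list means the change may be applied."""
    before, after = simulate(old, signins), simulate(new, signins)
    reasons = []
    if not (break_glass - after):        # every break-glass account now hits the grant
        reasons.append("no break-glass account survives the new grant controls")
    if before and len(after) / len(before) > max_growth:
        reasons.append(f"scope grows {len(before)}->{len(after)} users, above threshold")
    return reasons
```

Running `blocking_reasons(V12, V13, SIGNINS, BREAK_GLASS)` on this sample returns two reasons, so the v13 change would not be approvable without a signed override.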

Pair with runbooks and audit export

Bugbot is not a separate product. It lives in the same desktop console as search, reporting, and runbooks. Approve a change, ship the runbook that notifies SecOps, and pin an audit query that watches for regressions.

Want early access to policy guardrails on your tenant? Write to support@tenlens.com.

TenLens · Directory platform