Privacy Policy

Last updated: February 2026

Summary

CA Simulator does not collect, store, or transmit any of your data. Period.

How It Works

CA Simulator runs entirely in your browser. When you connect to your tenant, your browser authenticates directly with Microsoft Entra ID using MSAL.js and retrieves data directly from Microsoft Graph API. No data passes through our servers.

What We Don't Do

We do not store your Conditional Access policies
We do not store user information, group memberships, or role assignments
We do not log your simulation scenarios or results
We do not use cookies for tracking
We do not share any data with third parties

Authentication

Authentication is handled entirely by Microsoft's identity platform (MSAL.js with PKCE). Tokens are stored in your browser's sessionStorage and are cleared when you close the tab. We never see or store your credentials or tokens.

Permissions

The app requests read-only delegated permissions:

Policy.Read.All — Read Conditional Access policies
Application.Read.All — Resolve application names
Directory.Read.All — Resolve users, groups, and roles
User.Read.All — User search for simulation
GroupMember.Read.All — Group membership resolution

These are delegated permissions, meaning they operate within the signed-in user's own access level. The app cannot access anything the user cannot already access themselves.

Analytics

We use Vercel Web Analytics, which collects anonymous page view data (page URL, referrer, country) with no cookies and no personal data. See Vercel's privacy policy.

Sample Mode

Sample mode uses hardcoded demo data. No authentication or API calls are made. No data leaves your browser.

Contact

Questions? Reach out on X: @haakonwibe