
Built a CA baseline I use across tenants and a browser deployer to ship it without secrets or pipelines.
- 40 policies, 11 groups, 4 named locations across 6 personas (users, admins, apps, service accounts, guests, workload agents)
- Critical / Recommended / Optional tiering, full catalog in README
- Click the Deploy badge → sign in as CA Admin → deploy. No fork, no secrets, no GitHub Actions, no Cloud Shell.
- Multitenant SPA with PKCE, delegated Graph only - your admin session does the work, token dies with the tab
- Policies created in report-only by default (a few deploy disabled where report-only would have an impact). Skips on display-name collision - never PATCHes existing policies. Dry run included.
Doesn't fill group memberships, IP ranges, or ToU objects — those stay tenant-owned.
https://github.com/Teuftis/ConditionalAccessBaseline-Hardened
MIT. Issues welcome (PRs require collaboration access - open an issue and we can talk). Feedback I'd love: the persona split (especially the Agent persona for workload IDs - anyone running CA on those in prod?), and whether the catalog is missing anything obvious.
u/FunctionPitiful — 8 days ago
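The create-or-skip rules the post describes (report-only by default, skip on display-name collision, never PATCH, dry run), as an added JavaScript example that is not code from the linked repository; the Graph endpoint constant, the injected `postPolicy` function and the `deployDisabled` catalog flag are assumptions:

```javascript
// Added example, not the project's code: the planning and execution step of a
// Conditional Access baseline deployer with the rules the post describes:
// new policies default to report-only, a baseline policy whose displayName
// already exists in the tenant is skipped (never PATCHed), and dry run returns
// the plan without posting anything.
const GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies";
const REPORT_ONLY = "enabledForReportingButNotEnforced";

// `existing` is the tenant's current policy list (from GET on the endpoint
// above); `baseline` is the catalog. Returns create/skip lists, posts nothing.
function planDeployment(baseline, existing) {
  const taken = new Set(existing.map(p => p.displayName.trim().toLowerCase()));
  const plan = { create: [], skipped: [] };
  for (const policy of baseline) {
    const key = policy.displayName.trim().toLowerCase();
    if (taken.has(key)) {
      plan.skipped.push({ displayName: policy.displayName, reason: "displayName collision" });
      continue;
    }
    // Copy so the catalog object is not mutated. `deployDisabled` is an assumed
    // catalog flag for the few policies that should ship disabled, not report-only.
    const { deployDisabled, ...body } = policy;
    body.state = deployDisabled ? "disabled" : REPORT_ONLY;
    plan.create.push(body);
    taken.add(key); // also catches duplicate names inside the baseline itself
  }
  return plan;
}

// Executes the plan with the signed-in admin's delegated token. `postPolicy`
// is injected so this runs offline; in the SPA it would be a fetch() POST to
// GRAPH_CA_POLICIES with the bearer token. There is deliberately no PATCH path.
async function deploy(baseline, existing, postPolicy, { dryRun = true } = {}) {
  const plan = planDeployment(baseline, existing);
  if (dryRun) return { ...plan, created: [] };
  const created = [];
  for (const body of plan.create) created.push(await postPolicy(body));
  return { ...plan, created };
}

// Constructed sample input: one name already exists in the tenant.
const existingPolicies = [{ id: "p1", displayName: "CA001 - Require MFA for admins" }];
const baselineCatalog = [
  { displayName: "CA001 - Require MFA for admins", grantControls: { operator: "OR", builtInControls: ["mfa"] } },
  { displayName: "CA002 - Block legacy authentication", grantControls: { operator: "OR", builtInControls: ["block"] } },
  { displayName: "CA003 - Agent persona - block unknown locations", deployDisabled: true, grantControls: { operator: "OR", builtInControls: ["block"] } },
];
```

Running `deploy(baselineCatalog, existingPolicies, postFn)` with the default `dryRun: true` yields the plan (CA001 skipped, CA002 report-only, CA003 disabled) without calling `postFn` at all.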