Your tenant stays yours
Decolla provisions Windows devices through your own Microsoft Intune and Autopilot tenant, under scopes you can read in full before you consent. Here is what we hold, why we hold it, and where the limits are.
The question you're right to ask
Any tool that asks to connect to your Intune tenant is asking you to extend your security boundary. If that decision goes wrong, the vendor doesn't sit in the incident review — you do. So scepticism isn't an obstacle to work around here; it's the correct starting position, and this page is written for it.
Decolla comes out of a working UK IT consultancy that has sat on your side of that decision — the side that carries the risk for tenants it touches. The security model below is the one we would demand before connecting anything to a tenant we were responsible for. The honest move is to answer the awkward questions before you have to ask them.
It runs in your tenant — not ours
Decolla provisions Windows devices through your own Microsoft Intune and Windows Autopilot tenant. Every policy, application, script and setting in your approved plan is created as a first-class object in your tenant, and delivered to devices by Microsoft's own machinery. Your devices talk to Microsoft, not to us.
That means installs, enrolment and policy sync run at Microsoft's pace — Decolla doesn't sit in the delivery path, and doesn't claim to speed it up. What it removes is the weeks of assembly: researching, building and wiring up the configuration yourself. There is no parallel management plane, and no routing of your device management through our infrastructure.
What we hold — and why
Decolla holds your plan — the itemised build definition you read and approved. It's kept so the build can be run, audited against what you agreed, and rolled back if you change your mind. That's what the plan is for, and that's why it's retained.
Access to your tenant is consent-based: Decolla acts only under the consent you grant in your own tenant, against the scope list published before you connect — and you can review or revoke that consent at any time. We're pre-launch, so there are no "customers like you" statistics to show you; inventing them would be dishonest, and we won't.
Every scope, published before you connect
Before Decolla connects to your tenant, the full list of Microsoft Graph scopes it requests is published for you to read — each scope, and what it's needed for. No "permissions will be requested at setup" placeholder, no scope that appears only once you're mid-consent.
You grant consent in your own tenant, and you review or revoke it there whenever you choose, using the same Entra controls you'd apply to any other application. If the published list doesn't survive your scrutiny, don't connect — that's the point of publishing it first.
Reversibility, declared per item — and its honest limit
Nothing runs until you've read and approved a written plan. Every item in it shows its delivery method and its reversibility class before you say yes: auto, reversible, or flagged irreversible. No item is quietly assumed to be undoable.
Rollback — per item or for the whole build — removes what Decolla put into your tenant. The honest limit: rollback covers Decolla's own changes only. It cannot un-fail a Microsoft install or rescue a stuck Enrolment Status Page, and no tool can honestly promise that. We'd rather you read that sentence here than discover it mid-incident.
Who's behind it — and where it stands
Decolla is a product of The Cloud Platform Ltd, a UK company built on a working IT consultancy — the kind that answers to its own clients for the tenants it touches, and built Decolla out of that work rather than around it.
Where it stands today: Decolla is in private build. You won't find customer logos or testimonials on this page, because there are no customers yet, and we won't manufacture any. If the model above holds up to your scrutiny — your tenant, published scopes, a plan you approve, limits stated in writing — the early-access waitlist is the only way in. Sceptical readers are exactly who we want on it.
See it on a real device.
Decolla is in private build — early-access members see a build defined, deployed and rolled back first.
Get early access