Drift Detection

Monitor and detect configuration changes in your Microsoft 365 environment

Securtea's drift detection monitors your Microsoft 365 configuration for unauthorized or unexpected changes. Catch security misconfigurations before they become incidents.

What is Configuration Drift?

Configuration drift occurs when settings in your environment deviate from their intended state. This can happen due to:

  • Manual changes - Administrators modifying settings
  • Automated scripts - PowerShell or automation tools
  • Policy changes - Group Policy or Intune updates
  • Third-party integrations - OAuth apps or connectors
  • Malicious actors - Unauthorized access

Why Drift Detection Matters

Undetected configuration changes can lead to the following risks:

Risk                    Impact
----------------------  -------------------------------------------
Security gaps           Weakened authentication or access controls
Compliance violations   Falling out of framework requirements
Service disruptions     Breaking business processes
Data exposure           Unintended external access

How It Works

Securtea monitors drift in three phases:

1. Baseline Establishment

Define your expected configuration state:

  • Capture current settings as baseline
  • Define expected values for critical settings
  • Set comparison rules (exact match, contains, regex)

2. Scheduled Monitoring

Automated scans check your environment:

  • Configurable frequency (hourly, daily, weekly)
  • Targeted resource type filtering
  • Efficient API usage to minimize impact

3. Change Detection

When differences are found:

  • Create drift events with severity classification
  • Track status throughout lifecycle
  • Generate alerts via your preferred channels

Key Features

Multi-Resource Monitoring

Monitor drift across M365 services:

Service               Resource Types
--------------------  ----------------------------------
Microsoft Entra ID    Users, groups, applications, roles
Conditional Access    Policies, named locations
Exchange Online       Mail flow rules, policies
SharePoint            Site settings, sharing policies
Teams                 Team settings, meeting policies

Flexible Baselines

Create baselines tailored to your needs:

  • Point-in-time snapshots - Capture current config
  • Policy-based baselines - Define expected state
  • Template baselines - Use industry standards

Severity Classification

Classify drift by impact:

Severity   Description                         Response Time
---------  ----------------------------------  -------------
Critical   Immediate security risk             Hours
High       Significant compliance concern      24 hours
Medium     Notable change requiring review     1 week
Low        Minor deviation                     1 month

Alert Channels

Receive notifications through:

  • In-app - Dashboard notifications
  • Email - Team distribution lists
  • Webhook - Integration with ITSM tools

Getting Started

Enable Drift Detection

  1. Navigate to Drift Detection in the sidebar
  2. Click Configure Monitoring
  3. Set scan schedule (recommended: daily)
  4. Select resource types to monitor
  5. Click Save Configuration

Create Your First Baseline

  1. Go to Drift Detection > Baselines
  2. Click Create Baseline
  3. Select resource type
  4. Configure comparison rules
  5. Click Create

Review Drift Events

When drift is detected:

  1. Go to Drift Detection > Events
  2. Review open events
  3. Investigate changes
  4. Take action (acknowledge, resolve, ignore)

Drift Event Lifecycle

Event Statuses

Status         Meaning
-------------  ---------------------------
Open           New event awaiting review
Acknowledged   Under investigation
Resolved       Fixed, baseline updated
Ignored        Accepted risk, suppressed

Workflow

Detected → Open → Acknowledged → Resolved
                               → Ignored
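The three phases described under How It Works (baseline with comparison rules, scan, change detection with severity) and the event lifecycle above, as an added illustration that is not Securtea's own code or data format. The baseline, the scan snapshot, the resource names and the setting names are constructed for the example; the comparison rules (exact match, contains, regex), severities and statuses are the ones the page lists.

```python
import re

# Constructed sample data (not Securtea's own format): a baseline mapping each
# resource's settings to (comparison rule, expected value, severity), and a
# later scan snapshot in which several settings have drifted.
BASELINE = {
    "ConditionalAccess/Require-MFA-Admins": {"state": ("exact", "enabled", "critical")},
    "EntraID/Role/GlobalAdministrator": {
        "members": ("exact", ["alice@example.com", "bob@example.com"], "critical")},
    "SharePoint/Tenant": {"sharingCapability": ("exact", "ExternalUserSharingOnly", "high")},
    "ExchangeOnline/MailFlow": {"rules": ("contains", "Block-Auto-Forward", "high")},
    "Teams/MeetingPolicy/Global": {"allowAnonymousJoin": ("regex", r"(?i)false", "medium")},
}
SNAPSHOT = {
    "ConditionalAccess/Require-MFA-Admins": {"state": "disabled"},
    "EntraID/Role/GlobalAdministrator": {
        "members": ["alice@example.com", "bob@example.com", "svc-backup@example.com"]},
    "SharePoint/Tenant": {"sharingCapability": "ExternalUserSharingOnly"},
    "ExchangeOnline/MailFlow": {"rules": ["Tag-External-Mail", "Quarantine-Spam"]},
}  # Teams policy absent from the scan: treated as drift, not silently skipped
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TRANSITIONS = {"open": {"acknowledged"}, "acknowledged": {"resolved", "ignored"}}

def matches(rule, expected, actual):
    """Apply one comparison rule: exact match, contains (list item or substring), regex."""
    if rule == "exact":
        return actual == expected
    if rule == "contains":
        return expected in actual
    if rule == "regex":
        return re.fullmatch(expected, str(actual)) is not None
    raise ValueError(f"unknown comparison rule {rule!r}")

def detect_drift(baseline, snapshot):
    """Compare a scan snapshot with the baseline; return open drift events, worst first."""
    events = []
    for resource, settings in baseline.items():
        observed = snapshot.get(resource, {})
        for setting, (rule, expected, severity) in settings.items():
            actual = observed.get(setting)
            if actual is None or not matches(rule, expected, actual):
                events.append({"resource": resource, "setting": setting, "severity": severity,
                               "expected": expected, "actual": actual, "status": "open"})
    return sorted(events, key=lambda e: SEVERITY_RANK[e["severity"]])

def transition(event, new_status):
    """Move an event along the lifecycle open -> acknowledged -> resolved or ignored."""
    if new_status not in TRANSITIONS.get(event["status"], set()):
        raise ValueError(f"cannot move {event['status']} -> {new_status}")
    return {**event, "status": new_status}
```

On this data the scan yields four open events (two critical, one high, one medium); the absent Teams policy is reported with actual=None so a deleted or unreadable resource never passes as "no change".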

Best Practices

Baseline Management

  • Review and update baselines quarterly
  • Update after planned changes
  • Document baseline decisions

Alert Configuration

  • Set severity thresholds appropriate to your environment
  • Avoid alert fatigue with proper filtering
  • Ensure the right people receive the right alerts

Investigation Process

  1. Identify who made the change
  2. Determine if change was authorized
  3. Assess security impact
  4. Remediate or document as acceptable
