Visual Builder
Create drift detection rules with a point-and-click interface
The visual builder provides a point-and-click interface for creating drift detection rules without writing code or complex expressions.
Overview
The visual builder helps you:
- Create baselines without technical expertise
- See real-time preview of what will be monitored
- Test rules before activating them
- Iterate quickly on rule configuration
Accessing the Visual Builder
- Navigate to Drift Detection > Baselines
- Click Create Baseline
- Select Visual Builder
Building Rules
Step 1: Select Resource Type
Choose what to monitor:
| Category | Resource Types |
|---|---|
| Identity | Users, Groups, Service Principals |
| Access | Conditional Access, Named Locations |
| | Mail Flow Rules, Anti-Phishing |
| Collaboration | SharePoint Sites, Teams |
| Security | Security Defaults, MFA Settings |
Click a resource type to continue.
Step 2: Choose Specific Resources
Select which resources to include:
- All Resources - Monitor every resource of this type
- Specific Resources - Select individual items
- By Criteria - Filter by properties (e.g., "Policies named 'Admin*'")
Step 3: Select Properties
Choose which properties to monitor. The builder lists the properties available for the selected resource type:
☑ displayName
☑ state (enabled/disabled)
☑ conditions
☑ users
☑ applications
☑ locations
☐ grantControls (optional)
Check properties you want to monitor for changes.
Step 4: Configure Rules
For each selected property, define the comparison rule:
Simple Properties
For text and boolean values:
| Property | Rule Type | Example |
|---|---|---|
| state | Exact Match | "enabled" |
| displayName | Contains | "MFA" |
| isEnabled | Exact Match | true |
Complex Properties
For nested objects and arrays:
| Property | Rule Type | Example |
|---|---|---|
| conditions.users | Contains | "All Users" |
| grantControls | Has Value | "mfa" |
Step 5: Set Severity
Assign severity for drift events:
- Critical - Changes here pose immediate security risk
- High - Significant security concern
- Medium - Review recommended
- Low - Informational
Step 6: Preview and Test
Before saving, preview your rule:
- Click Preview
- See which resources match your criteria
- View sample baseline data
- Test against current configuration
The preview shows:
- Resources that will be monitored
- Current values for selected properties
- Any existing drift that would be detected
Rule Examples
Monitor MFA Policy State
Goal: Ensure MFA policy stays enabled
Resource: Conditional Access Policies
Filter: displayName contains "MFA"
Property: state
Rule: Exact Match = "enabled"
Severity: Critical
Track Admin Group Members
Goal: Detect changes to admin group membership
Resource: Groups
Filter: displayName = "Global Admins"
Property: members
Rule: Exact Match (current members)
Severity: High
Monitor External Sharing
Goal: Ensure SharePoint external sharing is restricted
Resource: SharePoint Tenant Settings
Property: sharingCapability
Rule: One Of ["Disabled", "ExistingExternalUserSharingOnly"]
Severity: High
Advanced Features
Conditional Rules
Create rules that only apply under certain conditions:
IF resource.displayName contains "Production"
THEN severity = Critical
ELSE severity = Medium
Combined Properties
Monitor multiple properties together:
Monitor when:
- state changes to "disabled" AND
- displayName contains "Security"
Exception Patterns
Exclude specific resources from monitoring:
Monitor: All Conditional Access Policies
EXCEPT: displayName contains "Test" OR "Dev"
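The rule types from Step 4 together with the filter, exception and conditional-severity patterns above, as an added Python example that is not the product's code; the POLICIES snapshot is constructed, and the function signatures are an assumed representation for illustration, not the product's exported expression format.

```python
from typing import Any

# Constructed sample snapshot of Conditional Access policies (not real data).
POLICIES = [
    {"displayName": "Require MFA for Admins", "state": "enabled",
     "grantControls": ["mfa"]},
    {"displayName": "MFA for All Users", "state": "disabled",
     "grantControls": ["mfa"]},
    {"displayName": "Test MFA pilot", "state": "disabled",
     "grantControls": ["mfa"]},
    {"displayName": "Block legacy auth", "state": "enabled",
     "grantControls": ["block"]},
]

# Exception pattern from the page: skip resources named like test/dev items.
EXCEPT_NAME_CONTAINS = ("Test", "Dev")


def rule_holds(rule_type: str, actual: Any, expected: Any) -> bool:
    """True when the observed value satisfies the visual-builder rule type."""
    if rule_type == "Exact Match":
        return actual == expected
    if rule_type == "Contains":  # substring for text, element for arrays
        return actual is not None and expected in actual
    if rule_type == "Has Value":  # nested object/array carries the value
        return isinstance(actual, (list, dict)) and expected in actual
    if rule_type == "One Of":
        return actual in expected
    raise ValueError(f"unknown rule type: {rule_type}")


def detect_drift(resources, name_filter, prop, rule_type, expected,
                 severity="Medium"):
    """Apply one baseline rule and return a drift event per non-compliant
    resource. Conditional rule (assumed shape, as on the page): names that
    contain "Production" are escalated to Critical; others keep `severity`."""
    events = []
    for res in resources:
        name = res.get("displayName", "")
        if name_filter not in name:  # Filter: displayName contains ...
            continue
        if any(x in name for x in EXCEPT_NAME_CONTAINS):  # EXCEPT Test/Dev
            continue
        actual = res.get(prop)
        if rule_holds(rule_type, actual, expected):
            continue
        events.append({"resource": name, "property": prop, "actual": actual,
                       "expected": expected,
                       "severity": "Critical" if "Production" in name
                       else severity})
    return events
```

Running the "Monitor MFA Policy State" example against the snapshot flags only "MFA for All Users": the admin policy is compliant and the "Test" pilot is excluded by the exception pattern.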
Testing Rules
Dry Run
Before activating:
- Click Test Rule
- Scan runs against current configuration
- Results show what would be detected
- Adjust rules based on results
Simulation Mode
Enable simulation mode:
- Rule runs on schedule
- Generates preview events (not actual alerts)
- Review simulation results
- Activate when confident
Editing Visual Rules
Modify Existing Rules
- Open the baseline
- Click Edit in Visual Builder
- Modify any step
- Save changes
Convert to Advanced
For complex rules, convert to code:
- Open the baseline
- Click Convert to Expression
- Edit the JSON/expression directly
- Visual builder link is removed
Converting to expression is one-way. You cannot convert back to visual builder.
Best Practices
Start Simple
- Begin with basic exact-match rules
- Add complexity as needed
- Test thoroughly before production
Use Descriptive Names
Name baselines clearly:
- ✅ "CA Policy - Require MFA for Admins - State Check"
- ❌ "Policy Check 1"
Group Related Rules
Create baselines that cover related configurations:
- All Conditional Access policy states
- All mail flow rule settings
- All SharePoint sharing settings
Document Intent
Add descriptions to explain:
- Why this rule exists
- What security risk it mitigates
- Who to contact for questions
Troubleshooting
Properties Not Showing
If expected properties don't appear:
- Verify resource type selection
- Check API permissions
- Confirm licensing, since some properties require specific licenses
Rule Too Broad
If rule matches too many resources:
- Add filter criteria
- Select specific resources instead of all
- Use more specific property selectors
Rule Not Matching
If expected resources aren't monitored:
- Check filter criteria for typos
- Verify resource exists with expected properties
- Preview rule to see what matches