Drift Detection Overview

Monitor and detect configuration changes in your Microsoft 365 environment

Configuration Drift Detection

Securtea's drift detection feature continuously monitors your Microsoft 365 configuration for unauthorized or unexpected changes.

What is Configuration Drift?

Configuration drift occurs when settings in your environment change from their intended baseline state. This can happen due to:

  • Manual configuration changes
  • Automated scripts or policies
  • Third-party integrations
  • Malicious actors

How It Works

Securtea monitors your Microsoft 365 configuration in three steps:

1. Baseline Configuration

First, establish a baseline of your expected configuration:

  • Capture current settings as the baseline (review them first: a misconfiguration that already exists would otherwise become the "expected" state and never be flagged)
  • Define expected values for critical settings
  • Set comparison rules (exact match, contains, regex)

2. Scheduled Monitoring

Securtea automatically scans your environment:

  • Configurable scan frequency (hourly, daily, weekly)
  • Resource type filtering
  • Efficient API calls to minimize impact

3. Drift Detection

When changes are detected:

  • Create drift events with severity levels
  • Track status (open, acknowledged, resolved, ignored)
  • Generate trend analytics
  • Send alerts via email, webhooks, or in-app notifications

Key Features

Multi-Resource Monitoring

Monitor drift across various resource types:

  • Security Policies - Conditional Access, MFA settings
  • Exchange Online - Mail flow rules, retention policies
  • SharePoint - Sharing settings, external access
  • Teams - Guest access, meeting policies
  • Azure AD (Microsoft Entra ID) - Group settings, application permissions

Flexible Comparison Rules

Choose how to detect drift:

  • Exact Match - Setting must match baseline exactly
  • Contains - Setting must contain specific values
  • Regex - Use regular expressions for complex patterns

Severity Levels

Classify drift by impact:

  • Critical - Immediate security risk
  • High - Significant compliance concern
  • Medium - Notable change requiring review
  • Low - Minor deviation from baseline
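As an added example (not Securtea's own code), the JavaScript below shows the three-step flow from "How It Works" together with the comparison rules and severity levels above, in miniature: a baseline with expected values and a rule per setting, a scan snapshot compared against it, and the resulting drift events. The resource is a simplified, constructed stand-in for a Conditional Access policy; the field names, baseline format and function names are assumptions, not Securtea's schema or API.

```javascript
// Added example, not Securtea's code: a simplified model of baseline -> scan -> drift events.
// The policy shape is a constructed stand-in for a Conditional Access policy; field names,
// the baseline format and the functions are assumptions, not Securtea's schema or API.

// Baseline for one resource: expected values for critical settings, the rule used to
// compare each one, and the severity assigned if it drifts.
const baseline = {
  resourceType: "ConditionalAccessPolicy",
  resourceId: "Require MFA for admins",
  settings: [
    { path: "state", rule: "exact", expected: "enabled", severity: "critical" },
    { path: "conditions.users.includeRoles", rule: "contains",
      expected: ["Global Administrator"], severity: "critical" },
    { path: "grantControls.builtInControls", rule: "contains",
      expected: ["mfa"], severity: "critical" },
    { path: "displayName", rule: "regex", expected: "^Require MFA", severity: "low" },
  ],
};

// Read a dotted path out of a nested object; undefined if any segment is missing.
function getPath(obj, path) {
  return path.split(".").reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Evaluate one comparison rule against the observed value.
//   exact:    structural equality (strings, booleans, arrays; array order matters)
//   contains: every expected element present (array) or substring present (string)
//   regex:    the pattern matches the observed string
// A setting absent from the snapshot never matches, so removal counts as drift.
function matches(rule, expected, actual) {
  if (actual === undefined) return false;
  const want = Array.isArray(expected) ? expected : [expected];
  switch (rule) {
    case "exact":
      return JSON.stringify(actual) === JSON.stringify(expected);
    case "contains":
      if (Array.isArray(actual)) return want.every((e) => actual.includes(e));
      return typeof actual === "string" && want.every((e) => actual.includes(e));
    case "regex":
      return typeof actual === "string" && new RegExp(expected).test(actual);
    default:
      throw new Error(`unknown comparison rule: ${rule}`);
  }
}

// Compare a scan snapshot against the baseline and return one open drift event per
// failed setting. A resource that is missing entirely (e.g. the policy was deleted)
// is reported as a single critical event, since that is a different remediation
// from a changed setting.
function detectDrift(baseline, snapshot, observedAt = new Date().toISOString()) {
  const base = { resourceType: baseline.resourceType, resourceId: baseline.resourceId,
    status: "open", observedAt };
  if (snapshot == null) {
    return [{ ...base, setting: "*", rule: "exists", expected: "present",
      actual: null, severity: "critical" }];
  }
  const events = [];
  for (const s of baseline.settings) {
    const actual = getPath(snapshot, s.path);
    if (!matches(s.rule, s.expected, actual)) {
      events.push({ ...base, setting: s.path, rule: s.rule, expected: s.expected,
        actual: actual === undefined ? null : actual, severity: s.severity });
    }
  }
  return events;
}

// Constructed snapshots standing in for two scan results of the same policy.
const compliantSnapshot = {
  displayName: "Require MFA for admins",
  state: "enabled",
  conditions: { users: { includeRoles: ["Global Administrator", "Security Administrator"] } },
  grantControls: { builtInControls: ["mfa"] },
};

const driftedSnapshot = {
  displayName: "Require MFA for admins (temp)",            // still matches the regex
  state: "enabledForReportingButNotEnforced",               // report-only: MFA no longer enforced
  conditions: { users: { includeRoles: ["Security Administrator"] } }, // Global Admins dropped
  grantControls: { builtInControls: ["compliantDevice"] },  // mfa control removed
};

// detectDrift(baseline, compliantSnapshot) -> []
// detectDrift(baseline, driftedSnapshot)   -> 3 critical events (state, includeRoles, builtInControls)
```

The rule choice is what keeps the detector useful: the regex rule lets the display name carry a suffix without alerting, while the exact rule on state catches the downgrade to report-only mode, which stops MFA enforcement without deleting the policy.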

Drift Management

Handle detected drift events:

  • Acknowledge - Mark as reviewed
  • Resolve - Fix and close
  • Ignore - Suppress future alerts for this change
  • Comment - Add notes and context
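As a second added example (again not Securtea's code), a small in-memory store for the Drift Management workflow above: it enforces the status transitions, keeps the comments as an audit trail, and implements Ignore as suppression keyed on the specific change (resource, setting and observed value) rather than on the event id, so the same deviation seen by the next scan does not re-alert while a further change to that setting does. The event shape, `DriftStore` and its method names are assumptions modelled on the fields described on this page.

```javascript
// Added example, not Securtea's code: a minimal in-memory implementation of the drift
// management workflow (open -> acknowledged -> resolved / ignored), with "ignore"
// implemented as suppression of the specific change. Event fields and method names
// are assumptions, not Securtea's API.

// Transitions the workflow permits; anything else is rejected.
const ALLOWED_TRANSITIONS = {
  open: ["acknowledged", "resolved", "ignored"],
  acknowledged: ["open", "resolved", "ignored"],
  resolved: [],
  ignored: [],
};

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Identity of a change: which setting drifted on which resource, and to what value.
// Keying suppression on this rather than the event id means "ignore" covers the same
// deviation on later scans but not a new value for the same setting.
function fingerprint(ev) {
  return [ev.resourceType, ev.resourceId, ev.setting, JSON.stringify(ev.actual)].join("|");
}

class DriftStore {
  constructor() {
    this.events = new Map();     // id -> event
    this.suppressed = new Set(); // fingerprints of ignored changes
    this.nextId = 1;
  }

  // Record a detection from a scan. Returns the stored event, or null when the change
  // was previously ignored and therefore raises no alert.
  ingest(detection, observedAt) {
    const fp = fingerprint(detection);
    if (this.suppressed.has(fp)) return null;
    // An unhandled event for the same change is refreshed, not duplicated.
    for (const ev of this.events.values()) {
      if ((ev.status === "open" || ev.status === "acknowledged") && fingerprint(ev) === fp) {
        ev.lastSeen = observedAt;
        return ev;
      }
    }
    const ev = { id: `evt_${this.nextId++}`, ...detection, status: "open",
      firstSeen: observedAt, lastSeen: observedAt, comments: [] };
    this.events.set(ev.id, ev);
    return ev;
  }

  // Move an event through the workflow. Resolve and ignore require a comment so the
  // reason is on record; ignore also registers the suppression.
  updateEvent({ id, status, comment, actor }) {
    const ev = this.events.get(id);
    if (!ev) throw new Error(`unknown event ${id}`);
    if (!ALLOWED_TRANSITIONS[ev.status].includes(status)) {
      throw new Error(`cannot move ${id} from ${ev.status} to ${status}`);
    }
    if ((status === "resolved" || status === "ignored") && !comment) {
      throw new Error(`${status} requires a comment`);
    }
    ev.status = status;
    if (comment) ev.comments.push({ actor, status, comment });
    if (status === "ignored") this.suppressed.add(fingerprint(ev));
    return ev;
  }

  // Filter events by status and/or severity, most severe first.
  listEvents({ status, severity } = {}) {
    return [...this.events.values()]
      .filter((ev) => (!status || ev.status === status) && (!severity || ev.severity === severity))
      .sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
  }
}

// Constructed scenario: the same drift seen on three daily scans, ignored after review,
// then the same setting changes again to a different value.
function runScenario() {
  const store = new DriftStore();
  const detection = {
    resourceType: "ConditionalAccessPolicy", resourceId: "Require MFA for admins",
    setting: "state", expected: "enabled", actual: "enabledForReportingButNotEnforced",
    severity: "critical",
  };
  const first = store.ingest(detection, "2024-05-01T08:00:00Z");   // new event evt_1
  const repeat = store.ingest(detection, "2024-05-02T08:00:00Z");  // same event, lastSeen moves
  store.updateEvent({ id: first.id, status: "acknowledged", actor: "secops" });
  store.updateEvent({ id: first.id, status: "ignored", actor: "secops",
    comment: "Report-only pilot approved until end of quarter" });
  const suppressed = store.ingest(detection, "2024-05-03T08:00:00Z"); // null: no new alert
  const second = store.ingest({ ...detection, actual: "disabled" },   // different value: evt_2
    "2024-05-04T08:00:00Z");
  return { store, first, repeat, suppressed, second, open: store.listEvents({ status: "open" }) };
}
```

Because resolved and ignored events are terminal, a drift that reappears after it was resolved opens a fresh event instead of silently reviving the old one, which is what you want when a "fixed" change comes back.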

Getting Started

To enable drift detection:

  1. Navigate to Drift Detection in the dashboard
  2. Click Configure Monitoring
  3. Set your scan schedule (recommended: daily)
  4. Select resource types to monitor
  5. Click Save Configuration

Creating Your First Baseline

  1. Go to Drift Detection > Baselines
  2. Click Create Baseline
  3. Select a resource type (e.g., "Conditional Access Policies")
  4. Choose comparison rule
  5. Click Create

Best Practices

Baseline Management

  • Review baselines quarterly
  • Update after planned changes
  • Document baseline decisions

Alert Configuration

  • Set severity thresholds
  • Configure notification channels
  • Avoid alert fatigue

Workflow Integration

  • Connect to ticketing systems
  • Automate remediation where possible
  • Create runbooks for common drift scenarios

API Access

Programmatically access drift data:

// "api" is an authenticated Securtea client (see the API Reference).
// Both calls return promises, so run them inside an async function
// or in an ES module, where top-level await is allowed.

// List open drift events of critical severity
const events = await api.drift.listEvents({
  status: "open",
  severity: "critical",
});

// Acknowledge a drift event and record why the change was expected
await api.drift.updateEvent({
  id: "evt_123",
  status: "acknowledged",
  comment: "Planned change - approved by security team",
});

See API Reference for complete documentation.
