Compliance Alerts
Real-time alerting for compliance drift, policy violations, and configuration changes across your managed Microsoft 365 tenants. Stay ahead of compliance gaps with intelligent alerting that monitors controls continuously and notifies your team through multiple channels.
Note: Compliance Alerts is part of the Trust Center add-on module. Alerts are generated automatically when compliance assessments detect drift from established baselines, or when manual checks identify policy violations. Alerts integrate with your existing notification workflows including email, Microsoft Teams, and webhook endpoints.
Alert Overview
| Metric | Value |
|---|---|
| Critical Alerts | 8 |
| Warning Alerts | 23 |
| Informational | 47 |
| Resolved (30d) | 156 |
Alert Severity Levels
| Severity | Description | SLA Target | Example |
|---|---|---|---|
| Critical | Immediate compliance violation affecting regulatory requirements | 4 hours | MFA disabled for Global Admin |
| High | Significant compliance gap that requires prompt remediation | 24 hours | Conditional Access policy deleted |
| Medium | Configuration drift that may impact compliance posture | 72 hours | Audit log retention reduced below 90 days |
| Low | Minor deviation or best-practice recommendation | 7 days | Password expiration policy not aligned with NIST |
| Informational | Status update or scheduled assessment result notification | No action | Weekly compliance scan completed |
Alert Categories
- Configuration Drift — Triggered when tenant configuration deviates from compliance baseline. Monitors Conditional Access policies, Exchange transport rules, SharePoint sharing settings, DLP policies, and Intune device compliance policies.
- Policy Violations — Raised when a user action or system change directly violates a mapped compliance control. Includes unauthorized admin role assignments, external sharing of sensitive content, and disabled security features.
- Assessment Results — Generated after scheduled or on-demand compliance assessments complete. Reports new failures, score changes, and framework-specific compliance status across SOC 2, HIPAA, CMMC, NIST, CIS, ISO 27001, and GDPR.
- License and Entitlement — Alerts when required Microsoft 365 license features needed for compliance controls are missing, expired, or unassigned.
- Evidence Gaps — Flagged when evidence collection for a mapped control has not been refreshed within the required retention window or when evidence approval workflows are overdue.
- Remediation Overdue — Escalation alerts when open remediation actions exceed their SLA target. Includes the responsible technician, affected controls, and the number of days overdue.
Alert Rules Configuration
| Setting | Options | Description |
|---|---|---|
| Trigger Condition | Control failure, Score drop, Drift detected, Evidence gap | The event type that triggers the alert |
| Scope | All tenants, Tenant group, Specific tenant | Which tenants the rule applies to |
| Framework Filter | Any framework, SOC 2, HIPAA, CMMC, NIST, CIS, ISO 27001, GDPR | Limit alerts to specific compliance frameworks |
| Severity Threshold | Critical only, High+, Medium+, All | Minimum severity to trigger notification |
| Suppression Window | None, 1 hour, 4 hours, 24 hours | Suppress duplicate alerts within time window |
| Auto-Assign | Technician, Team, Unassigned | Automatically assign alerts to team members |
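To make the rule settings above concrete, here is an added example (not the product's own implementation) of evaluating an incoming alert event against one rule in the order a practitioner would expect the checks to run: scope, trigger condition, framework filter, severity threshold, and finally the suppression window. The event field names and the deduplication key (tenant, control, trigger) are assumptions; the severity order and threshold labels are taken from the tables on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Severity order from the Alert Severity Levels table; threshold labels from the
# Severity Threshold setting. Anything ranked below the threshold is not notified.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
THRESHOLD_RANK = {"Critical only": 4, "High+": 3, "Medium+": 2, "All": 0}

DedupKey = Tuple[str, str, str]  # (tenant, control, trigger): an assumed key


@dataclass
class AlertRule:
    trigger_conditions: Set[str]
    severity_threshold: str = "All"
    scope: Optional[Set[str]] = None                # None = All tenants
    frameworks: Optional[Set[str]] = None           # None = Any framework
    suppression_window: Optional[timedelta] = None  # None = no suppression
    last_notified: Dict[DedupKey, datetime] = field(default_factory=dict)

    def evaluate(self, event: dict) -> str:
        """Return "notify", or the reason the event produced no notification.

        Suppression state is updated only when a notification is actually sent,
        so a run of duplicates inside the window collapses to one alert and the
        first event after the window goes out again.
        """
        if self.scope is not None and event["tenant"] not in self.scope:
            return "out of scope"
        if event["trigger"] not in self.trigger_conditions:
            return "trigger not matched"
        if self.frameworks is not None and not self.frameworks & set(event["frameworks"]):
            return "framework filtered"
        if SEVERITY_RANK[event["severity"]] < THRESHOLD_RANK[self.severity_threshold]:
            return "below severity threshold"
        key: DedupKey = (event["tenant"], event["control"], event["trigger"])
        last = self.last_notified.get(key)
        if (self.suppression_window is not None and last is not None
                and event["time"] - last < self.suppression_window):
            return "suppressed: duplicate within window"
        self.last_notified[key] = event["time"]
        return "notify"


def evaluate_stream(rule: AlertRule, events: List[dict]) -> List[str]:
    """Evaluate events in time order; the rule carries suppression state across them."""
    return [rule.evaluate(e) for e in sorted(events, key=lambda e: e["time"])]


# Constructed event stream (tenants and controls borrowed from the Recent Alerts list).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"time": T0, "tenant": "Contoso Healthcare", "trigger": "Drift detected",
     "severity": "Critical", "control": "AC-7", "frameworks": ["HIPAA", "SOC 2"]},
    {"time": T0 + timedelta(minutes=10), "tenant": "Contoso Healthcare", "trigger": "Drift detected",
     "severity": "Critical", "control": "AC-7", "frameworks": ["HIPAA", "SOC 2"]},  # repeat scan
    {"time": T0 + timedelta(minutes=70), "tenant": "Contoso Healthcare", "trigger": "Drift detected",
     "severity": "Critical", "control": "AC-7", "frameworks": ["HIPAA", "SOC 2"]},  # after window
    {"time": T0 + timedelta(minutes=15), "tenant": "Fabrikam Legal", "trigger": "Control failure",
     "severity": "Medium", "control": "SC-7", "frameworks": ["SOC 2", "CMMC"]},
    {"time": T0 + timedelta(minutes=20), "tenant": "Woodgrove Bank", "trigger": "Score drop",
     "severity": "High", "control": "-", "frameworks": ["ISO 27001"]},
    {"time": T0 + timedelta(minutes=25), "tenant": "Contoso Healthcare", "trigger": "Evidence gap",
     "severity": "High", "control": "IA-2", "frameworks": ["SOC 2"]},
]


def demo() -> List[str]:
    """One rule: HIPAA/SOC 2 drift and control failures, High+, 1 hour suppression."""
    rule = AlertRule(
        trigger_conditions={"Drift detected", "Control failure"},
        severity_threshold="High+",
        scope={"Contoso Healthcare", "Fabrikam Legal"},
        frameworks={"HIPAA", "SOC 2"},
        suppression_window=timedelta(hours=1),
    )
    return evaluate_stream(rule, SAMPLE_EVENTS)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running `demo()` shows the second Contoso event collapsed into the first and the third, 70 minutes later, notifying again, which is the behaviour you want from a suppression window: fewer duplicate notifications, but no finding silently lost once the window has passed.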
Notification Channels
- Email Notifications — Send alert emails to individual technicians or distribution lists. Emails include tenant context, affected controls, framework references, and direct remediation links. Supports digest mode.
- Microsoft Teams — Post alerts to Teams channels using Adaptive Cards with actionable buttons. Technicians can acknowledge, assign, or escalate alerts directly from Teams.
- Webhooks — Send JSON-formatted alert payloads to external systems. Compatible with Slack, PagerDuty, ServiceNow, ConnectWise, Autotask, and custom integrations. Payloads are signed with an HMAC so the receiving endpoint can verify that an alert genuinely came from OpsPilot365 and was not altered in transit; custom integrations should verify the signature before acting on a payload.
- In-App Notifications — Real-time notifications within the OpsPilot365 console with filtering by severity, tenant, and framework.
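The following is an added example, not the product's own code, of how a receiving endpoint should verify a signed webhook payload. The header names, the `sha256=` hex encoding and the `<timestamp>.<body>` signing string are assumptions made for the example, so check the product's webhook settings for the actual scheme. The parts that carry over regardless: compute the HMAC over the raw bytes exactly as received, compare in constant time, and bind a timestamp into the signed data so a captured payload cannot be replayed indefinitely.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed header names and signing scheme (not documented on this page):
# signature = "sha256=" + hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")).
SIGNATURE_HEADER = "X-OpsPilot-Signature"
TIMESTAMP_HEADER = "X-OpsPilot-Timestamp"
MAX_SKEW_SECONDS = 300  # reject payloads more than 5 minutes old or in the future


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>", hex encoded with a scheme prefix."""
    mac = hmac.new(secret, timestamp.encode("ascii") + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> dict:
    """Return the parsed alert if the request is authentic and fresh.

    Raises ValueError otherwise. The signature is checked before the JSON is
    parsed, so an unauthenticated sender never reaches the parser.
    """
    now = time.time() if now is None else now
    timestamp = headers.get(TIMESTAMP_HEADER)
    provided = headers.get(SIGNATURE_HEADER)
    if not timestamp or not provided:
        raise ValueError("missing signature or timestamp header")
    try:
        sent_at = int(timestamp)
    except ValueError:
        raise ValueError("malformed timestamp header") from None
    # The timestamp is part of the signed data, so an attacker cannot refresh it
    # on a captured payload without also forging the signature.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        raise ValueError("stale or future-dated payload (possible replay)")
    expected = compute_signature(secret, timestamp, body)
    # compare_digest avoids the timing leak of a plain string comparison.
    if not hmac.compare_digest(expected, provided):
        raise ValueError("signature mismatch")
    return json.loads(body)


# Constructed sample alert, modelled on the Recent Alerts entries on this page.
SAMPLE_SECRET = b"replace-with-the-shared-secret-from-the-webhook-settings"
SAMPLE_ALERT = {
    "severity": "Critical",
    "title": "Conditional Access baseline policy modified",
    "tenant": "Contoso Healthcare",
    "controls": ["AC-7", "IA-2"],
    "frameworks": ["HIPAA", "SOC 2"],
}
SAMPLE_BODY = json.dumps(SAMPLE_ALERT, separators=(",", ":")).encode()


def demo() -> dict:
    """Sign the sample as the sender would, then verify it as the receiver."""
    ts = str(int(time.time()))
    headers = {
        TIMESTAMP_HEADER: ts,
        SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, ts, SAMPLE_BODY),
    }
    return verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY)


if __name__ == "__main__":
    print(demo())
```

Verify against the raw request body, not a re-serialised copy of the parsed JSON: key ordering and whitespace differences will change the bytes and the MAC will never match. Keep the shared secret out of source control and rotate it if a receiving system is compromised, since anyone holding it can forge alerts.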
Alert Lifecycle Workflow
- Triggered — Alert is generated by a compliance scan, drift detection, or manual check. Notifications are sent to configured channels.
- Acknowledged — A technician acknowledges the alert, stopping escalation timers. The alert is assigned to an owner.
- Investigating — The technician reviews the compliance gap, evaluates affected controls, and determines the appropriate remediation approach.
- Remediating — A remediation action is applied. The alert links to the remediation tracker for progress monitoring.
- Resolved — The compliance control passes verification. Alert is closed with resolution notes and added to the audit trail.
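An added example, not the product's code, of the lifecycle above as a small state machine tied to the SLA targets in the severity table: transitions are validated in order, acknowledging requires an owner and stops the escalation timer, resolving requires notes for the audit trail, and overdue days are counted while remediation is still open. Counting overdue time in whole days and the exact timer semantics are assumptions; the alert id is hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# SLA targets from the Alert Severity Levels table; Informational has none.
SLA_TARGET = {
    "Critical": timedelta(hours=4),
    "High": timedelta(hours=24),
    "Medium": timedelta(hours=72),
    "Low": timedelta(days=7),
    "Informational": None,
}

# Allowed next states for each state in the lifecycle above.
TRANSITIONS = {
    "Triggered": {"Acknowledged"},
    "Acknowledged": {"Investigating"},
    "Investigating": {"Remediating"},
    "Remediating": {"Resolved"},
    "Resolved": set(),
}

T0 = datetime(2024, 1, 1, 9, 0)  # constructed trigger time for the demo


@dataclass
class Alert:
    alert_id: str
    severity: str
    triggered_at: datetime
    state: str = "Triggered"
    owner: Optional[str] = None
    # Audit trail entries: (state, when, notes)
    history: List[Tuple[str, datetime, Optional[str]]] = field(default_factory=list)

    def transition(self, new_state: str, at: datetime,
                   owner: Optional[str] = None, notes: Optional[str] = None) -> "Alert":
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.alert_id}: illegal transition {self.state} -> {new_state}")
        if new_state == "Acknowledged":
            if not owner:
                raise ValueError("acknowledging an alert assigns it; an owner is required")
            self.owner = owner
        if new_state == "Resolved" and not notes:
            raise ValueError("resolution notes are required for the audit trail")
        self.state = new_state
        self.history.append((new_state, at, notes))
        return self

    def sla_deadline(self) -> Optional[datetime]:
        target = SLA_TARGET[self.severity]
        return None if target is None else self.triggered_at + target

    def escalation_pending(self, now: datetime) -> bool:
        """Escalation timers run only while the alert sits unacknowledged."""
        deadline = self.sla_deadline()
        return self.state == "Triggered" and deadline is not None and now > deadline

    def days_overdue(self, now: datetime) -> int:
        """Whole days past the SLA target while remediation is still open."""
        deadline = self.sla_deadline()
        if deadline is None or self.state == "Resolved" or now <= deadline:
            return 0
        return (now - deadline).days


def demo() -> Tuple[bool, bool, int]:
    """Critical alert: unacknowledged past SLA, then acknowledged, then 3 days on."""
    a = Alert("alrt-001", "Critical", T0)  # hypothetical id
    pending_before = a.escalation_pending(T0 + timedelta(hours=5))  # 4 hour SLA has passed
    a.transition("Acknowledged", T0 + timedelta(hours=5), owner="j.doe")
    pending_after = a.escalation_pending(T0 + timedelta(hours=6))   # owned, timer stopped
    a.transition("Investigating", T0 + timedelta(hours=6))
    overdue = a.days_overdue(T0 + timedelta(days=3))                 # 68 hours past deadline
    return pending_before, pending_after, overdue


if __name__ == "__main__":
    print(demo())
```

The distinction the code makes is the one the workflow relies on: acknowledgement stops escalation (someone owns the alert), but it does not stop the clock on the SLA itself, which is why a Remediation Overdue alert can still fire against an acknowledged, assigned alert.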
Recent Alerts
- Critical: Conditional Access baseline policy modified — Tenant: Contoso Healthcare, Controls: AC-7, IA-2, Frameworks: HIPAA, SOC 2 (12 minutes ago)
- Warning: External sharing enabled on SharePoint site — Tenant: Fabrikam Legal, Controls: SC-7, AC-21, Frameworks: CMMC, NIST (2 hours ago)
- Info: Scheduled compliance assessment completed — Tenant: Woodgrove Bank, Score: 82% (+2%), 3 new controls passing (6 hours ago)
Best Practices
- Configure separate alert rules for each compliance framework to ensure appropriate routing and SLA tracking
- Use suppression windows to prevent alert fatigue from repeated scan failures during planned maintenance, but keep them short: a suppressed alert is still a real finding, and a long window can hide genuine drift that begins while the window is open
- Route critical alerts to Teams channels for faster response times and team visibility
- Set up webhook integrations with your PSA tool to automatically create tickets for compliance alerts
- Review and tune alert rules monthly to reduce false positives and improve signal quality
- Enable auto-assignment for critical alerts to ensure no compliance violation goes unowned
API Reference
- GET /api/addons/trust-center/alerts — List all compliance alerts with filtering by severity, status, tenant, and framework
- GET /api/addons/trust-center/alerts/:alertId — Get detailed alert information including affected controls and remediation options
- PATCH /api/addons/trust-center/alerts/:alertId/acknowledge — Acknowledge an alert and assign to a technician
- PATCH /api/addons/trust-center/alerts/:alertId/resolve — Resolve an alert with resolution notes
- GET /api/addons/trust-center/alert-rules — List configured alert rules
- POST /api/addons/trust-center/alert-rules — Create a new alert rule
- PUT /api/addons/trust-center/alert-rules/:ruleId — Update an existing alert rule
- GET /api/addons/trust-center/alerts/summary — Get alert counts grouped by severity, status, and tenant