
Drift Detection

Continuously monitor Microsoft 365 tenant configurations for deviations from established compliance baselines. Drift Detection identifies when settings change unexpectedly, categorizes the severity of each deviation, and can automatically remediate critical drift before it becomes a compliance violation.

Note: Drift Detection runs as a continuous background process, comparing live tenant configurations against your defined compliance baselines. When drift is detected, alerts are generated, evidence is captured, and optional auto-remediation policies can restore the baseline state without manual intervention.

Drift Overview

| Metric | Value |
| --- | --- |
| Critical Drift | 5 |
| Warning Drift | 18 |
| Settings In Baseline | 247 |
| Auto-Remediated (7d) | 12 |

Baseline Definition and Management

  • Framework-Aligned Baselines — Pre-built configuration baselines mapped to SOC 2, HIPAA, CMMC, NIST 800-171, CIS Microsoft 365 Benchmarks, ISO 27001, and GDPR.
  • Custom Baselines — Define your own configuration baselines by selecting specific settings and expected values. Export a working tenant’s configuration as a baseline template.
  • Baseline Versioning — Track changes to baselines over time with full version history. Compare versions side-by-side. Roll back to previous versions when framework requirements are updated.
  • Baseline Assignment — Assign baselines to individual tenants, tenant groups, or all tenants. Support for multiple baselines per tenant for multi-framework compliance.

Monitored Configuration Areas

| Area | Settings Monitored | Check Frequency |
| --- | --- | --- |
| Azure AD / Entra ID | Conditional Access policies, Security Defaults, Authentication Methods, Password policies, B2B settings | Every 4 hours |
| Exchange Online | Transport rules, Anti-spam policies, DKIM/DMARC, Mailbox auditing, Journal rules, Litigation hold | Every 6 hours |
| SharePoint Online | External sharing settings, Access control policies, Site-level permissions, Sensitivity labels | Every 6 hours |
| Microsoft Intune | Device compliance policies, Configuration profiles, Windows Update rings, BitLocker settings | Every 6 hours |
| Microsoft Defender | Safe Links, Safe Attachments, Anti-phishing policies, Alert policies, ASR rules | Every 4 hours |
| Compliance Center | DLP policies, Retention policies, Sensitivity labels, Audit log settings, eDiscovery | Every 6 hours |
| Teams | Meeting policies, Messaging policies, External access, Guest access, App permissions | Every 12 hours |

Drift Categories and Severity

| Category | Severity | Description | Example |
| --- | --- | --- | --- |
| Security Policy Removed | Critical | A security policy or control has been deleted | Conditional Access policy removed |
| Security Feature Disabled | Critical | A required security feature was turned off | MFA registration requirement disabled |
| Policy Weakened | High | A policy was modified to be less restrictive | External sharing expanded from specific domains to all |
| Configuration Changed | Medium | Setting value changed from baseline expectation | Password expiration changed from 90 to 180 days |
| New Unmanaged Setting | Low | New configuration discovered not in baseline | New Conditional Access policy created outside OpsPilot365 |

  • Drift Timeline — Visual timeline showing when drift events occurred, their severity, and resolution status. Filter by tenant, configuration area, or framework.
  • Recurring Drift Report — Identifies settings that repeatedly drift from baseline, indicating root-cause issues such as unauthorized admin changes or conflicting Group Policy Objects.
  • Tenant Drift Score — Aggregated drift score per tenant showing overall baseline adherence. Compare drift scores across your managed tenant portfolio.
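The classification rules in the drift category table, written out in Python as an added illustration (this is not OpsPilot365's own code). The setting names, the per-setting "kind" field and the ranking of SharePoint sharing levels are assumptions made for the example; the sample baseline and live snapshot are constructed.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional

# Severity per drift category, as in the table above.
SEVERITY = {"Security Policy Removed": "Critical", "Security Feature Disabled": "Critical",
            "Policy Weakened": "High", "Configuration Changed": "Medium", "New Unmanaged Setting": "Low"}
# Assumed ranking of SharePoint external-sharing levels, most to least restrictive.
SHARING_RANK = {"disabled": 0, "existing_guests": 1, "specific_domains": 2, "anyone": 3}

@dataclass(frozen=True)
class BaselineSetting:
    expected: Any
    kind: str = "setting"  # "policy" (a whole control), "feature" (on/off), or "setting" (a value)
    weaker: Optional[Callable[[Any, Any], bool]] = None  # True when live is less restrictive

def classify_drift(baseline: dict, live: dict) -> list:
    """Compare a live tenant snapshot to its baseline; return (setting, category, severity)."""
    events = []
    for name, spec in baseline.items():
        if name not in live:  # control deleted outright, or a plain value no longer reported
            cat = "Security Policy Removed" if spec.kind == "policy" else "Configuration Changed"
        elif live[name] == spec.expected:
            continue
        elif spec.kind == "feature" and spec.expected is True and live[name] is False:
            cat = "Security Feature Disabled"
        elif spec.weaker is not None and spec.weaker(live[name], spec.expected):
            cat = "Policy Weakened"
        else:
            cat = "Configuration Changed"
        events.append((name, cat, SEVERITY[cat]))
    for name in live:  # anything the baseline does not know about is unmanaged
        if name not in baseline:
            events.append((name, "New Unmanaged Setting", SEVERITY["New Unmanaged Setting"]))
    return events

# Constructed sample baseline and live snapshot (hypothetical setting names, not real tenant data).
BASELINE = {
    "ca_policy/require_mfa_all_users": BaselineSetting("enabled", kind="policy"),
    "entra/mfa_registration_required": BaselineSetting(True, kind="feature"),
    "sharepoint/external_sharing": BaselineSetting("specific_domains", kind="policy",
        weaker=lambda live, exp: SHARING_RANK.get(live, 99) > SHARING_RANK[exp]),
    "entra/password_expiration_days": BaselineSetting(90),
}
LIVE = {
    "entra/mfa_registration_required": False,
    "sharepoint/external_sharing": "anyone",
    "entra/password_expiration_days": 180,
    "ca_policy/block_legacy_auth_test": "enabled",  # created outside the baseline
}
```

Running `classify_drift(BASELINE, LIVE)` yields one event per row of the table, in the order the baseline lists its settings, followed by the unmanaged setting.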

Auto-Remediation Policies

Warning: Auto-remediation automatically reverts configuration changes to the baseline state without manual intervention. Enable only for well-tested baselines and settings where automatic reversion is safe and expected. All auto-remediation actions are logged in the audit trail.

| Policy Setting | Options | Description |
| --- | --- | --- |
| Auto-Remediate | Enabled / Disabled | Master switch for automatic drift correction |
| Scope | All drift, Critical only, Selected settings | Which drift events trigger auto-remediation |
| Delay | Immediate, 1 hour, 4 hours, 24 hours | Grace period before auto-remediation executes |
| Notify Before | Yes / No | Send notification before auto-remediation applies |
| Max Actions per Day | 1-100 or Unlimited | Rate limit to prevent runaway automation |
| Exclusions | Settings list, Tenants, Time windows | Exclude specific settings or tenants from auto-remediation |
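How the policy settings above combine when a drift event arrives, as an added Python example rather than the product's own scheduler. The data structures, the decision strings, the treatment of an event that lands in an excluded time window (skipped, to be re-evaluated on the next scan) and the reference time `T0` are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DELAYS = {"Immediate": timedelta(0), "1 hour": timedelta(hours=1),
          "4 hours": timedelta(hours=4), "24 hours": timedelta(hours=24)}

@dataclass
class RemediationPolicy:
    enabled: bool = False                     # Auto-Remediate master switch
    scope: str = "Critical only"              # "All drift", "Critical only" or "Selected settings"
    selected_settings: frozenset = frozenset()
    delay: str = "4 hours"
    notify_before: bool = True
    max_actions_per_day: Optional[int] = 10   # None means Unlimited
    excluded_settings: frozenset = frozenset()
    excluded_tenants: frozenset = frozenset()
    excluded_windows: tuple = ()              # (start_hour, end_hour), half-open, tenant local time

@dataclass
class DriftEvent:
    tenant: str
    setting: str
    severity: str
    detected_at: datetime

@dataclass
class Scheduler:
    policy: RemediationPolicy
    actions_per_day: dict = field(default_factory=dict)  # date -> actions already scheduled

    def decide(self, ev: DriftEvent) -> tuple:
        """Return (decision, run_at); run_at is None whenever the event is skipped."""
        p = self.policy
        if not p.enabled:
            return ("skip: auto-remediation disabled", None)
        if ev.tenant in p.excluded_tenants or ev.setting in p.excluded_settings:
            return ("skip: excluded by policy", None)
        in_scope = {"All drift": True, "Critical only": ev.severity == "Critical",
                    "Selected settings": ev.setting in p.selected_settings}[p.scope]
        if not in_scope:
            return ("skip: outside remediation scope", None)
        run_at = ev.detected_at + DELAYS[p.delay]  # grace period for planned changes
        if any(start <= run_at.hour < end for start, end in p.excluded_windows):
            return ("skip: inside excluded time window", None)  # re-evaluated on the next scan
        done = self.actions_per_day.get(run_at.date(), 0)
        if p.max_actions_per_day is not None and done >= p.max_actions_per_day:
            return ("skip: daily action limit reached", None)
        self.actions_per_day[run_at.date()] = done + 1
        return ("notify then remediate" if p.notify_before else "remediate", run_at)

T0 = datetime(2024, 1, 15, 9, 0)  # constructed reference time for sample events
```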

Best Practices

  • Start with framework-aligned baselines and customize incrementally based on client requirements
  • Enable auto-remediation only for well-understood settings with low user impact (e.g., audit logging)
  • Set a grace period delay on auto-remediation to allow planned changes to be approved before reversion
  • Review the recurring drift report monthly to identify root causes and implement permanent fixes
  • Use baseline versioning to track when compliance requirements change
  • Configure drift alerts to route to the technician responsible for each tenant group
  • Export drift history before compliance audits to demonstrate continuous monitoring

API Reference

  • GET /api/addons/trust-center/drift — List current drift events with filtering
  • GET /api/addons/trust-center/drift/history — Retrieve drift event history
  • GET /api/addons/trust-center/baselines — List all defined compliance baselines
  • POST /api/addons/trust-center/baselines — Create a new compliance baseline
  • PUT /api/addons/trust-center/baselines/:baselineId — Update a baseline definition
  • POST /api/addons/trust-center/drift/scan — Trigger an on-demand drift scan
  • GET /api/addons/trust-center/drift/auto-remediation — Get auto-remediation policy configuration
  • PUT /api/addons/trust-center/drift/auto-remediation — Update auto-remediation policy settings