Evidence Collection
Automate the collection, organization, and retention of compliance evidence across your managed Microsoft 365 tenants. Map evidence directly to framework controls, maintain a searchable repository, and streamline the review and approval process for audit readiness.
Note: Evidence Collection automates the most time-consuming part of compliance audits: gathering and organizing proof that controls are implemented and operating effectively. OpsPilot365 captures evidence directly from Microsoft 365 APIs, eliminating manual screenshots and reducing audit preparation time by up to 80%.
Evidence Repository Overview
| Metric | Value |
|---|---|
| Total Evidence Items | 1,247 |
| Auto-Collected | 892 |
| Pending Review | 34 |
| Frameworks Mapped | 7 |
Evidence Types
- Configuration Exports — Automated exports of Microsoft 365 configuration settings captured via Graph API. Includes Conditional Access policies, DLP rules, Exchange transport rules, Intune device compliance policies, and SharePoint sharing configurations. Exported as structured JSON with human-readable summaries.
- Screenshots and Captures — Automated portal screenshots of configuration pages in the Microsoft 365 admin center, Azure AD portal, Intune, and Defender. Timestamped and watermarked for authenticity. Manual screenshot uploads also supported.
- Audit Logs and Reports — Extracts from Microsoft 365 Unified Audit Logs, Azure AD sign-in logs, and admin activity logs. Filtered by date range and activity type. Includes Secure Score reports and compliance assessment results.
- Policy Documents — Upload and link organizational policy documents that satisfy procedural controls. Supports PDF, Word, and plain text formats. Track document versions and approval dates.
- User Activity Reports — Aggregated reports on user activity including MFA registration rates, sign-in patterns, license utilization, and security training completion.
- Attestations — Signed attestation records from technicians or client administrators confirming that manual processes are followed. Supports digital signatures, reviewer comments, and approval timestamps.
Evidence-to-Control Mapping
| Control | Framework | Evidence Required | Collection Method | Status |
|---|---|---|---|---|
| AC-2: Account Management | NIST 800-171 | User access review export, admin role assignments | Automated | Current |
| CC6.1: Access Controls | SOC 2 | Conditional Access policies, MFA status report | Automated | Current |
| 164.312(a): Access Control | HIPAA | Unique user IDs, emergency access procedures | Mixed | Partial |
| A.12.4: Logging | ISO 27001 | Audit log configuration, retention settings | Automated | Current |
| 3.1.1: System Access | CMMC | Access control policy document, user provisioning records | Manual upload | Missing |
Automated Collection Schedules
| Evidence Category | Default Frequency | Retention | Customizable |
|---|---|---|---|
| Configuration exports | Weekly | 13 months | Yes |
| Portal screenshots | Monthly | 13 months | Yes |
| Audit log extracts | Daily | 12 months | Yes |
| Secure Score snapshots | Weekly | 24 months | Yes |
| User activity reports | Monthly | 13 months | Yes |
| Compliance scan results | Per scan schedule | 24 months | Yes |
Evidence Review and Approval Workflow
- Collection — Evidence is automatically collected or manually uploaded. Auto-collected items include metadata such as source API, timestamp, tenant context, and the specific Graph API call used.
- Mapping — Evidence is mapped to the relevant compliance controls. Auto-collected evidence is pre-mapped based on the collection template.
- Review — A compliance reviewer examines the evidence for completeness and accuracy. Reviewers can add notes, request re-collection, or flag issues.
- Approval — Approved evidence is locked and included in the compliance audit package. Creates an immutable record with reviewer identity and timestamp.
- Archival — Approved evidence is stored with retention policies applied. Older evidence is archived but remains accessible for historical audits.
Evidence Repository
- Search and Filter — Full-text search across all evidence items. Filter by framework, control, tenant, evidence type, collection date, review status, and collector.
- Version History — Track changes to evidence items over time. Compare evidence across collection periods.
- Bulk Export — Export evidence packages for external auditors. Generate ZIP archives organized by framework and control with an evidence index spreadsheet.
- Retention Management — Configure retention periods per evidence type and framework. Automatic cleanup of expired evidence with legal hold capability.
Best Practices
- Enable automated evidence collection for all controls that can be verified through Microsoft 365 APIs
- Set collection frequencies to match your audit cycle (weekly for operational, monthly for governance)
- Configure auto-approval for automated evidence to reduce review burden, with periodic spot-checks
- Upload policy documents and attestations promptly to avoid evidence gaps during surprise audits
- Retain evidence for at least 13 months to cover annual audit cycles with overlap
- Export and share evidence packages with external auditors through secure links
API Reference
- GET /api/addons/trust-center/evidence — List evidence items with filtering
- POST /api/addons/trust-center/evidence — Upload a manual evidence item with control mapping
- GET /api/addons/trust-center/evidence/:evidenceId — Retrieve a specific evidence item
- POST /api/addons/trust-center/evidence/:evidenceId/approve — Approve an evidence item
- POST /api/addons/trust-center/evidence/collect — Trigger on-demand evidence collection
- GET /api/addons/trust-center/evidence/gaps — Identify controls with missing or expired evidence
- POST /api/addons/trust-center/evidence/export — Generate an evidence export package
- GET /api/addons/trust-center/evidence/schedules — List automated collection schedules
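As an added illustration (not OpsPilot365's own code), the following shows how a Status value like those in the mapping table, and the "missing or expired" list behind a gaps endpoint, can be derived from approved evidence items, their collection dates and the default collection frequencies. The MAX_AGE_DAYS mapping, the two-day grace period, the per-control evidence requirements and the sample items are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Max acceptable age per default frequency (assumed, derived from the schedules table)
MAX_AGE_DAYS = {"Daily": 1, "Weekly": 7, "Monthly": 31}

@dataclass(frozen=True)
class EvidenceItem:
    control: str        # control id, e.g. "AC-2"
    evidence_type: str  # e.g. "Configuration exports"
    collected_on: date
    approved: bool      # only approved (locked) evidence satisfies a control
# Constructed sample, loosely following the mapping and schedule tables above.
REQUIRED = {"AC-2": ["User activity reports", "Configuration exports"],
            "164.312(a)": ["Configuration exports", "Policy documents"],
            "A.12.4": ["Configuration exports"], "3.1.1": ["Policy documents"]}
SCHEDULE = {"Configuration exports": "Weekly", "User activity reports": "Monthly",
            "Policy documents": None}  # None: manual upload, no scheduled expiry
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_ITEMS = [
    EvidenceItem("AC-2", "User activity reports", date(2024, 6, 10), True),
    EvidenceItem("AC-2", "Configuration exports", date(2024, 6, 27), True),
    EvidenceItem("164.312(a)", "Configuration exports", date(2024, 6, 28), True),
    EvidenceItem("A.12.4", "Configuration exports", date(2024, 5, 1), True),   # stale
    EvidenceItem("3.1.1", "Policy documents", date(2024, 6, 29), False),      # pending review
]

def control_status(control, items, today, grace_days=2):
    """Classify one control as Current, Partial, Expired or Missing."""
    required, found, fresh = REQUIRED[control], 0, 0
    for etype in required:
        matches = [i for i in items if i.control == control
                   and i.evidence_type == etype and i.approved]
        if not matches:
            continue
        found += 1
        newest = max(i.collected_on for i in matches)
        freq = SCHEDULE.get(etype)
        if freq is None or (today - newest).days <= MAX_AGE_DAYS[freq] + grace_days:
            fresh += 1
    if found == 0:
        return "Missing"
    if fresh == len(required):
        return "Current"
    return "Expired" if found == len(required) else "Partial"

def evidence_gaps(items, today):
    """Controls that are not Current, i.e. what a gaps report would list."""
    return {c: s for c in REQUIRED if (s := control_status(c, items, today)) != "Current"}
```

Note that the unapproved policy document for 3.1.1 does not count, so that control is still reported as Missing until it passes review.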