Safeguarding the integrity of your Microsoft 365 and Microsoft Entra ID tenant has never been more critical. As organisations face increasingly sophisticated cyber threats, the risk of unauthorised or undocumented configuration changes continues to grow.
But what happens if your tenant is compromised before you regain access? Or if critical settings are changed without your knowledge?
In this article, we explore Microsoft’s new native Tenant Configuration Management (TCM) capability, consider why configuration drift is such a serious issue, and show how organisations can monitor, recover, and govern tenant configuration more effectively than ever before.
Why Tenant Configuration matters in Microsoft 365
A Microsoft 365 tenant contains hundreds, if not thousands, of configuration settings across services such as:
- Microsoft Entra ID (formerly Azure Active Directory)
- Exchange Online
- Microsoft Teams
- Intune
- Microsoft Purview
Many of these settings directly affect security posture, compliance alignment, and user experience, yet they often go undocumented or unchecked. Over time, this creates risk, especially in environments with multiple administrators and evolving business requirements.
Understanding Configuration Drift
Configuration drift occurs when tenant settings change over time without being tracked, reviewed, or intentionally approved. These changes may be small individually, but collectively they can lead to significant governance and security issues.
What causes configuration drift?
Multiple administrators
Many organisations have several global or service-specific admins. Even well‑intentioned changes can introduce inconsistencies when they’re not documented or reviewed centrally.
Unintended or forgotten changes
In long‑standing tenants, it’s common for settings to be changed years earlier with no remaining record of why they were adjusted or whether they are still required.
Permissions and service defaults
Areas such as M365 Group creation, SharePoint configuration, and Teams defaults are frequent sources of untracked changes that impact governance and user behaviour.
The risks of configuration drift
Loss of Governance
Over time, tenant configuration can drift away from organisational standards, security baselines, and internal IT policies, often without anyone noticing.
Compliance Challenges
Frameworks such as Cyber Essentials Plus and ISO 27001 require organisations to demonstrate how configuration is managed and maintained. Without evidence of configuration control, audits become difficult and time‑consuming.
Security and Recovery Risks
In more serious cases, a tenant may be:
- Accidentally misconfigured
- Partially corrupted
- Modified by a malicious actor
Without a configuration backup or baseline, recovery becomes extremely difficult, even after access is restored.
Introducing Microsoft’s Native Tenant Configuration Management (TCM)
Microsoft has recently introduced Tenant Configuration Management, a native capability delivered through Microsoft Graph APIs. Previously, similar outcomes were only achievable through third‑party tools or the open‑source Microsoft365DSC project.
This new capability allows organisations to:
- Track and monitor configuration drift
- Roll back unauthorised or unwanted changes
- Demonstrate compliance through configuration evidence
- Recover tenant configuration after corruption or compromise
This represents a major shift: configuration‑as‑code is now becoming an integral Microsoft capability rather than a community‑supported workaround.
What Tenant Configuration Management covers
Tenant Configuration Management currently supports configuration across:
- Microsoft 365
- Microsoft Intune
- Microsoft Entra ID
- Exchange Online
- Microsoft Purview
- Microsoft Teams
- Selected Defender components
It focuses on tenant‑wide control plane settings such as policies and dynamic groups. It does not back up user data (mailboxes, SharePoint files, OneDrive content), which must still be protected separately; for this we would recommend a cloud backup service.
Note: SharePoint configuration coverage is not yet included, and the feature is currently in Preview, meaning capabilities may change.
How Tenant Configuration Management Works (High Level)
Tenant Configuration Management uses a configuration‑as‑code approach:
- Administrators export tenant configuration into JSON templates using Microsoft Graph APIs
- These templates act as a baseline for desired configuration
- Configuration monitors compare live tenant settings against the baseline
- Drift can either:
- Trigger alerts, or
- Be automatically remediated back to the desired state
Configuration snapshots are stored temporarily in the tenant and must be exported externally (for example, to GitHub or Azure DevOps) if they are to be retained long‑term.
What does TCM do (deeper dive)
TCM allows admins to export the configuration of their M365 and Entra tenant, monitor for configuration drift, remediate drift, and back up their M365 and Entra tenant configuration.
- Configuration is managed in JSON, so it is digestible and readable by the team
- All operations are performed by calling Microsoft Graph APIs
- You call the snapshot API, for example, and select which settings you want to capture. This starts a background job (a snapshot job) that reads the current configuration of those settings and produces a JSON file. The file is stored in the tenant itself and you retrieve it through the APIs; because the solution has no document storage of its own, the file is held for 7 days and then deleted
- GitHub can be used to pull these, as can Azure DevOps or any other application that can call an API
- There may be an option in future to store snapshots in Azure Files, using keys to encrypt and secure the data
- You can then edit the exported configuration as needed (or keep it as it is) and re-upload it, or use it to create Configuration Monitors
- Monitors: you call the API again and it sets up a scheduled task that reads the configuration currently in the tenant and compares it to the JSON template you exported. For example, if a Conditional Access policy is in “Report-Only” in the tenant and you change it to “Enabled”, the task will report this as a “Drift”. This is how configuration drift is detected: an admin changes a policy but the JSON template is not updated to reflect the change
- A drift can either raise a notification that the configuration has changed, or, if you set the monitor to remediation mode, be set back to the configuration you desire
- These monitors during preview are running every 6 hours, but more schedules will be released as the product develops
- The solution is only aware of what you define in your configuration template
- For example, a Conditional Access policy has 25 properties by default (excluded groups, included roles, and so on). If you define only included roles in your configuration, the monitor will see and monitor only that property, not the entire policy. You can set this as granularly as the config‑as‑code format allows
- This can be used to monitor and manage multiple tenants
- You can also add parameters to your configuration JSON, which allow you to include or exclude certain values when checking the same template against multiple tenancies
- For example, a customer with a dev and a production tenant may want to exclude certain settings from the dev tenant but include them in production; parameters let you inject these values into the JSON before creating the monitors
- Organisations can also set up Configuration Snapshot Jobs to automate JSON creation and export the output with an external tool, using it as a configuration backup of the tenant so that configuration can be recovered after a cyber attack
- This does not cover data, data still needs to be backed up separately
- Such as Mailboxes, SharePoint data, OneDrive data etc.
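As an added example (not Microsoft's own TCM code or API, and not part of the original article), the following Python script models the monitor behaviour described in the high‑level and deeper‑dive sections above: a baseline template that lists only the properties the administrator chose to define, per‑tenant parameters substituted before comparison, a drift check that ignores everything the template does not mention, and a remediation plan containing only the drifted values. The JSON layout, the {{name}} parameter syntax, the policy names and the role/group identifiers are all constructed assumptions; the live snapshot is an inline dictionary standing in for the output of a snapshot job rather than a Graph API call. Only the Conditional Access property names (state, conditions.users.includeRoles, excludeGroups) and state values are real Graph names.

```python
"""Drift evaluation against a partial JSON baseline (added example, hypothetical format)."""
import json
import re

# Parameter placeholders look like "{{name}}" (assumed syntax, not TCM's own).
PARAM_RE = re.compile(r"^\{\{(\w+)\}\}$")


def resolve_parameters(template, params):
    """Return a copy of `template` with every "{{name}}" value replaced from `params`."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            m = PARAM_RE.match(node)
            if m:
                name = m.group(1)
                if name not in params:
                    raise KeyError(f"missing parameter: {name}")
                return params[name]
        return node
    return walk(template)


def _diff(name, path, expected, actual, out):
    """Recursively compare only the keys present in `expected`."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key, exp_val in expected.items():
            child = f"{path}.{key}" if path else key
            if key not in actual:
                out.append((name, child, exp_val, None))
            else:
                _diff(name, child, exp_val, actual[key], out)
    elif isinstance(expected, list) and isinstance(actual, list):
        # Identifier lists (roles, groups) are compared as sets: order is not drift.
        if sorted(map(str, expected)) != sorted(map(str, actual)):
            out.append((name, path, expected, actual))
    elif expected != actual:
        out.append((name, path, expected, actual))


def find_drift(baseline, live):
    """Return [(object_name, property_path, expected, actual)] for defined properties only.

    Properties absent from the baseline are never reported, mirroring the
    'only aware of what you define' behaviour. A baseline object that is
    missing from the live tenant is reported once with path "" and actual=None.
    """
    drift = []
    for name, expected_props in baseline["objects"].items():
        actual_obj = live.get(name)
        if actual_obj is None:
            drift.append((name, "", expected_props, None))
            continue
        _diff(name, "", expected_props, actual_obj, drift)
    return drift


def remediation_plan(drift):
    """Build a minimal per-object patch body (or a recreate action) from the drift list."""
    plan = {}
    for name, path, expected, _actual in drift:
        if path == "":
            plan[name] = {"action": "recreate", "body": expected}
            continue
        body = plan.setdefault(name, {"action": "patch", "body": {}})["body"]
        node = body
        parts = path.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = expected
    return plan


# Constructed baseline: two Conditional Access policies, each with only a few
# monitored properties. Role IDs and names are placeholders.
BASELINE_TEMPLATE = {
    "objects": {
        "CA001 - Require MFA for admins": {
            "state": "enabled",
            "conditions": {"users": {"includeRoles": "{{admin_roles}}"}},
        },
        "CA002 - Block legacy auth": {"state": "{{legacy_auth_state}}"},
    }
}

# Constructed per-tenant parameter sets for the dev/production pattern.
TENANT_PARAMS = {
    "prod": {"admin_roles": ["role-ga", "role-sa"], "legacy_auth_state": "enabled"},
    "dev": {"admin_roles": ["role-ga"], "legacy_auth_state": "enabledForReportingButNotEnforced"},
}

# Constructed live snapshot for prod: CA001 was switched to report-only and
# gained an excluded group that the template never defined.
PROD_LIVE = {
    "CA001 - Require MFA for admins": {
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeRoles": ["role-sa", "role-ga"],
                                 "excludeGroups": ["group-breakglass"]}},
    },
    "CA002 - Block legacy auth": {"state": "enabled"},
}


def evaluate(tenant, live):
    """Resolve the template for `tenant`, detect drift and return (drift, plan)."""
    baseline = resolve_parameters(BASELINE_TEMPLATE, TENANT_PARAMS[tenant])
    drift = find_drift(baseline, live)
    return drift, remediation_plan(drift)


if __name__ == "__main__":
    found, plan = evaluate("prod", PROD_LIVE)
    for entry in found:
        print("DRIFT", entry)
    print(json.dumps(plan, indent=2))
```

Running the script reports a single drift: CA001's state has moved from enabled to report‑only. The extra excluded group and the re‑ordered role list are not reported, because the template never defined the former and role membership is compared as a set. Evaluating the same template with the "dev" parameter set applies the dev values instead, which is the multi‑tenant pattern the article describes.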
Practical Use Cases for TCM
Tenant Configuration Management is particularly valuable in:
- Multi‑admin environments where changes happen frequently
- Compliance‑driven organisations working toward Cyber Essentials Plus or ISO 27001
- Long‑standing tenants with limited configuration history
- Security‑focused organisations that want a recovery option after an incident.
Licensing and Cost Considerations
Tenant Configuration Management is available to organisations with M365 E3 or Entra ID P1. The feature can be used for free during preview, but with capacity limitations, such as the number of items the APIs can download or call and the number of settings a JSON template can monitor. Microsoft are currently looking at options to increase capacity, but the commercials are not yet finalised. Costing will be included in the licence set organisations already have, unless specific capacity requirements are needed.
The main limitations relate to objects. An object is an individual item such as a group or a policy, not the individual settings within a policy or group. There are also limits on the number of objects a single monitor can track.
Commercial licensing and expanded capacity are still being finalised by Microsoft.
What’s Coming Next?
Following public preview, Microsoft plans to introduce:
- A Graphical User Interface (GUI) to reduce reliance on APIs
- Expanded Defender integration
- Improved scheduling and monitoring flexibility.
Final Thoughts
Tenant Configuration Management gives organisations something they’ve historically lacked: a native, Microsoft‑supported way to track, protect, and recover tenant configuration.
If you’re responsible for Microsoft 365 security (https://www.compete366.com/security-solutions), compliance, or governance, now is the time to start understanding how this capability fits into your wider operational and recovery strategy.
If you’d like guidance on assessing, implementing, or operationalising Tenant Configuration Management in your environment, speak to our team. We help organisations design secure, compliant Microsoft 365 tenants, and ensure they stay that way.