
How to Detect Conditional Access Drift in Microsoft 365

Your Conditional Access policies looked airtight when you configured them. But somewhere between deployment and today, something changed. This is Conditional Access drift, and it happens silently until it is too late.

Nikolai Poverud

Founder & CEO

January 22, 2026

Your Conditional Access policies looked airtight when you configured them. MFA required for all users. Risky sign-ins blocked. Unmanaged devices restricted. But somewhere between that initial deployment and today, something changed. Maybe an admin disabled a policy during troubleshooting and forgot to re-enable it. Maybe a new cloud app was added without proper coverage. Maybe an exclusion group grew beyond its intended scope.

This is Conditional Access drift, and it is one of the most insidious threats to M365 security because it happens silently, incrementally, and often without anyone noticing until it is too late.

According to recent research, misconfigured identity policies are responsible for one in three cloud breaches. For mid-sized organizations running lean IT teams, detecting and preventing this drift is not just a best practice; it is essential to maintaining your security posture.

What is Conditional Access Drift?

Conditional Access drift occurs when your CA policies deviate from their intended, approved configuration. Think of it as the gap between what you think your security controls are doing and what they are actually doing.

This drift happens for several reasons:

Emergency modifications that never get reverted. An admin disables MFA requirements during an urgent executive presentation, intending to re-enable it immediately afterward. Three weeks later, it is still disabled.

Manual changes without documentation. Someone adjusts a policy to fix a user access issue but does not update the change log or inform the security team.

Policy conflicts and overlaps. As your CA framework grows, policies can interact in unexpected ways, creating gaps or redundancies that are difficult to track.

Group membership changes. The exclusion group meant for two break-glass accounts now contains fifteen people, including contractors and former employees.

New applications without coverage. Your organization adopts a new SaaS tool, but nobody updates the CA policies to include it. Users access it without any access controls.

The challenge is that configuration drift creeps up almost invisibly, and by the time you identify which configurations have drifted, something has probably already gone wrong.

Why Conditional Access Drift is Dangerous

Conditional Access is the core of your Microsoft 365 Zero Trust implementation. When it drifts from your intended state, you are not just dealing with a compliance checkbox issue. You are dealing with real security exposure.

Security Gaps That Attackers Exploit

When a CA policy gets switched to report-only mode or disabled entirely, the controls it was supposed to enforce simply stop working. Users can sign in without MFA. Risky sign-ins proceed unchallenged. Unmanaged devices gain access to sensitive data.

This is not a theoretical concern. In the January 2024 Microsoft breach, the Russia-backed group Midnight Blizzard password-sprayed a legacy, non-production test tenant account that had no MFA, then abused a legacy test OAuth application with elevated access to reach corporate mailboxes. Even an organization with Microsoft's resources fell to identity configuration weaknesses of exactly the kind drift detection exists to catch: an account sitting outside MFA coverage and an over-privileged application nobody had reviewed.

Compliance Violations

Most security frameworks, from SOC 2 to ISO 27001 to NIST, require consistent enforcement of access controls. If your CA policies say one thing in your documentation but do another in practice, you are out of compliance. Auditors will not accept "we thought it was configured correctly" as an explanation.

Unknown Attack Surface Expansion

Every drifted policy potentially expands your attack surface in ways you cannot see. IBM's 2023 Cost of a Data Breach report found that 82% of breaches involved data stored in cloud environments, and a meaningful share of cloud incidents trace back to configuration mistakes rather than novel exploits.

Operational Disruption

Drift does not only create security problems. Conditional Access misconfigurations are among the most common causes of self-inflicted IT outages: a single policy change can lock every administrator out of the tenant, and recovery means a support case with Microsoft and potentially days of downtime. This is exactly why Microsoft recommends excluding at least two emergency access (break-glass) accounts from every Conditional Access policy, and why any change to those exclusions should itself be treated as drift.

Manual Detection Methods (and Their Limitations)

Most organizations attempt to detect CA drift using manual methods. While these approaches are better than nothing, they come with significant limitations.

Entra ID Audit Logs

Microsoft Entra ID records every policy change in the audit log. In the Microsoft Entra admin center, open Identity, then Monitoring & health, then Audit logs, filter on the Conditional Access service, and look for the activities "Add conditional access policy", "Update conditional access policy" and "Delete conditional access policy". Each entry names the actor, the target policy and the old and new policy JSON. Mind the retention: the portal keeps audit logs for 30 days on P1/P2 tenants, so anything older must already have been streamed to Log Analytics or Sentinel.

The problem: Audit logs show what changed but not whether the change was authorized. You see that Policy X was modified on Tuesday at 3 PM, but you still need to manually compare it against your baseline to determine if the change represents drift.

PowerShell Scripts

Using Microsoft Graph PowerShell, you can export your current CA configuration:

# Policy.Read.All is enough to export policies; no write scope is needed
Connect-MgGraph -Scopes "Policy.Read.All"
# -All returns every policy; -Depth 10 keeps nested conditions, grant and session controls intact
Get-MgIdentityConditionalAccessPolicy -All | ConvertTo-Json -Depth 10 | Out-File "CAPolicies.json"

This gives you a snapshot of your policies that you can diff against a previous export. The raw output is not report-friendly, though: users, groups, applications and named locations appear as GUIDs, so a useful comparison has to resolve them with Get-MgUser, Get-MgGroup and Get-MgIdentityConditionalAccessNamedLocation, and a naive text diff will also flag harmless reordering of list values as a change.

More critically, this approach only works if someone remembers to run the script regularly, maintains the baseline files, and actually performs the comparison.

Periodic Manual Reviews

Some organizations schedule quarterly CA policy reviews, where a security team member walks through each policy to verify it matches the documented configuration.

This approach has obvious problems for mid-sized organizations with limited IT staff. Quarterly reviews mean up to 90 days of potential drift going undetected. Manual reviews are tedious and error-prone. And as your policy count grows, comprehensive reviews become increasingly impractical.

Why Manual Methods Do Not Scale

The fundamental issue with all manual detection methods is that they require consistent human effort, and humans have other priorities. When your security engineer is fighting a phishing incident or onboarding new users, CA drift detection falls to the bottom of the to-do list.

Meanwhile, 55% of cloud breaches in 2025 trace back to configuration drift or oversight, and that percentage is not improving.

Automated Detection with Desired State Configuration

The alternative to manual detection is automated monitoring built on Desired State Configuration (DSC) principles, the same idea PowerShell DSC applies to servers and the open-source Microsoft365DSC project applies to M365 tenants, Conditional Access included. DSC flips the traditional model: instead of periodically checking what you have, you define what you should have and continuously verify the tenant against that baseline.

How DSC Works for Conditional Access

Define your desired state. Document exactly how each CA policy should be configured: which users are included or excluded, what conditions trigger the policy, what controls are enforced, and what state the policy should be in.

Continuously monitor. Automated tools compare your live tenant configuration against your defined baseline, typically every 15 minutes or in real-time.

Alert on deviations. When the actual configuration differs from the desired state, you receive an immediate notification rather than discovering it during a quarterly review or, worse, after a breach.

Facilitate remediation. With the drift clearly identified, you can quickly decide whether to revert the change or update your baseline to reflect an intentional modification.

The DSC Advantage

DSC tools can integrate with Microsoft Sentinel to provide automated alerting on policy changes. The key benefit is that you are not asking "did anything change?" You are asking "does reality match our approved configuration?"

This shift from reactive to proactive monitoring is essential for Entra ID security. You cannot protect what you cannot see, and automated drift detection ensures you always see the current state of your access controls.

Key CA Properties to Monitor for Drift

Not all policy changes carry equal risk. When implementing CA policy monitoring, focus on these high-impact properties:

Policy State

This is the most critical property. A policy can be:

  • On (enabled in the Graph API): Actively enforced
  • Off (disabled): Completely disabled
  • Report-only (enabledForReportingButNotEnforced): Logging what would have happened but not enforcing

An attacker who gains admin access would love to flip your MFA policy to report-only mode. You should receive an immediate alert if any policy state changes.

Included and Excluded Users and Groups

Watch for:

  • New users added to exclusion groups
  • Break-glass accounts removed from exclusions (creating lockout risk)
  • Changes to the "All Users" scope
  • Guest accounts being excluded from policies

Guest accounts are frequently excluded from Conditional Access policies, creating a pathway for external users to access resources without proper controls.

Conditions

Monitor changes to:

  • Locations: Trusted locations being added or removed
  • Device platforms: New platforms (like Linux) being excluded
  • Client apps: Legacy authentication being re-enabled
  • Risk levels: User or sign-in risk thresholds being modified

Grant Controls

These determine what happens when a policy triggers:

  • MFA requirements being weakened or removed
  • Compliant device requirements being dropped
  • Terms of use requirements being bypassed
  • Authentication strength being downgraded

Session Controls

Often overlooked, session controls affect:

  • App-enforced restrictions
  • Sign-in frequency requirements
  • Persistent browser session settings
  • Continuous access evaluation settings
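The desired-state comparison described in the four DSC steps above, applied to the property classes listed in this section, as an added example that is not TrueConfig's or Microsoft's code: it diffs an approved baseline against a live policy export in the Graph conditionalAccessPolicy JSON shape, treats list reordering as non-drift, resolves GUIDs to names through a lookup table, and ranks each deviation. The policies, GUIDs and name table are constructed sample data, and the severity ranking is this example's own choice. Note that the PowerShell SDK export shown earlier emits PascalCase property names, so an export from Get-MgIdentityConditionalAccessPolicy would need mapping to camelCase (or an Invoke-MgGraphRequest export of /identity/conditionalAccess/policies) before it fits this shape.

```python
"""Desired-state drift check for Conditional Access policies.

Added example for this article, not TrueConfig's or Microsoft's code. Baseline
and live export use the Graph conditionalAccessPolicy JSON shape (camelCase).
Policies, GUIDs and the GUID->name table are constructed sample data; only the
properties the baseline declares are compared.
"""
import json
from dataclasses import dataclass

# Constructed GUIDs and name table, standing in for Get-MgUser / Get-MgGroup lookups.
BREAK_GLASS = "aaaaaaaa-0000-4000-8000-000000000001"
CONTRACTORS = "bbbbbbbb-0000-4000-8000-000000000002"
DIRECTORY_NAMES = {BREAK_GLASS: "breakglass-1@contoso.example", CONTRACTORS: "SG-Contractors"}

def _users(exclude_groups=()):
    return {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS],
            "excludeGroups": list(exclude_groups)}

ALL_APPS = {"includeApplications": ["All"], "excludeApplications": []}

# Approved baseline, as it would be committed to version control.
BASELINE = {
    "CA001-Require-MFA-All-Users": {
        "state": "enabled",
        "conditions": {"users": _users(), "applications": ALL_APPS, "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    "CA002-Block-Legacy-Auth": {
        "state": "enabled",
        "conditions": {"users": _users(), "applications": ALL_APPS,
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    "CA003-Require-Compliant-Device": {
        "state": "enabled",
        "conditions": {"users": _users(), "applications": ALL_APPS, "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
}

# Constructed live export three weeks later: CA001 is report-only with a new exclusion,
# CA002 only has a list reordered, CA003 was deleted, and an ad-hoc test policy appeared.
LIVE_EXPORT = [
    {"id": "p-001", "displayName": "CA001-Require-MFA-All-Users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": _users([CONTRACTORS]), "applications": ALL_APPS, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p-002", "displayName": "CA002-Block-Legacy-Auth", "state": "enabled",
     "conditions": {"users": _users(), "applications": ALL_APPS,
                    "clientAppTypes": ["other", "exchangeActiveSync"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "p-009", "displayName": "Test - allow all", "state": "enabled",
     "conditions": {"users": _users(), "applications": ALL_APPS, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

@dataclass
class Finding:
    policy: str
    path: str
    baseline: object
    live: object
    severity: str

def flatten(obj, prefix=""):
    """Flatten nested dicts to {'a.b.c': value}. Lists become frozensets so a
    reordering (which Graph does not promise to preserve) is not reported as drift."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    if isinstance(obj, list):
        return {prefix[:-1]: frozenset(
            json.dumps(v, sort_keys=True) if isinstance(v, (dict, list)) else v for v in obj)}
    return {prefix[:-1]: obj}

def severity(path):
    """Rank a changed property by the classes the article calls high-impact."""
    if path == "state":
        return "critical"
    if path.startswith(("conditions.users.exclude", "conditions.applications.exclude", "grantControls")):
        return "high"
    if path.startswith(("conditions.", "sessionControls")):
        return "medium"
    return "low"

def resolve(value):
    """Replace GUIDs with directory names where the lookup table knows them."""
    if isinstance(value, frozenset):
        return sorted(DIRECTORY_NAMES.get(v, v) for v in value)
    return DIRECTORY_NAMES.get(value, value)

def detect_drift(baseline, live_policies):
    """Return every deviation of the live tenant from the approved baseline."""
    live_by_name = {p["displayName"]: p for p in live_policies}
    findings = []
    for name, desired in baseline.items():
        if name not in live_by_name:
            findings.append(Finding(name, "(policy)", "present", "deleted", "critical"))
            continue
        # Compare only properties the baseline governs; id, timestamps etc. are ignored.
        actual = {k: v for k, v in live_by_name[name].items() if k in desired}
        want, have = flatten(desired), flatten(actual)
        for path in sorted(set(want) | set(have)):
            if want.get(path) != have.get(path):  # None and absent are treated alike
                findings.append(Finding(name, path, resolve(want.get(path)),
                                        resolve(have.get(path)), severity(path)))
    for name in sorted(live_by_name.keys() - baseline.keys()):
        findings.append(Finding(name, "(policy)", "absent", "created outside baseline", "high"))
    return findings

if __name__ == "__main__":
    for f in detect_drift(BASELINE, LIVE_EXPORT):
        print(f"[{f.severity.upper():8}] {f.policy}: {f.path} baseline={f.baseline!r} live={f.live!r}")
```

A real run replaces LIVE_EXPORT with the parsed export and DIRECTORY_NAMES with resolved lookups; the baseline belongs in version control so every intentional change arrives as a reviewed commit, and the "created outside baseline" finding is what catches a policy added around the change process.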

Best Practices for CA Drift Detection

Implementing effective Microsoft 365 configuration management requires more than just tools. It requires process discipline.

Establish a Documented Baseline

Before you can detect drift, you need to define what "correct" looks like. Document every CA policy with:

  • The business purpose of the policy
  • Exact configuration settings
  • Approved exclusions and justifications
  • Last review date and reviewer

Store this baseline in version control or a configuration management database, not in someone's email or a forgotten SharePoint folder.

Use Automation, Not Manual Checks

Every IT administrator should regularly review their Conditional Access framework, but "regularly" should mean automated continuous monitoring, not calendar reminders for manual reviews.

The practical consensus is clear: the defense against configuration drift is continuous baseline enforcement, automated detection and rapid remediation, not periodic manual review.

Set Up Real-Time Alerts

When drift occurs, you need to know immediately. Configure your monitoring to alert on:

  • Any policy state changes
  • Changes to exclusion groups
  • Modifications to grant controls
  • New policies created outside the change management process

Route these alerts to your security operations team with appropriate severity levels.

Integrate with Change Management

Every CA policy change should follow a documented process:

  1. Change request submitted with business justification
  2. Security review and approval
  3. Implementation in a test environment or report-only mode
  4. Promotion to production
  5. Baseline updated to reflect the approved change

Any change detected outside this process is, by definition, drift that needs investigation.
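Bridging the audit-log limitation noted earlier (the log shows what changed, not whether it was authorized) with the change-management process just described, as an added example that is not TrueConfig's or Microsoft's code: it filters Conditional Access events out of directoryAudit-shaped records, extracts actor, policy and old/new state, and matches each one against an approved-change register by policy, approver and time window. Anything left unmatched is drift to investigate. The audit records and the register are constructed; the register format is an assumption.

```python
"""Reconcile Entra audit-log records about Conditional Access changes with an
approved-change register.

Added example for this article, not TrueConfig's or Microsoft's code. Records
follow the Graph directoryAudit shape (activityDisplayName, initiatedBy,
targetResources[].modifiedProperties holding a ConditionalAccessPolicy
old/new value) but are constructed here; the register format is an assumption.
"""
import json
from dataclasses import dataclass
from datetime import datetime

CA_ACTIVITIES = {"Add conditional access policy",
                 "Update conditional access policy",
                 "Delete conditional access policy"}

def _policy_event(when, activity, actor, pid, name, old_state=None, new_state=None):
    """Build one constructed directoryAudit record for a CA policy change."""
    modified = [{"displayName": "ConditionalAccessPolicy",
                 "oldValue": json.dumps({"id": pid, "state": old_state}) if old_state else "",
                 "newValue": json.dumps({"id": pid, "state": new_state}) if new_state else ""}]
    return {"activityDateTime": when, "activityDisplayName": activity, "result": "success",
            "loggedByService": "Conditional Access", "category": "Policy",
            "initiatedBy": {"user": {"userPrincipalName": actor}, "app": None},
            "targetResources": [{"id": pid, "displayName": name, "type": "Policy",
                                 "modifiedProperties": modified}]}

AUDIT_RECORDS = [
    # Emergency change during troubleshooting; no ticket anywhere.
    _policy_event("2026-01-20T15:02:11Z", "Update conditional access policy",
                  "alice.admin@contoso.example", "p-001", "CA001-Require-MFA-All-Users",
                  "enabled", "enabledForReportingButNotEnforced"),
    # Planned change inside its approved window.
    _policy_event("2026-01-21T10:15:40Z", "Update conditional access policy",
                  "bob.admin@contoso.example", "p-002", "CA002-Block-Legacy-Auth",
                  "enabledForReportingButNotEnforced", "enabled"),
    # Brand-new policy nobody approved.
    _policy_event("2026-01-22T08:41:03Z", "Add conditional access policy",
                  "alice.admin@contoso.example", "p-009", "Test - allow all",
                  None, "enabled"),
    # Unrelated directory event that the filter must skip.
    {"activityDateTime": "2026-01-22T09:00:00Z", "activityDisplayName": "Add member to group",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob.admin@contoso.example"}},
     "targetResources": [{"id": "u-1", "displayName": "carol", "type": "User", "modifiedProperties": []}]},
]

# Constructed approved-change register: one row per ticket, bounded in time.
APPROVED_CHANGES = [
    {"ticket": "CHG-4412", "policyId": "p-002", "approvedFor": "bob.admin@contoso.example",
     "windowStart": "2026-01-21T09:00:00Z", "windowEnd": "2026-01-21T12:00:00Z"},
]

@dataclass
class Change:
    when: datetime
    actor: str
    activity: str
    policy_id: str
    policy_name: str
    old_state: object
    new_state: object
    ticket: object = None

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _state(raw):
    """Pull the policy state out of a modifiedProperties old/new JSON string."""
    return json.loads(raw).get("state") if raw else None

def ca_changes(records):
    """Yield successful Conditional Access policy add/update/delete events."""
    for rec in records:
        if rec.get("activityDisplayName") not in CA_ACTIVITIES or rec.get("result") != "success":
            continue
        who = rec.get("initiatedBy") or {}
        actor = ((who.get("user") or {}).get("userPrincipalName")
                 or (who.get("app") or {}).get("displayName") or "unknown")
        target = rec["targetResources"][0]
        old = new = None
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConditionalAccessPolicy":
                old, new = _state(prop.get("oldValue")), _state(prop.get("newValue"))
        yield Change(_ts(rec["activityDateTime"]), actor, rec["activityDisplayName"],
                     target["id"], target["displayName"], old, new)

def reconcile(records, register):
    """Attach a ticket to each change made by the approved person, on the approved
    policy, inside the approved window; everything else stays unmatched."""
    changes = list(ca_changes(records))
    for change in changes:
        for row in register:
            if (row["policyId"] == change.policy_id and row["approvedFor"] == change.actor
                    and _ts(row["windowStart"]) <= change.when <= _ts(row["windowEnd"])):
                change.ticket = row["ticket"]
    return changes

def unauthorized(records, register):
    """The changes that by definition are drift: no ticket covers them."""
    return [c for c in reconcile(records, register) if c.ticket is None]

if __name__ == "__main__":
    for c in reconcile(AUDIT_RECORDS, APPROVED_CHANGES):
        status = c.ticket or "UNAUTHORIZED - investigate"
        print(f"{c.when:%Y-%m-%d %H:%M} {c.actor} {c.activity}: {c.policy_name} "
              f"{c.old_state} -> {c.new_state} [{status}]")
```

In production the records come from the Graph auditLogs/directoryAudits endpoint or from the AuditLogs table in Sentinel, and the register is whatever your ticketing system exports; the matching rule is deliberately strict on actor and window so that a valid ticket cannot be borrowed to cover an unrelated change.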

Conduct Regular Baseline Reviews

Even with automation, you should review your policies at least quarterly to ensure your baseline still reflects current business requirements. Ask:

  • Are there policies that are no longer needed?
  • Are there new scenarios that need coverage?
  • Have exclusions grown beyond their intended scope?
  • Are we using the latest Entra ID features effectively?

Moving from Reactive to Proactive

The difference between organizations that suffer identity-related breaches and those that prevent them often comes down to visibility. If you cannot see drift happening, you cannot stop it before it becomes a security incident.

For mid-sized organizations juggling limited IT resources with enterprise-level security requirements, automated CA drift detection is not a luxury. It is a necessity. The cost of implementing proper monitoring is far lower than the cost of a breach, and the operational benefits of knowing your configuration is correct provide peace of mind that manual checks can never deliver.


TrueConfig provides automated Conditional Access drift detection as part of its Desired State Configuration platform for Microsoft 365. By continuously monitoring your tenant against your defined baseline and alerting on deviations, TrueConfig helps you maintain the security posture you intended, not just the one you hope you have.