Guest blog courtesy of Augmentt.
Most M365 security incidents don't begin with a sophisticated attack. They begin with a setting that quietly changed six months ago that nobody noticed. That's configuration drift, and for MSPs managing dozens or hundreds of tenants, it's one of the most persistent and underappreciated threats in their clients' environments.Understanding what drift is, how it happens, and what it takes to stay ahead of it is foundational to delivering a credible M365 security practice.
What is configuration drift?
Configuration drift is the gradual divergence between a client's current Microsoft 365 environment and the security baseline you originally set. It's not a one-time event; it's a process. Each manual change, one-off exception, or missed update nudges the environment a little further from where it should be.In a single-tenant environment managed by an internal IT team, drift is manageable. The team has intimate familiarity with the environment and typically reviews it regularly. For an MSP managing 50 or 100 tenants, the math changes completely. There are simply too many environments, too many settings, and too many potential change events for any team to track manually.How drift happens in practice
Drift rarely happens because someone made a careless mistake. It happens because managing a live environment means making trade-offs constantly. A client calls in with an urgent request: a travelling executive needs an MFA exception. A technician disables a conditional access policy temporarily to troubleshoot an issue and forgets to re-enable it. A new app integration requires a permission change that nobody documents.Over time, these small, individually reasonable changes compound. The environment your team hardened at onboarding no longer resembles what's running today. And because the changes were spread across months and dozens of service tickets, there's no single moment where the gap became obvious.Common drift vectors in M365 environments include:- Conditional access policies disabled for troubleshooting and not re-enabled
- MFA exceptions granted to individual users that persist indefinitely
- Legacy authentication protocols re-enabled for specific app compatibility
- Admin roles assigned temporarily and never revoked
- External sharing settings relaxed at a client's request without a review date




