Why This Matters — Visibility Is Security
You can't secure what you can't see.
This is the single most important principle in managed services — and the one most often overlooked. The Microsoft 365 ecosystem is vast, constantly evolving, and operated by multiple parties. Changes happen every day, and most of them happen silently.
The visibility gap in native M365
Microsoft 365 does not provide an easy, configurable, unified, real-time change notification system across its services. The native tooling — audit logs, admin center notifications, Message Center posts — is fragmented, delayed, and requires active effort to monitor. Most organisations discover a critical change only when something breaks. By then, the damage is done.
Inforcer closes this gap. The platform's core purpose is to provide context to changes happening across the entire Microsoft 365 platform — not just that something changed, but what changed, when, who made the change, and what the previous value was. That context is surfaced across four core surfaces:
Surface | What It Shows |
Dashboard | Aggregated change summary across all managed tenants — policy drift, compliance score movement, and new alerts at a glance |
Tenant Overview | Per-tenant change feed showing exactly what changed, when, and what the previous value was |
Backup & Restore Engine | Full configuration snapshots with diff comparison — see the before and after of any change, with the ability to roll back |
Alignment Engine | Supercharged, granular drift detection — compares the current tenant state against your defined baseline and surfaces every deviation with detailed context. This is where the visibility becomes actionable — you don't just see that drift occurred, you see exactly which settings drifted, what they drifted to, and how far they are from your |
The Automation & Alerting engine is the real-time layer on top of this visibility. It pushes notifications the moment a change is detected — directly to email, Teams channels, or PSA systems — so you don't have to go looking for problems. Problems come to you.
It's not always the engineer
The assumption that only authorized administrators make changes is dangerous. In reality:
A frantic end user calls the ops desk — they can't access something, it's urgent, they need it now. The ops tech, under pressure, makes an exclusion to a Conditional Access policy or disables an MFA requirement to get operations back on track. That "temporary" change is forgotten within the hour. A security gap now exists that nobody knows about.
Hybrid IT and shared ownership — in the mid-market and enterprise MSP space, shared responsibility models are the norm. Multiple teams, multiple parties, sometimes multiple MSPs all operating in the same tenant. Without change alerting, nobody has a complete picture of what's happening. One team's "fix" becomes another team's security incident.
Microsoft themselves — this is the one most people never consider. At the end of the day, Microsoft has total control over the backend defaults in every tenant. They push changes to default behaviours — meeting policies, sharing settings, authentication defaults — without individual tenant consent. These changes are documented in the Message Center eventually, but they often land in production before the notification arrives.
I still remember the feeling after setting Inforcer up across a part of our managed portfolio for the first time. I came in the next morning and saw 50+ tenants — every single one — showing a single change that had occurred overnight. After digging in, I discovered that Microsoft had modified the default behaviour in Teams Meeting Policies across the entire M365 platform. No prior warning. No opt-in. Every tenant affected simultaneously.
That was the moment it clicked: it isn't just about accountability within your own organization. It's visibility into defaults being modified by Microsoft themselves.
Economies of scale
The Alerting engine is a foundational task — meaning you configure it once, before onboarding your first client, and every tenant you add automatically benefits. This is true economies of scale:
One webhook template serves every tenant
One email alert rule covers your entire portfolio
One PSA integration keeps your ticketing system in sync
The time invested in setting up alerting pays dividends across every tenant, every day, for as long as you manage them.
Alert Delivery Channels
Inforcer supports three alert delivery channels, each serving a different operational need:
Channel | Best For | Setup Complexity |
Compliance records, audit trails, stakeholder notifications | Low | |
Webhooks | Real-time Teams channel notifications, SOC integrations, custom workflows | Medium |
PSA Integration | Auto-ticket creation in ConnectWise, Autotask, HaloPSA, etc. | Medium |
Each alert can be configured to deliver to one, two, or all three channels simultaneously.
Alert Types Available
Inforcer provides a library of pre-built alert types that monitor specific aspects of the M365 ecosystem:
Alert Type | What It Detects |
Policy Change Monitoring | Any change to Conditional Access policies, authentication policies, sharing policies, Intune, Defender, Purview DLP rules — additions, modifications, and deletions |
Administrators without MFA | Admin accounts that do not have MFA registered or enforced |
Apple MDM Certificate Expiration | Apple MDM push certificate approaching expiry — critical for iOS/macOS device management |
Drop in Secure Score | Microsoft Secure Score decrease detected — something got worse |
New Global Administrator Account Created | A new account has been assigned the Global Administrator role |
App Registration Credential Expiration | Enterprise application secrets or certificates approaching expiry |
New Enterprise Application Registration | A new Enterprise Application has been registered in the tenant |
📚 Full alert values reference: docs.inforcer.com — Alert Values — list of available template variables, dynamic values, and placeholders for each alert type.
💡 Tip: Start with Policy Change Monitoring and Administrators without MFA — these two alerts alone provide more visibility than most native M365 tooling combined.
Setup Location in Inforcer
Navigate to: Inforcer → Automate (left sidebar) → Alerting
From this page you can:
Create a new alert — select the alert type, give it a friendly name, and configure delivery channels
View all configured alerts — see status, type, and delivery settings at a glance
Edit or disable existing alerts — adjust thresholds, add channels, or pause notifications
Each alert shows three delivery configuration icons:
Icon | Channel | Purpose |
✉️ | Configure recipient email addresses | |
| Webhook | Configure webhook URL and payload template |
🖥️ | PSA | Configure PSA ticket creation |
Step 1: Email Alert Configuration
Email is the simplest starting point. Every alert should have at least one email recipient as a baseline.
Configuration Steps
Navigate to Automate → Alerting
Click Create a new alert
Select the Alert Type from the dropdown (e.g. "Policy Change Monitoring")
Enter a Friendly Name (e.g. "[default] Policy Changes Notification")
Click the Email icon (✉️) in Alert Settings
Configure the email delivery:
6a. Add Recipients
Enter one or more recipient email addresses. You can add multiple addresses — each will receive a copy of the alert.
6b. Set the Email Subject
The subject line supports template variables that dynamically populate with tenant-specific data. This is critical when managing multiple tenants — without dynamic subjects, every alert email looks the same in your inbox.
Recommended subject format:
Policy Changes - {{tenant.name}} - {{tenant.id}}Available template variables for subjects:
Variable | Output |
| The tenant's display name (e.g. "Contoso Ltd") |
| The tenant's Inforcer ID |
| The Microsoft 365 tenant GUID |
| Your custom client reference (e.g. "My Custom Contoso Ltd") |
| The friendly name of the alert |
| The alert summary message |
💡 Tip: Using {{tenant.name}} in the subject means you can create email rules in Outlook to auto-sort alerts by customer — invaluable when managing 20+ tenants.
6c. Configure the Email Body Template
Inforcer includes a built-in Advanced HTML Editor that provides professionally formatted email templates out of the box. You don't need to write any HTML — just load a template.
Steps:
Click Advanced Editor — this opens the full HTML editor with a live preview pane on the right
Click Use Template — this loads the pre-built Inforcer email template with:
Dynamic header showing the alert type and user who triggered the test
Tenant information block (name, GUID, client reference)
Policy Change Summary with colour-coded counters (Added / Changed / Removed)
Per-policy detail cards showing policy type, ID, state, and configuration changes
Previous Value vs New Value comparison (red/green diff highlighting)
Click Apply and Close — this saves the template and returns you to the alert configuration
Save the alert
The template uses Liquid-style template variables (e.g. {{ alert.message }}, {{ tenant.name }}, {% for policy in tracked_changes.policies %}) to dynamically render the alert content. You don't need to edit these — they populate automatically when the alert fires.
Recommended Email Recipients
Recipient | Why |
Shared security mailbox (e.g. | Ensures alerts are seen even when individuals are on leave |
Tenant-specific contact (if applicable) | Customer stakeholders who need visibility into their own environment |
NOC / SOC distribution list | Operational teams who need to act on alerts |
📹 Video Walkthrough — Basic Alert Setup
📹 Video Walkthrough — Email Setup for MDM Certificate Alerts
Step 2: Webhook Configuration (Teams)
Webhooks deliver real-time, richly formatted alert cards directly into Microsoft Teams channels. This is the most operationally impactful delivery method — your team sees changes the moment they happen, in the channels they're already working in.
What the alerts look like in Teams
Inforcer webhook alerts render as structured Adaptive Cards in Teams, showing:
Tenant name and ID — which customer was affected
Change summary — count of policies added, changed, and removed
Colour-coded change list — green for additions, amber for modifications, red for removals
Individual policy details — policy name, type, ID, and state
Configuration Steps
Navigate to Automate → Alerting
Select an existing alert or create a new one
Click the Webhook icon (
</>) in Alert SettingsEnter the Webhook URL (from your Teams channel's incoming webhook connector or Teams Workflows)
Select or customise the payload template
Test the webhook to verify delivery
Save
Inforcer Webhook Template Library
Inforcer provides a curated library of pre-built webhook templates optimised for Microsoft Teams Adaptive Cards. These templates are ready to use and cover common alert scenarios with rich formatting.
📚 Full template library: docs.inforcer.com — Teams Webhook Library
📹 Video Walkthrough — Webhook Configuration in Teams
Step 3: PSA Integration
PSA integration automatically creates tickets in your professional services automation platform when alerts fire. This ensures changes don't just get seen — they get tracked, assigned, and resolved.
Supported PSA Platforms
Inforcer integrates with major MSP PSA platforms including:
ConnectWise Manage
Datto Autotask
HaloPSA
Configuration steps vary by PSA platform. Refer to the Inforcer documentation for platform-specific setup guides.
Recommended Alerts to Get Started
The table below is a suggested starting point — not a rigid requirement. Every environment is different. Use this as a guide to build your initial alerting configuration and expand from there as your operational maturity grows.
Priority | Alert | Webhook | PSA | Why Start Here | |
🔴 Critical | Policy Change Monitoring | ✅ | ✅ | Optional | The single most valuable alert — catches every CA, auth, sharing, and DLP policy change across all tenants, including changes made by Microsoft |
🔴 Critical | Administrators without MFA | ✅ | ✅ | ✅ | Admin accounts without MFA are the #1 compromise vector. This catches newly created admins or MFA deregistration |
🔴 Critical | New Global Administrator Account Created | ✅ | ✅ | ✅ | Immediate awareness of privilege escalation — whether legitimate or a sign of compromise |
🟡 Important | Drop in Secure Score | ✅ | ✅ | Optional | Early warning that something in the tenant got worse — useful for spotting drift between baseline reviews |
🟡 Important | App Registration Credential Expiration | ✅ | Optional | ✅ | Prevents service outages from expired secrets/certificates — PSA ticket ensures it gets scheduled |
🟡 Important | New Enterprise Application Registration | ✅ | ✅ | Optional | Detects shadow IT, consent phishing, or unauthorised app registrations before they gain access to data |
🟡 Important | Apple MDM Certificate Expiration | ✅ | Optional | ✅ | A missed renewal breaks iOS/macOS management for the entire tenant — this gives you lead time |
💡 Start small, expand later. If you're just getting started, enable Policy Change Monitoring and Administrators without MFA first. These two alone will transform your visibility. Add the rest as you build confidence in the workflow.
What Policy Change Alerts Actually Show
When a policy change is detected, the alert includes a detailed change report:
Email Format
The email alert contains:
Tenant header — tenant name, GUID, and onmicrosoft.com reference
Policy Change Summary — count of policies added, changed, and removed
Per-policy detail — each policy listed with:
Policy name
Policy type (e.g. Conditional Access Policy)
Policy ID (GUID)
Change state (Added / Changed / Removed)
Colour coding — ✅ green for added, ✏️ amber for changed, ❌ red for removed
Teams Webhook Format
The Teams card provides the same information in a compact, scannable format:
Baseline label — which baseline detected the change (e.g. "Contoso - CIS")
Summary counters — Added / Changed / Removed counts
Colour-coded policy list — each change on its own line with an icon indicating the change type
Inforcer branding — direct link back to the Inforcer platform for investigation
Summary
Item | Detail |
Task Type | Foundational — configure once, benefits all tenants |
Priority | 🔴 Critical — deploy before onboarding tenants |
Time to Configure | ~30 minutes for full email + webhook setup |
Ongoing Effort | Zero — alerts run automatically |
Licence Requirement | Included in Inforcer platform — no additional M365 licensing |
Impact | Immediate, portfolio-wide visibility into every change across every managed tenant |
Visibility is security. The Alerting engine is not a nice-to-have — it is the foundation that every other security control depends on. A perfectly configured baseline means nothing if someone quietly changes it and nobody notices.