Skip to main content

Deterministic Microsoft 365 Monitoring

Know when critical Microsoft 365 configurations change.

Receive deterministic, source-backed notifications for Intune, Entra, and Teams external access without deploying a SIEM.

Read-only connectors. No SIEM deployment. No model-based inference.

CriticalSource-backed

Conditional Access policy state changed

Tenant
Contoso
Workload
Microsoft Entra
Resource
Require MFA for administrators

Exact Change

state

enableddisabled
ENTRA_CA_POLICY_STATE_CHANGED v1Source latency: Polled every 5 minutes
HighSource-backed

External member added to Finance shared channel

Tenant
Contoso
Workload
Microsoft Teams
Resource
Finance shared channel

Exact Change

membership

not presentdirect member
TEAMS_EXTERNAL_MEMBER_ADDED_TO_CHANNEL v1Source latency: Near real time
CriticalSource-backed

Intune compliance policy setting changed

Tenant
Contoso
Workload
Microsoft Intune
Resource
Corporate device compliance

Exact Change

Require encryption

truefalse
INTUNE_PROPERTY_CHANGED v1Source latency: Polled every 5 minutes

The Problem

Audit records are plentiful. Useful, accountable signals are not.

Microsoft 365 changes arrive through different sources, at different speeds, and with different levels of detail. MSP teams need a precise record of supported high-value changes without operating another broad security platform.

Scattered sources

Entra and Intune audit records differ from Teams change notifications.

Uneven evidence

Old and new values are available only when Microsoft includes them.

Multi-tenant pressure

Consultants need one operating view across separate customer tenants.

Exact Supported Examples

Specific outcomes, backed by specific source evidence.

Each notification names the matched rule and reports only the values Microsoft supplied.

01

Conditional Access state

Conditional Access policy state changed from enabled to disabled.

02

Shared channel membership

External member added to the Finance shared channel with differing tenant ID evidence.

03

Intune policy setting

Require encryption changed from true to false on a supported compliance policy.

How It Works

From tenant consent to a traceable notification in 3 steps.

  1. 01

    Consent Read-Only Connectors

    Enable only the workload connectors you need, each with a separate least-privilege application.

  2. 02

    Match Deterministic Rules

    Versioned rules match supported Microsoft audit records and change notifications without fuzzy classification.

  3. 03

    Deliver the Exact Record

    Route a normalized event to email, Teams, Slack, or HTTPS webhooks with source evidence attached.

Workloads

Purpose-built coverage for 3 Microsoft 365 workloads.

Each connector has its own source, permission boundary, latency class, and public limitations.

Microsoft Entra

Focused outcomes for Conditional Access, roles, applications, credentials, grants, guests, selected groups, and cross-tenant access.

Source
Directory audit records
Latency
Polled every 5 minutes

Microsoft Intune

Supported policy, profile, assignment, app, script, update, enrollment, and Intune RBAC configuration families.

Source
Intune audit records
Latency
Polled every 5 minutes

Microsoft Teams

External team membership, private and shared channel membership, and verified shared-channel access changes.

Source
Graph change notifications
Latency
Near real time

Delivery Channels

Send one correlated change to the destinations your team already uses.

A change is billed once regardless of permitted fan-out. Delivery retries and test notifications do not increment usage.

  • Email
  • Microsoft Teams
  • Slack
  • HTTPS webhooks

MSP Multi-Tenant View

One operating view across the customer tenants you manage.

Organize customer tenants under one MSP organization, keep connector health visible, and preserve tenant boundaries in every event, route, and role.

Organization Owners and Admins manage connections and destinations. Analysts can inspect normalized events without receiving tenant administration rights.

Expired consent, revoked permissions, subscription failures, poller lag, and delivery failures are designed to surface as product health signals.

Tenant Operations

Contoso

Entra · Intune · Teams

Monitoring

Fabrikam

Entra · Intune · Teams

Review consent

Northwind Traders

Entra · Intune · Teams

Monitoring

Pricing

Per-tenant plans with clear usage boundaries.

Prices and limits below are read from the same domain configuration used by the product. Taxes are calculated separately.

Trial

Explore the core workflow for 10 days.

$0.00per tenant / month

  • 100 billable changes
  • 7 days of history
  • 2 destinations
Start Trial

Starter

Focused monitoring for a smaller customer estate.

$4.99per tenant / month

  • 100 billable changes
  • 30 days of history
  • 5 destinations
Start Starter

Built to Scale

Pro

Higher-volume monitoring for growing MSP operations.

$19.99per tenant / month

  • 10,000 billable changes
  • 90 days of history
  • 25 destinations
Start Pro

Coverage Limitations

Source speed and detail depend on Microsoft.

Entra and Intune are polled every 5 minutes. Teams membership changes can use near-real-time notifications. Microsoft source ingestion can add delay, and ChangeWitness does not promise a fixed delivery time. Old and new values appear only when Microsoft supplies them.

Microsoft Graph integrations use the beta API channel exclusively. Beta schema changes are monitored through contract tests and fail-closed validation.

Open Coverage Catalog

Security and Permissions

Separate connector apps. Exact read permissions.

Customers consent only to the workloads they enable. Connector signing uses certificate-based authentication with production keys designed for Azure Key Vault.

entra

  • AuditLog.Read.All

intune

  • DeviceManagementApps.Read.All

teams

  • Team.ReadBasic.All
  • Channel.ReadBasic.All
  • TeamMember.Read.All
  • ChannelMember.Read.All

The service cannot modify monitored Microsoft 365 configurations. Monitoring subscriptions are created only where Microsoft requires them for change delivery.

EU Hosting

Frankfurt placement for core compute and product data.

Core application Functions run in Vercel fra1 and product data is placed in Supabase eu-central-1. Named subprocessors may process limited data elsewhere, including Resend email metadata and logs in the United States.

Core compute

Vercel Functions · Frankfurt

Product data

Supabase · Frankfurt

Disclosed exception

Resend metadata and logs · United States

Trust Center

The operational details should be inspectable before consent.

Review exact permissions, hosting disclosures, subprocessors, retention, legal drafts, and service status in one public trust center.

FAQ

Direct answers to common implementation questions.

Can the app modify my tenant?

No. The service cannot modify monitored Microsoft 365 configurations. It uses read permissions and creates monitoring subscriptions required by Microsoft.

Why are POST requests used?

POST requests are used only to create, renew, or remove the monitoring subscriptions Microsoft requires. They are not used to change monitored configurations.

Do you use AI or LLMs?

No. Rules are deterministic, versioned, source-backed, and testable. ChangeWitness does not use model-based classification or generated conclusions.

Where is data hosted?

Core application Functions and product data are placed in Frankfurt. Named subprocessors may process limited data elsewhere, including Resend email metadata and logs in the United States.

Do you store raw audit logs?

Raw Microsoft payloads are deleted after successful normalization. Restricted dead-letter handling may retain encrypted poison messages for up to 24 hours.

What happens when quota is reached?

A 20 percent grace allowance applies to paid plans. After grace is exhausted, ingestion and dashboard history continue, while individual external delivery becomes one daily quota summary per tenant.

How do I remove access?

Disconnect the workload in ChangeWitness, then revoke consent for the connector enterprise application in Microsoft Entra.

Put a witness on critical changes.

Start with a focused, source-backed view across the Microsoft 365 tenants you manage.