Conditional Access policy state changed
- Tenant
- Contoso
- Workload
- Microsoft Entra
- Resource
- Require MFA for administrators
Exact Change
state
Deterministic Microsoft 365 Monitoring
Receive deterministic, source-backed notifications for Intune, Entra, and Teams external access without deploying a SIEM.
Read-only connectors. No SIEM deployment. No model-based inference.
Conditional Access policy state changed
Exact Change
state
External member added to Finance shared channel
Exact Change
membership
Intune compliance policy setting changed
Exact Change
Require encryption
The Problem
Microsoft 365 changes arrive through different sources, at different speeds, and with different levels of detail. MSP teams need a precise record of supported high-value changes without operating another broad security platform.
Entra and Intune audit records differ from Teams change notifications.
Old and new values are available only when Microsoft includes them.
Consultants need one operating view across separate customer tenants.
Exact Supported Examples
Each notification names the matched rule and reports only the values Microsoft supplied.
01
Conditional Access policy state changed from enabled to disabled.
02
External member added to the Finance shared channel with differing tenant ID evidence.
03
Require encryption changed from true to false on a supported compliance policy.
How It Works
Enable only the workload connectors you need, each with a separate least-privilege application.
Versioned rules match supported Microsoft audit records and change notifications without fuzzy classification.
Route a normalized event to email, Teams, Slack, or HTTPS webhooks with source evidence attached.
Workloads
Each connector has its own source, permission boundary, latency class, and public limitations.
Focused outcomes for Conditional Access, roles, applications, credentials, grants, guests, selected groups, and cross-tenant access.
Supported policy, profile, assignment, app, script, update, enrollment, and Intune RBAC configuration families.
External team membership, private and shared channel membership, and verified shared-channel access changes.
Delivery Channels
A change is billed once regardless of permitted fan-out. Delivery retries and test notifications do not increment usage.
MSP Multi-Tenant View
Organize customer tenants under one MSP organization, keep connector health visible, and preserve tenant boundaries in every event, route, and role.
Organization Owners and Admins manage connections and destinations. Analysts can inspect normalized events without receiving tenant administration rights.
Expired consent, revoked permissions, subscription failures, poller lag, and delivery failures are designed to surface as product health signals.
Contoso
Entra · Intune · Teams
Fabrikam
Entra · Intune · Teams
Northwind Traders
Entra · Intune · Teams
Pricing
Prices and limits below are read from the same domain configuration used by the product. Taxes are calculated separately.
Explore the core workflow for 10 days.
$0.00per tenant / month
Focused monitoring for a smaller customer estate.
$4.99per tenant / month
Built to Scale
Higher-volume monitoring for growing MSP operations.
$19.99per tenant / month
Coverage Limitations
Entra and Intune are polled every 5 minutes. Teams membership changes can use near-real-time notifications. Microsoft source ingestion can add delay, and ChangeWitness does not promise a fixed delivery time. Old and new values appear only when Microsoft supplies them.
Microsoft Graph integrations use the beta API channel exclusively. Beta schema changes are monitored through contract tests and fail-closed validation.
Open Coverage CatalogSecurity and Permissions
Customers consent only to the workloads they enable. Connector signing uses certificate-based authentication with production keys designed for Azure Key Vault.
The service cannot modify monitored Microsoft 365 configurations. Monitoring subscriptions are created only where Microsoft requires them for change delivery.
EU Hosting
Core application Functions run in Vercel fra1 and product data is placed in Supabase eu-central-1. Named subprocessors may process limited data elsewhere, including Resend email metadata and logs in the United States.
Core compute
Vercel Functions · Frankfurt
Product data
Supabase · Frankfurt
Disclosed exception
Resend metadata and logs · United States
Trust Center
Review exact permissions, hosting disclosures, subprocessors, retention, legal drafts, and service status in one public trust center.
FAQ
No. The service cannot modify monitored Microsoft 365 configurations. It uses read permissions and creates monitoring subscriptions required by Microsoft.
POST requests are used only to create, renew, or remove the monitoring subscriptions Microsoft requires. They are not used to change monitored configurations.
No. Rules are deterministic, versioned, source-backed, and testable. ChangeWitness does not use model-based classification or generated conclusions.
Core application Functions and product data are placed in Frankfurt. Named subprocessors may process limited data elsewhere, including Resend email metadata and logs in the United States.
Raw Microsoft payloads are deleted after successful normalization. Restricted dead-letter handling may retain encrypted poison messages for up to 24 hours.
A 20 percent grace allowance applies to paid plans. After grace is exhausted, ingestion and dashboard history continue, while individual external delivery becomes one daily quota summary per tenant.
Disconnect the workload in ChangeWitness, then revoke consent for the connector enterprise application in Microsoft Entra.
Put a witness on critical changes.
Start with a focused, source-backed view across the Microsoft 365 tenants you manage.