In transit
TLS 1.2 or newer for product and provider connections.
Security
The service cannot modify monitored Microsoft 365 configurations. It uses read permissions and creates monitoring subscriptions required by Microsoft.
Connector Permissions
Customers consent only to the workloads they enable. The Microsoft sign-in application uses delegated openid, profile, and email scopes separately from connector access.
| Connector App | Workload | Application Permissions |
|---|---|---|
| ChangeWitness Entra Connector | Microsoft Entra | AuditLog.Read.All |
| ChangeWitness Intune Connector | Microsoft Intune | DeviceManagementApps.Read.All |
| ChangeWitness Teams Connector | Microsoft Teams | Team.ReadBasic.All, Channel.ReadBasic.All, TeamMember.Read.All, ChannelMember.Read.All |
Connector Authentication
Connector applications use certificate-based Microsoft client credentials. Production signing keys are designed to remain non-exportable in Azure Key Vault, accessed from Vercel through OIDC workload identity federation.
Data Protection
TLS 1.2 or newer for product and provider connections.
Provider-managed encryption for operational data and private storage.
Row Level Security, strict SaaS RBAC, and no direct browser access to operational tables.
Hosting
Named subprocessors may process limited data elsewhere, including Resend email metadata and logs in the United States, as disclosed in the trust center and DPA.
Put a witness on critical changes.
Start with a focused, source-backed view across the Microsoft 365 tenants you manage.