Veri-Docs
Starter
Veri-Docs generates professional standard operating procedures directly from your live Microsoft 365 configuration. SOPs document what is configured, how each policy is set up, and which users or groups are affected — all formatted with your company branding.
How Veri-Docs Works
Step-by-step walkthrough from start to finish
Connect Your Tenant
A Global Administrator approves read-only access to your Microsoft 365 configuration via Microsoft's standard admin consent flow. No passwords or secrets are shared — authentication uses X.509 certificates with HSM-backed key storage.
Select Output Formats
Choose which formats to generate: Markdown, HTML, PDF, or DOCX. On paid plans, all four formats are available simultaneously. Company branding (logo, name, colors) is automatically applied.
Generate SOPs
Veri-Docs reads your live M365 configuration via the Microsoft Graph API and generates one SOP per policy type found in your tenant. Conditional Access, Intune profiles, compliance policies, app protection, enrollment restrictions, and more — 18 policy types in total.
Download & Archive
Documents are stored in your searchable archive. Download individual files or the entire job as a ZIP. Every generation is versioned and timestamped for audit trails.
Data Handling
What data is collected, processed, stored, and what is never accessed
Data collected during SOP generation
- → Microsoft 365 policy configurations (Conditional Access, Intune, SharePoint, etc.) — read-only, via Graph API
- → User and group display names referenced in policy assignments
- → Named location names and IP ranges in Conditional Access policies
- → License SKU names assigned to your tenant
How data is processed
- → Policy data is read from the Graph API by the worker container (Azure Container Apps Job)
- → Data is structured into SOP documents using Veri-Docs formatting templates
- → Company branding (logo, name, colors) is applied from your Settings
- → Documents are generated in the requested formats (Markdown, HTML, PDF, DOCX)
- → Processing completes in approximately 60 seconds
What is stored after generation
- → Generated SOP documents in Azure Blob Storage (encrypted at rest)
- → Job metadata (timestamp, status, format selections) in Azure Table Storage
- → Retention: 30 days (Starter), 90 days (Professional), 3 years (Enterprise/MSP)
Data Veri-Docs never accesses
- ✗ Email content, mailbox data, or calendar entries
- ✗ File contents in SharePoint or OneDrive
- ✗ User passwords, MFA secrets, or authentication tokens
- ✗ Sign-in logs, audit logs, or activity data
- ✗ Device hardware details or installed applications
Permissions
Every Graph API permission used, when it's requested, and why
Permission Model
Veri-Docs uses read-only app permissions granted via Microsoft admin consent. No write permissions are ever requested. All authentication uses X.509 certificate credentials with HSM-backed key storage in Azure Key Vault — no client secrets.
- Policy.Read.All: Read Conditional Access policies and named locations
- DeviceManagementConfiguration.Read.All: Read Intune device configuration profiles and compliance policies
- DeviceManagementManagedDevices.Read.All: Read managed device inventory for enrollment profiles
- Directory.Read.All: Read user and group display names for policy assignment context
- Organization.Read.All: Read tenant name and license SKUs for document headers
Safety Controls
- ✓ Read-only access — Veri-Docs cannot modify any tenant configuration
- ✓ X.509 certificate authentication — no client secrets in the system
- ✓ No raw tenant data stored between jobs — only generated documents are retained
- ✓ Revoke access at any time from Settings or Entra admin center
- ✓ All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
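A tenant administrator can check the permission list above against what was actually consented. The following is an added example, not Veri-Docs code: it diffs the app roles granted to a service principal against the five documented permissions. It assumes you have exported the service principal's `appRoleAssignments` and the Microsoft Graph service principal's `appRoles` from the Graph API; the GUIDs and sample data are constructed placeholders.

```python
# Added example: compare granted Graph app roles with the five documented ones.
DOCUMENTED = frozenset({
    "Policy.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "Directory.Read.All",
    "Organization.Read.All",
})

def _guid(n):
    """Constructed placeholder GUID; real appRole ids come from your tenant."""
    return f"00000000-0000-0000-0000-{n:012d}"

# Constructed sample: "appRoles" of the Microsoft Graph service principal.
SAMPLE_APP_ROLES = [{"id": _guid(i), "value": v} for i, v in enumerate(
    sorted(DOCUMENTED) + ["Policy.ReadWrite.ConditionalAccess"], start=1)]

# Constructed sample: appRoleAssignments of the vendor's service principal.
# Ids 1-5 are the documented roles, 6 is a write role, 99 resolves to nothing.
SAMPLE_ASSIGNMENTS = [{"appRoleId": _guid(n)} for n in (1, 2, 3, 4, 5, 6, 99)]

def audit_grants(assignments, app_roles, documented=DOCUMENTED):
    """Resolve appRoleId values to permission names and diff against the list."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    granted, unresolved = set(), []
    for item in assignments:
        name = by_id.get(item["appRoleId"])
        if name is None:
            unresolved.append(item["appRoleId"])  # other resource or unknown role
        else:
            granted.add(name)
    # Naming heuristic: read-only Graph permissions carry a bare "Read" segment.
    writable = sorted(p for p in granted if "Read" not in p.split("."))
    undocumented = sorted(granted - documented)
    return {
        "undocumented": undocumented,
        "missing": sorted(documented - granted),
        "not_read_only": writable,
        "unresolved_ids": unresolved,
        "ok": not (undocumented or writable or unresolved),
    }

if __name__ == "__main__":
    for key, value in audit_grants(SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES).items():
        print(f"{key}: {value}")
```

Re-running the check after each consent prompt or vendor update shows whether the granted set has drifted from the documented one.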
