Veri-Vault
Professional
Veri-Vault captures automated snapshots of your Microsoft 365 configuration alongside every compliance scan, detects changes between snapshots, and provides drift alerting and full config restore capabilities. Professional gets basic snapshots and change detection; Enterprise adds restore, drift alerting, emergency access, and git integration.
How Veri-Vault Works
Step-by-step walkthrough from start to finish
Automatic Snapshots
Config snapshots are captured automatically alongside every compliance scan. Each snapshot records the full configuration state of your tenant across all supported policy types.
Browse & Compare
Browse snapshots by date, view individual policy configurations, and compare any two snapshots side-by-side to see exactly what changed — which settings were added, modified, or removed.
Drift Alerting (Enterprise)
Configure drift alerting to get notified when configuration changes are detected outside of expected change windows. Alerts are delivered via email or HMAC-signed webhooks.
Config Restore (Enterprise)
Restore your tenant configuration to any previous snapshot state. Restore operations use JIT write permissions and are logged in the full audit trail. Emergency access restore is available for critical scenarios.
Data Handling
What data is collected, processed, stored, and what is never accessed
Data collected during snapshots
- Microsoft 365 policy configurations across all supported policy types (read-only, via Graph API)
- Conditional Access policies, Intune profiles, compliance policies, and security baselines
- Policy assignment targets (user and group references)
- Named locations, authentication methods, and enrollment settings
How data is processed
- Configuration state is serialized and stored as a point-in-time snapshot
- Change detection compares snapshot pairs to identify added, modified, and removed settings
- Drift alerting evaluates changes against configured thresholds and windows
- Restore operations apply snapshot state via Graph API with JIT write permissions
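The processing steps above, together with the HMAC-signed webhook delivery described under Drift Alerting, as an added illustration (this is example code written for this page, not Veri-Vault's own implementation). The snapshot contents, policy ids, change window and webhook secret are constructed; the signature format is a hypothetical one, not necessarily the one Veri-Vault uses.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed sample snapshots: policy id -> serialized settings (not real tenant data).
SNAPSHOT_A = {
    "CA-001": {"state": "enabled", "grantControls": ["mfa"]},
    "CA-002": {"state": "enabled", "grantControls": ["mfa", "compliantDevice"]},
    "INT-010": {"passwordMinimumLength": 12},
}
SNAPSHOT_B = {
    "CA-001": {"state": "disabled", "grantControls": ["mfa"]},  # modified
    "INT-010": {"passwordMinimumLength": 12},                    # unchanged
    "INT-011": {"bitLockerEnabled": True},                      # added
}                                                               # CA-002 removed


def diff_snapshots(old, new):
    """Change detection: added / modified / removed policy ids between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "modified": modified, "removed": removed}


def is_drift(diff, changed_at_iso, window_start_iso, window_end_iso):
    """Drift = a non-empty change that lands outside the approved change window.
    Timestamps are ISO 8601 strings so the check needs no extra dependencies."""
    if not any(diff.values()):
        return False
    changed_at = datetime.fromisoformat(changed_at_iso)
    inside = datetime.fromisoformat(window_start_iso) <= changed_at <= datetime.fromisoformat(window_end_iso)
    return not inside


def sign_alert(secret, body):
    """Sender side: HMAC-SHA256 over the exact bytes of the webhook body (hypothetical scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_alert(secret, body, signature):
    """Receiver side: constant-time comparison, so a tampered body or forged signature is rejected."""
    return hmac.compare_digest(sign_alert(secret, body), signature)


def build_alert(diff, secret):
    """Serialize the diff deterministically so sender and receiver sign identical bytes."""
    body = json.dumps({"event": "config.drift", "diff": diff}, sort_keys=True).encode()
    return body, sign_alert(secret, body)
```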
What is stored after snapshots
- Full config snapshots in Azure Blob Storage (encrypted at rest)
- Change detection results and diff metadata in Azure Table Storage
- Restore audit trail entries with timestamps and before/after values
- Retention: 90 days (Professional), 3 years (Enterprise/MSP)
Data Veri-Vault never accesses
- ✗Email content, mailbox data, or calendar entries
- ✗File contents in SharePoint or OneDrive
- ✗User passwords, MFA secrets, or authentication tokens
- ✗Sign-in logs, audit logs, or individual user activity
- ✗Device hardware details or installed applications
Permissions
Every Graph API permission used, when it's requested, and why
Permission Model
Veri-Vault uses read-only app permissions for snapshot capture and change detection. Restore operations (Enterprise only) use Just-In-Time write permissions that are granted before the restore and auto-revoked after completion.
Read-only permissions (snapshot capture and change detection):
- Policy.Read.All: Read Conditional Access policies and named locations for snapshots
- DeviceManagementConfiguration.Read.All: Read Intune configuration profiles and security baselines for snapshots
- Directory.Read.All: Read directory objects for policy assignment context
Just-In-Time write permissions (restore, Enterprise only):
- Policy.ReadWrite.ConditionalAccess: Restore Conditional Access policies from snapshots
- DeviceManagementConfiguration.ReadWrite.All: Restore Intune configuration from snapshots
Safety Controls
- ✓Snapshots are read-only — no tenant modifications during capture
- ✓Restore operations require explicit JIT write permission consent
- ✓Full audit trail of every restore action with before/after values
- ✓Emergency access restore available for critical scenarios (Enterprise)
- ✓All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
