Alerts & notifications

Every actionable event in Manage365 — a standards drift, an Essential Eight score drop, a looming NDB deadline, a Defender incident — creates an alert. Alerts have a severity (low | medium | high | critical), a dedupe key, a resource reference, and an ack / resolve lifecycle.

Where alerts come from

  • Standards drift sweeper — hourly baseline vs live diff.
  • Compliance auto-scan — weekly Sunday scan; score drop triggers alert.
  • NDB deadline sweeper — T-24h and T-6h on the 72-hour notification clock; T-7d and T-3d on the 30-day assessment clock.
  • Defender / Entra risk — incidents and risky sign-ins pulled in every 15 minutes.
  • HIBP breach monitor — scheduled checks per tenant for pwned addresses.
  • M365 service health — outages on services your tenants use.
  • JIT admin timeouts — failed auto-revoke after a grant window.
  • Custom alert rules — user-defined conditions on any tracked data.

Dedupe

Every alert has a dedupeKey. Re-raising the same key just bumps the existing alert's count and last-seen time rather than creating a noise storm. Keys are stable across restarts so a re-run of the same sweeper produces at most one alert per event.

Channels

In Settings → Notifications → Channels:

  • Email via Resend (if RESEND_API_KEY is set; logs-only otherwise).
  • Microsoft Teams via incoming webhook.
  • Slack via incoming webhook.
  • Generic webhook — JSON POST for n8n, Power Automate, Rewst.
  • PSA ticket — auto-create a HaloPSA / ConnectWise / Autotask ticket (see integration docs).

Severity filters are set per channel. Failed deliveries are retried with exponential backoff and surfaced in the channel card.

Escalation rules

At Settings → Notifications → Escalation rules you can chain channels so an unacknowledged alert moves from L1 to L2 to L3 at configurable intervals. The sweep runs in-process every 60 seconds.

The weekly digest

An opt-in Monday-morning roll-up email (see the Weekly digest card on the Notifications page). It covers new alerts in the last 7 days, the top 10 open alerts with tenant context, open NDB incidents (and any overdue on the 30-day deadline), and audit event volume. It is white-labelled with your MSP brand and defaults to MSP Owner + MSP Admin emails if no explicit recipients are configured.

Ack, resolve, silence

On the Alerts page:

  • Ack — someone's looking at it. Stops escalation.
  • Resolve — the underlying issue is fixed; resolution notes go into the audit log.
  • Silence — suppress dedupe-keyed re-raises for a window. Used for known-noisy sources while you fix the root cause.
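
The Dedupe and Silence behaviour described above, sketched as an added example (not Manage365's own code). The names dedupe_key, AlertStore and raise_alert are hypothetical, and two behaviours are assumptions: a silenced re-raise is dropped without bumping the count, and a re-raise after Resolve opens a fresh alert.

```python
import hashlib
from dataclasses import dataclass

def dedupe_key(source, tenant_id, resource, condition):
    # Only identifying fields go in: no timestamps or random IDs, so a
    # restarted sweeper derives the same key. \x1f keeps field boundaries unambiguous.
    canonical = "\x1f".join([source, tenant_id, resource, condition])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:32]

@dataclass
class Alert:
    key: str
    severity: str
    first_seen: float
    last_seen: float
    count: int = 1
    state: str = "open"  # open | acked | resolved

class AlertStore:
    def __init__(self):
        self.alerts = {}          # dedupe key -> Alert
        self.silenced_until = {}  # dedupe key -> epoch seconds

    def silence(self, key, now, window_s):
        self.silenced_until[key] = now + window_s

    def raise_alert(self, key, severity, now):
        # Assumption: re-raises inside a silence window are dropped entirely.
        if now < self.silenced_until.get(key, 0.0):
            return "suppressed"
        existing = self.alerts.get(key)
        # Assumption: a resolved alert is not reopened; a new one is created.
        if existing is not None and existing.state != "resolved":
            existing.count += 1
            existing.last_seen = now
            return "bumped"
        self.alerts[key] = Alert(key, severity, now, now)
        return "created"

def demo():
    # Constructed sample: an hourly sweeper re-raising one drift event.
    store = AlertStore()
    key = dedupe_key("standards-drift", "tenant-a", "policy/mfa", "baseline-mismatch")
    results = [store.raise_alert(key, "high", now=t) for t in (0, 3600, 7200)]
    store.silence(key, now=7200, window_s=3600)
    results += [store.raise_alert(key, "high", now=t) for t in (9000, 11000)]
    return results, store.alerts[key].count

if __name__ == "__main__":
    print(demo())
```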