Manage365 Docs

Standards & drift

A “standard” in Manage365 is a named configuration (usually a small set of Graph API calls) that should hold true across a tenant. Apply it to set the configuration now. Monitor it to catch drift when someone changes it later.

Apply flow

  1. In Standards, pick a standard from the library or your own custom list.
  2. Select target tenants (single, group, or all tenants).
  3. Hit Apply. A job is queued; the UI streams progress via WebSocket.
  4. Target latency: under 60 seconds per tenant thanks to Graph batching. CIPP-style hour-scale applies are not a thing here.

The built-in library

Twenty-plus standards ship out of the box. Highlights:

  • Block legacy authentication — removes basic auth from every protocol.
  • Require MFA for admins — conditional access policy + fallback if one is missing.
  • Disable anonymous calendar sharing — OWA mailbox policy.
  • Enable mailbox audit logging — on new + existing mailboxes.
  • Configure DKIM — enables signing on all accepted domains.
  • Restrict guest user access — AAD policy: guests see only their own profile.
  • Ban outbound forwarding — anti-BEC transport rule.
  • Enable audit log retention (1 year) — unified audit for NDB evidence.

Drift detection

Apply records a baseline. The periodic drift sweep (hourly by default) re-reads the live config and compares it to that baseline. When a drift is detected Manage365 creates ahigh-severity alert with the diff and the remediation action the standard would re-apply.

Acknowledge the alert to accept the drift as expected, or hitRe-apply to put things back. Accepted drifts are tracked per-tenant so you don't get nagged again.

Custom standards

The standard definition is small TypeScript that runs against the Graph client. Professional tier limits you to 10 custom standards; Business and Enterprise are unlimited. The template marketplace (Business tier+) lets you share custom standards with other MSPs.

Scheduling

Every standard can be scheduled per-tenant. Common patterns:

  • Apply and monitor — apply now, re-apply on drift.
  • Report-only — audit without touching config.
  • Weekly enforce — re-apply every Sunday regardless of drift (catches config changes the drift-check might miss in the window).

Rollback

Standards record the previous state before modifying anything. Open the audit log entry, click Rollback, and Manage365 reverses the change. Not every Graph operation is trivially reversible — where rollback isn't safe the UI disables the button and points you at the manual Graph call.