Security drift: the slow leak in your security posture

Security drift is configuration drift that weakens your defenses: the MFA requirement that got an exclusion, the sharing control loosened for one meeting, the admin role that stayed permanent. No alert fires, because every change was made on purpose by someone with the rights to make it. The posture you audited is simply no longer the posture you have.

See where your tenant has drifted, free

Security drift vs configuration drift

All security drift is configuration drift, but not all configuration drift is a security problem. A renamed group is drift; nobody cares. An admin excluded from Conditional Access is security drift: the change directly weakens a control. The distinction matters because the volume of harmless change in a busy tenant is enormous, and the discipline is separating the changes that weaken security from the noise. That triage is the heart of configuration drift management.

The most common security drift we see across tenants:

  • A Conditional Access exclusion added under pressure and never restored, so MFA quietly stops covering the excluded group.
  • A privileged role granted permanently during an outage because PIM activation felt slow.
  • SharePoint external sharing flipped to "Anyone" for one file, tenant-wide, forever.
  • A service principal secret that has not rotated in years while the app registration accumulated permissions.
  • A baseline control switched off during a migration, with the ticket to re-enable it closed as done.

Why security drift beats point-in-time reviews

A security review is a photograph. Drift is a film that keeps running after the camera stops. A tenant that passed its assessment in January is not that tenant by March: admins changed things, projects created exceptions, Microsoft moved defaults. This is why security drift is called the silent killer: each individual change was reasonable, no alarm ever fired, and the accumulated gap only becomes visible when someone goes looking, or when someone breaks in.

The counter is baseline drift monitoring: define the secure baseline once, mapped to a standard such as CISA SCuBA or the Microsoft cloud security benchmark, then compare the live tenant against it continuously. The sensing half of that loop is drift detection; the full practice, including ranking and remediation, is drift management. At fleet scale, Senserva Drift Manager runs it continuously across every tenant you manage.

Frequently asked questions

What is security drift?

Security drift is the gradual weakening of your security posture through configuration changes: exclusions, loosened controls, standing privileges, and disabled policies that accumulate after your last review. Each change is deliberate and authorized, which is why no alert fires and why it goes unnoticed until enumerated.

How is security drift different from a misconfiguration?

A misconfiguration is a wrong setting at a point in time. Security drift is the process that produces misconfigurations continuously: a correct configuration decaying into a wrong one through everyday changes. Fixing today's Microsoft 365 misconfigurations without monitoring drift means the same list grows back.

How do I monitor for security drift in Microsoft 365?

Set a baseline mapped to a recognized standard, compare the live tenant against it continuously rather than quarterly, rank the diverging changes by security impact, and route each one to a fix. Senserva runs this loop with nearly 700 checks across Microsoft 365, Entra ID, Intune, and Defender.

Does tenant configuration drift affect compliance?

Directly: drift is how a tenant that passed an audit falls out of compliance before the next one. Continuous monitoring keeps you on baseline between assessments and produces the evidence that you stayed there.

Sponsored by Senserva

Siemserva by Senserva reports patch status for your own devices: which ones are missing the updates on this page, ranked by what attackers actually exploit.

Please link to this page to stay current.

  • Patch status in one scan: which devices are affected, which are not
  • Missing updates ranked by CISA KEV and EPSS, so you fix the right things first
  • Data from Intune, Microsoft Defender, Windows Autopatch, and Azure Update Manager, with more sources on the way
  • Third-party app patching too: updates published to Intune by PatchMyPC, Scappman, Robopack, or any vendor, read vendor-neutrally
  • Optional AI Enhanced Reporting: plain-language summaries and recommended next steps written into your reports
  • Then go further: 650+ security checks find the drift management gaps across Microsoft 365, Intune, Defender, and Entra ID, with compliance evidence and Senserva Trustworthy AI remediation
Senserva patching for Microsoft 365
Two minutes, click to play

Patching in action in two minutes. Watch page · All videos.

3 actively exploited CVEs are unmitigated on devices in this tenant, per CISA KEV.View fix-first list ↓
312
Devices scanned
Intune + Autopatch + Defender
3
Exploited updates missing
CISA KEV, unmitigated
905
Microsoft updates tracked
Refreshed daily, MSRC + NVD
650+
Security checks in scan
Patch, config, identity, logs

Triage order for this list

Same order in the dashboard, the report, and every AI answer
1st · overrides everything
Actively exploited (KEV)
e.g. KB5040219, CVE-2026-31210
2nd · tiebreaker
Severity (Critical → Low)
MSRC + EPSS probability
3rd · tiebreaker
Days waiting
Oldest unresolved first

Ranked missing updates, fix-first order

27 findings · showing top 2
#UpdateCVESeveritySourceDevicesWaiting
1KB5040219
Windows 11 23H2 cumulative
CVE-2026-31210
KEV EPSS 0.94
CriticalDefender4119 daysAdd to fix-first
2KB5040088
.NET Framework security update
CVE-2026-29981
KEV
CriticalIntune1712 daysAdd to fix-first
Estimated dashboard, sample data for illustration

Ask Senserva

via Claude + MCP
Which devices are still missing the fix for CVE-2026-31210?
41 devices are missing KB5040219, which resolves CVE-2026-31210. This CVE is on CISA KEV, so CISA BOD 22-01 calls for remediation within 14 days. You are at 19 days and counting.
source: scan_db · defender_posture · kev_join, not model memory
Senserva is a Microsoft Intelligent Security Association member. Get Going with Senserva Senserva patching Built for IT admins and security teams, with audit-ready data for compliance.