⚠️ SECURITY WARNING
This repository contains deployment templates with placeholder values. NEVER commit real secrets, API keys, or credentials to source control.
Use Azure Key Vault for production deployments. See DEPLOYMENT.md for secure deployment instructions.
Automated Azure Logic App for monitoring Microsoft Entra ID configuration drift using UTCM (Unified Tenant Configuration Management) APIs with AI-powered analysis.
Architecture diagram showing the Logic App workflow with parallel API queries, multi-agent AI analysis, and automated email reporting
Alert email sent when configuration drifts are detected with detailed AI analysis and remediation recommendations
- Parallel API Queries: Simultaneously fetches snapshots, monitors, and drifts
- AI-Powered Analysis: Uses GPT-4 and GPT-4o-mini for intelligent insights
- Multi-Agent Architecture: Specialized agents for different data types
- Executive Synthesis: Combines all analyses into actionable reports
- Professional Email Reports: HTML-formatted emails with conditional alerting
- Zero-Drift Success Messages: Celebrates compliance when no issues detected
Unified Tenant Configuration Management (UTCM) is Microsoft's API framework for monitoring and managing configuration baselines across Microsoft Entra ID (formerly Azure AD). UTCM enables organizations to:
- Create Configuration Snapshots: Capture baseline configurations of policies, conditional access, and security settings
- Monitor Continuously: Automatically detect when actual configurations drift from approved baselines
- Track Changes: Identify what changed, when it changed, and assess compliance impact
- Maintain Compliance: Ensure configurations align with organizational security policies
⏱️ Important: UTCM monitors run at a fixed 6-hour interval (not configurable). The Logic App can run daily or every 6 hours depending on your reporting needs.
This solution leverages three Microsoft Graph Beta endpoints:
- `/admin/configurationManagement/configurationSnapshotJobs` - Baseline snapshots
- `/admin/configurationManagement/configurationMonitors` - Active monitoring rules
- `/admin/configurationManagement/configurationDrifts` - Detected configuration changes
- Security Teams: Proactive alerts when security configurations drift from approved baselines
- Compliance Officers: Automated evidence of configuration compliance for audits
- IT Administrators: Reduce manual monitoring with AI-powered drift analysis
- Managed Service Providers (MSPs): Monitor multiple client tenants with consolidated reporting
- DevOps Teams: Integrate configuration monitoring into CI/CD pipelines
Get up and running in 15 minutes:
- Create Azure Resources: Resource Group, Key Vault, Logic App (Consumption)
- Register App: Create Entra ID App Registration with UTCM permissions (see below)
- Store Secret: Save client secret in Key Vault
- Deploy: Run the `deployment/deploy-secure.ps1` PowerShell script
- Authorize: Approve Office 365 connection in Azure Portal
- Test: Trigger Logic App manually to verify email delivery
💡 Recommended: Use the automated deployment script for secure Key Vault integration. See DEPLOYMENT.md for detailed instructions.
Trigger (Daily/6hr) → Query UTCM APIs (Parallel) → AI Analysis (Multi-Agent) → Synthesize → Email Report
| Agent | Model | Purpose | Output |
|---|---|---|---|
| Snapshot Agent | GPT-4o-mini | Analyzes baseline snapshots | Coverage assessment, reliability concerns |
| Monitor Agent | GPT-4o-mini | Analyzes active monitors | Strategic insights, coverage scoring |
| Drift Agent | GPT-4o-mini | Analyzes configuration drifts | Severity classification, remediation plans |
| Analysis Agent | GPT-4o | Executive synthesis | Compact table-based executive summary |
- Initialize Variables: Creates arrays for snapshots, monitors, and drifts
- Query UTCM APIs: Fetches data from Microsoft Graph (parallel execution)
- AI Analysis: Three specialized agents analyze each data type simultaneously
- Executive Synthesis: GPT-4o combines findings into scannable report
- Conditional Alerting: Sends alert (drifts detected) or success (compliant) email
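As an added example that is not the project's `workflow.json`, the Python sketch below mirrors the pipeline described above and the three beta endpoints listed earlier: a client-credentials token, parallel queries of the three UTCM collections (following `@odata.nextLink` so paging cannot hide drifts), and the alert/success routing used for the emails. The snapshot `status == "partial"` check is an assumed field name, not the documented UTCM schema.

```python
import json
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor

GRAPH_BETA = "https://graph.microsoft.com/beta"
UTCM_PATHS = {  # the three beta endpoints this README lists
    "snapshots": "/admin/configurationManagement/configurationSnapshotJobs",
    "monitors": "/admin/configurationManagement/configurationMonitors",
    "drifts": "/admin/configurationManagement/configurationDrifts",
}

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for Graph (secret should come from Key Vault, never source)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def graph_get(token, path):
    """GET one collection, following @odata.nextLink so paging cannot hide drifts."""
    items, url = [], GRAPH_BETA + path
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def query_utcm(token):
    """Fetch snapshots, monitors and drifts in parallel, like the Logic App branch."""
    with ThreadPoolExecutor(max_workers=3) as pool:
        futures = {k: pool.submit(graph_get, token, p) for k, p in UTCM_PATHS.items()}
    return {k: f.result() for k, f in futures.items()}

def build_report(data):
    """Conditional alerting: subject and priority follow the README's two email types.
    'status' == 'partial' on a snapshot job is an ASSUMED field name, not the documented schema."""
    drifts = len(data.get("drifts", []))
    partial = [s for s in data.get("snapshots", []) if str(s.get("status", "")).lower() == "partial"]
    if drifts:
        subject, priority = f"🚨 URGENT: Configuration Drifts Detected - {drifts} Issue(s)", "High"
    else:
        subject, priority = "✅ Configuration Status: All Systems Compliant", "Normal"
    return {"subject": subject, "priority": priority, "driftCount": drifts,
            "partialSnapshotWarning": bool(partial)}  # may mean missing API permissions
```

`build_report` accepts any dict shaped like the three Graph collections, so the routing logic can be exercised offline with constructed data before the token and network calls are wired in.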
- Azure subscription with permissions to create resources
- Azure Logic Apps (Consumption tier - includes built-in AI Agent actions with Azure OpenAI)
- ℹ️ No separate Azure OpenAI deployment needed - Logic Apps Agent actions are built-in
- Microsoft 365 / Office 365 connection for email delivery
- Azure Key Vault for secure secret storage (recommended)
- Entra ID App Registration with Microsoft Graph API permissions:
  - `ConfigurationSnapshot.Read.All` - Read configuration snapshot jobs
  - `ConfigurationMonitor.Read.All` - Read active monitoring configurations
  - `ConfigurationDrift.Read.All` - Read detected configuration drifts
  - `Directory.Read.All` (optional) - Additional directory context
  - `Policy.Read.All` (optional) - Policy configuration details
- Create a new Logic App
- Import `logic-app/workflow.json`
- Configure parameters:
  - `tenantId`: Your Azure AD tenant ID
  - `clientId`: App registration client ID
  - `clientSecret`: Client secret (storing it in Key Vault is recommended)
  - `emailRecipient`: Email address for reports
- Configure Office 365 connection
- Enable and test
Never commit `azuredeploy.parameters.json` with real secrets. Use Key Vault references or command-line parameters.
```bash
# Copy the example parameters file
cp deployment/azuredeploy.parameters.example.json deployment/azuredeploy.parameters.json
# Edit with your values (keep this file local, never commit it)
# Then deploy:
az deployment group create \
  --resource-group <your-rg> \
  --template-file deployment/azuredeploy-simple.json \
  --parameters deployment/azuredeploy.parameters.json
```

| Parameter | Type | Description | Example |
|---|---|---|---|
| tenantId | string | Azure AD Tenant ID | 8c821cde-... |
| clientId | string | Application (client) ID | 61f2fe1c-... |
| clientSecret | securestring | Client secret from Key Vault | (stored securely) |
| emailRecipient | string | Report recipient email | admin@example.com |
| office365ConnectionId | string | Office 365 connection resource ID | /subscriptions/.../connections/office365 |
- gpt-4o: Executive synthesis agent - creates compact executive summaries
- gpt-4o-mini: Three specialized agents - snapshot, monitor, and drift analysis
ℹ️ These AI models are built into Logic Apps Agent actions - no separate Azure OpenAI deployment or configuration required.
- Subject: 🚨 URGENT: Configuration Drifts Detected - X Issue(s)
- Priority: High
- Content: Detailed analysis with remediation recommendations
- Subject: ✅ Configuration Status: All Systems Compliant
- Priority: Normal
- Content: Compliance confirmation with baseline status
- Never commit secrets: Use parameters and Key Vault
- Use Managed Identity: Recommended over client secrets for production
- Rotate credentials: Regularly rotate client secrets (use Key Vault references for easy rotation)
- Least privilege: Grant minimum required permissions
- Audit logs: Monitor Logic App execution history
- Secure deployment: Use the provided deployment scripts that store secrets in Key Vault
`.gitignore` configured: `azuredeploy.parameters.json` is excluded from version control
MIT License - see LICENSE file
Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
- DEPLOYMENT.md - Detailed deployment instructions and troubleshooting
- LICENSE - MIT License terms
- Beta APIs: UTCM APIs are in beta and subject to change without notice
- 6-Hour Monitor Interval: UTCM monitors run every 6 hours (not configurable by users)
- Partial Snapshots: Partial snapshot success may indicate insufficient API permissions
- Office 365 Authorization: Requires manual authorization in Azure Portal after deployment
- Region Availability: UTCM APIs may have regional availability limitations
For issues or questions:
- Open a GitHub issue
- Microsoft Graph UTCM APIs
- Azure OpenAI Service
- Azure Logic Apps