Microsoft 365 now powers the core of modern business, but without strong configuration management, its complexity makes a single misstep a potential disaster that can expose data, disrupt operations, or derail compliance.
This article covers:
Microsoft 365 configuration management is critical for maintaining cyber resilience, compliance, and business continuity. With thousands of interconnected configurations governing identity, access, security, and compliance, even a single misconfiguration can cause major downtime or data exposure. Yet most organizations still rely on manual or ad-hoc processes that leave them vulnerable. A mature configuration management approach that includes backup, monitoring, drift detection, and auditability is essential. Whether through automation, configuration-as-code, or purpose-built tools like CoreView, organizations should view configuration management as a core part of their Microsoft 365 security, governance, and resilience strategy—not an afterthought.
Microsoft 365 cyber resilience, security, and governance depend on tenant configuration management. Microsoft 365 is not just a few productivity apps – it is now the digital backbone of most modern businesses.
Large organizations often have more than 250,000 unique tenant configurations – covering everything from policies and settings to roles and conditional access rules, which together form the complex blueprint of how everything works in an organization. Configurations are the only thing standing between your business-as-usual operations and complete chaos.
A single misconfiguration could lock your whole business out of your tenant, expose you to a devastating cyberattack, or even lead to catastrophic downtime across a global supply chain, as happened with the 2024 CrowdStrike bug. Misconfiguration is among the top causes of cloud breaches, with up to 99% of cloud incidents being rooted in configuration errors.
Given how significant tenant configurations are and how carefully they need to be managed, it is surprising that Microsoft 365 configuration management does not get more attention. Microsoft 365 configuration remains a time-consuming, error-prone, manual process. Microsoft can’t help you if you lose your tenant configurations, and most businesses are woefully unaware of this – and equally unprepared when a catastrophic event does hit. Organizations without configuration backups and robust configuration management face the burden of trying to piece together their tenants manually. You definitely do not want this to happen to you.
A mature configuration management approach is not optional – it is foundational to a solid cyber resilience, security, risk, and compliance posture in Microsoft 365. But as tantalizing as the idea of “mature configuration management” sounds, there is a gap between that ideal maturity state and how your business can actually get there.
Let’s talk about how to introduce configuration management to your M365 environment and what that means in practice. A mature M365 configuration management posture is within reach. It just takes a step-by-step approach to achieve, starting with a few big-picture considerations:
It is not unusual for Microsoft users to accidentally misconfigure their tenant. Some misconfigurations are loud and obvious (for example, a misconfigured conditional access policy locking all users out of the tenant). Others, though, are quiet and remain under the radar until they are exposed (for example, a misconfigured Defender policy creating security gaps).
Misconfigurations happen, whether via error, privilege misuse, use of stolen credentials, or social engineering. Verizon’s annual Data Breach Investigations Report cites human error as the root of at least 74% of data breaches – one big reason why you don’t want to be left to reconfigure anything manually. And a widely cited statistic places 99% of the blame for cloud security incidents on misconfigurations. Meanwhile, Microsoft and independent analyses show a 79% increase in configuration tampering in 2023.
No matter the misconfiguration type or why it happened, no one wants to find misconfigurations the hard way – that is, only after they are deployed into their production tenant. And this is where configuration management – and configuration change management – comes into play.
In fact, even Microsoft recommends that: “...alterations to the intended configuration of a Microsoft Entra tenant are subject to robust change management processes.” Think about the fact that more than half of organizations report having 250+ Entra apps with read-write permissions and almost zero oversight. This represents a massive attack surface you probably were not even aware of. And this is just ONE aspect of Microsoft 365 you need to consider when thinking about misconfigurations.
To enable a more thorough change management process, organizations must create dev and test tenants to test configuration changes before they are deployed in production.
However, creating distinct Entra tenants with consistent configurations is practically impossible with Microsoft’s native tooling, which is where a third-party solution (like CoreView) can make this possible.
Another key component of configuration management is the ability to back up and restore tenant configurations.
For decades, businesses have been faithfully backing up their data to ensure rapid recovery in the event of a disaster. But organizations with Microsoft 365 at their core are finally waking up to the fact that 1. data backup is not sufficient when tenant configurations are not backed up as well, and 2. Microsoft does not back up your configurations – that’s 100% on you.
In the event your tenant is encrypted or its configurations are completely altered or deleted, you will need to be able to rebuild your tenant quickly. Yet, without tenant configuration backups, a business faces weeks of trying to reassemble its configurations from scratch.
CoreView’s Chief Revenue Officer Mark Cravotta likens it to losing your personal computer and the way you’ve set it up to be exactly the way you want it: “It would be very difficult to replicate a backup manually. There is always going to be missing information or configurations that you’ve spent years building.”
Organizations facing this challenge have to go through the mind-numbing task of reconfiguring their tenant piece by piece. With 5,000+ configuration types and over one million unique configurations in the largest tenants, an organization that relies on Microsoft 365 for its day-to-day business operations may not survive the time it takes to rebuild its tenant.
Configuration drift consists of unexpected changes to your security baseline in Microsoft 365. And, almost invisibly, configuration drift is going to happen – no matter what you do. Businesses often raise the question, “But how many configurations could really have changed?” The answer is: It doesn’t matter. You don’t want to wait for an unrecoverable incident to find out. You would have to do a full manual audit to have confidence as to whether just 1% or a massive 60% of your configurations had changed. Would you want to take that risk, knowing the statistics on misconfigurations and configuration tampering?
Add to this gamble how a lack of visibility into your configuration management clashes with the requirement to comply with major regulatory mandates like NIST, CMMC, CIS, and HIPAA, all of which now require that companies monitor configurations for unauthorized changes.
CoreView’s CRO added, “It’s very important that a company can demonstrate it has a plan for business continuity — that it tests that plan at least annually and remains in compliance. This includes backing up not only critical data but also Microsoft tenant configurations, which are essential components of critical infrastructure requirements. Many companies are unaware that their Microsoft tenant isn’t automatically backed up by Microsoft or their data backup provider. It’s only a matter of time before compliance auditors begin requiring proof of tenant backups from all organizations to meet key business continuity standards.”
Given the sensitivity of configurations in Entra, Defender, and Intune, it’s no surprise that large organizations often try to manually monitor configurations for changes, despite the mind-numbing nature of the work.
The challenge for Microsoft 365 customers is that no matter how absurdly intensive the process is, misconfigurations are among the leading contributors to cyber attacks, forcing them to take action.
Finally, for similar reasons, keeping an audit trail of configuration changes is necessary for both audits and incident response.
Given the incredible power of conditional access, privilege management, and Defender configurations, it is inconceivable that admins should be allowed to alter these without these changes being audited and saved for future reference.
However, Microsoft’s native capabilities simply do not make this practical.
Before diving into the details of implementing configuration management, let’s look at what each approach involves and the trade-offs of each.
We covered how and why manual config management is not scalable earlier on, but why isn’t PowerShell – the next best thing – adequate? It is a step up from manual but has limitations:
Therefore, many organizations go beyond pure scripting to adopt a declarative, state-based model (configuration as code) in which you declare your ideal configuration and let the system maintain it.
This parallels DevOps philosophies (CI/CD, “infrastructure as code”) applied to configuration management. In fact, a systematic review of continuous deployment practices highlights the importance of automated enforcement, transparency, and testability in reducing drift and errors.
Selecting your configuration management strategy should be based on your organizational scale, maturity, risk appetite, and resources.
If you operate in high-risk sectors (finance, energy, critical infrastructure) or under regulatory mandates (e.g., GDPR, HIPAA, NIS, FedRAMP), you should adopt the strongest possible controls, including auditability, drift detection, and the ability to roll back.
Every tool or process you adopt has ongoing maintenance, staff training, and integration costs. The return is in risk reduction (fewer incidents), faster remediation, audit readiness, and operational efficiency.
Designing and operating configuration management for Microsoft 365 can be done, as discussed, in a number of ways. But the most practical approach eliminates manual toil and its associated errors.
Let’s take a look at a realistic roadmap to designing and running an effective M365 configuration management program, cutting across identity, security, compliance, applications, and governance.
Begin with alignment between business goals and IT governance. In our experience at CoreView, we have encountered many businesses that want to skip the reflect, document, and plan stage – but this is essential to achieving both success and maturity in managing configuration.
Before you fine-tune everything, lock down the core. This often includes:
Depending on how you are building your configuration management approach, you can build your own solution and define a source of truth for how you want the system configured (e.g., YAML, JSON, Terraform, declarative DSL). Then:
In modern DevOps practice, the principle of shift-left (detect earlier) translates here: find drift early before end users or data are impacted.
Ultimately, this is the “configuration as code” approach – the practice of describing, provisioning, and managing settings with code. It’s a declarative model, allowing you to “declare” the desired state for your environment.
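The declarative model described above, as an added example (not CoreView's or Microsoft's code): a desired-state document is compared field by field with a snapshot of the live tenant, and every difference is reported as drift. The setting names, both JSON documents and the high-risk prefixes are constructed for illustration and do not follow a real Microsoft 365 export format.

```python
import json

# Desired state (the "source of truth" kept in version control). Setting names
# and values are constructed for illustration, not a real M365 export schema.
DESIRED = json.loads("""{
  "conditional_access/require-mfa-all-users": {"state": "enabled", "grant": ["mfa"]},
  "sharing/external": {"enabled": false, "allowed_domains": []},
  "defender/safe-links": {"enabled": true}
}""")

# Constructed snapshot of the live tenant, as a scheduled export job might write it.
ACTUAL = json.loads("""{
  "conditional_access/require-mfa-all-users": {"state": "disabled", "grant": ["mfa"]},
  "sharing/external": {"enabled": true, "allowed_domains": ["example.com"]},
  "intune/unmanaged-test-policy": {"enabled": true}
}""")

# Hypothetical prefixes for settings whose drift should alert immediately.
HIGH_RISK_PREFIXES = ("conditional_access/", "sharing/")

def flatten(obj, prefix=""):
    """Turn nested settings into {'a.b': value} so drift is reported per field."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return out

def detect_drift(desired, actual):
    """Return findings ordered by setting name: (risk, setting, field, want, have)."""
    findings = []
    for name in sorted(set(desired) | set(actual)):
        risk = "high" if name.startswith(HIGH_RISK_PREFIXES) else "normal"
        if name not in actual:
            findings.append((risk, name, "missing", None, None))
        elif name not in desired:
            findings.append((risk, name, "unmanaged", None, None))
        else:
            want, have = flatten(desired[name]), flatten(actual[name])
            for field in sorted(set(want) | set(have)):
                if want.get(field) != have.get(field):
                    findings.append((risk, name, field, want.get(field), have.get(field)))
    return findings

if __name__ == "__main__":
    for risk, name, field, want, have in detect_drift(DESIRED, ACTUAL):
        print(f"[{risk}] {name} {field}: expected={want!r} actual={have!r}")
```

Settings that exist in the tenant but not in the desired state are reported as "unmanaged" rather than ignored, since a change made outside the declared baseline is itself drift.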
But building this yourself is an involved and expensive enterprise that requires development time, developer toil, and ongoing maintenance. The build-buy calculations would lead most organizations to realize that as critical as configuration management is, it’s not their core focus.
That’s where solutions like CoreView Configuration Manager for Microsoft 365 come in. CoreView lets you template your ideal configurations, detect drift automatically, and enable configuration backup and restore across M365 applications.
Any configuration change should follow a pipeline:
This approach allows safer experimentation. CoreView emphasizes the need for separate dev/test environments for configuration change management, noting that Microsoft’s native tooling makes it practically impossible to clone tenant configurations reliably.
Tenant configuration backups make sense not only as a disaster recovery measure but also as proof of compliance and as a key component of a mature configuration management and cyber resilience strategy.
Your configuration data should feed into:
Enable live or near-real-time alerts for high-risk configuration changes (e.g., enabling external access, disabling MFA). Maintain dashboards of:
Configuration-only backup is often overlooked. Ensure you can:
Despite the evidence, organizations sometimes still don’t see the potential blast radius of badly managed configurations.
Here are some key M365 domains and how configuration management can potentially be the last line of defense:
Effective Microsoft 365 configuration management isn’t just a technical best practice — it’s a core business imperative for resilience, security, and compliance. As M365 continues to evolve, treating configuration management as a strategic discipline will separate those who can recover and adapt quickly from those left exposed.