Continuous, Intelligent Configuration Snapshots
Lavawall® doesn’t just record that a Conditional Access policy was modified. It snapshots the actual policy state every time it changes, computes a JSON-Patch diff against the previous version, rates the change for severity, and correlates it with the M365 audit log to show you who made the change and where they made it from.
In the M365 dashboard, the Configuration Changes section shows recent changes ordered by severity and time.
Note: if this section is missing, the company doesn’t have the M365 Configuration Change Monitoring feature enabled. Toggle it from the billing page if your subscription includes it.
The top part of the view shows a count of changes by severity over the last 24 hours, 7 days, and 30 days. Critical changes (Conditional Access policies disabled, Global Administrator roles assigned, app registrations granted high-privilege Graph scopes) get pushed to the top.
If you click any change, you’ll see the JSON-Patch diff against the previous version, the M365 audit-log row that triggered the change, the UPN of who made it, and the IP and country it was made from.
You’ll never have to dig through Microsoft’s 30-day audit log retention to figure out who disabled the MFA enforcement policy at 2am. And you’ll never lose the previous-state value because Microsoft’s audit log doesn’t record it.
Best of all, you’ll get notifications for high-severity changes (CA policy disabled, Global Admin role assigned) so you can investigate before the change becomes the lead-in to a breach.
Configuration Object Coverage
Lavawall® snapshots ~25 object types across Microsoft 365, Entra ID, Intune, and Azure subscriptions.
Note: this is not an exhaustive list. We continuously add new object types based on changes we see in the wild and customer requests.
The full coverage by category:
Entra ID identity:
- Conditional Access policies
- Named locations & authentication strengths
- Authentication methods policy
- Directory role assignments & PIM eligible / active assignments
- Group memberships (security & mail-enabled)
- Custom security attributes
- Domain configuration & verified-domain state
Application objects:
- App registrations
- Service principals
- OAuth permission grants (delegated & admin-consented)
- Application role assignments
Microsoft 365 tenant:
- Organisation-wide settings
- Domain configuration
- Shared mailbox configurations
Intune device management:
- Device-configuration profiles
- Compliance policies
- App protection policies
- Autopilot deployment profiles
Azure subscriptions:
- RBAC role assignments
- Network Security Group rules
- Key Vault access policies
- Managed identities
- Subscription-level policy assignments
- Resource group RBAC
Most M365 / Entra config-backup tools cover identity only. Lavawall® covers identity plus Intune plus Azure subscription scope — the rest of the cloud surface area where misconfiguration causes incidents.
Severity-Rated Change Feed
Not every configuration change is critical. A renamed named location is informational; a disabled Conditional Access policy that required MFA on admin sign-ins is critical. Lavawall® rates every detected change at detection time so the change feed surfaces the urgent stuff first.
The five severity levels:
- Critical: CA policy disabled or deleted, Global Administrator role assigned, app registration granted high-privilege Graph scopes (Mail.ReadWrite.All, Files.ReadWrite.All, Directory.ReadWrite.All), NSG rule opening RDP/SSH to the internet, Key Vault access policy granting service principal full secret access.
- High: Privileged role assignment, named-location modification, authentication methods policy modification, app registration redirect URI added, Intune compliance baseline loosened.
- Medium: Group membership change in security-sensitive groups, Intune device-config profile modification, RBAC role assignment to subscription Reader / Contributor.
- Low: Standard group membership change, named-location renamed, app registration display name changed, Intune profile assignment scope modification.
- Informational: Object created or modified with no security-impacting fields changed.
You can filter the change feed by severity, object type, user (UPN), tenant, and time range. High-severity changes also drive the notification rules that push to email and the Lavawall® dashboard bell icon.
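The snapshot-diff-rate pipeline described above, sketched as an added example (not Lavawall® code). It computes an RFC 6902 JSON-Patch between two snapshots and applies a small subset of the severity rules listed here; the function names, the "unrated" fallback, and the sample snapshots are assumptions, and the property names follow the Microsoft Graph conditionalAccessPolicy and ipNamedLocation resources.

```python
def json_patch(old, new, path=""):
    """Minimal RFC 6902 operations that turn snapshot `old` into `new`."""
    if isinstance(old, dict) and isinstance(new, dict):
        ops = []
        for key in sorted(old.keys() | new.keys()):
            # RFC 6901 escaping for keys used in a JSON Pointer
            ptr = path + "/" + key.replace("~", "~0").replace("/", "~1")
            if key not in new:
                ops.append({"op": "remove", "path": ptr})
            elif key not in old:
                ops.append({"op": "add", "path": ptr, "value": new[key]})
            else:
                ops.extend(json_patch(old[key], new[key], ptr))
        return ops
    # Lists and scalars are replaced whole, which keeps the diff readable.
    return [] if old == new else [{"op": "replace", "path": path, "value": new}]

def rate_change(object_type, ops):
    """Rate a patch using a subset of the levels above; None means no change."""
    if not ops:
        return None
    paths = {op["path"] for op in ops}
    if object_type == "conditionalAccessPolicy" and any(
            op["path"] == "/state" and op.get("value") == "disabled" for op in ops):
        return "critical"   # CA policy disabled
    if object_type == "namedLocation":
        # renamed only -> low; any other field modified -> high
        return "low" if paths == {"/displayName"} else "high"
    return "unrated"        # rule not covered by this subset

# Constructed snapshots; property names follow the Microsoft Graph resources.
CA_BEFORE = {"displayName": "Require MFA for admins", "state": "enabled",
             "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
CA_AFTER = {**CA_BEFORE, "state": "disabled"}
LOC_BEFORE = {"displayName": "HQ", "isTrusted": True,
              "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]}
LOC_RENAMED = {**LOC_BEFORE, "displayName": "Head office"}
LOC_MODIFIED = {**LOC_BEFORE, "ipRanges": [{"cidrAddress": "203.0.113.0/24"},
                                           {"cidrAddress": "198.51.100.0/24"}]}

if __name__ == "__main__":
    for kind, old, new in [("conditionalAccessPolicy", CA_BEFORE, CA_AFTER),
                           ("namedLocation", LOC_BEFORE, LOC_RENAMED),
                           ("namedLocation", LOC_BEFORE, LOC_MODIFIED)]:
        ops = json_patch(old, new)
        print(rate_change(kind, ops), ops)
```

A JSON-Patch `replace` carries only the new value, so the previous state has to come from the stored snapshot itself.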
Audit-Log Correlation
Every change row in the feed shows the M365 audit-log evidence: the UPN of who made the change, the IP they made it from, the country that IP belongs to, the M365 audit event ID, and the exact timestamp Microsoft recorded.
The correlation works by matching detected configuration changes against the CON_M365_Audit_Events table within a ±30 minute window of the snapshot detection time. When the snapshot engine detects a change in a CA policy, it looks for audit events targeting the same object ID, picks the closest in time, and links them.
This is the difference between “a CA policy was modified” (useful, if you can find it) and “the policy that required MFA on admin sign-ins was disabled by junior@client.com from 198.51.100.7 in Russia at 2:14am” (actionable).
If a change happens that doesn’t have a matching audit event — for example, a programmatic change made by a service principal — the row still shows the change with severity, but flags that the actor couldn’t be identified from audit logs.
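The matching rule described above (same object ID, ±30 minutes, closest in time, unidentified actor when nothing matches), written out as an added example that is not Lavawall® code. The column names, object IDs, and timestamps are constructed assumptions, not the real CON_M365_Audit_Events schema.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)  # the ±30 minute window described above

def candidates(change, audit_events, window=WINDOW):
    """Audit events on the same object ID inside the window, nearest first."""
    def gap(ev):
        return abs(ev["timestamp"] - change["detected_at"])
    hits = [ev for ev in audit_events
            if ev["target_object_id"] == change["object_id"] and gap(ev) <= window]
    return sorted(hits, key=gap)

def correlate(change, audit_events):
    """Attach actor evidence from the closest audit event, or flag it missing."""
    hits = candidates(change, audit_events)
    if not hits:
        # e.g. a programmatic change with no matching audit row
        return {**change, "actor_identified": False}
    best = hits[0]
    return {**change, "actor_identified": True, "upn": best["upn"],
            "ip": best["ip"], "country": best["country"],
            "audit_event_id": best["event_id"],
            "other_candidates": len(hits) - 1}  # >0 means the link is ambiguous

def _t(hh, mm):  # constructed timestamps, all on one constructed date (UTC)
    return datetime(2024, 1, 10, hh, mm, tzinfo=timezone.utc)

# Constructed rows; column names are assumptions, not the real table schema.
AUDIT_EVENTS = [
    {"event_id": "evt-1", "target_object_id": "ca-policy-1", "timestamp": _t(1, 55),
     "upn": "admin@client.com", "ip": "203.0.113.9", "country": "Canada"},
    {"event_id": "evt-2", "target_object_id": "ca-policy-1", "timestamp": _t(2, 14),
     "upn": "junior@client.com", "ip": "198.51.100.7", "country": "Russia"},
    {"event_id": "evt-3", "target_object_id": "named-loc-7", "timestamp": _t(2, 19),
     "upn": "admin@client.com", "ip": "203.0.113.9", "country": "Canada"},
    {"event_id": "evt-4", "target_object_id": "ca-policy-1", "timestamp": _t(3, 10),
     "upn": "admin@client.com", "ip": "203.0.113.9", "country": "Canada"},
]
CA_CHANGE = {"object_id": "ca-policy-1", "detected_at": _t(2, 20)}
SP_CHANGE = {"object_id": "app-reg-3", "detected_at": _t(2, 20)}

if __name__ == "__main__":
    print(correlate(CA_CHANGE, AUDIT_EVENTS))
    print(correlate(SP_CHANGE, AUDIT_EVENTS))
```

When several edits hit the same object inside one window, closest-in-time links only one of them, which is why this sketch also reports how many other candidates existed.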
Plan → Approve → Execute Rollback
Rollback is a write operation against a production tenant. It needs to be deliberate. Lavawall® treats rollback as a strict three-step lifecycle:
1. Plan — click Plan Rollback on a change, on multiple changes, on all changes by a specific user, or on an entire object’s history to a chosen point in time. Lavawall® computes the exact list of Microsoft Graph (or Azure Resource Manager) API calls that would be made to revert the changes, in dependency order. No calls happen against Graph yet.
2. Approve — an admin reviews the action plan in the dashboard. Each action shows the API endpoint, the HTTP method, the body that will be sent, and the expected response. The admin clicks Approve. Still no calls happen against Graph.
3. Execute — an operator runs the executor on the m365sync host (CLI: m365sync --mode=rollback-execute --rollback-id=<id>). Now Graph calls happen, in dependency order, with full per-action logging back to the dashboard.
Modes that change how execute behaves:
- Dry-run. Even at execute time, dry-run prints every Graph call to the log without making any of them. Use this on every rollback at least once before flipping to live execution.
- Continue-on-error. By default, the rollback aborts on the first failed action. Continue-on-error keeps going and surfaces all failures at the end. Useful when you’re reverting many independent changes and want partial success.
- Action ordering. Dependencies are respected automatically. NSG rules apply before subscription role assignments; CA policies apply before named locations they reference; app registrations exist before service principals reference them.
Notifications & Email Digests
High-severity changes can trigger Lavawall® notifications and email digests just like any other event in the platform. Configure rules per company, per object type, and per severity in the M365 dashboard.
Common rule patterns MSPs deploy on day one:
- Critical changes → immediate email to the on-call rotation
- High changes → daily digest to the account manager
- Medium & below → aggregated weekly QBR report
- Anything from a non-employee UPN → immediate, regardless of severity
- Anything from an unexpected country → immediate, regardless of severity
How It’s Different From Mailbox Backup
Lavawall® is configuration backup, not content backup. The two are complementary:
- Mailbox backup (Dropsuite mail backup, SkyKick, Veeam, N-able Cove) backs up the contents of mailboxes, OneDrive, SharePoint sites, and Teams. You restore an email or a file.
- Configuration backup (Lavawall®) backs up the tenant settings — Conditional Access policies, role assignments, app registrations, Intune profiles, NSG rules. You restore a policy that was disabled, a role assignment that was deleted, an Intune profile that got loosened.
Storage Efficiency
Lavawall® stores snapshots as content-addressable blobs. Each snapshot’s SHA-256 hash of the canonicalised JSON is the storage key, so identical states (the most common case — nothing changed in the last hour) only get stored once. Objects over 8KB are gzip-compressed automatically.
For a typical 50-user tenant with all object types enabled at default polling intervals, configuration snapshot storage is typically under 100MB per year.
Retention is configurable per object type. Default retention is 90 days for high-volume types and 365 days for security-sensitive types (CA policies, role assignments). Both are extendable per company.
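A content-addressable snapshot store of the kind described above, as an added example that is not Lavawall® code. The canonical form used here (sorted keys, compact separators), the 8 × 1024 byte threshold, the in-memory dictionary, and the hash check on read are all assumptions made for the sketch.

```python
import gzip
import hashlib
import json

GZIP_THRESHOLD = 8 * 1024  # "over 8KB"; the exact byte value is an assumption

def canonicalise(obj):
    """Deterministic bytes for a snapshot: sorted keys, no extra whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

class SnapshotStore:
    def __init__(self):
        self.blobs = {}  # sha256 hex digest -> (is_gzipped, stored bytes)

    def put(self, obj):
        """Store a snapshot and return its content address."""
        data = canonicalise(obj)
        key = hashlib.sha256(data).hexdigest()
        if key not in self.blobs:  # an identical state is stored only once
            big = len(data) > GZIP_THRESHOLD
            self.blobs[key] = (big, gzip.compress(data) if big else data)
        return key

    def get(self, key):
        """Load a snapshot, verifying the blob still matches its address."""
        is_gzipped, blob = self.blobs[key]
        data = gzip.decompress(blob) if is_gzipped else blob
        if hashlib.sha256(data).hexdigest() != key:
            raise ValueError("blob does not match its content address")
        return json.loads(data)

# Constructed snapshots: the same policy state with keys in a different order.
POLL_1 = {"displayName": "Require MFA for admins", "state": "enabled"}
POLL_2 = {"state": "enabled", "displayName": "Require MFA for admins"}
POLL_3 = {"displayName": "Require MFA for admins", "state": "disabled"}
BIG_GROUP = {"members": [f"user{i}@example.com" for i in range(1000)]}

if __name__ == "__main__":
    store = SnapshotStore()
    keys = [store.put(s) for s in (POLL_1, POLL_2, POLL_3, BIG_GROUP)]
    print(len(set(keys)), "distinct blobs for", len(keys), "snapshots")
```

Because the key is the hash of the content, re-hashing on read also detects a blob that was altered after it was written.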
How To Enable
M365 Configuration Change Monitoring is a billable feature gated by your subscription:
- Change monitoring (detect, log, notify; no rollback) — included in the Lavawall® Professional tier.
- Backup & rollback (everything plus point-in-time revert) — included in the Complete tier, or available a-la-carte at C$3.95 / US$2.95 per user per month on lower tiers.
The first snapshot per object type happens within minutes of enablement; subsequent polling runs at configurable intervals (default 15 minutes for high-severity types, hourly for others).
If you have any questions or need further assistance, feel free to reach out through our chat, phone or email on our contact page!