Granular Policy Drift

Many of the policies that we deploy have some settings in which drift is never acceptable, and other settings in which drift is expected. For example, let's take a Conditional Access policy that requires MFA for all users. Many clients will have different combinations of users that need to be excluded from this policy. Let's say that:

  • ALL clients need the following accounts excluded:
    • Break Glass
  • Client A needs the following additional accounts excluded:
    • Migration
    • Scans
    • AppIntegration

These specific, granular drifts for Client A are expected and acceptable. However, if we accept drift for this account, then any subsequent changes to that policy are automatically accepted by Nerdio. We have no visibility from that point forward of any subsequent changes. This is a big problem for us, because if a technician goes into Client A and excludes John Smith from the policy, that is NOT an acceptable drift from the standard and we need to know about it.

Additionally, there should be the option to set up alerts so we get a ticket generated in our PSA when drift occurs on certain policies.

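The per-setting comparison this request describes, as an added example that is not part of the original post and is not Nerdio code: exclusions on the MFA policy are checked against a global baseline plus each client's accepted exceptions, and anything else is reported. The data layout and function names are assumptions, the "Client B" and "Client C" entries are constructed, and flagging a missing baseline exclusion goes one step beyond the case in the post.

```python
# Constructed sample data: account and client names follow the post's example;
# the data layout is an assumption, not any product's API or export format.
BASELINE_EXCLUDED = {"Break Glass"}  # excluded for ALL clients
APPROVED_EXCEPTIONS = {              # per-client drift that was reviewed and accepted
    "Client A": {"Migration", "Scans", "AppIntegration"},
}
OBSERVED = {  # exclusions currently present on each client's MFA policy (constructed)
    "Client A": ["Break Glass", "Migration", "Scans", "AppIntegration", "John Smith"],
    "Client B": ["Break Glass"],
    "Client C": ["Migration"],
}


def classify_exclusions(client, observed_excluded):
    """Split one policy's exclusion list into accepted and unaccepted drift."""
    approved = APPROVED_EXCEPTIONS.get(client, set())
    observed = set(observed_excluded)
    return {
        "approved_drift": sorted(observed & approved),
        "unapproved_additions": sorted(observed - BASELINE_EXCLUDED - approved),
        "missing_baseline": sorted(BASELINE_EXCLUDED - observed),
    }


def drift_alerts(observed_by_client):
    """Return one alert line per client whose policy has unaccepted drift."""
    alerts = []
    for client, excluded in sorted(observed_by_client.items()):
        report = classify_exclusions(client, excluded)
        problems = []
        if report["unapproved_additions"]:
            problems.append("unapproved exclusions: " + ", ".join(report["unapproved_additions"]))
        if report["missing_baseline"]:
            problems.append("baseline exclusions missing: " + ", ".join(report["missing_baseline"]))
        if problems:
            alerts.append(f"{client}: " + "; ".join(problems))
    return alerts


if __name__ == "__main__":
    for line in drift_alerts(OBSERVED):
        print(line)
```

Because the accepted exceptions are stored per account rather than per policy, accepting Client A's three service accounts does not silence the later John Smith exclusion.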

Comments (2 comments)

Carl Long
Thank you for submitting your feature request—we truly value input from our community.

Next steps:
     • We will review your request and update its status as it progresses through our evaluation process.
     • If any clarification is needed, we'll follow up with you directly in the comments.

We also encourage the community to influence our decision through comments, votes, and feedback.
Adam Atwell

Let's Go!!!
