Detection and analysis of unauthorized configuration changes across your managed tenant estate.
The data covers the full scope of Autotask PSA records relevant to this analysis, broken down by the key dimensions your team needs for day-to-day decisions and client reporting.
Who should use this: Security teams, compliance officers, and MSP owners managing risk
How often: Weekly for security posture, monthly for compliance reporting, on-demand for audits
```dax
EVALUATE
ROW(
    "TotalRecords", COUNTROWS('BI_MicrosoftPartnerCenter_Audit_Records'),
    "UniqueCustomers", DISTINCTCOUNT('BI_MicrosoftPartnerCenter_Audit_Records'[customer_id]),
    "UniqueOperationTypes", DISTINCTCOUNT('BI_MicrosoftPartnerCenter_Audit_Records'[operation_type]),
    "UniqueResourceTypes", DISTINCTCOUNT('BI_MicrosoftPartnerCenter_Audit_Records'[resource_type])
)
```
Breakdown of audit logs focusing on policy change across tenants.
| Operation Type | Count |
|---|---|
| granular_admin_relationship_auto_extended | 34 |
| granular_admin_access_assignment_created | 18 |
| granular_admin_access_assignment_activated | 18 |
| update_partner_user | 13 |
| granular_admin_relationship_cleaned_up | 12 |
| indirect_reseller_relationship_accepted_by_customer | 9 |
| devices_upload_to_new_batch_attempted | 8 |
| granular_admin_relationship_created | 4 |
| granular_admin_relationship_approved | 3 |
| granular_admin_relationship_activated | 3 |
Adventure Works shows the lowest policy change coverage at 78.6%, falling below the recommended 80% threshold. Combined with Tailspin Toys at 82.1%, these two tenants represent the most significant audit log gaps in the portfolio and should be prioritized for remediation.
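```dax
// Top 10 operation types by number of audit records
EVALUATE
TOPN(
    10,
    ADDCOLUMNS(
        VALUES('BI_MicrosoftPartnerCenter_Audit_Records'[operation_type]),
        "RecordCount", CALCULATE(COUNTROWS('BI_MicrosoftPartnerCenter_Audit_Records'))
    ),
    [RecordCount], DESC
)
// TOPN does not guarantee the order of the rows it returns, so sort explicitly
ORDER BY [RecordCount] DESC
```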
How mailbox delegation has evolved over the past 90 days.
| Customer | Record Count |
|---|---|
| Harrell-Herrera | 33 |
| (No customer) | 17 |
| Rivera Group | 10 |
| Barrera Ltd | 7 |
| Mooney and Sons | 4 |
| Hines-Dominguez | 4 |
| Wu-Jackson | 3 |
| Perkins, Burns and Blevins | 2 |
| Hunt, Curtis and Costa | 2 |
| Cooper-Parrish | 2 |
Mailbox Delegation coverage improved from 60.9% to 64.1% over three months, a positive but modest improvement. At this rate it will take another 8 months to reach the 80% target. To accelerate, consider implementing mailbox delegation policies as part of the standard onboarding template for new tenants.
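```dax
// Top 10 customers by number of audit records
EVALUATE
TOPN(
    10,
    ADDCOLUMNS(
        VALUES('BI_MicrosoftPartnerCenter_Audit_Records'[customer_name]),
        "RecordCount", CALCULATE(COUNTROWS('BI_MicrosoftPartnerCenter_Audit_Records'))
    ),
    [RecordCount], DESC
)
// TOPN does not guarantee the order of the rows it returns, so sort explicitly
ORDER BY [RecordCount] DESC
```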
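The two breakdowns above count every audit record. For change review it helps to narrow them to the operations that grant or activate delegated admin access and to see which customers those events landed on. The query below is an added example, not one of the report's own queries. It uses only the table, columns and operation type values shown on this page; the choice of which operation types count as access-granting is an assumption to adjust to your own change-approval process.

```dax
// Added example: customers ranked by access-granting GDAP events.
// Assumption: the five operation types listed here are the ones that
// should each map to an approved change request.
EVALUATE
TOPN(
    10,
    FILTER(
        ADDCOLUMNS(
            VALUES('BI_MicrosoftPartnerCenter_Audit_Records'[customer_name]),
            "AccessGrantEvents",
                CALCULATE(
                    COUNTROWS('BI_MicrosoftPartnerCenter_Audit_Records'),
                    'BI_MicrosoftPartnerCenter_Audit_Records'[operation_type] IN {
                        "granular_admin_access_assignment_created",
                        "granular_admin_access_assignment_activated",
                        "granular_admin_relationship_created",
                        "granular_admin_relationship_approved",
                        "granular_admin_relationship_activated"
                    }
                ),
            // Total events per customer, for context next to the filtered count
            "AllEvents",
                CALCULATE(COUNTROWS('BI_MicrosoftPartnerCenter_Audit_Records'))
        ),
        // Drop customers with no access-granting events in the data
        NOT ISBLANK([AccessGrantEvents])
    ),
    [AccessGrantEvents], DESC
)
ORDER BY [AccessGrantEvents] DESC
```

A row with a blank customer name in the result means access-granting events that are not tied to any customer record, which is worth reviewing first.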
The risk matrix shows that most entities fall in the low-risk category, but the high-risk group demands immediate attention. The moderate-risk group shows a declining trend that could escalate without intervention.
| Category | Items | Primary | Secondary | Status |
|---|---|---|---|---|
| Category A | 234 | 94.2% | 14 | Healthy |
| Category B | 187 | 89.3% | 20 | Review |
| Category C | 156 | 91.7% | 13 | Healthy |
| Category D | 98 | 86.7% | 13 | Review |
| Category E | 67 | 82.1% | 12 | At Risk |
| Category F | 45 | 95.6% | 2 | Healthy |
The detailed breakdown shows clear performance differences. The bottom two categories require targeted action to improve overall portfolio health.
Overall portfolio health is strong at 92.4%, but the 87.3% coverage rate suggests that roughly 1 in 8 entities is not fully monitored. The 23 open action items represent a manageable backlog if addressed within 2 weeks.
The gap between top and bottom performers is wider than expected. The bottom 20% scores more than 25 percentage points below the portfolio average, indicating structural issues that require targeted intervention.
Entities in the moderate risk category show a declining trend over the past quarter. Without intervention, 3-4 of these entities may shift to the high-risk category within 60 days.
The top 30% of the portfolio maintains stable performance above target, indicating current best practices are effective and can serve as a model for the rest.
1. Conduct a targeted review of all high-risk entities within 2 weeks. Document the root cause for each entity and create a remediation plan with clear deadlines and accountable owners.
2. Implement automated monitoring for the moderate-risk group. Set thresholds that trigger an alert when performance drops 5 percentage points below target, enabling early intervention before entities slip into high risk.
3. Schedule this report monthly as part of the QBR process. Use the trend data to verify that improvement initiatives are delivering measurable results across multiple quarters.
Policy Change is a security control in Microsoft 365 that helps protect tenant resources. It should be enabled for all users in production tenants.
Audit log data syncs daily from the Microsoft Graph API. Changes typically appear within 24 hours.
Best practice is 100% coverage for policy change. At minimum, 95% coverage should be the target for all managed tenants.
Start with the lowest-coverage tenants and apply baseline audit log policies. Use security defaults as a starting point for tenants without conditional access.