Configuration Drift and How to Prevent It

When Secure Isn’t Permanent: Shutting Down Configuration Drift with Recurring Gap Assessments

Every sysadmin has this configuration drift horror story:

  1. Automatic updates ran.
  2. No one noticed it changed a setting.
  3. Everything kept working.
  4. Until it didn’t.

This is how configuration drift begins.

Not with a breach. Not with negligence. But with something as routine as a patch, a licensing change, or a rushed support ticket. These minor, often well-intentioned changes stack up quietly and gradually push your security posture out of alignment with your baseline.


What Is Configuration Drift?

Configuration drift is the slow, often invisible departure from your approved security baseline. Sometimes, legacy tech debt creates the opportunity for drift to set in, but even in cloud-first environments like Microsoft 365, Defender, and Entra, it’s common to find:

  • Global Conditional Access Policies were disabled during a key user’s support issue. They were never re-enabled.
  • Users were granted “temporary” administrative privileges. No one remembered to remove them after the ticket closed.
  • Intune compliance rules were disabled to work around a user’s issue after they returned from vacation. They were never turned back on.
  • Guest access was enabled in SharePoint to see what another user would see. It was never disabled.
  • Defender for Endpoint policies were weakened for one-off testing. There was no ticket associated with the testing, so there was no record of the work performed.
  • Purview rules were removed during a licensing change. No settings were changed, but the functionality stopped.

None of these minor changes trigger alarms, and they’re often functional decisions made under pressure. But they introduce vulnerabilities that accumulate over time.


Good Security Doesn’t Freeze in Place

Configuration drift can feel like an iceberg to the Titanic.

Even if your team deployed the environment using best practices, the config doesn’t remain static. Changes creep in. Settings get overwritten. And unless you’re checking regularly, the gap between your intended security posture and your live configuration will continue to grow.

Until someone has time in their day to go back under the hood and check on those settings. Or an auditor or threat actor finds it first.

Sometimes, this stays hidden simply because no one had re-validated the environment since it was first secured. Other times, it comes from different teams with different objectives. One side is optimizing for performance or usability, while the other is tasked with maintaining security and compliance. When your IT and cybersecurity teams aren’t aligned, configuration drift isn’t just possible – it’s guaranteed.


Why Recurring Gap Assessments Matter

Sometimes it’s best to treat configuration assessments like security snapshots. Snapshots give you the ability to validate what is currently enforced, compare against prior states, and take action before auditors or attackers do.

Routine assessments help organizations:

  • Detect drift introduced by urgent support changes or role turnover
  • Highlight areas where security intent no longer matches configuration (this is the worst look for Security: when it’s just making life harder for no apparent value)
  • Track progress over time and prove improvement
  • Maintain alignment with licensing, business rules, and

One of our favorite ways to perform these assessments is to use a Microsoft Security Gap Assessment to baseline the reference point. This way, every recommendation is practical and actionable based on how your business is licensed and structured. Control outcomes are mapped to control configurations. It’s a level better than knowing X Tool performs Y work.


A Better Way to Monitor What’s Changed

Security tools drift. Configurations change. And most teams are too focused on what’s ahead to take a hard look at what’s already been altered (or there are just too many tickets to find the time for it).

If you haven’t revisited your configuration since deployment, there’s no shame in that. The goal isn’t to audit the past. It’s to reconnect with what’s actually in place right now.

Make time to compare your last known secure state to your current one. Identify what changed, and decide what still makes sense for your environment today.
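As an added illustration (not the article’s or Sittadel’s own tooling) of comparing a last known secure state to the current one: a small Python drift check over two constructed snapshots. The snapshot shape is a simplification for the example, not a real Microsoft Graph or Entra export format.

```python
# Constructed snapshots (not a real Graph/Entra export): the approved baseline
# and what is actually enforced in the tenant today.
BASELINE = {
    "conditional_access": {"Require MFA - All users": "enabled",
                           "Block legacy auth": "enabled"},
    "privileged_roles": {"Global Administrator": ["alice@example.test"]},
    "intune_compliance": {"Require BitLocker": "enabled"},
    "sharepoint": {"guest_access": "disabled"},
    "purview_rules": {"Block CC numbers external": "enabled"},
}
CURRENT = {
    "conditional_access": {"Require MFA - All users": "disabled",   # support ticket
                           "Block legacy auth": "enabled"},
    "privileged_roles": {"Global Administrator": ["alice@example.test",
                                                  "bob@example.test"]},  # "temporary"
    "intune_compliance": {"Require BitLocker": "enabled"},
    "sharepoint": {"guest_access": "enabled"},                       # never reverted
    "purview_rules": {},                                             # licensing change
}

def find_drift(baseline: dict, current: dict, path: str = "") -> list[dict]:
    """Walk both snapshots and return one finding per setting whose live value
    no longer matches the baseline. Nested dicts recurse; lists (e.g. role
    members) are compared as sets; a setting present on only one side is
    flagged, so a rule silently dropped during a licensing change is still caught."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        here = f"{path}/{key}"
        if key not in baseline or key not in current:
            kind = "missing" if key not in current else "unmanaged"
            findings.append({"setting": here, "kind": kind,
                             "expected": baseline.get(key), "actual": current.get(key)})
        elif isinstance(baseline[key], dict) and isinstance(current[key], dict):
            findings.extend(find_drift(baseline[key], current[key], here))
        elif isinstance(baseline[key], list) and isinstance(current[key], list):
            if set(baseline[key]) != set(current[key]):
                findings.append({"setting": here, "kind": "changed",
                                 "expected": sorted(baseline[key]),
                                 "actual": sorted(current[key])})
        elif baseline[key] != current[key]:
            findings.append({"setting": here, "kind": "changed",
                             "expected": baseline[key], "actual": current[key]})
    return findings

def drift_report(baseline: dict, current: dict) -> str:
    """Human-readable summary, one line per drifted setting."""
    lines = [f"{f['kind']:9} {f['setting']}: expected {f['expected']!r}, found {f['actual']!r}"
             for f in find_drift(baseline, current)]
    return "\n".join(lines) if lines else "No drift from baseline."

if __name__ == "__main__":
    print(drift_report(BASELINE, CURRENT))
```

Run on a schedule against snapshots exported from your own tenant, the report is the list of decisions to make: re-enable, re-baseline, or document why the change stays.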

Whether it’s your first or next assessment, it’s easy to start here.
