Daily workflows
Morning: triage open alerts
- Dashboard → look at the Open alerts card. Critical (red) first.
- Click Alerts tab → filter to Open.
- For each alert:
  - breakglass.signin - a break-glass account signed in. Confirm this was a known fire drill / outage response. If not, treat as incident.
  - breakglass.membership_changed - someone was added or removed from the break-glass group. Open Break-glass for the roster and recent changes.
  - breakglass.exclusion_missing - a blocking CA policy does not exclude break-glass. Open Break-glass (or propose a policy assignment change) before you need emergency access.
  - exclusion.expired - the cron has marked an exclusion as expired. Open the tenant's Time-bound access page and use Sync N expired to Entra to remove the user from the group (this is intentionally a manual operator action, not auto-dispatch).
  - policy.changed_in_portal - someone edited a CA policy directly in the Azure portal. Click into the tenant's Drift page to see what changed vs. baseline.
- Acknowledge each handled alert. The audit log records who acknowledged what.
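What the breakglass.exclusion_missing alert looks for, as an added example that is not the product's own code: it reads policies in the Microsoft Graph conditionalAccessPolicy JSON shape and lists enforced block policies that can reach the break-glass accounts without excluding them. The object IDs, the sample policies and the definition of "blocking" used here (state enabled plus the block grant control) are assumptions.

```python
# Added example. All IDs and policies below are constructed sample data.
BREAKGLASS_GROUP = "bg-group-placeholder"
BREAKGLASS_USERS = {"bg-user-1-placeholder", "bg-user-2-placeholder"}

def targets_breakglass(users):
    """True if the include scope can reach a break-glass account."""
    included = set(users.get("includeUsers", []))
    return ("All" in included
            or bool(BREAKGLASS_USERS & included)
            or BREAKGLASS_GROUP in users.get("includeGroups", [])
            # Role membership cannot be resolved offline; assume in scope.
            or bool(users.get("includeRoles")))

def excludes_breakglass(users):
    """True if the group, or every individual account, is excluded."""
    return (BREAKGLASS_GROUP in users.get("excludeGroups", [])
            or BREAKGLASS_USERS <= set(users.get("excludeUsers", [])))

def missing_exclusions(policies):
    """Names of enforced block policies that can lock out break-glass."""
    findings = []
    for p in policies:
        # grantControls is null on session-only policies.
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        users = (p.get("conditions") or {}).get("users") or {}
        enforced_block = p.get("state") == "enabled" and "block" in controls
        if enforced_block and targets_breakglass(users) and not excludes_breakglass(users):
            findings.append(p["displayName"])
    return findings

def policy(name, state, controls, **users):
    """Build a policy dict in the conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "grantControls": {"builtInControls": controls} if controls else None,
            "conditions": {"users": users}}

SAMPLE_POLICIES = [
    policy("Block legacy auth", "enabled", ["block"], includeUsers=["All"], excludeGroups=[BREAKGLASS_GROUP]),
    policy("Block non-allowed countries", "enabled", ["block"], includeUsers=["All"]),
    policy("Block risky sign-ins", "enabledForReportingButNotEnforced", ["block"], includeUsers=["All"]),
    policy("Require MFA for all", "enabled", ["mfa"], includeUsers=["All"]),
    policy("Block contractors", "enabled", ["block"], includeGroups=["contractors-group-placeholder"]),
    policy("Block admins off-network", "enabled", ["block"], includeRoles=["role-template-placeholder"],
           excludeUsers=["bg-user-1-placeholder"]),  # only one of two accounts excluded
]

if __name__ == "__main__":
    for name in missing_exclusions(SAMPLE_POLICIES):
        print("breakglass.exclusion_missing:", name)
```

Report-only policies and policies scoped to unrelated groups are skipped on purpose; a policy that excludes only some of the break-glass accounts is still reported.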
Mid-day: drift check on important customers
- Dashboard → sort by Last resync ascending.
- Click any tenant that hasn't resynced in 24h+ → Resync now on the tenant detail page.
- Open Drift → review the critical-severity gaps. A "missing" critical policy from the tenant's comparison baseline is the biggest red flag.
- If something needs fixing → Propose change to start a change-request workflow.
Customer support escalation: "User X is locked out"
- Tenant detail → Sign-ins → enter the user's UPN, filter to Failure, 7-day window.
- Find the failing sign-in → see which CA policy blocked + the failure reason.
- Open Users (or click the UPN on Sign-ins) → /tenants//users/ for lockout triage. Policies are ranked by failure count.
- Decide:
  - Genuine block (user tried to sign in from a blocked country) → educate the user, no action.
  - Misconfigured (user shouldn't be in scope) → Propose change to fix the policy assignment, dry-run + apply.
  - Time-limited exception (exec traveling, vendor needs access) → click Time-bound access on the triage row. The form prefills group + user from Graph when possible. Approve → user is added to the exclusion group until expiry.
End of week: MFA posture review
- Tenant detail → MFA for each customer.
- Look at Stale admins - admins whose registered methods haven't been touched in >180 days. Flag for the customer.
- Look at Amber users - using SMS-only methods. These are the easiest upgrades (Authenticator push).
Cross-customer fleet view
For MSPs with many tenants, the Tenants list (/tenants) shows consent state, drift signals, and quick links into each customer. Use filters and search to find tenants that need attention.