# Data flow: Portal-edit drift detection (snapshot hash)

> **Historical note:** An earlier design used Microsoft Graph change-notification subscriptions (`graph-notifications`, `graph-subscription-create`, `graph-subscription-renew`). Microsoft does not support CA policy change webhooks. That path is disabled (cron unscheduled in migration `20260618140000`). Drift from portal edits is detected via snapshot hash comparison on resync and on the nightly snapshot.
## Current flow

```mermaid
sequenceDiagram
  autonumber
  participant Customer as Customer admin (Azure portal)
  participant Graph as Microsoft Graph
  participant Resync as resyncTenant / nightly-snapshot
  participant App as Policytab (lib/snapshot/resync)
  participant SbDB as Supabase Postgres
  Customer->>Graph: Edit a CA policy in portal
  Note over Resync,Graph: Later - manual resync or nightly cron
  Resync->>Graph: graph-policies-read
  Graph-->>Resync: policies JSON
  Resync->>SbDB: insert policy_snapshot (new hash)
  App->>App: firePolicyChangedInPortalAlertIfNeeded(prev hash, new hash)
  App->>SbDB: insert alert policy.changed_in_portal (dedupe tenant:hour)
```
## Dedupe and triage

- Alert kind: `policy.changed_in_portal`
- Dedupe key mirrors the old subscription handler: one alert per tenant per hour (`lib/alerts/policy-changed-in-portal.ts`)
- Operators triage from Alerts; drift vs baseline is on the tenant Drift page after resync
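The two pieces the flow above relies on, the snapshot hash and the `tenant:hour` dedupe key, as an added illustration that is not Policytab's own code: `snapshotHash` canonicalises the policy list so Graph returning the same policies in a different order is not reported as drift, and `fireIfNeeded` is a hypothetical stand-in for `firePolicyChangedInPortalAlertIfNeeded` that only emits when the hash moved and no alert with the same key exists yet. The policy shape, field names and sample data are constructed for the example.

```typescript
import { createHash } from "node:crypto";

// Constructed, minimal shape of what graph-policies-read returns; real
// Graph objects carry many more fields, which the same canonicalisation covers.
type CaPolicy = { id: string; displayName: string; state: string; [k: string]: unknown };

// Deterministic serialisation: object keys sorted alphabetically, recursively,
// so JSON.stringify output depends only on content, not on key insertion order.
function canonicalize(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(obj).sort()) out[k] = canonicalize(obj[k]);
    return out;
  }
  return value;
}

// Hash of the whole policy set, ordered by policy id so list order is irrelevant.
export function snapshotHash(policies: CaPolicy[]): string {
  const ordered = [...policies].sort((a, b) => a.id.localeCompare(b.id));
  return createHash("sha256").update(JSON.stringify(canonicalize(ordered))).digest("hex");
}

// Dedupe key in the shape the doc describes: one alert per tenant per hour.
export function dedupeKey(tenantId: string, at: Date): string {
  return `${tenantId}:${at.toISOString().slice(0, 13)}`; // "tenant:YYYY-MM-DDTHH"
}

export type Alert = { kind: "policy.changed_in_portal"; tenantId: string; dedupeKey: string };

// Hypothetical stand-in for firePolicyChangedInPortalAlertIfNeeded. `existing`
// models the dedupe keys already stored for this tenant (the DB in the real flow).
export function fireIfNeeded(
  tenantId: string,
  prevHash: string | null,
  newHash: string,
  existing: Set<string>,
  now: Date,
): Alert | null {
  if (prevHash === null || prevHash === newHash) return null; // first snapshot, or no drift
  const key = dedupeKey(tenantId, now);
  if (existing.has(key)) return null; // already alerted this tenant in this hour
  existing.add(key);
  return { kind: "policy.changed_in_portal", tenantId, dedupeKey: key };
}
```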