Data flow: Portal-edit drift detection (snapshot hash)

Historical note: An earlier design used Microsoft Graph change-notification subscriptions (graph-notifications, graph-subscription-create, graph-subscription-renew). Microsoft does not support CA policy change webhooks. That path is disabled (cron unscheduled in migration 20260618140000). Drift from portal edits is detected via snapshot hash comparison on resync and nightly snapshot.

Current flow

sequenceDiagram
  autonumber
  participant Customer as Customer admin (Azure portal)
  participant Graph as Microsoft Graph
  participant Resync as resyncTenant / nightly-snapshot
  participant App as Policytab (lib/snapshot/resync)
  participant SbDB as Supabase Postgres

  Customer->>Graph: Edit a CA policy in portal
  Note over Resync,Graph: Later - manual resync or nightly cron
  Resync->>Graph: graph-policies-read
  Graph-->>Resync: policies JSON
  Resync->>SbDB: insert policy_snapshot (new hash)
  App->>App: firePolicyChangedInPortalAlertIfNeeded(prev hash, new hash)
  App->>SbDB: insert alert policy.changed_in_portal (dedupe tenant:hour)

Dedupe and triage

• Alert kind: policy.changed_in_portal
• Dedupe key mirrors the old subscription handler: one alert per tenant per hour (lib/alerts/policy-changed-in-portal.ts)
• Operators triage from Alerts; drift vs baseline is on the tenant Drift page after resync

Related docs

• Data flow: resync
• pg_cron jobs