Frequently Asked Questions
Search or browse answers to the most common questions about the Veri-Tech platform.
▶What is Veri-Tech?
Veri-Tech is a Microsoft 365 Compliance & Security Platform that scans your tenant against up to 923 security controls across twelve frameworks (CISA SCuBA, CIS M365, NIST 800-53, NIST CSF, ISO 27001, SOC 2, HIPAA, GDPR, EIDSCA, Maester, ORCA, Veri-Tech), generates standard operating procedures from your live configuration, and can automatically remediate compliance gaps. The platform includes five products: Veri-Docs (document generation), Veri-Guard (M365 compliance scanning & remediation), Veri-Tune (Intune endpoint security with Policy Insights, modify-in-place remediation, and cross-platform coverage for Windows/macOS/iOS/Android), Veri-Patch (Windows feature update intelligence with WUfB policy assignment), and Veri-Vault (config backup, Activity Log, deep search, change detection, drift alerting, config restore, Tenant Reconnect, and Emergency Accounts).
▶Which Microsoft 365 workloads does Veri-Tech cover?
Veri-Tech assesses six domains: Identity (Entra ID / Conditional Access), Intune (device management), Exchange Online, Microsoft Teams, SharePoint Online, and Defender for Office 365. Identity, Intune, and SharePoint are available by default; Exchange, Teams, and Defender require enabling workload permissions in Settings.
▶Does Veri-Tech store my tenant data?
Veri-Tech stores the compliance reports and SOPs you generate. It does not persist raw policy data from your tenant between jobs. Tenant metadata (organization name, billing status, permission settings) is stored, but no policy configurations, user data, or credentials are retained.
▶Where is my data stored?
All data is stored in Microsoft Azure (East US 2 region). Documents are in Azure Blob Storage, tenant metadata in Azure Table Storage, and certificates in Azure Key Vault with HSM backing.
▶What is Veri-Tune?
Veri-Tune is the Intune endpoint security product within the Veri-Tech platform. It assesses your Intune configuration against 375 controls covering Windows, macOS, iOS, and Android. Key capabilities include Policy Insights (overlap & conflict detection across every Intune policy, with downloadable detailed and executive reports), modify-in-place remediation (edits existing policies instead of stacking overrides, with previous-value tracking for rollback), AI-generated remediation plans, a 3-tier dispatch workflow (green/amber/red) with Change Advisory, a dedicated per-platform policy assignment page, and automated remediation for both Windows and macOS. Veri-Tune is included with Enterprise and MSP plans.
▶What is Veri-Patch?
Veri-Patch is the Windows update management product. It provides end-to-end feature update management — prerequisite validation, telemetry setup with a guided wizard, live update policy viewing (feature rings, quality updates, expedited patches, and driver update profiles with CVE/KB details), assignment status badges across every policy card, direct group assignment for unassigned WUfB policies, compatibility scanning with per-device readiness classification, and automated AU-scoped device group sync. Recurring scan schedules, CSV exports, and shareable HTML reports are built in. Veri-Patch is included with Enterprise and MSP plans.
▶What is Veri-Vault?
Veri-Vault is the config backup, change detection, and tenant recovery product. It captures Automatic Scan Snapshots of your M365 configuration alongside every scan, supports deep content search across snapshots, and compares any two snapshots side-by-side with CSV export. Enterprise adds the Vault Activity Log (full audit trail of Vault actions), Tenant Reconnect Wizard (re-bind disconnected tenants), drift alerting with email + webhook delivery, config restore with JIT write permissions, Emergency Accounts (recovery credentials with QR-code TOTP, scrypt hashing, and AES-256-GCM Key Vault encryption), and git integration. Retention: 90 days (Professional), 1 year (Enterprise), 3 years (MSP).
▶What is Veri-Guard?
Veri-Guard is the compliance scanning and remediation engine for Microsoft 365. It assesses your tenant against 548 M365 security controls across twelve frameworks (CISA, CIS, NIST 800-53, NIST CSF, ISO 27001, SOC 2, HIPAA, GDPR, EIDSCA, Maester, ORCA, Veri-Tech) and can automatically remediate 330+ of them. Veri-Guard is available on Professional (scanning + remediation) and Enterprise/MSP (scanning + remediation + full platform).
▶What does the HIPAA Compliance Pack assess — and what does it NOT assess?
The HIPAA Compliance Pack ($199/mo Enterprise add-on) maps 67 of your Veri-Guard controls to 45 CFR Part 164 across 17 CFR sections, covering Technical safeguards (§164.312), the M365-observable portion of Administrative safeguards (§164.308), and a limited subset of Physical safeguards focused on Workstation Security (§164.310(c)) and Device/Media Controls (§164.310(d)). It does NOT assess workforce security training (§164.308(a)(5)), incident response procedures, risk analysis documentation, contingency plans, Business Associate Agreements (§164.308(b)), or facility access controls (§164.310(a)(1)). A high score on this assessment is evidence of strong M365 configuration — not a substitute for a full HIPAA compliance program. Pair it with organizational controls and an independent HIPAA attestation for an audit-ready posture.
▶How many total controls does Veri-Tech assess?
Veri-Tech assesses up to 923 security controls total: 548 M365 controls via Veri-Guard and 375 Intune endpoint controls via Veri-Tune. The exact number depends on your plan and which workloads are enabled.
▶How long does a compliance scan take?
A typical scan completes in 1-3 minutes depending on the number of policies in your tenant and which workloads are enabled. Exchange and Teams workloads may add additional time as they require PowerShell-based checks.
▶What frameworks are included in the assessment?
Controls are sourced from twelve frameworks across three categories: seven detection sources (CISA SCuBA, CIS Microsoft 365, EIDSCA, NIST SP 800-53, Maester, ORCA, and Veri-Tech Recommended Controls) that Veri-Tech scans for directly; four compliance mappings (NIST CSF, ISO 27001, SOC 2, GDPR) that cross-reference detection controls to these frameworks; and one dedicated assessment (HIPAA) via the HIPAA Compliance Pack add-on. Every cross-framework mapping is sourced from authoritative public data — official NIST crosswalks, CISA CSVs, AICPA mappings, and the ISO 27701-to-GDPR bridge.
▶Why does my scan show fewer controls than expected?
Controls are skipped when prerequisites are not met — for example, controls requiring Entra ID P2 licensing are skipped if your tenant only has P1. Controls for disabled workloads (Exchange, Teams, Defender) are also excluded. Enable workload permissions in Settings to increase coverage.
▶Can I compare two scan results?
Yes. From the Compliance Hub, select two assessments to compare side-by-side. The comparison view highlights controls that changed status between scans, making it easy to detect configuration drift.
▶How does Veri-Tune scanning differ from Veri-Guard?
Veri-Guard scans your M365 configuration (Identity, Exchange, Teams, SharePoint, Defender). Veri-Tune focuses specifically on Intune endpoint management — device compliance policies, configuration profiles, security baselines, and app protection. Veri-Tune uses assignment-aware dual scoring, showing both your deployed (effective) and configured (total) compliance posture.
▶What is assignment-aware dual scoring in Veri-Tune?
Veri-Tune calculates two scores: a "deployed" score that only counts controls assigned to device groups (reflecting effective compliance), and a "configured" score that counts all policies regardless of assignment. This helps identify policies that exist but aren't assigned to any devices — a common gap in Intune environments.
▶What does "report-only mode" mean for Conditional Access?
When Veri-Tech deploys a Conditional Access policy, it is created in report-only mode. This means the policy logs what would happen but does not enforce any restrictions. You can review the impact in the Entra admin center before manually switching the policy to "on."
▶What are break-glass accounts and why are they required?
Break-glass accounts are emergency access accounts that are excluded from all Conditional Access policies deployed by Veri-Tech. They ensure you can always access your tenant even if a policy is misconfigured. At least one must be configured before write permissions can be granted.
▶How does JIT (Just-In-Time) permission work?
In JIT mode, write permissions are granted immediately before a remediation job starts and automatically revoked by the worker after the job completes. Your tenant never has unnecessary standing write access. You can also manually revoke write permissions at any time from Settings → Permissions.
▶Can Veri-Tech delete or overwrite my existing policies?
No. Veri-Tech only creates new policies or updates specific settings on existing policies to meet compliance requirements. It never deletes existing policies. Conditional Access policies are always deployed in report-only mode.
▶What is disruption risk?
Each remediable control has a disruption risk rating (None, Low, Medium, High, Critical) that indicates how likely the change is to affect end users. For example, enabling MFA is rated "High" because it changes the sign-in experience, while updating a device compliance setting is rated "Low." Review disruption risk before selecting controls for remediation.
▶How does Veri-Tune remediation work?
Veri-Tune uses scoped JIT write permissions (only 3 Graph permissions vs 14 for M365 remediation) to modify existing Intune policies in place — editing the specific misconfigured settings rather than creating override policies that stack on top. Previous values are captured for rollback. You get a per-control toggle (Modify vs. Override), a 3-tier dispatch workflow (green/amber/red) that generates Change Advisory + runbook artifacts before writing anything, and a dedicated per-platform assignment page for configured-but-unassigned policies. Both Windows and macOS device configuration and compliance policies are auto-remediated. Write permissions are auto-revoked after the operation completes.
▶What is Policy Insights?
Policy Insights is a dedicated Veri-Tune scanner that reads every Intune policy in your tenant and surfaces settings that appear in 2+ policies, flagging three conditions: value conflicts (policies fighting each other with contradictory values), redundant duplicates (same setting, same value, in multiple policies), and unassigned overrides (overriding policies that aren't actually assigned to any group). It provides setting-centric and policy-centric views, filters by severity/platform/conflict class, and downloadable Detailed and Executive reports in HTML, Markdown, or PDF. Access it via the Policy Insights tab on the Tune results page or the full page at /tune/[jobId]/policy-insights.
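The three conditions described above can be expressed as a small classifier over exported policy data. This is an added example, not Veri-Tech's code: the policy tuples and setting names are constructed, and two choices are assumptions, namely that values are compared only among assigned policies and that any unassigned policy carrying a shared setting counts as an "unassigned override".

```python
import json
from collections import defaultdict

# Constructed sample input: (policy name, assigned groups, {setting: value}).
# All names and values here are hypothetical, not taken from a real tenant.
POLICIES = [
    ("Win-Baseline", ["All-Windows"], {"PasswordMinLength": 12, "FirewallEnabled": True}),
    ("Win-Kiosk", ["Kiosks"], {"PasswordMinLength": 8, "FirewallEnabled": True}),
    ("Win-Legacy-Override", [], {"PasswordMinLength": 6}),
    ("Win-BitLocker", ["All-Windows"], {"RequireEncryption": True}),
]


def policy_insights(policies):
    """Map each setting found in 2+ policies to the conditions it triggers."""
    by_setting = defaultdict(list)
    for name, groups, settings in policies:
        for setting, value in settings.items():
            # Canonical JSON so nested values and True vs 1 compare correctly.
            key = json.dumps(value, sort_keys=True)
            by_setting[setting].append((name, bool(groups), key))

    findings = {}
    for setting, uses in by_setting.items():
        if len(uses) < 2:
            continue  # a setting held by a single policy cannot overlap
        conditions = set()
        # Assumption: only assigned policies can conflict or duplicate in effect.
        assigned = [value for _, is_assigned, value in uses if is_assigned]
        if len(assigned) < len(uses):
            conditions.add("unassigned_override")
        if len(set(assigned)) > 1:
            conditions.add("value_conflict")
        if len(assigned) > len(set(assigned)):
            conditions.add("redundant_duplicate")
        findings[setting] = sorted(conditions)
    return findings


if __name__ == "__main__":
    for setting, conditions in policy_insights(POLICIES).items():
        print(setting, conditions)
```

Group membership overlap is not evaluated here, so a reported value conflict means only that two assigned policies disagree, not that one device necessarily receives both.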
▶What is remediation rollback?
Remediation rollback lets you undo changes made by automated remediation within a 24-hour window. Before each change, Veri-Tech captures the previous configuration value. If a change causes issues, you can roll back individual controls without affecting other remediation actions. Available on Enterprise and MSP plans.
▶What plans are available?
Veri-Tech offers three tiers plus an MSP track. Starter ($99/mo, or $79/mo billed annually at $948/yr) includes unlimited SOP generations across all 18 policy types and up to 5 team members. Professional ($499/mo, or $399/mo billed annually at $4,788/yr) adds the compliance dashboard, 330+ automated remediation handlers, twelve compliance frameworks, scan comparison, AI-powered insights, basic Veri-Vault (snapshots + deep search + change detection), and up to 25 team members with audit log and session revocation. Enterprise ($999/mo, annual only at $11,988/yr) adds Veri-Tune with Policy Insights, modify-in-place remediation, and macOS/iOS/Android coverage; Veri-Patch with WUfB policy assignment; full Veri-Vault (config restore, drift alerting, activity log, Tenant Reconnect, Emergency Accounts); compliance evidence packages; multi-tenant hub; unlimited team members; and Compliance Copilot. A HIPAA Compliance Pack is available as an add-on for Enterprise. MSP pricing is $399/tenant/mo with volume discounts at 5+ tenants.
▶Can I change plans?
Yes. You can upgrade or downgrade your plan at any time from the Billing page. Upgrades take effect immediately. Downgrades take effect at the end of the current billing period.
▶Do you offer a free trial?
Contact us for trial availability. We can set up a guided demo with your own tenant data so you can see exactly what Veri-Tech will produce for your organization.
▶Can I see exactly which permissions Veri-Tech has?
Yes. Go to Settings → Tenant Permissions to see every active Graph API scope. You can also review all permissions with detailed explanations on the Support → Permissions page. Additionally, you can audit our access from the Entra admin center under Enterprise Applications.
▶How do I revoke access?
You can revoke all permissions from Settings → Tenant Permissions using the "Revoke All Permissions" button. You can also revoke access directly from the Entra admin center by removing consent from the Veri-Tech enterprise application. Revocation is immediate.
▶Does Veri-Tech use client secrets?
No. Veri-Tech authenticates exclusively using X.509 certificate-based authentication with HSM-backed key storage. No client secrets are used anywhere in the system.
▶What document formats are available?
SOPs can be exported as Markdown, HTML, PDF, or DOCX. Compliance reports are generated as HTML with interactive sections. Gap analysis reports include a summary dashboard and detailed per-control breakdown.
▶How long are documents retained?
Documents are retained for the lifetime of your subscription. You can download or delete documents at any time from the Documents page. When your subscription ends, documents are retained for 30 days before being permanently deleted.
▶Can I add my company branding to documents?
Yes. Go to Settings → Branding to upload your company logo, set your organization name, and choose your color scheme. Branding is applied to all generated SOPs and compliance reports.
▶How many team members can I add?
Plan-tier limits: Starter up to 5 team members, Professional up to 25, Enterprise and MSP unlimited. You can see your current headcount and limit on Settings → Users. When you hit the limit, new invites are blocked until you remove a member or upgrade.
▶How do I invite a teammate?
Go to Settings → Users → Invite. Enter the email address and choose a role (Owner, Admin, Viewer, Billing). The invite is active for 7 days and the invited user must sign in with the matching email to accept. You can revoke a pending invite at any time. Enable the "require invite" toggle if you want to block any new user who hasn't been pre-invited.
▶What are the four roles?
Owner — full control including billing and ability to delete the tenant. Admin — full operational access (run scans, remediate, manage users) without billing. Viewer — read-only access to dashboards and reports. Billing — billing-only access for finance partners.
▶Can I revoke a user's session?
Yes. Go to Settings → Users, select the user, and click Revoke session. Propagation is up to 5 minutes (the session token TTL). The user will be signed out automatically on their next request after that window. Their account remains active — they can sign back in unless you also remove them.
▶What is the user audit log?
The user audit log (Settings → Audit Log, Enterprise) records every significant user event: logins, role changes, invites sent/accepted/expired, users removed, and sessions revoked. Each event captures timestamp, actor, target user, and action details. The log is filterable by date, user, and action type, and is useful for SOC 2 / ISO 27001 audit evidence and incident investigation.
▶What happens when a user hits the seat limit?
New invites fail with a "user limit reached" message. Users already in the tenant continue to work normally. Options: upgrade to the next tier, or remove an inactive user first. Bulk role changes and session revocation also work when over limit — you just can't add anyone new.
