
Veri-Vault


Veri-Vault captures Automatic Scan Snapshots of your Microsoft 365 configuration alongside every compliance scan, detects changes between snapshots, and provides drift alerting, full config restore, and tenant recovery via Emergency Accounts. Professional gets snapshot browsing, deep content search, and change detection; Enterprise adds restore, drift alerting, the Vault Activity Log, Tenant Reconnect Wizard, and git integration.

  • Snapshot types: 18
  • Change detection: Auto
  • Restore: Enterprise
  • Min tier: Professional

How Veri-Vault Works

Step-by-step walkthrough from start to finish

1. Automatic Scan Snapshots

Config snapshots are captured automatically alongside every compliance scan. Each snapshot records the full configuration state of your tenant across all supported policy types, with completeness indicators and size-trend stats so you can see coverage at a glance.

2. Browse, Search & Compare

Browse snapshots by date, view individual policy configurations, and run deep content search across snapshot contents. Compare any two snapshots side-by-side with search and filter on the diff to see exactly what changed — which settings were added, modified, or removed. Export any comparison as CSV.

3. Vault Activity Log (Enterprise)

The Vault Activity Log shows a full history of snapshots taken, comparisons run, restores applied, exports downloaded, and every admin action. Filterable by date, user, and action type for audit readiness.

4. Drift Alerting (Enterprise)

Configure drift alerting to get notified when configuration changes are detected outside of expected change windows. Alerts are delivered via email or HMAC-signed webhooks.
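The page states that drift alerts can be delivered as HMAC-signed webhooks but does not document the signing scheme. The receiver-side check below is an added example, not Veri-Vault's code: the header names X-Vault-Signature and X-Vault-Timestamp, the "timestamp.body" signing string and the five-minute tolerance are assumptions to be replaced with whatever the vendor's webhook documentation specifies. It shows the two properties a receiver needs from a signed alert: a constant-time signature comparison, and a timestamp bound into the signed data so that a forwarded or replayed alert is rejected.

```python
"""Added example (not Veri-Vault's own code): verify an HMAC-signed drift-alert
webhook on the receiving side. Header names, signing string and tolerance are
assumptions; replace them with the vendor's documented scheme."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SIGNATURE_HEADER = "X-Vault-Signature"  # assumed header name
TIMESTAMP_HEADER = "X-Vault-Timestamp"  # assumed header name
TOLERANCE_SECONDS = 300                 # assumed replay window


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.<raw body>'.

    Binding the timestamp into the MAC means an attacker who captures a valid
    delivery cannot re-send it later with a fresh timestamp."""
    message = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection path is explicit so it can be logged."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature or timestamp header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    expected = sign(secret, ts, body)
    # compare_digest does not stop at the first differing byte, so the match
    # position is not leaked through response timing.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"


def handle(secret: bytes, headers: Dict[str, str], body: bytes, now: int) -> Dict[str, object]:
    """Only parse the JSON after the signature has been verified."""
    ok, reason = verify(secret, headers, body, now)
    if not ok:
        return {"accepted": False, "reason": reason}
    return {"accepted": True, "event": json.loads(body)["event"]}


# Constructed sample delivery (hypothetical tenant, policy id and secret).
SECRET = b"constructed-shared-secret"
ALERT = {"event": "drift.detected", "tenant": "contoso-example",
         "policy": "ca:require-mfa-admins", "changes": 1}
BODY = json.dumps(ALERT, separators=(",", ":"), sort_keys=True).encode()
SENT_AT = 1_700_000_000
HEADERS = {TIMESTAMP_HEADER: str(SENT_AT), SIGNATURE_HEADER: sign(SECRET, SENT_AT, BODY)}

if __name__ == "__main__":
    print(handle(SECRET, HEADERS, BODY, SENT_AT + 10))
    print(handle(SECRET, HEADERS, BODY, SENT_AT + 3600))  # stale: rejected
```

Whatever the real scheme turns out to be, keep the order shown here: check headers, check freshness, check the signature over the raw bytes as received, and only then parse the JSON. Re-serializing the body before signing is a common source of spurious mismatches.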

5. Config Restore & Tenant Reconnect (Enterprise)

Restore your tenant configuration to any previous snapshot state. The Tenant Reconnect Wizard re-binds a disconnected tenant (expired consent, changed app registration, migrated tenancy) so restores keep working. Restore operations use JIT write permissions and are logged in the activity log.

6. Emergency Accounts for Tenant Recovery (Enterprise)

Create Emergency Accounts (formerly "break-glass") with QR-code TOTP setup, live password strength scoring, OWASP-minimum scrypt hashing, and AES-256-GCM Key Vault encryption. Emergency login is rate-limited and session-scoped.
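The description above names the controls on an Emergency Account but not how they fit together at login time. The following is an added example, not Veri-Vault's code, that combines three of them in one login routine: scrypt password hashing at the OWASP-minimum cost parameters (N=2^17, r=8, p=1 as I read the OWASP Password Storage Cheat Sheet), RFC 6238 TOTP verification with one step of clock skew, and a sliding-window rate limit on failed attempts. QR-code enrolment, live password strength scoring and the AES-256-GCM Key Vault encryption of the TOTP secret are not shown. The stored-record format, the class and its parameters are this example's own.

```python
"""Added example (not Veri-Vault's own code): scrypt password verification,
TOTP second factor and failure rate limiting for an emergency (break-glass)
login. Record format and parameter names are this example's own."""
import base64
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# OWASP Password Storage Cheat Sheet minimum for scrypt (as I read it): N=2^17, r=8, p=1.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 17, 8, 1
SCRYPT_MAXMEM = 2 ** 28  # hashlib needs ~128*N*r bytes (about 134 MiB) of working memory


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$dk' record for storage."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    _, n, r, p, salt_hex, dk_hex = record.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=int(n),
                        r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the defaults that authenticator apps enrol with."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class EmergencyLogin:
    """One emergency account: password record, TOTP secret and a failure window."""

    def __init__(self, password_record: str, totp_secret_b32: str,
                 max_failures: int = 5, window_seconds: int = 300):
        self.password_record = password_record
        self.totp_secret_b32 = totp_secret_b32
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.failures: List[int] = []  # timestamps of recent failed attempts

    def attempt(self, password: str, code: str, now: int) -> Tuple[bool, str]:
        # Drop failures older than the window, then refuse before doing any
        # expensive crypto if the account is already rate-limited.
        self.failures = [t for t in self.failures if now - t < self.window_seconds]
        if len(self.failures) >= self.max_failures:
            return False, "rate limited"
        # Evaluate both factors before deciding, so a wrong password does not
        # short-circuit and reveal which factor failed through timing.
        password_ok = verify_password(password, self.password_record)
        code_ok = any(hmac.compare_digest(totp(self.totp_secret_b32, now + skew).encode(),
                                          code.encode())
                      for skew in (-30, 0, 30))
        if password_ok and code_ok:
            return True, "session issued"  # a real system scopes this session narrowly
        self.failures.append(now)
        return False, "invalid credentials"


# Constructed fixtures: the RFC 6238 reference secret ("12345678901234567890" in
# base32) and a fixed all-zero salt so results are reproducible. Never reuse a
# fixed salt or a published secret outside a test.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_RECORD = hash_password("correct horse battery staple", salt=bytes(16))

if __name__ == "__main__":
    login = EmergencyLogin(DEMO_RECORD, RFC6238_SECRET_B32, max_failures=3)
    print(login.attempt("correct horse battery staple", totp(RFC6238_SECRET_B32, 59), 59))
```

Two details are deliberate: the record carries its own N, r and p so cost parameters can be raised later without invalidating existing accounts, and the rate-limit check runs before the scrypt call so that a flood of bad attempts cannot be used to exhaust the service's memory.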

Data Handling

What data is collected, processed, stored, and what is never accessed

Data collected during snapshots

  • Microsoft 365 policy configurations across all supported policy types (read-only, via Graph API)
  • Conditional Access policies, Intune profiles, compliance policies, and security baselines
  • Policy assignment targets (user and group references)
  • Named locations, authentication methods, and enrollment settings

How data is processed

  • Configuration state is serialized and stored as a point-in-time snapshot
  • Change detection compares snapshot pairs to identify added, modified, and removed settings
  • Drift alerting evaluates changes against configured thresholds and windows
  • Restore operations apply snapshot state via Graph API with JIT write permissions
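Step 2 above and the change-detection bullet in this list describe the same operation: compare two point-in-time snapshots, classify each setting as added, modified or removed, search and filter the diff, and export it as CSV. The following is an added example of that operation, not Veri-Vault's code: the snapshot layout (policy id mapped to nested settings), the policy ids and values are constructed, and the CSV column layout is the example's own.

```python
"""Added example (not Veri-Vault's own code): classify every setting between two
config snapshots as added, modified or removed, support search and filter on the
resulting diff, and export it as CSV. The snapshot layout is a constructed
stand-in; the page does not document Veri-Vault's real storage schema."""
import csv
import io
from typing import Any, Dict, Iterator, List, Optional, Set, Tuple

Change = Tuple[str, str, Optional[Any], Optional[Any]]  # (path, kind, before, after)

# Constructed sample snapshots with hypothetical policy ids and values.
SNAPSHOT_A: Dict[str, Any] = {
    "ca:require-mfa-admins": {
        "state": "enabled",
        "conditions": {"users": {"includeRoles": ["GlobalAdmin"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    "ca:block-legacy-auth": {
        "state": "enabled",
        "conditions": {"clientAppTypes": ["other"]},
    },
}
SNAPSHOT_B: Dict[str, Any] = {
    "ca:require-mfa-admins": {
        "state": "enabledForReportingButNotEnforced",  # modified: policy weakened
        "conditions": {"users": {"includeRoles": ["GlobalAdmin"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    "intune:baseline-win11": {"state": "assigned"},  # added
    # "ca:block-legacy-auth" is absent: removed
}


def flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, leaf_value) for every leaf of a nested snapshot."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        # Lists are compared as a whole, so a reordered or extended list
        # surfaces as one modified setting rather than many.
        yield prefix, repr(obj)
    else:
        yield prefix, obj


def diff_snapshots(old: Dict[str, Any], new: Dict[str, Any]) -> List[Change]:
    """Return the changes that take `old` to `new`, sorted by path."""
    before = dict(flatten(old))
    after = dict(flatten(new))
    changes: List[Change] = []
    for path in sorted(before.keys() | after.keys()):
        if path not in after:
            changes.append((path, "removed", before[path], None))
        elif path not in before:
            changes.append((path, "added", None, after[path]))
        elif before[path] != after[path]:
            changes.append((path, "modified", before[path], after[path]))
    return changes


def filter_diff(changes: List[Change], text: str = "",
                kinds: Optional[Set[str]] = None) -> List[Change]:
    """Case-insensitive substring search on path and values, plus a change-kind filter."""
    needle = text.lower()
    out: List[Change] = []
    for path, kind, before, after in changes:
        if kinds and kind not in kinds:
            continue
        if needle in f"{path} {before} {after}".lower():
            out.append((path, kind, before, after))
    return out


def to_csv(changes: List[Change]) -> str:
    """Render the diff as CSV; the four-column layout is this example's own."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["path", "change", "before", "after"])
    for row in changes:
        writer.writerow(["" if value is None else value for value in row])
    return buf.getvalue()


if __name__ == "__main__":
    diff = diff_snapshots(SNAPSHOT_A, SNAPSHOT_B)
    print(to_csv(diff))
    print("weakened MFA policies:", filter_diff(diff, "mfa", {"modified"}))
```

In the sample, the interesting finding is not the count of changes but the one modified setting: a Conditional Access policy moving from enforced to report-only is exactly the kind of drift a reviewer filters for first, which is why the filter accepts a change kind as well as free text.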

What is stored after snapshots

  • Full config snapshots in Azure Blob Storage (encrypted at rest)
  • Change detection results and diff metadata in Azure Table Storage
  • Restore audit trail entries with timestamps and before/after values
  • Retention: 90 days (Professional), 3 years (Enterprise/MSP)

Data Veri-Vault never accesses

  • Email content, mailbox data, or calendar entries
  • File contents in SharePoint or OneDrive
  • User passwords, MFA secrets, or authentication tokens
  • Sign-in logs, audit logs, or individual user activity
  • Device hardware details or installed applications

Permissions

Every Graph API permission used, when it's requested, and why

Permission Model

Veri-Vault uses read-only app permissions for snapshot capture and change detection. Restore operations (Enterprise only) use Just-In-Time write permissions that are granted before the restore and auto-revoked after completion.

Permission                                    Type   Requested  Purpose
Policy.Read.All                               Read   Always     Read Conditional Access policies and named locations for snapshots
DeviceManagementConfiguration.Read.All        Read   Always     Read Intune configuration profiles and security baselines for snapshots
Directory.Read.All                            Read   Always     Read directory objects for policy assignment context
Policy.ReadWrite.ConditionalAccess            Write  JIT only   Restore Conditional Access policies from snapshots
DeviceManagementConfiguration.ReadWrite.All   Write  JIT only   Restore Intune configuration from snapshots

Safety Controls

  • Snapshots are read-only — no tenant modifications during capture
  • Restore operations require explicit JIT write permission consent
  • Full activity log of every restore, comparison, export, and admin action
  • Emergency Accounts with rate-limited login, scrypt password hashing, and AES-256-GCM TOTP secrets in Azure Key Vault
  • Tier-based snapshot retention with automatic cleanup (90d Professional / 1yr Enterprise / 3yr MSP)
  • All data encrypted at rest (AES-256) and in transit (TLS 1.2+)

Capabilities

  • Automatic Scan Snapshots alongside every compliance scan
  • Deep content search across snapshot contents (Professional+)
  • Side-by-side change detection between any two snapshots with search and filter on the diff
  • Snapshot completeness indicators and size-trend stats
  • Auto-select recent snapshots in compare flows
  • CSV/JSON export for snapshots; CSV export for comparisons
  • Download All Runbooks as ZIP from any snapshot
  • Full config restore from any snapshot (Enterprise)
  • Tenant Reconnect Wizard for re-binding disconnected tenants (Enterprise)
  • Vault Activity Log — snapshots, comparisons, restores, exports, admin actions (Enterprise)
  • Drift alerting with configurable thresholds — email + HMAC-signed webhooks (Enterprise)
  • Emergency Accounts with QR-code TOTP setup and live password strength (Enterprise)
  • Git integration for config-as-code workflows (Enterprise)

Frequently Asked Questions

When are snapshots captured?
Automatic Scan Snapshots are captured alongside every compliance scan. If you run daily scheduled scans, you get daily config snapshots.

What is the difference between Professional and Enterprise Vault?
Professional gets Automatic Scan Snapshots, deep content search, change detection, CSV/JSON export, and ZIP runbook downloads. Enterprise adds the Vault Activity Log, full config restore, Tenant Reconnect Wizard, drift alerting, Emergency Accounts with TOTP, and git integration.

What are Emergency Accounts?
Emergency Accounts (formerly "break-glass accounts") are recovery credentials that let a designated operator regain access to Vault in a tenant-lockout scenario — expired Graph consent, app registration wiped, or lost admin access. They are protected by OWASP-minimum scrypt password hashing, QR-code TOTP multi-factor, AES-256-GCM secret encryption in Azure Key Vault, and rate-limited login. Creating one is optional but recommended for Enterprise customers.

Can restore break my tenant?
Restore operations use the same safety controls as remediation — JIT write permissions, activity logs, and emergency account protection. You can restore individual policy types or full snapshots, and every restore is captured with before/after values.

How long are snapshots retained?
Snapshots are retained for 90 days on Professional, 1 year on Enterprise, and 3 years on MSP. Tier-based automatic cleanup runs on a schedule.