Most tenant incidents don’t start with a clever exploit; they start with a well‑meaning change that outlives its context. A "temporary" Conditional Access exclusion during an outage, an app that’s granted one extra Graph permission to unblock a team, or an Intune setting tweak for a single hardware model can quietly become permanent. Weeks later, nobody remembers the reason, and your tenant drifts into a riskier state.

In this session we’ll build a small, repeatable drift detection loop using PowerShell and Microsoft Graph that produces a reviewable diff. We’ll focus on a curated set of "things that bite you" in Entra ID including Conditional Access policies, named locations, authentication method policies, and app/service principal permission-related configuration. Then we'll work through a process to capture changes and ultimately generate a change report a human can review. The goal is to show how you can turn the "check your tenant every few months" chore into a lightweight governance habit that actually fits into your workflow.