TrueConfig is a Desired State Configuration (DSC) platform for Microsoft 365. It monitors your Entra ID tenant, detects when security configurations drift from your defined baseline, and can automatically remediate deviations. Think of it as Infrastructure as Code for Microsoft 365 identity and access management.

What is Desired State Configuration for Microsoft 365?

Desired State Configuration (DSC) for Microsoft 365 means defining what your tenant security settings should look like (the desired state), then having software continuously ensure the actual configuration matches that definition. TrueConfig scans your tenant, compares it against your baseline, and alerts you or auto-fixes when things change.

How does TrueConfig compare to Microsoft Secure Score?

Microsoft Secure Score gives you a point-in-time snapshot and recommendations. TrueConfig goes further by continuously monitoring for configuration drift, alerting when settings change from your baseline, auto-remediating deviations with safety gates, and providing a full audit trail of all changes.

Will TrueConfig make changes to my production tenant?

No. TrueConfig operates in read-only monitoring mode by default. We never make changes to your Microsoft 365 environment without your explicit approval. Auto-remediation is an opt-in feature that requires you to enable it per-control, and every change can be previewed before execution.

What Microsoft permissions does TrueConfig need?

TrueConfig requires read-only permissions to evaluate your configuration (Directory.Read.All, Policy.Read.All, RoleManagement.Read.All, etc.). For optional auto-remediation features, write permissions are requested separately and only when you explicitly enable those features. You control exactly what access to grant.

What if auto-remediation breaks something?

Every remediation action has a 24-hour rollback window. One click to undo any change. High-risk actions also require manual approval before they run. TrueConfig includes safety gates to prevent dangerous or disruptive changes.

How long does a TrueConfig scan take?

Most tenants complete their first scan in 2-5 minutes. Larger environments with thousands of users may take up to 15 minutes. Subsequent incremental scans are much faster. You can see progress as each security control gets evaluated.

What Microsoft 365 configurations does TrueConfig monitor?

TrueConfig monitors 55 security controls across categories including Conditional Access policies, Privileged Identity Management (PIM), authentication methods, directory settings, guest access policies, admin role assignments, app registrations, and Exchange Online settings.

Do I need to install anything to use TrueConfig?

No. TrueConfig requires no agents, no software installation, and no firewall rules. Just sign in with your Microsoft work account and grant the requested permissions. Everything runs in the cloud.

Is TrueConfig secure?

Yes. TrueConfig uses OAuth 2.0 with Microsoft consent framework and zero-knowledge architecture—we never store your Microsoft credentials. All data is encrypted at rest and in transit. We are hosted in EU data centers, GDPR compliant, and SOC2 certified.

How much does TrueConfig cost?

TrueConfig offers a 7-day free trial with full Pro features. Paid plans start at Essential €99/month (1 tenant), Pro €299/month (3 tenants), and Scale €599/month (15 tenants). Annual billing saves up to 20%.

Can I try TrueConfig before purchasing?

Absolutely. TrueConfig offers a 7-day free trial with all Pro features. We recommend connecting a dev/test tenant first, then adding production when ready. No credit card required to start.

What happens when my TrueConfig trial ends?

After your 7-day trial, pick a paid plan or your account goes read-only (you can still see your last scan results). We never delete your data without warning and you can upgrade anytime.

For IT teams managing Microsoft 365

Stop firefighting your Microsoft 365 security.

TrueConfig watches your tenant 24/7, catches configuration drift, and auto-fixes deviations before they become audit findings.

Free scan • No credit card • Takes 5 minutes

Trusted by 50+ IT teams • "Found 12 stale admins on day one"

Your tenant right now (probably)

3 things need attention

Drifting

7 Global Admins

Should be 2

MFA policy disabled

3 days ago

Legacy auth enabled

On 4 accounts

This is what TrueConfig finds in most tenants on day one.

Your tenant drifts while you sleep.

Not because anyone screwed up. Just because that's what happens when busy people make quick changes and forget to clean up.

That 'temporary' Global Admin from 6 months ago?

Still has access. Still in your audit report. You'll find out when someone asks why.

The policy someone disabled 'just for testing'?

Legacy auth has been wide open for 3 weeks. You found out from an alert, not your dashboard.

The guest access you set up for that contractor?

He finished 4 months ago. The access didn't. Neither did the 47 others like him.

Here's how it works

No 6-month implementation. No professional services. Just connect and go.

Connect your tenant

See what's drifted

We scan against security best practices and show you exactly what needs attention.

Fix it (or we do)

One-click remediation, or turn on auto-fix for the routine stuff.

Then it just runs

TrueConfig checks your tenant on a schedule. When something drifts, you hear about it fast.

New Global Admin added → notified in 15 minutes

Policy disabled → auto re-enabled

Stale guest access → flagged for cleanup

The goal: You stop thinking about security drift. It's just handled.

Pricing

7-day free trial on all plans. No credit card required.

MonthlyAnnualSave up to 20%

Essential

€83/month

Billed annually (€996/year)

For IT teams establishing their security baseline.

Real-time drift detection
Opinionated security baseline
Configuration audit trail

No credit card required

RECOMMENDED

Pro

€239/month

Billed annually (€2868/year)

For IT teams that need control, history, and one-click fixes.

Everything in Essential
One-click remediation
Change history with explanations

No credit card required

Scale

€499/month

Billed annually (€5988/year)

For organizations with multiple tenants or automated enforcement needs.

Everything in Pro
Automatic enforcement
Multi-tenant support

FAQ

No. Read-only by default. When you enable fixes, you preview every change before it happens.

Read-only to see your config. Write permissions only if you want auto-remediation—and you control exactly what to grant.

24-hour rollback on every change. One click to undo. High-risk actions require manual approval.

Encrypted at rest and in transit. GDPR compliant. Data stored in EU.

No. Sign in with Microsoft, grant permissions, done. 100% cloud-based.

Still have questions? Just ask

See what's drifted in your tenant

5 minutes to connect. No credit card required.