TrueConfig is a Desired State Configuration (DSC) platform for Microsoft 365. It monitors your Entra ID tenant, detects when security configurations drift from your defined baseline, and can automatically remediate deviations. Think of it as Infrastructure as Code for Microsoft 365 identity and access management.

What is Desired State Configuration for Microsoft 365?

Desired State Configuration (DSC) for Microsoft 365 means defining what your tenant security settings should look like (the desired state), then having software continuously ensure the actual configuration matches that definition. TrueConfig scans your tenant, compares it against your baseline, and alerts you or auto-fixes when things change.

How does TrueConfig compare to Microsoft Secure Score?

Microsoft Secure Score gives you a point-in-time snapshot and recommendations. TrueConfig goes further by continuously monitoring for configuration drift, alerting when settings change from your baseline, auto-remediating deviations with safety gates, and providing a full audit trail of all changes.

Will TrueConfig make changes to my production tenant?

No. TrueConfig operates in read-only monitoring mode by default. We never make changes to your Microsoft 365 environment without your explicit approval. Auto-remediation is an opt-in feature that requires you to enable it per-control, and every change can be previewed before execution.

What Microsoft permissions does TrueConfig need?

TrueConfig requires read-only permissions to evaluate your configuration (Directory.Read.All, Policy.Read.All, RoleManagement.Read.All, etc.). For optional auto-remediation features, write permissions are requested separately and only when you explicitly enable those features. You control exactly what access to grant.

What if auto-remediation breaks something?

Every remediation action has a 24-hour rollback window. One click to undo any change. High-risk actions also require manual approval before they run. TrueConfig includes safety gates to prevent dangerous or disruptive changes.

How long does a TrueConfig scan take?

Most tenants complete their first scan in 2-5 minutes. Larger environments with thousands of users may take up to 15 minutes. Subsequent incremental scans are much faster. You can see progress as each security control gets evaluated.

What Microsoft 365 configurations does TrueConfig monitor?

TrueConfig monitors 55 security controls across categories including Conditional Access policies, Privileged Identity Management (PIM), authentication methods, directory settings, guest access policies, admin role assignments, app registrations, and Exchange Online settings.

Do I need to install anything to use TrueConfig?

No. TrueConfig requires no agents, no software installation, and no firewall rules. Just sign in with your Microsoft work account and grant the requested permissions. Everything runs in the cloud.

Is TrueConfig secure?

Yes. TrueConfig uses OAuth 2.0 with Microsoft consent framework and zero-knowledge architecture—we never store your Microsoft credentials. All data is encrypted at rest and in transit. We are hosted in EU data centers, GDPR compliant, and SOC2 certified.

How much does TrueConfig cost?

TrueConfig offers a 7-day free trial with full Pro features. Paid plans start at Essential €99/month (1 tenant), Pro €299/month (3 tenants), and Scale €599/month (15 tenants). Annual billing saves up to 20%.

Can I try TrueConfig before purchasing?

Absolutely. TrueConfig offers a 7-day free trial with all Pro features. We recommend connecting a dev/test tenant first, then adding production when ready. No credit card required to start.

What happens when my TrueConfig trial ends?

After your 7-day trial, pick a paid plan or your account goes read-only (you can still see your last scan results). We never delete your data without warning and you can upgrade anytime.

For the one IT person running M365 at a 100 to 500 person company

Catch the stale Global Admin before your CEO does.

We check your Microsoft 365 tenant every 15 minutes. When a new Global Admin appears, MFA gets disabled, or a guest you forgot about is still sitting in a finance group, you get a Teams message before anyone in HR or legal sends you that awkward email.

Free scan • No credit card • 5 minutes to connect

Trusted by 50+ IT teams • "Found 12 stale admins on day one"

Your tenant right now (probably)

3 things you'd rather know about

Drifting

7 Global Admins

You created 2 of them

MFA policy disabled

A colleague turned it off 3 days ago

Legacy auth enabled

On 4 accounts, including one ex-employee

This is what we find in most M365 tenants on day one.

You're the only one watching, and you can't watch every change.

You're the entire IT team. You ship laptops, fix Teams, debug printers, and somewhere in there you're meant to keep the M365 tenant tidy. Things slip. Not because anyone screwed up, but because nobody's looking.

The 'temporary' Global Admin you granted in March.

It's now November. They still have full tenant access. You'll find out when your CEO forwards an email from the insurance broker asking why 7 people can read everyone's mailbox.

The MFA policy a colleague disabled 'just to test something'.

It's been off for 3 weeks. Nobody told you. You find out at 11pm on a Sunday when a finance account starts sending invoices in Cyrillic.

The contractor you gave guest access to in June.

His project ended in July. His access didn't. There are 47 others like him sitting in your SharePoint, and you have no idea which ones are still active until someone in legal asks.

Here's how it works

No 6-month rollout, no consultants, no security degree required. You connect it on a Tuesday afternoon and by Wednesday morning you know things you've been missing for months.

Sign in with Microsoft

Read-only permissions, granted in 2 clicks. First scan finishes in under 5 minutes. No agent to install, nothing to deploy.

See the 10 to 30 things drifting in your tenant

The exact list: who has too much access, which policies are off, which guests outlived their project. Each one written like a coworker explained it, not like a NIST control.

One click and the policy is back on

Re-enable MFA, remove a stale admin, kill a guest account, all from the alert. Turn on auto-fix for the routine stuff so you can actually sleep on Sunday night.

Then it just runs

We check every 15 minutes. When something changes that shouldn't have, you get a Teams message with what changed, who changed it, and a one-click fix.

New Global Admin appears at 2am → Teams message at 2:15am

Someone turns off Conditional Access → auto re-enabled in 15 minutes

Guest account inactive for 90 days → flagged with the project it came from

The goal: you stop being the person who failed to catch the thing. The tenant just stays tidy on its own.

Cheaper than the breach. Faster than the audit.

7-day free trial on all plans. No credit card. No procurement call.

MonthlyAnnualSave up to 20%

Essential

€83/month

Billed annually (€996/year)

You run M365 alone at a 100 to 250 person company and just need to know what is drifting.

Tenant scanned every 15 minutes
Teams alerts the moment something changes
Plain-English explanation of every finding

No credit card required

RECOMMENDED

Pro

€239/month

Billed annually (€2868/year)

You are the IT team at a 250 to 500 person company and want one-click fixes plus a paper trail when someone asks who changed what.

Everything in Essential
One-click fix on every finding, from the alert
Full change history: who changed what, when, and why

No credit card required

Pro Plus

€499/month

Billed annually (€5988/year)

Two-person IT team at a 500 to 1500 person company, or you inherited a second tenant from an acquisition and need both watched.

Everything in Pro
Auto-fix the routine drift without you clicking
Up to 3 tenants on one bill (handy after an M&A)

No credit card required

FAQ

Yes. We built this for the IT generalist who runs M365 alongside everything else, not for a security specialist. Every alert is written in plain English ('Someone added a new Global Admin called John Smith at 14:32') with a one-click fix. No CIS benchmark numbers, no NIST control IDs, no security jargon you have to Google.

No. Read-only by default. When you turn on fixes, you preview every change before it happens, and there's a 24-hour rollback on everything we do.

Read-only Graph permissions to see your config. Write permissions only if you want auto-fix, and you pick exactly which categories you trust us to touch. No tenant-wide write access ever.

Every change is reversible with one click for 24 hours. High-risk actions (anything touching Global Admin, Conditional Access, or domain settings) always require your approval. Auto-fix is opt-in per category.

Encrypted at rest and in transit. GDPR compliant. Data stays in the EU. We only store config metadata, never user emails, files, or messages.

No agent, no script, no helpdesk ticket. Sign in with your M365 admin account, grant read-only permissions, the first scan finishes before your coffee gets cold.

Still have questions? Just ask

Find out what's drifted before someone else does.

5 minutes to connect. Most solo IT admins find 10 to 30 things they didn't know about on day one. No credit card required.