Microsoft adds multi‑tenant drift controls

Microsoft Entra announced native multi‑tenant configuration drift management with a UTCM engine that applies snapshots, baselines and monitors across tenants — a new lever for scalable governance in large orgs. That capability makes cross‑tenant compliance and baseline enforcement easier for platform teams. (x.com)

Microsoft published the Tenant Configuration Management (TCM) APIs in Microsoft Graph (preview) and lists supported workloads as Microsoft Defender, Microsoft Entra, Exchange Online, Microsoft Intune, Microsoft Purview and Microsoft Teams; the Microsoft Learn overview was updated March 12, 2026. (learn.microsoft.com)

The TCM/UTCM model exposes snapshot and monitoring APIs that capture tenant configuration as declarative JSON snapshots and run scheduled monitor comparisons, and the service requires onboarding a UTCM/TCM service principal to execute snapshot and monitor jobs. (learn.microsoft.com)

Community and reporting posts note the preview surface covers more than 300 resource types across workloads, while connector projects break that down by workload (example counts: Entra ~38, Exchange ~58, Intune ~65+, Purview ~28, Teams ~60). (office365itpros.com)

Preview operational limits surfaced by community tooling: only 12 snapshot jobs are visible in the UI and snapshots are retained for 7 days, while a community PowerShell wrapper documents limits of 30 monitors per tenant, 800 daily monitored resources, and a ~6‑hour monitoring cycle. (thelazyadministrator.com)

Multiple open‑source projects and connectors already integrate with the UTCM preview, including the TenantBaseline PowerShell module, the M365Watcher project, and a Power Platform/Copilot Studio connector, indicating immediate automation paths for baseline export, drift reporting and Copilot-driven workflows. (github.com)

An executive reporting frame for adoption should track four concrete metrics tied to the preview: number of tenants governed from the single governing tenant, total monitored resource types (300+ schema items), drift counts per run with cadence aligned to the 6‑hour monitoring cycle, and snapshot/export frequency given the 7‑day retention window; the TCM service principal must be provisioned and granted ConfigurationMonitoring.ReadWrite.All to operate. (ourcloudnetwork.com)
