
Auto-Remediation for Microsoft 365: Fix Security Drift Automatically

Someone re-enabled legacy auth at 2 AM. With auto-remediation, it was disabled again by 2:15 AM, no human intervention required. Here is how automatic security remediation works and why safety gates matter.

TrueConfig Team

Security Engineering

January 10, 2025

The 2 AM Fix You Didn't Have to Make

Picture this: It's Tuesday at 2 AM. Someone in your IT department re-enables legacy authentication to troubleshoot an executive's email issue. They forget to disable it afterward.

Without auto-remediation, that misconfiguration sits there until your next security scan, maybe days later. An attacker with stolen credentials now has a window.

With auto-remediation, the change is detected within minutes. Legacy auth is automatically disabled. An alert lands in your inbox with full context. You review it over morning coffee instead of scrambling to fix it.

This is the difference between reactive security and continuous enforcement.

What Is Auto-Remediation?

Auto-remediation automatically reverses configuration drift when your Microsoft 365 tenant deviates from your defined security baseline. Instead of just alerting you to problems, the system fixes them.

The concept is simple:

  1. You define your desired state (legacy auth should be disabled)
  2. TrueConfig continuously monitors for drift
  3. When drift is detected, it's automatically corrected
  4. You get notified with full audit details

How TrueConfig Auto-Remediation Works

Step 1: Detection

Continuous scanning compares your tenant's actual configuration against your baseline. When a deviation is detected, the system evaluates whether it's eligible for auto-remediation.

Examples of detectable drift:

  • Legacy authentication protocols re-enabled
  • Security Defaults disabled
  • Risk-based Conditional Access policies turned off
  • New standing admin assignments (flagged for review)

Step 2: Evaluation

Not every deviation should be auto-fixed. The system checks:

  • Is auto-remediation enabled for this control? You control which controls can be auto-fixed.
  • Is this an acknowledged exception? Intentional deviations marked as exceptions are skipped.
  • Is the change within safe parameters? Rate limiting prevents runaway remediation.

Step 3: Remediation

If the deviation passes evaluation, TrueConfig executes the fix through the Microsoft Graph API:

  • Legacy auth re-disabled
  • Security Defaults re-enabled
  • Policy settings restored

Step 4: Notification and Logging

Every remediation generates:

  • Alert with before/after state
  • Audit log entry with timestamp
  • Attribution of the original change (when available)
  • Link to review in the TrueConfig dashboard

Supported Controls

Auto-remediation is available for controls where automatic correction is safe and well-defined:

Control                          Auto-Remediation Action
Legacy Authentication            Disable when enabled
Security Defaults                Re-enable if disabled
User Risk Policy                 Re-enable if disabled
Sign-in Risk Policy              Re-enable if disabled
Block Legacy Auth (CA Policy)    Re-enable if disabled

Additional controls are added regularly as we validate safe remediation patterns.

Safety Gates: Why They Matter

Auto-remediation is powerful. Unchecked, it could cause problems, like disabling a setting that was intentionally changed for a valid business reason. That's why TrueConfig includes multiple safety gates:

Per-Control Toggle

You choose exactly which controls can be auto-remediated. Start with one low-risk control, build confidence, then expand.

Dry Run Mode

Enable dry run to see what would be remediated without actually making changes. Run it for a week to understand the pattern of drift in your tenant before going live.

Exception Management

Mark specific deviations as "intentional exceptions." Auto-remediation will skip these while still alerting you if they change further.

Rate Limiting

If the system detects unusual drift patterns, like dozens of changes in a short period, it pauses auto-remediation and alerts you. This prevents runaway automation and catches potential security incidents.

Complete Audit Trail

Every remediation is logged with before/after state. If something unexpected happens, you have full visibility to investigate and roll back if needed.
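To make the Step 2 evaluation and the safety gates above concrete, here is an added Python sketch of that decision logic. It is not TrueConfig's code; the control names, the 15-minute window, the event threshold and the (control, observed value) shape of an exception are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Drift:
    """One detected deviation from the baseline (Step 1 output)."""
    control: str    # e.g. "legacy_auth" (assumed name)
    observed: str   # value found in the tenant
    expected: str   # value the baseline requires
    ts: float       # detection time, seconds; events are assumed to arrive in order

@dataclass
class Policy:
    auto_remediate: dict                          # per-control toggle: control -> bool
    dry_run: bool = False                         # report what would change, change nothing
    exceptions: set = field(default_factory=set)  # (control, observed) pairs marked intentional
    rate_limit: int = 10                          # drift events per window before pausing (assumed)
    window: float = 900.0                         # sliding window in seconds, 15 min (assumed)

class Evaluator:
    """Step 2 gate: decides whether a drift event may be auto-fixed."""
    def __init__(self, policy: Policy):
        self.policy = policy
        self.recent = deque()   # timestamps of drift events inside the window
        self.paused = False     # set once the rate limit trips; cleared by a human
        self.audit = []         # Step 4: one before/after record per evaluated event

    def decide(self, d: Drift) -> str:
        # Rate limiting first: a burst of drift may be an incident, not routine churn.
        self.recent.append(d.ts)
        while d.ts - self.recent[0] > self.policy.window:
            self.recent.popleft()
        if len(self.recent) > self.policy.rate_limit:
            self.paused = True
        if self.paused:
            decision = "paused"          # alert only; no changes until reviewed
        elif not self.policy.auto_remediate.get(d.control, False):
            decision = "skip_disabled"   # control not enabled for auto-fix
        elif (d.control, d.observed) in self.policy.exceptions:
            decision = "skip_exception"  # acknowledged deviation; a different value still trips
        elif self.policy.dry_run:
            decision = "dry_run"         # would remediate, but only logs
        else:
            decision = "remediate"       # hand to the Graph API fixer (Step 3)
        after = d.expected if decision == "remediate" else d.observed
        self.audit.append({"ts": d.ts, "control": d.control, "before": d.observed,
                           "after": after, "decision": decision})
        return decision
```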

The Business Case

For mid-market IT teams, the math is straightforward:

Without auto-remediation:

  • Drift detected in weekly scan (3-7 day exposure)
  • Manual review and remediation (30-60 minutes per finding)
  • Same issues reappear (repeat work)

With auto-remediation:

  • Drift detected in minutes
  • Corrected automatically (zero manual effort)
  • Same issues stay fixed

One customer reduced their weekly security remediation time from 8 hours to under 1 hour. Most of that remaining hour is reviewing the auto-remediation log and handling genuine exceptions.

Getting Started

  1. Review your baseline: Ensure your baseline reflects your actual security requirements
  2. Enable for one control: Start with Legacy Authentication blocking; it's low-risk and high-impact
  3. Run in dry run mode: See what would be remediated for one week
  4. Go live: Enable enforcement and review the daily digest
  5. Expand gradually: Add controls as you gain confidence

Common Questions

What if auto-remediation breaks something?

Every remediation is logged with before/after state. You can manually reverse any change. Rate limiting prevents bulk changes that could cause widespread issues.

Can I exclude specific users or scenarios?

Yes. Exception management lets you mark specific deviations as intentional. Those won't be auto-remediated.

Does this replace manual review?

For routine drift, yes. For complex policy decisions, exceptions, and new configurations, you still apply human judgment. Auto-remediation handles the 80% that's routine so you can focus on the 20% that matters.

TrueConfig auto-remediation keeps your Microsoft 365 tenant aligned with your security baseline, automatically.