Security

Security at Driftmark

Driftmark is designed to provide visibility into Microsoft Entra ID configuration while maintaining strict security principles and minimal access requirements.

Driftmark is built by identity and access management practitioners with deep experience designing and securing Microsoft Entra ID environments.

Read-only access to Microsoft Entra ID

Driftmark connects to Microsoft Entra ID using Microsoft Graph APIs with read-only permissions. The platform collects configuration metadata required to capture configuration snapshots and detect configuration drift across identity controls.

Driftmark does not modify Microsoft Entra ID configuration.

Read-only Microsoft Graph access
No policy or role modification
No identity lifecycle changes

Required Microsoft Graph permissions

Driftmark requires Microsoft Graph permissions to read configuration data across key identity control families. Permission scope covers configuration visibility for the following families:

Identity & Access
Security Policies
Privileged Access (PIM)
Identity Governance
Applications & Service Principals
External Collaboration

Configuration data collected by Driftmark

Driftmark collects configuration metadata required to capture configuration snapshots and evaluate drift across identity controls. This includes policy configuration, role assignments, application configuration, access settings, and governance configuration.

Data Driftmark does NOT collect

Passwords
Authentication secrets
User credentials
Sign-in logs
Authentication tokens

Configuration snapshot storage

Driftmark stores configuration snapshots that represent the state of identity configuration at specific points in time. These snapshots allow comparison between states to detect configuration drift and support review workflows.

Only configuration metadata necessary for drift detection and reporting is stored.
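To make the snapshot-comparison idea concrete, the following is an added example and not Driftmark's own code: it diffs two point-in-time configuration snapshots and reports each change as a path, a change kind, and the before/after values. The snapshot shape (policy lists keyed by "id", a top-level authorization policy) is constructed for illustration and is an assumption, not Driftmark's storage format or the Microsoft Graph schema.

```python
"""Drift detection over two configuration snapshots (added example, not Driftmark's code)."""
import copy
from typing import Any


def _change(path: str, kind: str, before: Any, after: Any) -> dict:
    return {"path": path, "kind": kind, "before": before, "after": after}


def _keyed_by_id(items: list) -> bool:
    # True when every element is an object carrying an "id" (also true for an empty list).
    return all(isinstance(i, dict) and "id" in i for i in items)


def diff_snapshots(baseline: Any, current: Any, path: str = "") -> list[dict]:
    """Recursively compare two JSON-like snapshots and return change records.

    Object lists are matched by "id" so reordering alone is not reported as drift;
    scalar lists are compared as unordered collections.
    """
    changes: list[dict] = []
    if isinstance(baseline, dict) and isinstance(current, dict):
        for key in sorted(set(baseline) | set(current), key=str):
            sub = f"{path}.{key}" if path else str(key)
            if key not in baseline:
                changes.append(_change(sub, "added", None, current[key]))
            elif key not in current:
                changes.append(_change(sub, "removed", baseline[key], None))
            else:
                changes.extend(diff_snapshots(baseline[key], current[key], sub))
    elif isinstance(baseline, list) and isinstance(current, list):
        if _keyed_by_id(baseline) and _keyed_by_id(current):
            changes.extend(diff_snapshots({i["id"]: i for i in baseline},
                                          {i["id"]: i for i in current}, path))
        else:
            # Membership test with == works for unhashable elements too.
            for v in current:
                if v not in baseline:
                    changes.append(_change(path, "added", None, v))
            for v in baseline:
                if v not in current:
                    changes.append(_change(path, "removed", v, None))
    elif baseline != current:
        changes.append(_change(path, "changed", baseline, current))
    return changes


# Constructed sample snapshots (hypothetical shape, not a real tenant).
BASELINE_SNAPSHOT = {
    "conditionalAccessPolicies": [
        {"id": "ca-001", "displayName": "Require MFA for admins", "state": "enabled",
         "conditions": {"users": {"excludeGroups": ["grp-breakglass"]}}},
        {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled"},
    ],
    "roleAssignments": [
        {"id": "ra-1", "roleName": "Global Administrator", "principalId": "user-alice"},
    ],
    "authorizationPolicy": {"allowInvitesFrom": "adminsAndGuestInviters"},
}

CURRENT_SNAPSHOT = copy.deepcopy(BASELINE_SNAPSHOT)
# Simulated drift since the baseline: a policy moved to report-only, an extra
# exclusion group, a new privileged role assignment, and a relaxed invite setting.
CURRENT_SNAPSHOT["conditionalAccessPolicies"][0]["state"] = "enabledForReportingButNotEnforced"
CURRENT_SNAPSHOT["conditionalAccessPolicies"][0]["conditions"]["users"]["excludeGroups"].append("grp-contractors")
CURRENT_SNAPSHOT["roleAssignments"].append(
    {"id": "ra-2", "roleName": "Global Administrator", "principalId": "user-bob"})
CURRENT_SNAPSHOT["authorizationPolicy"]["allowInvitesFrom"] = "everyone"


def format_change(c: dict) -> str:
    return f"{c['kind']:8} {c['path']}: {c['before']!r} -> {c['after']!r}"


if __name__ == "__main__":
    for change in diff_snapshots(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT):
        print(format_change(change))
```

Comparing a snapshot against itself yields no changes, which is the property a drift detector must hold before any alerting is layered on top; the four records produced for the constructed pair show the kind of review item (policy weakened, exclusion widened, privileged assignment added, collaboration setting relaxed) that a snapshot diff surfaces without needing any write access to the tenant.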

Data residency

Driftmark is built with regional data residency support. Customers can use a regional Driftmark environment so their workspace data is stored in the region selected for that workspace.

Canada region

The Canada region hosts data for customers located in Canada and for customers who choose Canada as their Driftmark storage region.

United States region

The United States region hosts data for customers located in the United States and for customers who choose the United States as their Driftmark storage region.

During signup, customers can choose the region that best matches their organization's data residency needs. For users outside Canada and the United States, Canada is the default region, and the United States region remains available as an option.

By default, Driftmark directs visitors to a regional site instance based on IP geolocation. Visitors from United States IP addresses are directed to the United States site, while visitors from Canada and the rest of the world default to the Canadian site.

Regional selection applies to Driftmark application data such as workspace records, configuration snapshots, report artifacts, and related billing or subscription state stored by the regional application.

Security principles

Least privilege access

Driftmark requests only the permissions required to read configuration state.

Configuration visibility without modification

Driftmark observes configuration state but does not change tenant settings.

Secure communication

All communication with Microsoft Graph and the Driftmark platform occurs over encrypted HTTPS connections.

Azure Front Door perimeter

Driftmark uses Azure Front Door as a secure front-facing entry point for the application. Azure Front Door provides global layer-7 traffic routing and delivery while also serving as an important security perimeter in front of the regional Driftmark application instances.

Web Application Firewall

WAF capabilities help protect the application from common web attack patterns such as SQL injection, cross-site scripting, and malicious automated traffic.

DDoS resilience

Front Door helps absorb and route traffic at the network edge, contributing to protection against distributed denial-of-service attacks at both the network and application layers.

TLS termination and encryption

TLS is handled centrally at the edge, supporting encrypted data in transit and centralized certificate management for public application endpoints.

Private backend connectivity

Where supported, private connectivity patterns can limit direct public exposure of backend Azure services while Front Door remains the controlled public entry point.

Responsible disclosure

If you believe you have discovered a security vulnerability in Driftmark, please contact us.

Built by identity security practitioners

Driftmark is developed by identity and access management practitioners with deep experience in Microsoft Entra ID architecture, governance, and security operations.

The platform is designed to reflect real-world identity security challenges faced by enterprise environments.