New Microsoft Graph UTCM APIs Reduce Microsoft 365 Configuration Drift

Microsoft has introduced new Unified Tenant Configuration Management (UTCM) APIs in public preview through Microsoft Graph. These APIs enable organizations to consistently control, manage, and monitor configuration settings across one or multiple Microsoft 365 workloads.

Why is configuration drift a growing problem in Microsoft 365 tenants?

The new UTCM APIs address the problem of configuration drift in Microsoft 365 tenants, where settings gradually change without administrators realizing it. In traditional tenant management, admins access resources using their credentials. However, this model provides limited centralized control and poor visibility into the overall configuration state.

Consequently, administrators often cannot easily tell when tenant settings have deviated from the intended baseline, which increases the risk of security, compliance, and governance issues.

The new Unified Tenant Configuration Management (UTCM) solution is a set of APIs within Microsoft Graph. This service aims to give administrators a built‑in way to track configuration changes across Microsoft 365 workloads without relying entirely on custom scripts or third‑party tools.

“The UTCM APIs address this challenge by enabling automated monitoring of tenant settings. With the monitoring APIs in UTCM, you can ensure your configurations remain secure and consistent, and quickly identify any deviations from the desired state,” Microsoft explained.

How does the UTCM baseline and drift detection model work?

Microsoft’s UTCM APIs use a baseline‑and‑comparison model to identify configuration drift in Microsoft 365 tenants. It allows administrators to capture configuration snapshots, which record the tenant’s settings at a specific point in time and act as a trusted baseline. They then create configuration monitors that automatically compare the live tenant environment against this stored baseline on a recurring schedule.

Additionally, these APIs detect configuration drift when current settings no longer match the approved snapshot. This approach provides a straightforward and structured way to identify changes as they occur without advanced enforcement or automatic remediation.

Supported workloads

The UTCM APIs support major Microsoft 365 services such as Microsoft Entra, Exchange Online, Microsoft Teams, Microsoft Intune, Microsoft Defender, and Microsoft Purview. It allows organizations to track configuration drift across multiple workloads.

Common use cases and limitations

According to Microsoft, the UTCM APIs are commonly used to create configuration baselines for audits and security reviews and monitor tenants for unintended or unauthorized configuration changes. This service also helps to simplify troubleshooting by capturing a clear snapshot of current settings and supports governance across large or multi‑workload environments where manual oversight is impossible. UTCM centralizes configuration data in a declarative format to help IT admins proactively detect drift and maintain compliance without relying entirely on manual checks or custom tools.

Lastly, Microsoft has acknowledged several limitations with the UTCM APIs. As of this writing, configuration snapshots are limited to collecting up to 20,000 resources per tenant each month and are automatically deleted after seven days. Moreover, configuration monitors run on a fixed six‑hour schedule that cannot be customized, and each tenant can only create up to 30 monitors. Currently, monitoring is also capped at 800 configuration settings per day.