The Journal
“Who changed that Conditional Access policy?”
Now there's an answer. Tenant Hawk journals every config change in your Microsoft 365 tenant - the exact field, the before and after value, and the admin who made it. Like a git history for your tenant.
Read-only Graph access · 2-minute setup · Journal included in Pro
Journal
contoso.com · this week
The audit log wasn't built for this
Microsoft records changes - in raw JSON, across three portals, with retention measured in weeks.
Audit logs expire
30–90 days of retention on most licenses. The change that explains today's incident may already be gone.
No diffs, no story
Audit entries tell you a policy was updated - not which field, or what the value was before. You're left reconstructing history from memory.
The Journal keeps both
Full before/after state for every change, forever, in one timeline. When sign-ins break on Thursday, you can see what changed on Tuesday.
How the Journal works
Baseline on first scan
Your tenant's Conditional Access, authentication, and Intune configuration is snapshotted read-only. No agents, no write access.
Diff on every scan
Each daily scan compares current state to the last snapshot. Any created, modified, or deleted policy becomes a journal entry with a field-level diff.
Attributed automatically
Entries are matched against the Entra audit log so each change carries the admin (or app) that made it.
Tracks Conditional Access policies, named locations, authorization & authentication methods policies, and Intune compliance & configuration profiles.
Journal FAQ
How is the Journal different from the Entra audit log?
Entra and Purview audit logs expire after 30–90 days on most licenses, live across multiple portals, and show raw JSON payloads without diffs. The Journal is one readable timeline that shows the exact field that changed, its before and after value, and who made the change - and it doesn't age out.
What changes does the Journal track?
Conditional Access policies, named locations, the authorization policy, the authentication methods policy, Intune compliance policies, and Intune configuration profiles. Coverage expands over time - each scan snapshots the current state and records any delta.
How does Tenant Hawk know who made a change?
Changes are matched against the Entra directory audit log and attributed to the signed-in admin or application that made them. Attribution requires the optional AuditLog.Read.All read permission; without it, changes are still recorded - just unattributed.
Does this require write access to my tenant?
No. Tenant Hawk is read-only end to end. The Journal is built from read-only Microsoft Graph snapshots - we never modify your tenant and never store credentials.
How quickly do changes show up?
The Journal captures on every scan. Pro tenants scan daily, so a change made this morning is journaled - with its diff and actor - by tomorrow at the latest, or immediately when you trigger a rescan.
Can I roll back to a previous configuration?
The Journal stores the complete before and after state of every object, so you always have the exact prior values to revert to. One-click restore for supported policy types is on the roadmap.
Your tenant is changing. Start the record.
The Journal starts capturing from your very first scan - history you can't backfill later.
Start free scan