Policy Drift Detection
Clophi tracks changes to your Azure policy definitions, assignments, and initiatives against captured baselines. You can instantly revert policy drifts or accept modifications.
Overview
Clophi monitors your Azure policy infrastructure for configuration changes. Every 3 minutes, a detection cycle reviews both your policy definitions and assignments to compare their current state against an established baseline. Any deviation between the current state and its baseline is recorded as drift.
Enabling Policy Drift Detection
Open the Policy Dashboard and select the policies you want to monitor. Drift detection can be enabled on definitions and assignments independently.

Baselines
When drift detection is enabled on a policy, Clophi captures its current state as the baseline. Any subsequent change will cause the policy to be marked as Drifted on the drift info dashboard.
Reviewing Policy Drift Details
The Policy Drift Info tab displays every detected change for a policy, categorized by operation type:
- Modified: a property value has changed.
- Created: a new property or element has been added.
- Deleted: an existing property or element has been removed.
Changed properties are identified using Azure alias paths which reflect their location in the policy schema. For example, properties.policyRule.if targets the rule's if block, while properties.parameters targets the parameter definitions object.
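The comparison behind those three operation types, as an added illustration (this is not Clophi's code). The policy definition JSON is constructed for the example, and the dotted paths it emits follow the style of the schema paths above; it does not claim to reproduce how Clophi resolves aliases.

```python
import json
from typing import Any

# Constructed sample: the captured baseline of a policy definition, in the
# ARM-template shape shown on the Policy State tab (not a real Clophi record).
BASELINE = {
    "name": "require-tag-env",
    "type": "Microsoft.Authorization/policyDefinitions",
    "properties": {
        "displayName": "Require an 'env' tag on resource groups",
        "mode": "All",
        "parameters": {
            "tagName": {"type": "String", "defaultValue": "env"}
        },
        "policyRule": {
            "if": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                   "exists": "false"},
            "then": {"effect": "deny"},
        },
    },
}

# Constructed: the same definition after someone edited it outside the pipeline.
CURRENT = json.loads(json.dumps(BASELINE))  # deep copy via JSON round-trip
CURRENT["properties"]["policyRule"]["then"]["effect"] = "audit"            # Modified
CURRENT["properties"]["parameters"]["tagName"]["allowedValues"] = ["env"]  # Created
del CURRENT["properties"]["displayName"]                                   # Deleted


def detect_drift(baseline: Any, current: Any, path: str = "") -> list[tuple[str, str]]:
    """Recursively compare two JSON documents and return (operation, path) pairs.

    Paths are dotted, e.g. properties.policyRule.then.effect; list items are
    addressed as path[i]. Keys are visited in sorted order so the output is stable.
    """
    drifts: list[tuple[str, str]] = []
    if isinstance(baseline, dict) and isinstance(current, dict):
        for key in sorted(set(baseline) | set(current)):
            child = f"{path}.{key}" if path else key
            if key not in current:
                drifts.append(("Deleted", child))
            elif key not in baseline:
                drifts.append(("Created", child))
            else:
                drifts.extend(detect_drift(baseline[key], current[key], child))
    elif isinstance(baseline, list) and isinstance(current, list):
        for i in range(max(len(baseline), len(current))):
            child = f"{path}[{i}]"
            if i >= len(current):
                drifts.append(("Deleted", child))
            elif i >= len(baseline):
                drifts.append(("Created", child))
            else:
                drifts.extend(detect_drift(baseline[i], current[i], child))
    elif baseline != current:
        # Scalar values differ, or the value changed type (e.g. object -> string).
        drifts.append(("Modified", path))
    return drifts


if __name__ == "__main__":
    for operation, location in detect_drift(BASELINE, CURRENT):
        print(f"{operation:<9} {location}")
```

Running it lists one Deleted entry for properties.displayName, one Created entry for the new allowedValues under properties.parameters.tagName, and one Modified entry for properties.policyRule.then.effect; comparing a baseline against itself yields nothing.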

Accepting Drift
If a detected change is intentional, click Set as Baseline to accept it. This action:
- Updates the baseline to the policy's current state.
- Sets the drift state to false.
- Removes the previous baseline from version history.
By manually accepting a drift, you also take on the responsibility for updating your policy repository to reflect these changes, since the repository is treated as the source of truth.
Policy State

The Policy State tab provides a complete audit trail of every change applied to a monitored policy. For each version, you can see:
- When the change occurred.
- Which identity performed the change.

You can select any version from the dropdown to inspect the full policy state, presented as an ARM template.
Trusted Identities
Trusted identities are the Object IDs of the service principals your CI/CD pipelines run as when a merged pull request triggers a deployment. By registering these identities with Clophi, you tell the system which changes belong to your authorized deployment flow, and that the repository those pipelines deploy from is the baseline (source of truth).
When a change is made by a trusted identity, Clophi:
- Marks the change as trusted.
- Automatically updates the baseline to reflect the new resource state.
- Clears any existing drift state on the resource.
Configuring multiple identities
To register multiple service principals, provide their Object IDs as a comma-separated list:
aae847a8-06a7-4545-b78a-a771734646b6, 801bf48e-e5c1-4dfa-871f-5c29f87417ff, ea2d2ea9-10bc-435b-be66-27c820b2b86f
Revert to Baseline
The Revert to Baseline action redeploys the policy in its captured baseline state. The deployment is performed by Clophi's policy contributor service principal.

For Revert to Baseline to function correctly, Clophi's policy contributor service principal Object ID must be added to your Trusted Identities list. Otherwise, the revert deployment itself will be detected as drift.
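How a change is classified against the Trusted Identities list, and why a revert performed by an untrusted service principal is itself recorded as drift, as an added example (this is not Clophi's code). The Object IDs are constructed. The `deploy` helper models a redeployment by stamping `properties.metadata.updatedBy` with the deploying identity, which Azure Policy records as system metadata on definitions; that this metadata write is what makes an untrusted revert differ from the captured baseline is an assumption of the example, not something the page states.

```python
import copy
from dataclasses import dataclass
from typing import Any

# Constructed Object IDs (not real identities): the pipeline SP, Clophi's policy
# contributor SP used by Revert to Baseline, and a human editing in the portal.
PIPELINE_SP = "aae847a8-06a7-4545-b78a-a771734646b6"
CONTRIBUTOR_SP = "ea2d2ea9-10bc-435b-be66-27c820b2b86f"
PORTAL_USER = "1d2f0d7a-1111-4222-8333-444455556666"


def parse_trusted_identities(value: str) -> set[str]:
    """Parse the comma-separated Object ID list into a set of lowercase IDs."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def deploy(state: dict[str, Any], deployed_by: str) -> dict[str, Any]:
    """Model an ARM write of a policy definition. Assumption for this example:
    the service's system metadata (updatedBy) changes on every write, so even a
    byte-identical redeploy no longer equals the captured baseline."""
    new_state = copy.deepcopy(state)
    new_state.setdefault("properties", {}).setdefault("metadata", {})["updatedBy"] = deployed_by
    return new_state


@dataclass
class PolicyVersion:
    state: dict[str, Any]
    changed_by: str
    trusted: bool


class MonitoredPolicy:
    def __init__(self, baseline: dict[str, Any], trusted_identities: set[str]) -> None:
        self.baseline = copy.deepcopy(baseline)
        self.current = copy.deepcopy(baseline)
        self.trusted_identities = set(trusted_identities)
        self.drifted = False
        self.history: list[PolicyVersion] = []

    def apply_change(self, new_state: dict[str, Any], changed_by: str) -> str:
        """Record a change seen by the detection cycle; returns the outcome."""
        trusted = changed_by.lower() in self.trusted_identities
        self.current = copy.deepcopy(new_state)
        self.history.append(PolicyVersion(copy.deepcopy(new_state), changed_by, trusted))
        if trusted:
            # Authorized deployment flow: baseline follows the new state, drift cleared.
            self.baseline = copy.deepcopy(new_state)
            self.drifted = False
            return "trusted"
        if new_state != self.baseline:
            self.drifted = True
            return "drifted"
        return "unchanged"

    def set_as_baseline(self) -> None:
        """Accept the drift: the current state becomes the baseline."""
        self.baseline = copy.deepcopy(self.current)
        self.drifted = False

    def revert_to_baseline(self, contributor_object_id: str) -> str:
        """Redeploy the captured baseline as the contributor service principal."""
        return self.apply_change(deploy(self.baseline, contributor_object_id),
                                 contributor_object_id)


def run_scenario() -> list[tuple[str, bool]]:
    """Walk through the sequence described in the text; returns (outcome, drifted) per step."""
    baseline = {
        "name": "require-tag-env",
        "properties": {
            "policyRule": {"if": {"field": "tags['env']", "exists": "false"},
                           "then": {"effect": "deny"}},
            "metadata": {"updatedBy": PIPELINE_SP},
        },
    }
    policy = MonitoredPolicy(baseline, parse_trusted_identities(PIPELINE_SP))
    steps: list[tuple[str, bool]] = []

    # 1. A portal edit flips the effect: untrusted identity, state differs -> drift.
    edited = deploy(baseline, PORTAL_USER)
    edited["properties"]["policyRule"]["then"]["effect"] = "audit"
    steps.append((policy.apply_change(edited, PORTAL_USER), policy.drifted))

    # 2. Revert while the contributor SP is NOT trusted: the redeploy is itself drift.
    steps.append((policy.revert_to_baseline(CONTRIBUTOR_SP), policy.drifted))

    # 3. Register the contributor SP (comma-separated form) and revert again.
    policy.trusted_identities |= parse_trusted_identities(f"{PIPELINE_SP}, {CONTRIBUTOR_SP}")
    steps.append((policy.revert_to_baseline(CONTRIBUTOR_SP), policy.drifted))

    # 4. The pipeline ships a new version: trusted, becomes the new baseline.
    released = deploy(policy.baseline, PIPELINE_SP)
    released["properties"]["displayName"] = "Require an 'env' tag"
    steps.append((policy.apply_change(released, PIPELINE_SP), policy.drifted))
    return steps


if __name__ == "__main__":
    for outcome, drifted in run_scenario():
        print(f"{outcome:<9} drifted={drifted}")
```

Step 2 is the caveat above: the reverted policy rule matches the baseline, but the write was made by an identity Clophi does not recognize, so the resource is flagged again. Once the contributor SP is registered (step 3), the same revert is treated as part of the authorized flow and the baseline is refreshed.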


