Monitoring: Drift Detection
Learn about Planning Your Role Template Structure in Tello
Published Date: May 1, 2026 | Last Updated: May 28, 2026
Overview
Drift detection is how Tello IAM identifies and responds to permission changes that occur in connected applications outside of the platform. When a User's access changes in an application — through a direct edit in that system, a manual admin action, or an automated process — without a corresponding action in Tello IAM, that change is considered drift.
Drift represents a gap between what Tello IAM has configured and what actually exists in the connected system. Left unresolved, drift means the platform's record of a User's access no longer reflects reality.
How drift is detected
Tello IAM compares the permissions it has configured for each User against the permissions detected in connected applications on every sync. When a discrepancy is found — a permission present in the application that Tello IAM did not assign, or a permission missing that Tello IAM expects to be there — it is flagged as drift.
Drift detection is active by default for all connected integrations. It can be disabled per integration when needed. See Configuring Integrations for details on managing drift detection settings.
Drift detection settings
Each integration can be configured with one of 2 drift detection behaviors:
- Enabled (default) — when a permission changes in the connected application without a corresponding action in Tello IAM, the change is flagged as drift. The User's status updates to
Issueand the event surfaces on the Dashboard for Administrator review. The Administrator chooses how to resolve each event. - Disabled — Tello IAM accepts the permissions in the connected application as authoritative and updates its own records to match. No drift events are generated. This mode is useful during initial setup or when adopting an existing permission state without flagging every difference as a violation.
Where drift surfaces
When drift is detected, it appears in 3 places:
- Dashboard — the anomaly appears in the Anomalies section for immediate visibility
- User record — the affected User's status updates to
Issueon the Users page - Team manager notification — the manager of the Team the User belongs to receives an email notification
Resolving a drift event
Each drift event requires a decision: enforce what Tello IAM has configured, or accept what changed in the source application.
- Navigate to Users and select the User with a status of
Issue. - In the Access Grants tab, select the flagged integration under Direct Integrations to view the issue detail. The detail identifies the specific discrepancy — for example, a group membership that was added directly in Entra ID that Tello IAM did not assign.
- Select Resolve → to open the resolution options.
- Choose one of the following:
- Use values from Tello IAM — Tello IAM overwrites the connected application to restore the configured permission state. Use this when the change in the source application was unauthorized, accidental, or incorrect.
- Use values from [source application] — Tello IAM updates its own record to match the connected application. Use this when the change was intentional and should be reflected in Tello IAM going forward.
- Select Resolve. Tello IAM applies the selected resolution and clears the
Issuestatus from the User record.
Important: Selecting "Use values from Tello IAM" actively modifies the connected application. Confirm the intended resolution before selecting it — this will remove or restore the specific permission in the source system immediately.
Drift and Role Templates
Drift most commonly occurs when permissions are edited directly in a connected application after a Role Template has been assigned. Because Role Templates define the expected permission state, any deviation from that state detected on sync will be flagged.
If drift is recurring for a User — the same permission keeps changing in the source application — it may indicate that the assigned Role Template does not fully represent what that User needs. In that case, consider updating the Role Template to include the recurring permission, or reviewing whether direct edits in the source application are appropriate for that User's function.
Disabling drift detection for an integration
Drift detection can be disabled for a specific integration when the Administrator wants Tello IAM to treat the source application as the system of record rather than enforcing the configured permission state. This is most appropriate during initial onboarding of an integration or when temporarily allowing direct edits in the source system.
To update drift detection settings for an integration, navigate to Integrations, select the integration row, and select Configure. See Configuring Integrations for full steps.
Related articles
- Dashboard — where drift anomalies surface for review
- Managing Users — resolve drift on User records
- Configuring Integrations — manage drift detection settings per integration
- Getting Started Part 3: Verifying & Managing User Permissions — drift detection in context of initial setup
Seasoft Security Solutions LLC | TelloIAM