{
"title": "inforcer TDR for MSPs: Microsoft 365 Context for Better Threat Response",
"content": "inforcer, a company known for its multi-tenant Microsoft 365 management platform, has launched an early-access Threat Detection and Response (TDR) solution tailored for managed service providers (MSPs). The announcement came during the Pax8 Beyond conference in Salt Lake City in June 2026, where the company showcased how its new security module extends its existing tenant management product to deliver context-rich threat detection and automated incident response.
The TDR platform represents a natural evolution for inforcer, which built its reputation on simplifying the management of Microsoft 365 configurations, policies, and licensing across hundreds of tenants. By now ingesting and analyzing security telemetry from the same tenants, inforcer aims to close the loop between knowing a tenant’s configuration and protecting it from active threats.
The MSP Security Dilemma: Too Many Alerts, Too Little Context
For MSPs, managing security for multiple Microsoft 365 clients is a high-stakes balancing act. They must defend against a barrage of sophisticated attacks—phishing kits that harvest credentials, business email compromise (BEC) schemes, token theft, and ransomware that spreads through SharePoint and Teams—all while keeping costs under control and meeting service-level agreements.
Microsoft 365 itself generates a trove of security data: sign-in logs from Azure AD, entries from the unified audit log, email metadata from Exchange Online, and alerts from Microsoft Defender for Office 365. The challenge is not a lack of signals but an overload of them. A mid-sized MSP might field thousands of alerts per day across its customer base, with only a tiny fraction representing genuine threats. Without context about the affected user, their role, the data they can access, and the tenant’s security posture, analysts waste time chasing false positives—or worse, miss real intrusions.
Traditional SIEM solutions can normalize and correlate these signals, but they often require extensive curation and dedicated security operations personnel, resources many MSPs lack. Moreover, SIEMs typically lack the Microsoft 365-specific context needed to distinguish a risky sign-in that warrants immediate action from one that is simply unusual but benign.
inforcer’s TDR platform addresses this problem head-on by leveraging its existing deep knowledge of each managed tenant. Since inforcer already inventories all users, groups, applications, devices, and conditional access policies as part of its configuration management tooling, it possesses a comprehensive graph of the tenant’s normal baseline. When a security alert fires, that graph is instantly queried to provide enrichment: Is the user a privileged admin? Do they have inbox rules forwarding externally? Are there recent file downloads from unmanaged devices? This context allows the system to calculate a precise severity score and recommend or automate the appropriate response.
Under the Hood: Detection and Enrichment Architecture
The TDR engine continuously ingests telemetry from Microsoft 365 via the Microsoft Graph API and dedicated security APIs. It pulls data from:
- Azure AD sign-in and audit logs: to detect anomalous sign-ins, impossible travel, and token replay attempts.
- Unified Audit Log (UAL): to track file operations, mailbox rule changes, and group membership modifications.
- Exchange Online message trace and anti-spam headers: to identify phishing emails that bypassed gateway filters.
- Microsoft Defender for Office 365 alerts: including Safe Links and Safe Attachments detonations.
- Microsoft 365 Cloud App Security (if licensed): for shadow IT and abnormal user behavior analytics.
Crucially, every detection is immediately enriched with the tenant’s known configuration. For example, a sign-in from an unfamiliar location is correlated with the user’s typical travel patterns stored in inforcer’s configuration database. If the user’s role rarely involves travel and no conditional access policy exempts that IP, the severity score is raised. If the sign-in also coincides with a risky email delete operation or the creation of a new mailbox rule, the system correlates these events into a single incident timeline.
Automated Response: From Minutes to Milliseconds
Once an incident is confirmed, speed is critical. inforcer TDR provides a library of automated response playbooks that MSPs can customize per customer. These playbooks are executed through the Microsoft Graph API and can include:
- User account actions: disable account, reset password, revoke refresh tokens, force sign-out.
- Mailbox remediation: delete malicious emails, disable forwarding rules, purge inbox rules, remove OAuth app permissions.
- Configuration enforcement: ensure MFA is enabled, block legacy auth, or tighten conditional access policies automatically if they have been tampered with.
- Notification and logging: create a ticket in the PSA, send a report to the MSP’s SOC channel, and log all actions for compliance.
All automated actions are recorded in a detailed timeline that MSPs can use for customer reports and incident post-mortems. The goal is to instantly halt an attack’s progress, then provide the full forensic picture so the MSP can explain to the client what happened and why.
Multi-Tenant Visibility Designed for MSPs
The TDR console is built from the ground up for multi-tenant management. Analysts see a unified dashboard that aggregates alerts across all managed tenants, with filters for severity, tenant, detection type, and response status. Each incident is presented as a card with a summary of the affected users, assets, and timeline.
One-click drill-down takes the analyst to a tenant-specific view that overlays the incident on inforcer’s existing configuration map, showing exactly which policy violations or configuration weaknesses contributed to the risk. This tight integration reduces the need to switch between a separate security tool and the management platform, saving time and reducing the chance of error.
The dashboard also supports role-based access control, enabling MSPs to restrict junior analysts to low-severity alerts while senior staff handle critical incidents. Multi-tenant reporting allows MSPs to demonstrate value to their customers with monthly security posture scores and incident response metrics.
A Channel-First Strategy with Pax8
inforcer’s decision to launch at Pax8 Beyond underscores its commitment to the MSP