[Bug]: Deny Deviation standard from drift on Tenant don't "run" and set the Drift standard = Non-compliances status

Required confirmations before submitting

  • I can reproduce this issue on the latest released versions of both CIPP and CIPP-API.

  • I have searched existing issues (both open and closed) to avoid duplicates.

  • I am not requesting general support; this is an actual bug report.

Issue Description

We are experiencing issues with the Drift Template feature in CIPP when applied to multiple tenants.

A Drift Template was created containing 54 standards, which was then assigned to several tenants:

  • 51 standards are configured with “Automatically remediate or deploy when drift is detected.”

  • 3 standards are configured with “Deny Remediation” in the Tenant Drift Template.

The problem occurs with the 3 standards where “Deny Deviation from Drift” is selected in the Tenant's Drift template. These standards remain non-compliant, even though they should be marked as compliant according to the “Golden” drift template.

In the “Policies and Settings Deployed” section, the affected standards only show as:

Deviation - New
and they are never updated to match the compliance state of the Golden template.

When we modify one of these non-compliant standards and instead enable “Automatically remediate or deploy when drift is detected”, it is immediately applied and becomes compliant — confirming the issue is related to the “Deny Deviation” functionality not being enforced properly.

Example Standards Affected:

Disable SMTP Basic Authentication | "Message": "SMTP Basic Authentication for tenant is not disabled" + "Message": "SMTP Basic Authentication for all users is disabled" | Yes

Enable or disable 'external' warning in Outlook | "Enabled": true, "AllowList": [] | Yes

Disables SMS as an MFA method | This setting is not configured correctly | Yes

Expected Behavior:
When “Deny Deviation from Drift” is set to Yes in a Tenant Drift Template, the affected standards should be aligned and marked as compliant with the Golden template.

Actual Behavior:
Standards with “Deny Deviation from Drift” remain non-compliant, never applying the expected configuration, and stay stuck in the “Deviation - New” state.

Impact:
This prevents consistent configuration enforcement across tenants and undermines compliance alignment with the Golden template.

Environment Type

Sponsored (paying) user

Front End Version

v8.6.1

Back End Version

v8.6.1

Relevant Logs / Stack Trace

Status

Released

Board

Bug / Fix

ETA
Feb 15, 2026
Date

4 months ago

Author

Kelvin Tegelaar
