DaemonLayer does not assume it can act on any request. Every sensitive action (password reset, mailbox access, profile change) is evaluated against a configurable trust ladder before anything executes. When trust is established, it acts. When it is not, a human decides.
The Problem
Most automation platforms take one of two approaches: block everything sensitive behind human approval, making automation pointless for the cases that matter most, or skip the check entirely and hope nothing goes wrong.
DaemonLayer takes a third path. A configurable trust ladder evaluates every requester against a set of progressively permissive rules. When trust is established, actions execute automatically. When it is not, a human is asked, and their approval builds trust for next time.
The Trust Ladder
Every request that involves a sensitive M365 action moves through the trust ladder from top to bottom. The first rung that matches authorizes the action.
DaemonLayer checks if the requester is the target user's direct manager in Microsoft 365. If matched, the action is auto-authorized immediately and the manager is added to the approver list for future requests.
If the requester is on the client's approver list, their confidence score is checked against the workflow's risk threshold. Low-risk workflows require 50% or above. Medium risk requires 70% or above. High risk, such as granting personal mailbox access, requires 90% or above.
If the requester is the target user themselves, some workflows permit self-service. Sensitive operations like password reset still require identity verification via a one-time code before the action executes.
If none of the above rungs match, an approval request is sent to MSP admins with full context: requester, target, action, risk level. Each approval raises the requester's confidence score, reducing the need for future human-in-the-loop (HITL) approvals.
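The ladder described above, sketched as an added example (not DaemonLayer's own code). The class and function names, the in-memory dictionaries standing in for M365 data, and the `MANAGER_START` and `APPROVAL_BOOST` values are assumptions; only the 50/70/90 thresholds and the rung order come from the page.

```python
from dataclasses import dataclass, field

THRESHOLDS = {"low": 50, "medium": 70, "high": 90}   # from the page
MANAGER_START = 60    # assumption: starting score for an auto-added manager
APPROVAL_BOOST = 10   # assumption: gain per human approval

@dataclass
class Client:
    managers: dict                                  # target -> direct manager (stand-in for M365)
    approvers: dict = field(default_factory=dict)   # user -> confidence score, 0-100

@dataclass
class Request:
    requester: str
    target: str
    risk: str
    self_service: bool = False   # workflow permits self-service
    needs_otp: bool = False      # e.g. password reset
    otp_verified: bool = False

def evaluate(client: Client, req: Request) -> tuple[str, str]:
    """Walk the ladder top to bottom; return (decision, rung)."""
    threshold = THRESHOLDS[req.risk]   # unknown risk level raises KeyError: fail closed
    # Rung 1: direct manager of the target is auto-authorized and remembered.
    if client.managers.get(req.target) == req.requester:
        client.approvers.setdefault(req.requester, MANAGER_START)
        return ("authorize", "manager")
    # Rung 2: known approver whose score meets the workflow's threshold.
    if client.approvers.get(req.requester, -1) >= threshold:
        return ("authorize", "approver")
    # Rung 3: self-service, gated on a one-time code where required.
    if req.requester == req.target and req.self_service:
        if req.needs_otp and not req.otp_verified:
            return ("verify_identity", "self")
        return ("authorize", "self")
    # Rung 4: nothing matched, so a human decides.
    return ("human_approval", "hitl")

def record_approval(client: Client, requester: str) -> int:
    """A human approved the request: raise the requester's score, capped at 100."""
    score = min(100, client.approvers.get(requester, 0) + APPROVAL_BOOST)
    client.approvers[requester] = score
    return score
```

An approver holding a score of 80 is authorized for a medium-risk request but escalated for a high-risk one until approvals lift the score to 90.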
Approver Discovery
DaemonLayer discovers and scores approvers for each client by querying M365 and PSA data. Scores stack: a Global Admin with direct reports scores higher than a manager alone.
Users with direct reports, executive titles, admin roles, HR functions, and PSA contacts are discovered and scored automatically. Discovery runs immediately on M365 connection and refreshes weekly.
Sources combine: a user who is a Global Admin, has direct reports, and is a PSA billing contact accumulates a higher score than any single signal alone. Risk thresholds are evaluated against this composite score.
Add any approver manually with a starting confidence of 80, sufficient for Low and Medium risk workflows out of the box. Manually added approvers are never overwritten by auto-discovery and can be toggled at any time.
Authorization thresholds are not one-size-fits-all. Forwarding an email is not the same as granting full mailbox access. Each workflow carries a defined risk level and the trust ladder applies the appropriate threshold.
A 30-minute walkthrough on your PSA setup. We show exactly what DaemonLayer would handle for your team, on your data, with no obligation.
No sales deck. No obligation. Live walkthrough on your environment.