Evidence Collection: What Gets Captured Automatically

By Creative writer team
May 10, 2026


A clear breakdown of what Regentra collects automatically once your integrations are connected — what each signal is, which controls it satisfies, and what still requires manual input from your team.

What evidence means in a compliance context

In a compliance program, evidence is the documentation that proves a control is implemented and operating as intended. It is not enough to say that MFA is enforced — an auditor needs to see a record demonstrating that MFA was active, applied to the right accounts, and functioning during the period under review. That record is evidence.

Traditionally, compliance evidence has been collected manually: a team member logs into each system, pulls a report or takes a screenshot, names the file, and stores it somewhere organized enough to be found when the auditor asks for it. This process is time-consuming, error-prone, and produces a static snapshot at the moment of collection — not a continuous record covering the full audit period.

Regentra replaces manual evidence collection for a significant portion of your compliance controls by pulling data automatically from your connected integrations, mapping it to the controls it satisfies, and maintaining a continuously updated record that covers the audit period from the day the integration was first connected.

How automatic evidence collection works in Regentra

When you connect an integration — Microsoft 365, Entra ID, Intune, AWS, or GCP — Regentra begins querying that environment on a defined schedule. Each query pulls specific data points relevant to compliance controls: user configurations, policy settings, access records, device states, and security events. The data is mapped to the controls it supports, stored with a timestamp, and immediately reflected in your compliance score and evidence library.

You do not need to trigger evidence collection manually. Once an integration is connected and authorized, collection runs automatically. Each time the data is refreshed, the evidence record updates — so your compliance posture reflects the current state of your environment, not the state it was in the last time someone manually exported a report.

Every automatically collected evidence record shows the data source, the collection timestamp, the specific data captured, and the controls it has been mapped to. This attribution is what makes the evidence auditor-ready: each artifact has a traceable origin, a clear timestamp, and a documented relationship to the compliance controls it supports.

Why this matters at audit time: When an auditor asks for evidence that MFA was enforced throughout the past twelve months, automatically collected evidence provides a timestamped record covering every refresh cycle during that period — not a single screenshot taken the week before the audit. The difference in audit defensibility is significant.

What is collected from Microsoft 365

The Microsoft 365 integration is the highest-value connection available in Regentra for organizations running Microsoft environments. It covers the broadest range of security signals and satisfies the largest number of compliance controls of any single integration.

Once the Microsoft 365 integration is authorized, Regentra automatically collects:

  • MFA enrollment status — which users have MFA registered, which authentication methods are in use, and which accounts have no MFA configured. Mapped to access control requirements across HIPAA, NIST CSF, SOC 2, and CMMC.
  • Conditional access policy configuration — the full configuration of all conditional access policies in the tenant, including which users and applications they apply to, the conditions that trigger them, and the access controls they enforce.
  • Sign-in risk events — records of risky sign-in activity detected by Microsoft's identity protection, including risk level classifications and any actions taken in response. Mapped to incident detection and monitoring controls.
  • Password policy configuration — the organization's password complexity, length, and expiry settings as configured in the Microsoft 365 tenant.
  • Stale account detection — user accounts that have not been active within a defined period, flagged as a potential access control gap. Relevant to access review and privilege management controls.
  • Admin role assignments — a current record of which accounts hold administrative privileges in the Microsoft 365 environment, including Global Administrator, Exchange Administrator, and other privileged roles.

What is collected from Microsoft Entra ID

The Entra ID integration extends the Microsoft 365 connection with identity-specific data that is particularly relevant to access control and privilege management controls across most major compliance frameworks.

From Entra ID, Regentra automatically collects:

  • Full user directory — a current list of all users in the organization's Entra ID tenant, including account status, group memberships, and assigned licenses. Used to populate the compliance tenant's user inventory and identify accounts that may require review.
  • Privileged role assignments — a detailed record of which accounts are assigned to privileged roles within Entra ID, including time-bound role activations through Privileged Identity Management if configured.
  • Guest and external account inventory — external accounts with access to the tenant, flagged for review against third-party access control requirements.
  • Security group configuration — group memberships relevant to access scoping, particularly for organizations using groups to control access to sensitive resources or applications.
  • Application registrations and service principals — non-human identities with permissions in the tenant, relevant to machine identity and service account management controls.

What is collected from Microsoft Intune

The Intune integration surfaces device compliance data — evidence that the endpoint devices accessing your environment meet defined security standards. This is a compliance area that is frequently under-evidenced in manual programs because the data exists in Intune but requires deliberate effort to export and organize.

From Intune, Regentra automatically collects:

  • Device compliance status — whether each enrolled device meets the compliance policies configured in Intune, including encryption status, OS version currency, and security configuration requirements.
  • Enrolled device inventory — a current list of all devices managed by Intune, including device type, operating system, enrollment date, and last check-in time.
  • Non-compliant device records — devices that have failed one or more compliance policy checks, with details of which policies were violated. Mapped to endpoint security and device management controls.
  • Encryption status — whether device storage encryption is enabled on enrolled endpoints, relevant to data protection controls across HIPAA, NIST CSF, and SOC 2.

Intune requirement: Device compliance data from Intune is only available for devices that are enrolled in Intune management. Devices that are not Intune-enrolled — including personal devices used for work access or unmanaged endpoints — will not appear in the automatically collected device inventory and require a separate approach to evidence collection.

Evidence collection from AWS and GCP

For organizations with infrastructure running on Amazon Web Services or Google Cloud Platform, Regentra connects to both environments to collect cloud-native compliance evidence. These integrations are particularly relevant for organizations pursuing SOC 2, ISO 27001, or NIST CSF alignment, where cloud infrastructure controls represent a significant portion of the control library.

From AWS

The AWS integration collects evidence across identity, access, logging, and configuration domains. This includes IAM user and role configurations, multi-factor authentication status for root and IAM accounts, CloudTrail logging status and configuration, S3 bucket access controls and public access settings, security group configurations, and AWS Config rule compliance status where Config is enabled in the account.

From GCP

The GCP integration covers similar domains within Google Cloud: IAM policy configurations, service account inventory and key usage, audit logging status across services, storage bucket access controls, and organization policy configurations relevant to security baseline controls.

Cloud evidence from both AWS and GCP is mapped to the same control library as identity and device evidence from Microsoft environments. Organizations running hybrid or multi-cloud architectures can see their full compliance evidence picture in a single view, regardless of which environment a specific control's evidence originates from.

Which controls automated evidence satisfies

Automated evidence collection directly contributes to controls across several security domains that appear in most major compliance frameworks. The domains with the strongest automatic coverage are:

  • Access control — MFA enrollment, conditional access policies, privileged role assignments, and stale account detection collectively provide evidence for the majority of access control requirements across HIPAA, NIST CSF, SOC 2, ISO 27001, and CMMC.
  • Identity and authentication management — password policy configuration, admin role inventory, and sign-in risk records address authentication-specific control requirements that appear across most frameworks.
  • Endpoint security — device compliance status and encryption data from Intune satisfy device management and data protection controls in frameworks that require evidence of managed endpoint standards.
  • Monitoring and logging — sign-in risk events, CloudTrail logs, and GCP audit logs contribute to the monitoring and detection controls that require evidence of active security event observation.
  • Asset management — the user directory from Entra ID and the device inventory from Intune together provide the identity and endpoint asset records that asset management controls require.

When you adopt a framework in Regentra, the compliance dashboard shows which controls have evidence already attributed from automated collection and which remain unsupported. Controls with automatic coverage are visibly distinguished from those requiring manual evidence, making it immediately clear where your team's manual effort needs to focus.

What still requires manual evidence upload

Automatic evidence collection covers a substantial portion of most compliance programs — but not all of it. Several control areas require evidence that cannot be pulled from an integration because the underlying data does not exist in a connected system or because the control requires human attestation rather than system data.

Controls that typically require manual evidence include:

  • Physical security controls — access logs for physical facilities, visitor records, equipment disposal documentation, and data center security configurations are not available through cloud or identity integrations and must be uploaded manually.
  • Vendor and third-party management — contracts, Business Associate Agreements, vendor security assessments, and third-party access reviews require manual upload of the relevant documents.
  • Incident response documentation — records of incident response tests, tabletop exercise results, and documented incidents are produced by the organization and uploaded to the relevant control's evidence record.
  • Risk assessment outputs — the results of formal risk assessments, risk treatment decisions, and risk register documentation need to be produced and uploaded by the compliance team.
  • Training completion records — security awareness training completion certificates or records from a learning management system that is not integrated with Regentra require manual upload or CSV import.
  • Penetration test reports — external penetration test results and remediation tracking documentation are produced by the testing firm and uploaded as evidence for vulnerability management controls.

Manual evidence is uploaded directly to the relevant control's evidence record in the compliance dashboard. Each upload is timestamped and attributed to the uploader, maintaining the audit trail that auditors expect to see for manually collected evidence alongside automatically collected records.

How often evidence is refreshed

Automatically collected evidence is not a one-time snapshot. Regentra refreshes connected integration data on a regular schedule so that the evidence record reflects the current state of your environment rather than its state at the time of initial connection.

The refresh cadence varies by integration and data type. Identity and access data — MFA enrollment, admin roles, conditional access policies — refreshes frequently to ensure that changes to user configurations are reflected in the compliance posture promptly. Device compliance data from Intune refreshes at a cadence aligned with Intune's own reporting update cycle. Cloud infrastructure data from AWS and GCP refreshes on a schedule appropriate to the rate of change typical in those environments.

Each refresh creates a new timestamped evidence record rather than overwriting the previous one. This means the evidence library maintains a historical record across all refresh cycles — an auditor reviewing your compliance posture for a twelve-month period sees evidence records from throughout that period, not just the most recent state. The historical record is what gives automatically collected evidence its significant advantage over manual snapshots: it demonstrates continuous operation of controls, not just their state at a single point in time.

If a connected integration becomes disconnected — due to an expired authorization, a tenant configuration change, or a permission update — Regentra flags the integration as inactive and stops collecting evidence from it. An alert is generated in the platform so the issue can be identified and resolved before a significant gap accumulates in the evidence record. Reconnecting the integration resumes collection from the point of reconnection; evidence collected before the disconnection remains available in the historical record.
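The effect of a late connection or a disconnection on the evidence record can be checked by scanning collection timestamps for holes inside the audit period. The sketch below is an added example, not Regentra code or its export format; the daily refresh cadence, the two-day tolerance, and all sample dates are constructed assumptions.

```python
from datetime import datetime, timedelta

def daily(start, end):
    """Constructed helper: one collection timestamp per day, inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]

# Constructed sample: integration connected on 1 March, disconnected after
# 10 June (e.g. expired authorization), reconnected on 2 July.
SAMPLE_TIMESTAMPS = (
    daily(datetime(2025, 3, 1), datetime(2025, 6, 10))
    + daily(datetime(2025, 7, 2), datetime(2025, 12, 31))
)

def find_evidence_gaps(timestamps, period_start, period_end, max_interval):
    """Return (gap_start, gap_end) pairs inside the audit period where no
    evidence record exists for longer than max_interval."""
    points = sorted(t for t in timestamps if period_start <= t <= period_end)
    gaps = []
    cursor = period_start  # time before the first record counts as uncovered
    for t in points + [period_end]:
        if t - cursor > max_interval:
            gaps.append((cursor, t))
        cursor = t
    return gaps

def coverage_ratio(gaps, period_start, period_end):
    """Fraction of the audit period backed by continuous evidence."""
    uncovered = sum((end - start for start, end in gaps), timedelta())
    return 1 - uncovered / (period_end - period_start)

if __name__ == "__main__":
    start, end = datetime(2025, 1, 1), datetime(2025, 12, 31)
    # Assumed tolerance: two missed daily refreshes before flagging a gap.
    gaps = find_evidence_gaps(SAMPLE_TIMESTAMPS, start, end, timedelta(days=2))
    for gap_start, gap_end in gaps:
        print(f"no evidence {gap_start:%Y-%m-%d} -> {gap_end:%Y-%m-%d} "
              f"({(gap_end - gap_start).days} days)")
    print(f"coverage: {coverage_ratio(gaps, start, end):.1%}")
```

Both gaps in the sample would need manual evidence or an explanation for the auditor, since reconnection resumes collection only from the point of reconnection.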

Automatic evidence collection is most valuable when integrations are connected at the beginning of a compliance program rather than before an audit. The earlier collection starts, the longer the continuous evidence record it builds — and the stronger the audit position that record supports. If you have not yet connected your Microsoft 365, Entra ID, Intune, AWS, or GCP environment, the integration setup in your tenant settings is the most impactful next step you can take today.