
Drift emails

When a new run lands and something regressed, Maester Cloud emails a digest: the headline counts and the regressed tests with severity and product, linking to the Changes page. No regression, no noise — a clean run doesn't email you (your portal still records everything).

Sent from your mailbox, with no secrets

Drift emails come from a shared mailbox in your tenant (for example maester-alerts@yourdomain.com), so they're inside your compliance boundary and your recipients trust the sender. One script sets it up:

iwr https://maester.cloud/scripts/New-MaesterCloudMailApp.ps1 -OutFile New-MaesterCloudMailApp.ps1
./New-MaesterCloudMailApp.ps1 -StackIdentityObjectId <from Maester Cloud> `
    -StackIdentityTenantId <from Maester Cloud> `
    -SenderMailbox maester-alerts@yourdomain.com

The script:

  1. registers a Maester Cloud Mail app with the Mail.Send application permission and grants admin consent,
  2. adds a federated identity credential trusting your dedicated environment's managed identity instead of a client secret; there is no credential to store, leak, or rotate,
  3. prints the Exchange commands to lock the app to that one mailbox with an application access policy, so it cannot send as anyone else.

At send time your environment exchanges its own managed identity token for a Graph token in your tenant; the only thing it can do with it is send the digest from the mailbox you chose.
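To confirm the three properties above after running the setup script, an audit along these lines can be run by a tenant admin. It is an added example, not part of New-MaesterCloudMailApp.ps1 or Maester Cloud's own code. The app display name, the second test mailbox, and the expected issuer format (the standard Entra ID form for trusting a managed identity) are assumptions to adjust for your tenant.

```powershell
# Added audit example. Requires the Microsoft.Graph.Applications and
# ExchangeOnlineManagement modules. Values below are placeholders/assumptions.
$AppDisplayName = 'Maester Cloud Mail'             # assumed display name of the registered app
$StackObjectId  = '<from Maester Cloud>'           # managed identity object ID
$StackTenantId  = '<from Maester Cloud>'           # managed identity tenant ID
$SenderMailbox  = 'maester-alerts@yourdomain.com'
$OtherMailbox   = 'someone-else@yourdomain.com'    # hypothetical: any mailbox the app must NOT reach

Connect-MgGraph -Scopes 'Application.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

$apps = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'" `
        -Property Id,AppId,PasswordCredentials,KeyCredentials)
if ($apps.Count -ne 1) { throw "Expected exactly one app named '$AppDisplayName', found $($apps.Count)." }
$app = $apps[0]
$findings = @()

# 1. No client secret or certificate should exist on the app registration.
if ($app.PasswordCredentials.Count -gt 0) { $findings += 'App has client secret(s).' }
if ($app.KeyCredentials.Count -gt 0)      { $findings += 'App has certificate credential(s).' }

# 2. Every federated credential must trust only the expected managed identity.
$expectedIssuer = "https://login.microsoftonline.com/$StackTenantId/v2.0"   # assumed issuer format
$fics = @(Get-MgApplicationFederatedIdentityCredential -ApplicationId $app.Id)
if ($fics.Count -eq 0) { $findings += 'No federated identity credential found.' }
foreach ($fic in $fics) {
    if ($fic.Subject -ne $StackObjectId -or $fic.Issuer -ne $expectedIssuer) {
        $findings += "Unexpected federated credential '$($fic.Name)': $($fic.Issuer) / $($fic.Subject)"
    }
}

# 3. The application access policy must grant the sender mailbox and deny any other.
$allowed = Test-ApplicationAccessPolicy -AppId $app.AppId -Identity $SenderMailbox
$denied  = Test-ApplicationAccessPolicy -AppId $app.AppId -Identity $OtherMailbox
if ($allowed.AccessCheckResult -ne 'Granted') {
    $findings += "Sender mailbox result is '$($allowed.AccessCheckResult)', expected 'Granted'."
}
if ($denied.AccessCheckResult -ne 'Denied') {
    $findings += "App can reach ${OtherMailbox}: result '$($denied.AccessCheckResult)', expected 'Denied'."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Mail app has no stored credentials and is locked to the sender mailbox.' }
```

A result other than `Denied` for the second mailbox means the access policy has not been applied, and the Mail.Send permission still covers every mailbox in the tenant.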

Self-hosted deployments are even simpler: the Mail.Send app role is assigned directly to your Function app's managed identity, with the same access-policy lock recommended.