Microsoft365DSC is an Open-Source initiative lead by Microsoft engineers and maintained by the community. It allows tenant admins to write a definition for how your Microsoft 365 tenant should be configured, automate the deployment of that configuration and ensures the monitoring of the defined configuration, notifying and acting on detected configuration drifts. It also allows you to extract a full-fidelity configuration out of any existing Microsoft 365 tenant. The tool covers all major Microsoft 365 workloads such as Exchange Online, Teams, SharePoint, OneDrive, Security and Compliance, Power Platforms, Intune and Planner.
This open-source tool is ideal for configuration monitoring to assist with change management especially useful in an ITIL organisation.
For best security practices we recommend setting this up using an App Registration and Certificate authentication, but this won’t work for Teams/Power Platform/Security/Compliance (as of August 2022). Currently you need to provide credentials in a basic format, however most if not all checks will prompt for modern auth if required to do so.
The User Guide on Microsoft365DSC does provide guidance on securing things if you wish to use this in a scripting environment but to add additional security, I would recommend also encrypting the credentials on the machine you are running the script on, at least until all modules support App Registrations + Certificate authentication.
To do this, first encrypt the password and save it somewhere
"P@ssword1" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\DSC\Password.txt"
Then when referencing the credentials in DSC use
$credsGlobalAdmin=New-Object -TypeName System.Management.Automation.PSCredential ` -ArgumentList "admin@tenant.ac.uk", (Get-Content "c:\dsc\password.txt"| ConvertTo-SecureString)
I wouldn’t recommend exporting the config for everything, instead scope it to what you want to monitor, use the Configuration Export tool available on the Microsoft365DSC – Configuration-as-Code for the Cloud
What config can you backup/monitor?
You can find a list of what DSC can backup/monitor/restore at Microsoft365DSC – Configuration-as-Code for the Cloud
Microsoft has made a brilliant set of videos on what to do and how to use DSC: Microsoft365DSC – YouTube.
Give it a try.
If you have/want any tips/tricks or would like to chat with colleagues in edu orgs about 365, why not join the JISCMail – OFFICE365-MANAGERS List at WWW.JISCMAIL.AC.UK
