Enhancing Data Understanding
Rocco Gagliardi
How to monitor Microsoft 365
DSC stands for Desired State Configuration. But this is only one function offered by the tool. Having access to all the details of the Microsoft 365 configuration, makes it easier to perform multiple tasks.
Microsoft365DSC can be used for the following tasks:
As example, we will use the tool to assess the configuration of a new installation of Microsoft Team, using the Export and Assess capabilities of the Microsoft365DSC tool.
To keep things simple, we will consider only a tiny subset of Microsoft Teams settings, export the values, derive a new desired configuration, and assess the installation.
We will see how simple it is, having the configuration in text format, to reference and document each feature, assess, and track them.
The Microsoft365DSC tool can be used to extract the vast majority of every component’s setting in Microsoft 365. The tool is primarly used programmatically in Powershell, but also provides an interactive WebUI where all configuration sections are visible and actionable.
We can start just invoking in Powershell Export-M365DSCConfiguration
and a WebUI will popup, with all selectable configuration sections.
Select the sections you are interested in and the program will dump the configuration in form of a Powershell script.
Via Powershell it is possible to extract the same information and download the configuration of different parts of Microsoft 365. Microsoft provides a list of Resources that can be extracted.
Once dumped, the policy can be assessed and modified to identify the desired state. In this example, we assessed and monitor just two aspects of Microsoft Teams: TeamsGuestMeetingConfiguration
and TeamsGuestMessagingConfiguration
.
PS C:\Users\Rocco Gagliardi> Export-M365DSCConfiguration -Quiet -ComponentsToExtract @('TeamsGuestMeetingConfiguration','TeamsGuestMessagingConfiguration') -GlobalAdminAccount (Get-Credential) # Generated with Microsoft365DSC version 1.21.224.1 # For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC param ( [parameter()] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) Configuration M365TenantConfig { param ( [parameter()] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) if ($null -eq $GlobalAdminAccount) { <# Credentials #> $Credsglobaladmin = Get-Credential -Message "Global Admin credentials" } else { $Credsglobaladmin = $GlobalAdminAccount } $OrganizationName = $Credsglobaladmin.UserName.Split('@')[1] Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.21.224.1' Node localhost { TeamsGuestMeetingConfiguration 6f78f455-4e0c-4768-8e93-54023291b9d2 { AllowIPVideo = $False; AllowMeetNow = $True; GlobalAdminAccount = $Credsglobaladmin; Identity = "Global"; ScreenSharingMode = "EntireScreen"; } TeamsGuestMessagingConfiguration 2a65b3a9-78be-4eb0-a268-993281efd8b8 { AllowGiphy = $False; AllowImmersiveReader = $True; AllowMemes = $False; AllowStickers = $True; AllowUserChat = $True; AllowUserDeleteMessage = $True; AllowUserEditMessage = $True; GiphyRatingType = "Moderate"; GlobalAdminAccount = $Credsglobaladmin; Identity = "Global"; } } } M365TenantConfig -ConfigurationData .\ConfigurationData.psd1 -GlobalAdminAccount $GlobalAdminAccount
Once a value has been assessed and the status approved, can be defined as the desired state. Using a special syntax it is possible to define also the importance of the parameter (L1, L2, L3) and a message to display in case of drifting. For example:
AllowGiphy = $False; ### L2| We don't recommend the use of Giphy in chats for guest participants. Set this value to False.
Once the desired status has been set, a continuous control of the configuration and the alarms to be generated in case of deviation can be programmed.
Simply run the Assert-M365DSCBluePrintUrl program and this will generate a deviation report and related alarms.
PS C:\DSC> Assert-M365DSCBlueprint -BluePrintUrl C:\DSC\M365TenantConfig.ps1 WARNING: The names of some imported commands from the module 'Microsoft.PowerApps.Administration.PowerShell' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb. cmdlet Assert-M365DSCBlueprint at command pipeline position 1 Supply values for the following parameters: OutputReportPath: c:\DSC Credentials Selected BluePrint contains (2) components to assess. Initiating the Export of those (2) components from the tenant... [1/2] Extracting [TeamsGuestMeetingConfiguration]... [2/2] Extracting [TeamsGuestMessagingConfiguration]... Export took {45 seconds}
An HTML report is generated with suggested alignments. Configuration drifts can also be reported via EventLog or Mail for further integration in SIEM.
Microsoft engineers plan to maintain a centralized community-driven set of installations Blueprints. Even if at the moment the repository looks pretty void, check them regularly or contribute. The idea behind the project is to provide a shared and accepted policy for every part of Microsoft 365 to be implemented without great knowledge or investment in testing. In the meantime, you may check our Teams Blueprint.
Microsoft invests heavily in the security of its products, especially the cloud ones. However, to satisfy the majority of the public using its products, Microsoft must strike a balance between usability and security. Correct configuration and monitoring of such complex products can become a nightmare for many administrators. With Microsoft365DSC it is possible to define a desired state, compare it and align it with other implementations reviewed by subject matter experts, and continuously monitor the compliance of our installation against predefined standards.
Our experts will get in contact with you!
Rocco Gagliardi
Rocco Gagliardi
Rocco Gagliardi
Rocco Gagliardi
Our experts will get in contact with you!