In the article Office 365 Teams Security, we looked at the Microsoft Teams security settings in detail and, using small ad-hoc created Powershell scripts, we were able to set and monitor the Teams configuration. In this article, we will use an open-source tool, created under the stimulus of Microsoft developers and maintained by the community, suitable for monitoring not only Teams but all other aspects of Microsoft 365: The Microsoft365DSC.

DSC stands for Desired State Configuration. But this is only one function offered by the tool. Having access to all the details of the Microsoft 365 configuration, makes it easier to perform multiple tasks.

Microsoft365DSC can be used for the following tasks:

• Export configuration for backup or documentation pourposes.
• Synchronize configuration between multiple tenants. It is possible to keep parts of the configuration in sync between tenant A and B just applying the exported settings from A into B.
• Monitor the configuration. By running the script regularly, it is possible to detect deviations from the desired state in a very short time and generate alarms via email or EventLog.
• Report configuration drifts. It is also possible to store the configuration deviations in a git repository, leaving track of what was changed, when and why.
• Assess the Microsoft 365 environment. The tool is of enormous help for system auditors: In a few minutes the auditor can get a complete view of the settings and automatically test them against a set of checks required by specific standards.

A simple Use Case

As example, we will use the tool to assess the configuration of a new installation of Microsoft Team, using the Export and Assess capabilities of the Microsoft365DSC tool.

To keep things simple, we will consider only a tiny subset of Microsoft Teams settings, export the values, derive a new desired configuration, and assess the installation.

We will see how simple it is, having the configuration in text format, to reference and document each feature, assess, and track them.

Exporting the Actual Configuration

The Microsoft365DSC tool can be used to extract the vast majority of every component’s setting in Microsoft 365. The tool is primarly used programmatically in Powershell, but also provides an interactive WebUI where all configuration sections are visible and actionable.

WebUI Version

We can start just invoking in Powershell Export-M365DSCConfiguration and a WebUI will popup, with all selectable configuration sections.

Select the sections you are interested in and the program will dump the configuration in form of a Powershell script.

Powershell Version

Via Powershell it is possible to extract the same information and download the configuration of different parts of Microsoft 365. Microsoft provides a list of Resources that can be extracted.

Create the Desired State Configuration

Once dumped, the policy can be assessed and modified to identify the desired state. In this example, we assessed and monitor just two aspects of Microsoft Teams: TeamsGuestMeetingConfiguration and TeamsGuestMessagingConfiguration.

PS C:\Users\Rocco Gagliardi> Export-M365DSCConfiguration -Quiet -ComponentsToExtract @('TeamsGuestMeetingConfiguration','TeamsGuestMessagingConfiguration') -GlobalAdminAccount (Get-Credential)

# Generated with Microsoft365DSC version 1.21.224.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
    [parameter()]
    [System.Management.Automation.PSCredential]
    $GlobalAdminAccount
)

Configuration M365TenantConfig
{
    param (
        [parameter()]
        [System.Management.Automation.PSCredential]
        $GlobalAdminAccount
    )

    if ($null -eq $GlobalAdminAccount)
    {
        <# Credentials #>
        $Credsglobaladmin = Get-Credential -Message "Global Admin credentials"

    }
    else
    {
        $Credsglobaladmin = $GlobalAdminAccount
    }

    $OrganizationName = $Credsglobaladmin.UserName.Split('@')[1]
    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.21.224.1'

    Node localhost
    {
        TeamsGuestMeetingConfiguration 6f78f455-4e0c-4768-8e93-54023291b9d2
        {
            AllowIPVideo         = $False;
            AllowMeetNow         = $True;
            GlobalAdminAccount   = $Credsglobaladmin;
            Identity             = "Global";
            ScreenSharingMode    = "EntireScreen";
        }
        TeamsGuestMessagingConfiguration 2a65b3a9-78be-4eb0-a268-993281efd8b8
        {
            AllowGiphy             = $False;
            AllowImmersiveReader   = $True;
            AllowMemes             = $False;
            AllowStickers          = $True;
            AllowUserChat          = $True;
            AllowUserDeleteMessage = $True;
            AllowUserEditMessage   = $True;
            GiphyRatingType        = "Moderate";
            GlobalAdminAccount     = $Credsglobaladmin;
            Identity               = "Global";
        }
    }
}
M365TenantConfig -ConfigurationData .\ConfigurationData.psd1 -GlobalAdminAccount $GlobalAdminAccount

Setting the Parameter

Once a value has been assessed and the status approved, can be defined as the desired state. Using a special syntax it is possible to define also the importance of the parameter (L1, L2, L3) and a message to display in case of drifting. For example:

AllowGiphy             = $False; ### L2| We don't recommend the use of Giphy in chats for guest participants. Set this value to False.

Check the Status of the Policy

Once the desired status has been set, a continuous control of the configuration and the alarms to be generated in case of deviation can be programmed.

Simply run the Assert-M365DSCBluePrintUrl program and this will generate a deviation report and related alarms.

PS C:\DSC> Assert-M365DSCBlueprint -BluePrintUrl C:\DSC\M365TenantConfig.ps1
WARNING: The names of some imported commands from the module 'Microsoft.PowerApps.Administration.PowerShell' include unapproved verbs that might make them less discoverable.
To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

cmdlet Assert-M365DSCBlueprint at command pipeline position 1
Supply values for the following parameters:
OutputReportPath: c:\DSC

Credentials
Selected BluePrint contains (2) components to assess.
Initiating the Export of those (2) components from the tenant...
[1/2] Extracting [TeamsGuestMeetingConfiguration]...
[2/2] Extracting [TeamsGuestMessagingConfiguration]...
Export took {45 seconds}

An HTML report is generated with suggested alignments. Configuration drifts can also be reported via EventLog or Mail for further integration in SIEM.

Microsoft365DSC Blueprints

Microsoft engineers plan to maintain a centralized community-driven set of installations Blueprints. Even if at the moment the repository looks pretty void, check them regularly or contribute. The idea behind the project is to provide a shared and accepted policy for every part of Microsoft 365 to be implemented without great knowledge or investment in testing. In the meantime, you may check our Teams Blueprint.

Summary

Microsoft invests heavily in the security of its products, especially the cloud ones. However, to satisfy the majority of the public using its products, Microsoft must strike a balance between usability and security. Correct configuration and monitoring of such complex products can become a nightmare for many administrators. With Microsoft365DSC it is possible to define a desired state, compare it and align it with other implementations reviewed by subject matter experts, and continuously monitor the compliance of our installation against predefined standards.

About the Author

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

• https://github.com/microsoft/M365DSCBlueprints
• https://github.com/microsoft/Microsoft365DSC..
• https://github.com/microsoft/Microsoft365DSC/wiki/Resources-List
• https://github.com/scipag