Managing Microsoft 365 environments efficiently is critical for IT professionals and Managed Service Providers (MSPs). Microsoft 365 Desired State Configuration (DSC) is a powerful tool that standardizes, monitors, and automates tenant configurations. DSC ensures consistency, prevents drift, and simplifies complex management tasks—making it a go-to solution for IT professionals.
What is Microsoft 365 DSC?
Microsoft 365 DSC is an open-source PowerShell module enabling IT pros to define, export, and enforce configurations across various M365 workloads. Supported workloads include:
- Exchange Online: Mailboxes, retention policies, transport rules.
- SharePoint Online: Sites, lists, permissions, and sharing settings.
- Microsoft Teams: Team policies, meeting configurations, app settings.
- Entra (formerly Azure AD): Conditional access, user settings, and group configurations.
- Intune: Compliance policies, app settings, and device configurations.
For a full list of supported resources, visit the official documentation.
Why Use Microsoft 365 DSC?
Microsoft 365 DSC is built on PowerShell Desired State Configuration (DSC). In that model you declare the state you want, and a Local Configuration Manager (LCM) on a node applies it and, depending on its mode, re-tests it on a schedule and remediates drift. Microsoft 365 DSC keeps the same model, but the "node" is only the workstation or server running the LCM: each resource talks to the tenant through the Microsoft Graph, Exchange Online, SharePoint Online and Teams APIs, so it is the cloud tenant, not the local machine, that gets configured. That makes it a natural fit for managing modern workloads with the same tooling used for servers.
Additionally, Microsoft 365 DSC now includes a Graphical User Interface (GUI), which simplifies configuration and monitoring tasks. This interface allows users to interact with configurations visually, making it more accessible for teams unfamiliar with PowerShell scripting. For more details about the GUI, visit the official DSC page.
Key benefits include:
- Configuration Consistency: Standardize and enforce policies across tenants.
- Drift Detection: Identify and resolve unintended configuration changes automatically.
- ReverseDSC: Export configurations from existing tenants for reuse or backup.
- Tenant Synchronization: Replicate configurations across multiple managed environments.
Prerequisites
Ensure the following before starting:
- Windows PowerShell 5.1 on the machine that will run the Local Configuration Manager (Start-DscConfiguration and the LCM ship with Windows PowerShell 5.1), with the Microsoft365DSC module installed for all users; the LCM runs as SYSTEM and cannot see a CurrentUser install.
- Appropriate Microsoft 365 licenses (dependent on workload).
- An identity with rights to read (for export) and write (for apply) the workloads you manage. For unattended runs prefer an app registration with certificate authentication, granted only the Graph and Exchange permissions the resources you use require; Get-M365DSCCompiledPermissionList lists those permissions per resource. Interactive admin credentials work for a first export but not for a scheduled LCM run on an MFA-protected account.
Step-by-Step Guide: Implementing Microsoft 365 DSC
Step 1: Install Microsoft 365 DSC
Open a Windows PowerShell 5.1 session as an administrator and run the following. -Scope AllUsers matters: the Local Configuration Manager runs as SYSTEM and does not see modules installed only for the current user.
Install-Module -Name Microsoft365DSC -Scope AllUsers -Force
Then run Update-M365DSCDependencies, which installs the exact versions of the Graph, Exchange, PnP and Teams modules this release of Microsoft365DSC was tested with; mismatched dependency versions are the most common cause of export failures. Verify the installation by running:
Get-Module -Name Microsoft365DSC -ListAvailable
Step 2: Authenticate with Microsoft 365
Microsoft 365 DSC has no separate connect cmdlet. Authentication is passed as parameters: to Export-M365DSCConfiguration when you export, and to every resource in a compiled configuration when you apply. Two forms are supported:
- Interactive: -Credential with a PSCredential for a user holding the required admin roles. Fine for a first export, but a scheduled LCM run cannot satisfy an MFA prompt, and the compiled MOF would then have to carry the password.
- App-only: -ApplicationId, -TenantId and -CertificateThumbprint for an app registration whose certificate sits in the local machine certificate store. Use this for unattended drift checks and for anything committed to source control, because no secret ends up in the configuration file.
Step 3: Export Current Tenant Configuration
Extract the tenant's existing configuration. -Workloads takes workload codes (AAD, EXO, SPO, TEAMS, INTUNE and so on); -Components takes individual resource names such as EXOTransportRule when you want a narrower export:
Export-M365DSCConfiguration -Workloads @("EXO", "SPO", "AAD", "TEAMS") -Path "C:\M365DSC\Export" -ApplicationId $appId -TenantId $tenantId -CertificateThumbprint $thumbprint
Adjust the workloads to what you actually manage. A full export of a mature tenant takes a while and produces a large file; exporting one workload at a time keeps the review in Step 4 manageable.
Step 4: Review the Exported Configuration
Locate the exported script (M365TenantConfig.ps1 by default) and the ConfigurationData.psd1 next to it in the export directory. Open the script to review settings such as mail flow rules, site permissions, or conditional access policies, and edit it to match your requirements. Two things to check before applying: tenant-specific values such as group object IDs in policy assignments and verified domain names will not be valid in a different tenant, and the file is a complete inventory of the tenant's security controls, so store it with the same care as a credential.
Step 5: Apply the Configuration
To enforce the configuration on another tenant or reapply it to the same one, first compile it into a MOF and then hand the MOF to the Local Configuration Manager. Running the exported script (.\M365TenantConfig.ps1) compiles the configuration into a folder named after it, M365TenantConfig by default; that folder is what you pass to Start-DscConfiguration:
Start-DSCConfiguration -Path ".\M365TenantConfig" -Wait -Verbose -Force
Start-DscConfiguration applies: each resource tests the tenant and, where it differs, calls the service to bring it in line. It does not produce a compliance report. To see whether the tenant now matches without changing anything, run Test-DscConfiguration -Detailed; InDesiredState is $true when everything matches and ResourcesNotInDesiredState lists what still differs.
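The five steps above as one script, added here as a worked example rather than taken from the original post. It assumes an app registration (the $appId, $tenantId and $thumbprint values are placeholders) whose certificate is in the local machine store and whose permissions cover the exported workloads, and it uses C:\M365DSC\Export as a working directory; everything else is the module's own cmdlets and the standard DSC cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: install Microsoft365DSC, export a tenant
# with app-only (certificate) authentication, compile the export and apply it.
# Placeholders (assumptions): $appId, $tenantId, $thumbprint and $workDir.

$appId      = '00000000-0000-0000-0000-000000000000'        # app registration (placeholder)
$tenantId   = 'contoso.onmicrosoft.com'                     # placeholder
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'    # cert in Cert:\LocalMachine\My (placeholder)
$workDir    = 'C:\M365DSC\Export'

# Step 1: install for all users. The LCM runs as SYSTEM and cannot see a CurrentUser install.
# Update-M365DSCDependencies pins the Graph/Exchange/PnP/Teams module versions this release was tested with.
Install-Module -Name Microsoft365DSC -Scope AllUsers -Force
Update-M365DSCDependencies

# Step 2: authentication is a set of parameters, not a session. Splat them into every call.
$auth = @{
    ApplicationId         = $appId
    TenantId              = $tenantId
    CertificateThumbprint = $thumbprint
}

# Least-privilege check: list the application permissions needed to READ the resources
# you plan to export, then compare with what the app registration was actually granted.
Get-M365DSCCompiledPermissionList -ResourceNameList @('AADConditionalAccessPolicy', 'EXOTransportRule') `
    -PermissionType 'Application' -AccessType 'Read' | Format-Table

# Step 3: export. -Workloads takes workload codes (AAD, EXO, SPO, TEAMS, INTUNE, ...);
# use -Components with resource names (e.g. 'EXOTransportRule') for a narrower export.
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Export-M365DSCConfiguration -Workloads @('AAD', 'EXO', 'SPO', 'TEAMS') -Path $workDir @auth

# Step 4: the export is a complete picture of the tenant's security controls. Cut off
# inherited ACEs and leave only Administrators and SYSTEM (the LCM identity) with access.
$acl = Get-Acl -Path $workDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $workDir -AclObject $acl

# Step 5: compile and apply. Running the exported script compiles the M365TenantConfig
# configuration (its last line invokes it with the generated ConfigurationData.psd1)
# into .\M365TenantConfig\localhost.mof; the LCM then applies that MOF.
Push-Location $workDir
try {
    .\M365TenantConfig.ps1
    Start-DscConfiguration -Path .\M365TenantConfig -Wait -Verbose -Force

    # Verification: Start-DscConfiguration applies, it does not report. Ask the LCM.
    $state = Test-DscConfiguration -Detailed
    if ($state.InDesiredState) {
        Write-Host 'Tenant matches the configuration.'
    }
    else {
        Write-Warning 'Drift detected in:'
        $state.ResourcesNotInDesiredState | Select-Object ResourceId | Format-Table
    }
}
finally {
    Pop-Location
}
```

The ACL step is there because the export file lists every conditional access policy, transport rule and sharing setting in the tenant; anyone who can read it can plan around your controls, so it should never sit on a shared drive or in an unprotected repository.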
Step 6: Enable Drift Monitoring (Optional)
While Microsoft 365 DSC inherently checks for compliance with your desired state, enabling detailed drift monitoring gives greater insight into changes within your tenant. Drift monitoring means tracking deviations from the defined configuration and, optionally, correcting them automatically. The behaviour is a setting of the Local Configuration Manager on the node that applied the MOF (ConfigurationMode, changed with Set-DscLocalConfigurationManager), with three modes:
- ApplyOnly: applies the configuration once and never re-checks for drift.
- ApplyAndMonitor (the default): re-tests every ConfigurationModeFrequencyMins minutes (15 by default) and logs drift, but does not correct it.
- ApplyAndAutoCorrect: re-tests on the same schedule and re-applies the configuration whenever a resource is out of its desired state. On a cloud tenant this silently reverts changes made in the admin portals, so make sure the configuration file is the agreed source of truth before enabling it.
DSC's own verdict is available locally from Test-DscConfiguration and from the Microsoft-Windows-DSC/Operational event log. For central visibility into drift events and compliance status across many nodes, register the node with Azure Automation State Configuration and enable the Automation account's diagnostic setting, which forwards DSC node status to Azure Monitor Logs. With that in place you can view historical node status, alert on drift, and trigger remediation:
- Integrate with Azure Monitor Logs: node status records (the DscNodeStatusData category) land in the AzureDiagnostics table and can be queried to find non-compliant nodes. Example query:
AzureDiagnostics | where Category == "DscNodeStatus" | where ResultType != "Compliant"
- Set Alerts for Drift: create Azure Monitor alert rules on that query to notify you when a tenant configuration drifts from the desired state; an alert can send email or trigger an automation runbook that re-applies the configuration.
- Visualize Compliance Data: the same table drives workbooks that chart compliance over time, giving a clear picture of tenant health and of recurring configuration issues.
Learn more about integrating DSC with Azure Monitor Logs in the Microsoft Learn documentation.
This optional step enhances your ability to manage configurations across large-scale or dynamic environments, ensuring your Microsoft 365 tenant remains compliant and aligned with organizational policies.
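The LCM modes and the drift check described in this section, as an added example that is not part of the original post. It assumes the same app-only parameters as the earlier steps (placeholders), an approved baseline export at C:\M365DSC\Baseline\M365TenantConfig.ps1 and a C:\M365DSC\Snapshots directory for fresh exports; the cmdlets are the standard LCM cmdlets and the module's Compare-M365DSCConfigurations and New-M365DSCDeltaReport.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: switch the node's LCM to
# ApplyAndAutoCorrect so the tenant is re-checked hourly, then produce an
# on-demand drift report by diffing a fresh export against an approved baseline.
# Assumptions (placeholders): the $auth values, $baseline and the Snapshots directory.

$auth = @{
    ApplicationId         = '00000000-0000-0000-0000-000000000000'        # placeholder
    TenantId              = 'contoso.onmicrosoft.com'                     # placeholder
    CertificateThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'    # placeholder
}
$baseline    = 'C:\M365DSC\Baseline\M365TenantConfig.ps1'
$snapshotDir = Join-Path 'C:\M365DSC\Snapshots' (Get-Date -Format 'yyyyMMdd-HHmm')

# --- 1. LCM meta-configuration -------------------------------------------------
# ConfigurationMode selects one of the three drift behaviours. The default is
# ApplyAndMonitor; ApplyAndAutoCorrect makes the LCM re-apply on every consistency
# check. The minimum interval is 15 minutes; 60 keeps the API call volume modest.
[DSCLocalConfigurationManager()]
configuration LcmDriftSettings {
    Node localhost {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 60
            RebootNodeIfNeeded             = $false
            ActionAfterReboot              = 'ContinueConfiguration'
        }
    }
}
$metaPath = Join-Path $env:TEMP 'LcmDriftSettings'
LcmDriftSettings -OutputPath $metaPath | Out-Null          # writes localhost.meta.mof
Set-DscLocalConfigurationManager -Path $metaPath -Verbose
Get-DscLocalConfigurationManager | Select-Object ConfigurationMode, ConfigurationModeFrequencyMins

# --- 2. What the LCM thinks right now --------------------------------------------
# Test-DscConfiguration runs the Test() method of every resource without changing
# anything; ResourcesNotInDesiredState names the drifted resources.
$state = Test-DscConfiguration -Detailed
$state.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState

# --- 3. Property-level drift report ----------------------------------------------
# The LCM only says "not in desired state". To see WHICH property changed (for
# example a conditional access policy silently set to disabled), export again and
# diff the two configuration files. The HTML report is what goes on the change ticket.
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null
Export-M365DSCConfiguration -Workloads @('AAD', 'EXO') -Path $snapshotDir @auth
$snapshot = Join-Path $snapshotDir 'M365TenantConfig.ps1'

$delta = Compare-M365DSCConfigurations -Source $baseline -Destination $snapshot
Write-Host ("{0} resource(s) differ from the baseline" -f @($delta).Count)

New-M365DSCDeltaReport -Source $baseline -Destination $snapshot `
    -OutputPath (Join-Path $snapshotDir 'drift-report.html')
```

Run part 3 from a scheduled task even if you keep the LCM in ApplyAndMonitor: the LCM tells you that something drifted, the delta report tells you what, and the snapshot directory gives you a dated history of the tenant's configuration that survives portal changes nobody documented.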
Real-Life Examples of DSC Configurations
Example 1: Exchange Online Configuration
Below is an example script for managing mailbox retention and the default anti-spam policy. Two corrections against the common first attempt: litigation hold is a per-mailbox setting and not a property of EXOMailboxPlan, and spam verdicts (SpamAction) belong to the anti-spam policy, exposed as EXOHostedContentFilterPolicy, not to a transport rule. Every resource also needs the authentication parameters, passed here as configuration parameters so that nothing tenant-specific is hard-coded:
Configuration ConfigureExchange {
    param ([String] $ApplicationId, [String] $TenantId, [String] $CertificateThumbprint)
    Import-DscResource -ModuleName 'Microsoft365DSC'

    Node localhost {
        # Mailbox plan names are tenant-specific (e.g. "ExchangeOnlineEnterprise-<guid>"); take the value from your export.
        EXOMailboxPlan DefaultMailboxPlan {
            Name                  = "ExchangeOnlineEnterprise"
            RetainDeletedItemsFor = "30.00:00:00"   # keep deleted items 30 days before purge
            Ensure                = "Present"
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
        # Spam verdicts are set on the anti-spam (hosted content filter) policy, not on a transport rule.
        EXOHostedContentFilterPolicy DefaultSpamPolicy {
            Identity                 = "Default"
            SpamAction               = "Quarantine"
            HighConfidenceSpamAction = "Quarantine"
            Ensure                   = "Present"
            ApplicationId            = $ApplicationId
            TenantId                 = $TenantId
            CertificateThumbprint    = $CertificateThumbprint
        }
    }
}
Example 2: Intune Device Compliance Policy
Configure a policy to enforce compliance for Windows devices. The key property of IntuneDeviceCompliancePolicyWindows10 is DisplayName (there is no Name property), and the authentication parameters are required on the resource. Recent module versions also expose ScheduledActionsForRule (the action taken on non-compliance); if your tenant insists on one, copy its syntax from an export:
Configuration ConfigureIntune {
    param ([String] $ApplicationId, [String] $TenantId, [String] $CertificateThumbprint)
    Import-DscResource -ModuleName 'Microsoft365DSC'

    Node localhost {
        IntuneDeviceCompliancePolicyWindows10 DefaultPolicy {
            DisplayName           = "Win10 Compliance Policy"   # DisplayName is the key, not Name
            PasswordRequired      = $true
            PasswordMinimumLength = 12
            BitLockerEnabled      = $true
            SecureBootEnabled     = $true
            Ensure                = "Present"
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
Example 3: Conditional Access with Entra (Azure AD)
Create a conditional access policy that requires MFA for guest and external users. The resource is AADConditionalAccessPolicy (there is no AzureADConditionalAccessPolicy), its key is DisplayName, the grant control is expressed through BuiltInControls, and guests are targeted with IncludeGuestOrExternalUserTypes rather than a UserType property. The policy starts in report-only mode so the sign-in logs show who would have been affected; exclude your break-glass accounts (ExcludeUsers or ExcludeGroups) before changing State to "enabled":
Configuration ConfigureEntra {
    param ([String] $ApplicationId, [String] $TenantId, [String] $CertificateThumbprint)
    Import-DscResource -ModuleName 'Microsoft365DSC'

    Node localhost {
        AADConditionalAccessPolicy MFAForGuests {
            DisplayName                          = "MFA for External Users"
            State                                = "enabledForReportingButNotEnforced"   # "enabled" once validated
            IncludeApplications                  = @("All")
            IncludeExternalTenantsMembershipKind = "all"
            IncludeGuestOrExternalUserTypes      = @("b2bCollaborationGuest", "b2bCollaborationMember", "otherExternalUser")
            ClientAppTypes                       = @("all")
            GrantControlOperator                 = "OR"
            BuiltInControls                      = @("mfa")
            Ensure                               = "Present"
            ApplicationId                        = $ApplicationId
            TenantId                             = $TenantId
            CertificateThumbprint                = $CertificateThumbprint
        }
    }
}
Conclusion
Microsoft 365 DSC simplifies tenant management by automating and enforcing configurations, reducing manual effort, and maintaining compliance. Built on PowerShell DSC principles, it empowers IT pros to maintain consistency and prevent configuration drift. The addition of a GUI enhances its accessibility, making it easier for teams to interact with and monitor their configurations visually.
What do you use for tenant automation and deployment? Do you prefer Azure Automation Runbooks, Terraform, Nerdio, Eido, or other tools? Share your experiences and let’s discuss the best approaches for streamlining tenant management!