Audit only specific objects for a given resource

Open YenNantes opened this issue 1 year ago • 1 comments

Hi, is there a way when using Assert-M365DSCBlueprint to audit only specific objects for a given resource and tell M365DSC not to check the others?

For example, we have some standard transport rules that should be created on all my company's tenants, but local M365 admins are free to add their own transport rules if they need to. I would like to audit that the standard transport rules are created and configured properly but not audit the other transport rules. The problem right now is that even if I only have the transport rules that I want to audit in my blueprint file, Assert-M365DSCBlueprint will retrieve all transport rules from the remote tenant and find that they do not exist in the blueprint file. I would like to find a way to ignore them.

Same for groups: I would like to check that some specific standard Entra ID groups exist.

Thanks

YenNantes, Jan 18 '24 13:01

There is the M365DSCRuleEvaluation resource, which would basically allow the usage of a configuration to monitor your requirements: https://www.youtube.com/watch?v=RPDxCPo8y_k

You could integrate this resource in a configuration and only run Test-DSCConfiguration against the other tenants.

Internally, this resource uses the option to convert a configuration to PowerShell objects and applies a filter on this object.

https://github.com/microsoft/Microsoft365DSC/blob/17063879cb773d17673302fed84352bed0b9c1eb/Modules/Microsoft365DSC/DSCResources/MSFT_M365DSCRuleEvaluation/MSFT_M365DSCRuleEvaluation.psm1

Please have a look at the code starting at line 190, if you can somehow repurpose it.

andikrueger, Jan 18 '24 14:01

I was not able to achieve what I need using the M365DSCRuleEvaluation feature. This feature is more to control that all resources from a specific type match the given properties, when my need is more, for a given resource type, to audit only specific instances and ignore the others. I found a workaround by building a post-processing script that parses the JSON generated by Assert-M365DSCBlueprint and, for those resource types, removes all the findings related to resources that I do not want to audit. Not great but better than nothing...

YenNantes, Jun 12 '24 12:06
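
One way to implement the post-processing filter described in the last comment, as an added example that is not YenNantes's script or Microsoft365DSC code. It assumes the JSON report is an array of findings with `ResourceName`, `KeyValue` and `Properties` fields; `Select-AuditedFinding`, the scope table and the sample data are hypothetical.

```powershell
# Added example. The field names ResourceName, KeyValue and Properties are an
# assumed shape for the JSON report; adjust them to match your own file.
function Select-AuditedFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Finding,
        # Hypothetical scope table: resource type -> instance names to audit
        [Parameter(Mandatory)] [hashtable] $AuditScope
    )
    $kept = [System.Collections.Generic.List[object]]::new()
    $suppressed = [System.Collections.Generic.List[string]]::new()
    foreach ($f in $Finding) {
        if (-not $AuditScope.ContainsKey($f.ResourceName)) {
            $kept.Add($f)      # resource type is not scoped: keep every finding
        }
        elseif ($AuditScope[$f.ResourceName] -contains $f.KeyValue) {
            $kept.Add($f)      # scoped type, instance is one we audit
        }
        else {
            # Exact name match only (no wildcards), so a renamed standard rule
            # is reported as missing instead of being silently ignored.
            $suppressed.Add("$($f.ResourceName)/$($f.KeyValue)")
        }
    }
    [pscustomobject]@{ Kept = $kept.ToArray(); Suppressed = $suppressed.ToArray() }
}

# Constructed sample findings, not output from a real tenant.
$json = @'
[
 {"ResourceName":"EXOTransportRule","Key":"Name","KeyValue":"STD - Block EXE",
  "Properties":[{"ParameterName":"Enabled","ValueInSource":true,"ValueInDestination":false}]},
 {"ResourceName":"EXOTransportRule","Key":"Name","KeyValue":"Local - Team rule",
  "Properties":[{"ParameterName":"_IsInConfiguration_","ValueInSource":"Absent","ValueInDestination":"Present"}]},
 {"ResourceName":"AADGroup","Key":"DisplayName","KeyValue":"STD - Helpdesk",
  "Properties":[{"ParameterName":"_IsInConfiguration_","ValueInSource":"Present","ValueInDestination":"Absent"}]},
 {"ResourceName":"AADGroup","Key":"DisplayName","KeyValue":"Local - Project X",
  "Properties":[{"ParameterName":"_IsInConfiguration_","ValueInSource":"Absent","ValueInDestination":"Present"}]}
]
'@
$scope = @{
    EXOTransportRule = @('STD - Block EXE', 'STD - Disclaimer')
    AADGroup         = @('STD - Helpdesk')
}
$result = Select-AuditedFinding -Finding ($json | ConvertFrom-Json) -AuditScope $scope
ConvertTo-Json -InputObject $result.Kept -Depth 10
$result.Suppressed | ForEach-Object { Write-Warning "Out of scope, not audited: $_" }
```

Logging the suppressed entries keeps the exclusions visible in the audit record, so locally added objects are ignored by design rather than hidden.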