
Step by step how to check your m365 tenant for config drift.

Open jbradley419 opened this issue 10 months ago • 1 comments

Could someone please show step-by-step how to check your tenant for config drift? So far I have exported the tenant config using the Export-M365DSCConfiguration command. How do I set this as my baseline and scan for changes?

Thank you

jbradley419 avatar Apr 24 '24 13:04 jbradley419

There is no "one-size-fits-all" tutorial here, since there are too many ways to use the M365DSC. The general logic will be the same. Here's how I see it.

If you run M365DSC in a persistent mode (LCM on a constantly running VM)

In the easiest scenario, you just configure the LCM to ApplyAndAutoCorrect and let it take care of the drift for you. If you need a more complex process (reviews/approvals, integration/pipeline, etc.), set the LCM to ApplyAndMonitor and track the EventLog entries in any way you like (Azure Monitor, local script, whatever). Just follow this article: https://microsoft365dsc.com/user-guide/get-started/monitoring-drifts/

If you run M365DSC in a non-persistent mode (LCM set to ApplyOnly - container or something similar)

You'd have to detect drift yourself. What you choose (pipeline, scheduled task etc) is up to you. You have two options here.

  1. You can take snapshots on a periodic basis and use https://microsoft365dsc.com/user-guide/cmdlets/New-M365DSCDeltaReport/ to compare them.

  2. You can automatically convert a config to a blueprint after a successful push (or start with Blueprint from the beginning) and use https://microsoft365dsc.com/user-guide/cmdlets/Assert-M365DSCBlueprint periodically to check against drift.

What's important is that both cmdlets support JSON mode, so you basically check if your JSON shows any drift and decide on the rest of your process (auto-push, ask for approval, etc.) based on what you need. Also, in both cases you can do partial checks (do partial exports for snapshots, partial blueprints, or just check parts of JSON) if you need different schedules/processes (different people/policies, for example) for different aspects of your tenant's configuration.

Hope this helps

apcsb avatar Apr 24 '24 18:04 apcsb
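
The snapshot option from the comment above, as an added example that is not part of the original thread or the Microsoft365DSC project: take a partial export, compare it with a stored baseline in JSON mode, and return a result a scheduled task or pipeline can act on. The helper name, paths, component list and the assumed report shape (a JSON array with one entry per drifted resource) are assumptions; check the `-Type` parameter and report format against your installed module version.

```powershell
# Added example (not Microsoft365DSC project code). Paths, component names and the
# JSON report shape (an array with one entry per drifted resource) are assumptions.
function Test-M365TenantDrift {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]       $BaselinePath,   # earlier export kept as baseline
        [Parameter(Mandatory)] [string]       $SnapshotRoot,   # folder that receives new snapshots
        [Parameter(Mandatory)] [string[]]     $Components,     # partial export: only these resources
        [Parameter(Mandatory)] [pscredential] $Credential      # assumed read-only service account
    )
    $ErrorActionPreference = 'Stop'
    Import-Module Microsoft365DSC

    # 1. Take a fresh snapshot of the selected components.
    $snapDir = Join-Path $SnapshotRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $snapDir -Force | Out-Null
    Export-M365DSCConfiguration -Components $Components -Credential $Credential `
        -Path $snapDir -FileName 'Snapshot.ps1' | Out-Null

    # 2. Compare the baseline (source) with the snapshot (destination) in JSON mode.
    $report = Join-Path $snapDir 'Drift.json'
    New-M365DSCDeltaReport -Source $BaselinePath `
        -Destination (Join-Path $snapDir 'Snapshot.ps1') `
        -OutputPath $report -Type 'JSON' | Out-Null

    # 3. Fail closed: a missing report means the comparison did not run.
    if (-not (Test-Path -LiteralPath $report)) {
        throw "No delta report at $report; treat as a failed check, not as 'no drift'."
    }
    $raw    = Get-Content -LiteralPath $report -Raw
    $parsed = if ([string]::IsNullOrWhiteSpace($raw)) { $null } else { ConvertFrom-Json -InputObject $raw }
    # Piping from a variable enumerates arrays on Windows PowerShell 5.1 as well.
    $drift  = @($parsed | Where-Object { $null -ne $_ })

    [pscustomobject]@{
        Drifted    = $drift.Count -gt 0
        DriftCount = $drift.Count
        ReportPath = $report
    }
}

# Usage in a scheduled task or pipeline step (values are placeholders):
# $r = Test-M365TenantDrift -BaselinePath 'C:\M365DSC\Baseline\M365TenantConfig.ps1' `
#         -SnapshotRoot 'C:\M365DSC\Snapshots' -Credential (Get-Credential) `
#         -Components 'AADConditionalAccessPolicy', 'EXOTransportRule'
# if ($r.Drifted) { exit 1 }   # non-zero exit lets the pipeline alert or ask for approval
```

Keeping each timestamped snapshot folder alongside its report gives reviewers the exact before and after state when a drift is escalated.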

Thanks @apcsb for the great summary

andikrueger avatar May 06 '24 20:05 andikrueger