Microsoft365DSC: Compare M365 Configurations Between Tenants

Introduction to Comparing Microsoft 365 Configurations

Managing multiple Microsoft 365 tenants presents consistency and security challenges. Microsoft365DSC stands out as the reference tool for automating configuration comparison across environments. This free PowerShell DSC-based solution transforms the tedious manual task of verifying settings into an automated and reliable process.

Introduction to Microsoft365DSC

Microsoft365DSC is an open-source framework that leverages PowerShell Desired State Configuration to manage Microsoft 365 configurations using the "Configuration as Code" approach. This modern approach enables you to:

• Automate tenant parameter configuration
• Export existing configurations to files
• Synchronize configurations across different tenants
• Monitor parameter changes in real-time

Benefits of Microsoft365DSC for Configuration Comparison

Using Microsoft365DSC to compare configurations offers several operational benefits:

Efficient Change Tracking

• Rapid identification of configuration changes
• Preservation of critical security policies
• Automatic alerts on configuration drift

Simplified Migration Between Tenants

• Perfect configuration alignment during cross-tenant migrations
• Automated post-migration consistency verification
• Reduced risk of human error

Establishing Best Practices

• Comparative analysis of security configurations
• Identification of optimal configurations
• Unified deployment of best practices

Configuration Comparison with New-M365DSCDeltaReport

The New-M365DSCDeltaReport cmdlet is at the heart of the comparison functionality. It allows two distinct usage scenarios:

Comparing Two Microsoft 365 Tenants

To compare configurations of two different tenants, follow this procedure:

1# Export Tenant A
2Export-M365DSCConfiguration -Credential $TenantACredential -Path "D:\M365DSC\TenantAconfig.ps1"
3 
4# Export Tenant B  
5Export-M365DSCConfiguration -Credential $TenantBCredential -Path "D:\M365DSC\TenantBconfig.ps1"

1New-M365DSCDeltaReport -Source "D:\M365DSC\TenantAconfig.ps1" -Destination "D:\M365DSC\TenantBconfig.ps1" -OutputPath "D:\M365DSC\DiscrepancyReport.html"

Advanced Report Generation Options

Divergence Report Only

To view only different configurations, use the -DriftsOnly parameter:

1New-M365DSCDeltaReport -Source "D:\M365DSC\TenantAconfig.ps1" -Destination "D:\M365DSC\TenantBconfig.ps1" -OutputPath "D:\M365DSC\Report.html" -DriftsOnly $true

JSON Output Format

To get a structured report in JSON format:

1New-M365DSCDeltaReport -Source "D:\M365DSC\TenantAconfig.ps1" -Destination "D:\M365DSC\TenantBconfig.ps1" -OutputPath "D:\M365DSC\Report.json" -Type JSON

Temporal Configuration Comparison

Microsoft365DSC also allows comparing configuration changes for the same tenant over time. This functionality proves particularly useful for:

• Auditing configuration changes
• Identifying security drift
• Tracking parameter evolution

1New-M365DSCDeltaReport -Source "D:\M365DSC\TenantConfigRecent.ps1" -Destination "D:\M365DSC\TenantConfigOld.ps1" -OutputPath "D:\DiscrepancyReport.html"

Validation with Blueprints: Assert-M365DSCBlueprint

The blueprint functionality represents a major advancement in configuration validation. It allows comparing a tenant against approved reference configurations.

Creating a Microsoft 365 Blueprint

A Microsoft365DSC blueprint is a PowerShell DSC file containing:

• Reference configurations
• Severity level metadata
• Explanatory comments

Example blueprint structure:

1Node localhost {
2    AADConditionalAccessPolicy "AADConditionalAccessPolicy-Block Access to M365" {
3        BuiltInControls = @("mfa"); ### L1|We recommend requiring MFA for all users
4        DisplayName = "Block Access to M365";
5        ExcludeUsers = @("AdminGlobal"); ### L2|We recommend excluding the global admin to prevent lockout
6        State = "enabled"; ### L3|We recommend enabling the policy to enforce it
7    }
8}

Metadata Severity Levels

Blueprints use three severity levels:

Executing Blueprint Validation

Use the Assert-M365DSCBlueprint cmdlet to validate your tenant:

1Assert-M365DSCBlueprint -BluePrintUrl "D:\M365DSC\SecurityBlueprint.ps1" -OutputReportPath "D:\M365DSC\ValidationReport.html" -Credentials (Get-Credential)

Practical PowerShell Scripts

Automated Comparison Script

1# Multi-tenant automated comparison script
2$TenantA = "tenant-a.onmicrosoft.com"
3$TenantB = "tenant-b.onmicrosoft.com"
4$OutputPath = "D:\M365DSC\Reports"
5 
6# Authentication
7$CredA = Get-Credential -Message "Credentials for $TenantA"
8$CredB = Get-Credential -Message "Credentials for $TenantB"
9 
10# Export configurations
11Export-M365DSCConfiguration -Credential $CredA -Path "$OutputPath\$TenantA-config.ps1"
12Export-M365DSCConfiguration -Credential $CredB -Path "$OutputPath\$TenantB-config.ps1"
13 
14# Generate report
15$ReportPath = "$OutputPath\Comparison-$(Get-Date -Format 'yyyyMMdd').html"
16New-M365DSCDeltaReport -Source "$OutputPath\$TenantA-config.ps1" -Destination "$OutputPath\$TenantB-config.ps1" -OutputPath $ReportPath
17 
18Write-Host "Report generated: $ReportPath" -ForegroundColor Green

Blueprint Validation Script

1# Automated validation with blueprint
2$BlueprintPath = "D:\M365DSC\Blueprints\SecurityBaseline.ps1"
3$ReportPath = "D:\M365DSC\Reports\Validation-$(Get-Date -Format 'yyyyMMdd').html"
4$Credentials = Get-Credential
5 
6try {
7    Assert-M365DSCBlueprint -BluePrintUrl $BlueprintPath -OutputReportPath $ReportPath -Credentials $Credentials
8    Write-Host "Validation successful. Report: $ReportPath" -ForegroundColor Green
9}
10catch {
11    Write-Error "Error during validation: $($_.Exception.Message)"
12}

Specialized Use Cases by Microsoft 365 Service

Entra ID - Critical Configurations

• Conditional Access Policies: Monitoring MFA rules
• Cross-tenant Settings: Validating external access
• Authentication Methods: Controlling login options

Exchange Online - Essential Parameters

• Mailbox Permissions: Auditing access rights
• Auto-reply Policies: Standardizing parameters
• OWA Configuration: Standardizing web interface

Microsoft Teams - Crucial Settings

• Channel Policies: Managing communications
• Guest Meeting Settings: Securing external access
• File Policies: Controlling content sharing

SharePoint Online - Security

• Access Requests: Approval processes
• External Sharing: Security levels
• Storage Entities: Configuring spaces

Technical Terms Glossary

Configuration as Code (CaC): An infrastructure management approach where configurations are defined via versioned code.

PowerShell DSC: Desired State Configuration - Microsoft framework for managing system configuration declaratively.

Blueprint: A reference configuration template containing best practices and explanatory metadata.

Drift: Configuration drift - The gap between desired state and current state of a configuration.

Cross-tenant: Relating to interactions and migrations between different Microsoft 365 tenants.

Delta Report: A difference report highlighting discrepancies between two configurations.

Useful Links and Documentation

• Official Microsoft365DSC Documentation
• Microsoft365DSC GitHub Repository
• Microsoft PowerShell DSC Guide
• Microsoft 365 Security Blueprints
• Microsoft 365 Compliance Center

Conclusion

Microsoft365DSC revolutionizes comparative management of Microsoft 365 configurations. This free tool transforms a complex and time-consuming task into an automated and reliable process. Whether for migrations, security audits, or establishing best practices, Microsoft365DSC has become essential for modern Microsoft 365 administrators.

The integration of blueprints with contextual metadata further elevates this solution, offering not only drift detection but also improvement recommendations. Adopt this "Configuration as Code" approach now for proactive management of your Microsoft 365 environments.