Admins, do you think your prime responsibility ends up with just setting up the right configurations in your Microsoft 365 tenant? It’s not; it’s an endless quest! 💯 You’ve gotta keep your eyes peeled for any sneaky changes in Microsoft 365 settings – be it accidental slips or mischievous moves! 👀 In simple, all you need to conduct is regular configuration changes auditing in Microsoft 365.
How do we do it? Let’s get into the see the different ways and find out which turns out to be the most efficient for Microsoft 365 admins.
How to Monitor Configuration Changes Made in M365?
When it comes to monitoring configuration changes in our Microsoft 365 environment, our first instinct is to rely on the comprehensive data provided by the Microsoft 365 audit logs. These logs serve as a treasure trove of information, offering insights into various user activities and application activities occurring within the M365 environment.
However, navigating through these logs can quickly become overwhelming! 😫 It’s like searching for a needle in a haystack. Amidst this sea of data, pinpointing specific settings changes is a hassle, requiring significant time and effort. Plus, it’s frustrating as you don’t get alerts right away or an easy way to undo any changes. But don’t worry! Microsoft has got a better alternative for us – Microsoft365DSC tool!
What is Microsoft365DSC Tool?
It’s time to put an end to checking audit logs in Microsoft 365 for settings’ changes! Microsoft 365 admin can utilize this free Microsoft365DSC tool to track configuration changes in M365 tenant! 😎
Microsoft365DSC is an open-source powerful tool designed to configure and manage Microsoft 365 tenant settings using a “configuration-as-code” approach. It is built on a PowerShell DSC framework, which can be used to define the desired state of the organization.
Microsoft365DSC helps you handle all sorts of tasks for effective Microsoft 365 management. For example, with M365DSC, you can,
- Automate Microsoft 365 configurations, settings, and policies
- Monitor Microsoft 365 configuration changes
- Compare Microsoft 365 tenant settings
- Get reports on Microsoft 365 tenant settings
- Sync Microsoft 365 settings for tenant-to-tenant migration
With Microsoft365DSC on your side, you can relax knowing that your Microsoft 365 settings are being watched over. Plus, it doesn’t just spot config changes in Microsoft 365—it’s got your back with its three key capabilities. Let’s see that in the below section.
Merits of Monitoring M365 Configuration Changes with Microsoft365DSC
Here’s why Microsoft365DSC can be a go-to tool for efficient Microsoft 365 monitoring.
Detect | Remediate | Get Alerts on Microsoft 365 Configuration Changes
- Detect Microsoft 365 Settings’ Changes: A centralized monitoring hub to audit Microsoft 365 settings’ changes across all M365 resources.
- Reset Outlook Settings to Default Settings: Quickly spot and fix the drift by restoring the desired state configuration automatically, not just with Outlook, but to every Microsoft 365 service.
- Alert on M365 Config Drifts: Get notified with email alerts regarding drifted Microsoft 365 settings and stay on top of Microsoft 365 configuration changes.
How Microsoft365DSC Helps You Monitor M365 Configuration Drifts?
You can auto-deploy the baseline configuration using ‘Start-M365DSCConfiguration’. Once you auto-deployed M365 settings using Microsoft365DSC, the LCM (Local Configuration Manager) takes charge of regular checks, without requiring manual turning on! Plus, the DSC engine helps autonomously compare the existing M365 tenant settings with the desired state every 15 minutes by triggering the M365DSC.
But here’s where it gets even better: 👉 When it detects a configuration drift in Microsoft 365, the M365DSC doesn’t just stop at identification—it jumps into action!
It assists you by logging the Office 365 configuration changes in Windows Event Viewer, automatically rectifying the drifts, and promptly alerting you about these changes.
All three above actions help you streamline the troubleshooting process and ensure that you’re always on top of any changes. Now, let’s see them in detail below.
Check for Configuration Drifts in Microsoft 365 with Microsoft365DSC
Here are 3 distinct actions that you can perform upon detecting any changes in the Microsoft 365 desired state settings:
- Log configuration drifts in Event Viewer
- Reset modified Microsoft 365 settings with M365DSC
- Alert when detected changes in Microsoft 365 settings
Log Microsoft 365 Configuration Drifts in Event Viewer Using M365DSC
Logging all Microsoft 365 configuration changes is a strategic move. This logging mechanism serves as a valuable historical repository. Also, it offers a transparent and easily accessible record of every setting’s modification detected in Microsoft 365.
By default, Microsoft365DSC will automatically log all the Microsoft 365 settings’ changes in the Windows event log of your system. In case of unexpected issues or incidents, having a comprehensive log in the Event Viewer allows you efficient troubleshooting.
How to View Logs in Windows Event Viewer?
To view and analyze event logs in Windows, follow the steps below.
- Click Start, search for Event Viewer, and open it.
- Expand the Applications and Services Log section.
- Click the M365DSC option and two horizontal tabs will open.
- The first tab shows all the warnings, along with timing and properties, indicating changes to your Microsoft 365 settings.
- You can click any of the warnings, and the detailed insights into the changes will be clearly shown in the below tab.
Here are some of the Microsoft 365 settings and policies you can easily keep track of with Windows Event Viewer. The Windows Event Viewer logs not only the below settings changes but also records everything specified in the M365DSC export cmdlet Web UI.
Monitor Configuration Drift of Entra ID | 1. Monitor Conditional Access policy configuration drift 2. Track Entra ID Cross-tenant access settings changes 3. Identify Azure Authentication Methods policy drifts |
Microsoft 365 Exchange Online Settings’ Monitoring | 1. Audit mailbox permission changes in Microsoft 365 2. Track mailbox automatic reply configuration discrepancy 3. Audit changes to Exchange Online mailbox properties |
Monitor Microsoft Teams Settings’ Changes | 1. Retrieve Teams channel policy drifts 2. Manage MS Teams guest meeting settings changes 3. Monitor Microsoft Teams files policy drifts |
Audit SharePoint Online Setting Changes | 1. Monitor access setting requests in SharePoint Online 2. Audit SharePoint External sharing settings drift in Microsoft 365 3. Identify SPO storage entity setting changes 4. Monitor changes to Microsoft 365 retention policies |
Monitor Microsoft 365 OneDrive Settings Changes | 1. Monitor settings of OneDrive in Microsoft 365 |
Track Changes in Microsoft 365 Intune Settings | 1. Monitor Office 365 admin audit log settings changes 2. Spot Intune account protection policy drifts |
Monitor Security and Compliance Policies | 1. Monitor misconfigured auto sensitivity label rule 2. Monitor DLP policy changes |
Reset Microsoft 365 Changes with Microsoft365DSC
So far, you’ve learned how to observe changes made in M365 settings using Event Viewer. Now, let’s move to the next step!
Let’s say you’ve implemented some new tenant-wide settings like Teams meeting policies, Exchange Online (EXO) mailbox rules, and SharePoint Online sharing settings that adhere to your organization’s policy. Later, you notice changes made in the Teams meeting policies and mailbox rules.
How will you find out what changes are made in the setting, when and how will you restore it to the default setting you configured?
- Again, reconfiguring the DSC file, converting it to a MOF file, and redeploying the baseline configurations via M365DSC? Ughhh! 😫 That’s a lot of work!
How to Change the Configuration Mode in LCM Setting?
Here comes the simplest solution from the Microsoft365DSC itself! 😉 Wondering how to do it. Let’s get into the part and simplify the process.
The default “configuration mode” in Microsoft365DSC is set to ApplyAndMonitor, which only monitors configuration drifts without making any changes. However, if we want to revert to old values automatically upon any change, we must change the configuration mode, as the default doesn’t allow us to do so! ☹️
To enable auto-correction, switch the configuration mode to “ApplyAndAutocorrect” in the Local Configuration Manager. This enables automatic correction of drifts in Microsoft 365 settings whenever changes are detected.
Once set, you can,
- Manage Teams settings and permissions changes automatically
- Audit and reset SharePoint Online permission changes
- Revert security settings in MS Teams automatically
- Auto-reset Azure AD configuration to default settings
Not only the above settings can be auto corrected, but you can also be able to reset the settings specified in the web UI of the export cmdlet.
To set the configuration mode as “ApplyAndAutoCorrect”, follow the steps below.
- Copy and save the DSC code in .ps1 format.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
param ( [parameter()] [System.Management.Automation.PSCredential] $Credential ) [DscLocalConfigurationManager()] Configuration LCMConfig { param ( [parameter()] [System.Management.Automation.PSCredential] $Credential ) if ($null -eq $Credential) { <# Credentials #> $CredsCredential = Get-Credential -Message "Credentials" } else { $CredsCredential = $Credential } Node localhost { Settings { ConfigurationMode = 'ApplyAndAutoCorrect' } } } # Save the configuration script to a file LCMConfig -OutputPath "<FilePath>" |
- Then, we need to convert the configuration file to an MOF file. To do it, run the below cmdlet in PowerShell. Once done, a MOF file is created in the specified path.
1 |
.\<filename> -Credential (Get-credential) |
- Now, we can implement the setting in the MOF file using the below cmdlet.
1 |
Set-DscLocalConfigurationManager -Path "MOF File Path" |
Get Alerts When Detected Changes in Microsoft 365 Settings
Let’s say your fellow admin’s account is compromised. What will the attackers do first? They will likely prioritize disabling Conditional Access policies, modifying Exchange Online mailbox permissions, SharePoint Online access settings, and other barriers hindering their way!
And if you check the Event Viewer for drifted M365 settings several hours later, it’s not worth it! Because, the attacker might have already finished their malicious activities.
Then what helps best in places like this? A reminder system? Of course, yes! 💯 Fortunately, Microsoft365DSC paves for that too. By integrating Azure DevOps pipelines with Microsoft365DSC, you can receive email alerts whenever drifts in any settings are detected, thereby ensuring the security of M365 apps and services.
These alerts not only notify you promptly but also provide detailed reports of what the drifts are. So, even in the busiest of times, you’ll never miss a beat when it comes to,
- Audit sharing settings changes in SharePoint Online
- Detect mailbox permission changes in Exchange Online
- Azure AD settings change audit
- Track changes in Azure AD role settings
- Detect changes in privileged accounts in Azure AD
- Find Power BI settings changes
Points to Note:
1. The Microsoft365DSC tool will only monitor and compare components & resources specified in the desired state configuration (DSC) file for any changes. If changes are made to components not listed in the DSC file, Microsoft365DSC will ignore these changes, and it will not alert or log them in the Event Viewer. Furthermore, if you manually add a new configuration in Office 365 that isn’t specified in the DSC file, M365DSC won’t notify you about this activity.
2. Think you’ve configured an object in the DSC file and deployed it using M365DSC. Later, if you manually delete the specified object, the next synchronization with M365DSC will indicate the object as “Absent” in the Event Viewer. This feature helps you catch any deletion events that occur without your knowledge.
3. Instead of waiting for the sync time and scrolling through logs in the event viewer, you can use the following cmdlet to detect changes. However, it will not provide the exact change, such as drifted property and values. Instead, it will display the component name without exposing any further details.
1 |
Test-DscConfiguration -Detailed |Select * |
4. You can also configure the sync time based on your requirement, instead of relying on the default value of 15 mins. You can set any value between 15 to 44640 based on your requirements.
5. The system continuously monitors for drifts once you’ve deployed the configuration using “Start-DSCConfiguration.” If you wish to halt this monitoring, you can use “Stop-DSCConfiguration.” However, it’s advisable not to stop and delete the document file after deployment, as monitoring drifts is necessary to keep track of crucial settings and policy changes.
6. Suppose you deployed a configuration using “Start-DscConfiguration” previously. After several days, you made some changes to the configuration and needed to redeploy it using the same cmdlet. During this process, you don’t need to stop the previous configuration using “Stop-DscConfiguration” and start deploying the new one. You can directly run “Start-DSCConfiguration” with the new configuration file, as only the latest deployed configuration file is considered for monitoring drifts.
In essence, they are not just points to be taken note of; it’s how precisely M365DSC helps you in monitoring the settings without missing a beat!
Keep Microsoft 365 Settings in Check with Microsoft365DSC Now!
That’s all! Your other prime responsibility of tracking the configuration changes in the tenant can be easily ticked off with M365DSC. So, don’t be late! Use M365DSC, stay informed, and make quick decisions to strengthen your Microsoft 365 security.
I hope this blog brings you more information about how you can effectively audit Microsoft 365 setting changes with Microsoft365DSC. Furthermore, feel free to reach out to us in the comment section for further assistance needed.