If you are like most IT admins out there, it's likely you do not have a great way of managing configuration settings and security baselines within Microsoft 365 today. Many of you are using physical checklists to deploy your baselines, and keeping up with configuration changes is often a manual process. If you want to learn how to automate this process across one to many Microsoft tenants, stay tuned because in this article, we will be covering a cool topic called Desired State Configuration and I will be showcasing a tool called Simeon Cloud which allows you to automate the backup, deployment, and monitoring of all of your configuration baselines.

What is Desired State Configuration?

I like to think of Desired State Configuration like a combination of a backup solution and a traditional imaging solution. Now I may have just triggered some of you talking about imaging but hang in there with me. You are basically defining your desired state, i.e. how you would image a tenant or all of the Microsoft Tenants you manage today. This includes everything from all of the security configurations like conditional access policies all the way to the individual applications you deploy. From there you take a snapshot of that image, like a backup, so that you can continuously compare the existing state of a tenant or tenants with the desired state that you have defined.

Microsoft 365 DSC

Microsoft 365 DSC has been around for a while now and leverages PowerShell on the backend to perform the actions I just described.

Now if you go try to implement Microsoft 365 DSC you will find that it's not exactly the easiest process. In fact, the whitepaper on how to configure DSC is over 80 pages. In configuring it myself, it took over 8 hours just to configure a single Microsoft tenant and you have to be proficient at things such as spinning up VMs in Azure, managing Azure DevOps, and deploying digital certificates.

The need for DSC for MSPs

Like I mentioned at the beginning of the article, many of you out there are likely using manual checklists to configure what you would call your desired state today. If you are a Managed Service Provider, it's likely you are following that checklist for each customer you onboard and have no automated way to detect what we call drift, or changes in the tenant that diverge from your baseline.

In today’s workforce, we are managing more tools than ever before and compliance requirements are getting stricter. Many businesses are looking for a compliance framework to follow regardless of whether they fall under strict regulations. I believe that using a desired state configuration tool for automation will be commonplace in the next 3 to 5 years to meet the growing needs of security and compliance.

Simeon Cloud | Benefits of DSC Tool

As I mentioned earlier, setting up Microsoft DSC wasn’t exactly the most intuitive or user-friendly process. I was looking for something with more of a front-end to simplify the management process. My search led me to a tool called Simeon Cloud, which was a tool we actually used at the previous MSP I worked for.

Let me walk through 4 major benefits of desired state configuration using the Simeon portal to show you what I am talking about:

#1 Monitoring, Backup, Reporting

As an IT Admin, you need to be able to define your baseline, back it up, and then have continuous monitoring and reporting of how one or more Microsoft tenants stack up to that baseline. In the Simeon portal, you are able to connect Microsoft 365 tenants and compare their existing configuration settings against Simeon’s recommendations, or you can use a tenant as your “golden image” for the baselines you want to define. These baselines are no joke: there is an extensive list across all of the Microsoft product offerings including Azure AD, Exchange, Intune, SharePoint, and the Defender Portal. When a tenant is connected you are able to get an instant backup or snapshot of the existing configuration and there is immediate reporting of how that tenant compares against your baseline.

#2 Compliance

The initial configuration of your baseline is only half the equation when it comes to being compliant. You need a way to detect any drift or movement away from your baseline. This only gets harder the more tenants you manage.

With your baselines defined in Simeon, tenants are synced daily to detect any drift and reports are generated to show any tenant outside of compliance. You are able to immediately reconcile the differences to realign the tenant with your baseline. Additionally, you are able to leverage the baselines for application package files so that you can easily deploy and repackage any Intune application across many tenants. I think that is a really cool part of what Simeon does, and it brings a whole other management layer to the solution.
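The snapshot-and-compare loop from "What is Desired State Configuration?" and the daily drift check described above, as an added example (not Simeon's or Microsoft 365 DSC's code). The tenant names, policy keys and snapshot layout are constructed for illustration; a real export has its own schema.

```python
# Constructed snapshots: the keys are illustrative, not a real export schema.
BASELINE = {
    "CA/RequireMfaForAdmins": {"state": "enabled", "grantControls": ["mfa"]},
    "CA/BlockLegacyAuth": {"state": "enabled",
                           "clientAppTypes": ["exchangeActiveSync", "other"]},
}
TENANTS = {
    # Matches the baseline; only list order differs, which is not drift.
    "contoso": {
        "CA/RequireMfaForAdmins": {"state": "enabled", "grantControls": ["mfa"]},
        "CA/BlockLegacyAuth": {"state": "enabled",
                               "clientAppTypes": ["other", "exchangeActiveSync"]},
    },
    # One policy disabled, one deleted, one created outside the baseline.
    "fabrikam": {
        "CA/RequireMfaForAdmins": {"state": "disabled", "grantControls": ["mfa"]},
        "CA/AllowVendorBypass": {"state": "enabled", "grantControls": []},
    },
}

def normalize(value):
    """Sort lists recursively so ordering differences are not reported as drift."""
    if isinstance(value, dict):
        return {k: normalize(v) for k, v in value.items()}
    if isinstance(value, list):
        return sorted((normalize(v) for v in value), key=repr)
    return value

def diff(desired, actual, path=""):
    """Return (kind, path, desired, actual); kind is missing, unmanaged or changed."""
    findings = []
    for key in sorted(set(desired) | set(actual)):
        here = f"{path}.{key}" if path else key
        if key not in actual:
            findings.append(("missing", here, desired[key], None))
        elif key not in desired:
            findings.append(("unmanaged", here, None, actual[key]))
        elif isinstance(desired[key], dict) and isinstance(actual[key], dict):
            findings.extend(diff(desired[key], actual[key], here))
        elif normalize(desired[key]) != normalize(actual[key]):
            findings.append(("changed", here, desired[key], actual[key]))
    return findings

def drift_report(baseline, tenants):
    """Compare every tenant snapshot against the one shared baseline."""
    return {name: diff(baseline, snap) for name, snap in tenants.items()}

if __name__ == "__main__":
    for tenant, findings in drift_report(BASELINE, TENANTS).items():
        print(tenant, findings or "compliant")
```

The "unmanaged" kind matters as much as "changed": a policy created outside the baseline, such as an exclusion or bypass rule, is drift even though no baseline setting was edited.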

#3 Lifecycle Management

We all know that Microsoft is changing or introducing new features on the regular. A mature business should be testing changes in a demo environment first before introducing those into production. Additionally, all changes should be reviewed in a test environment before being added to or changed within your baseline. Leveraging Azure DevOps on the backend, Simeon allows you to keep a replica of the baselines across development and production environments and gives you an approval workflow when you are ready to promote a change into production.

#4 Multi-Tenant Management

A desired state configuration tool needs to support more than one Microsoft tenant. As an MSP, keeping up with changes and baselines across all of your Microsoft customer environments can be a huge headache, and it's impossible to keep up with drift manually. Simeon allows you to standardize your baselines across all of your customers and get alerts on any drift daily.

Ex. The ability to push apps/configs from one tenant to another.

Conclusion

I would highly recommend checking out a desired state tool to help automate the configuration settings in the Microsoft tenants that you manage today. Microsoft 365 DSC is free and is a good place to start to understand the mechanics of what you are working with. If you are looking to automate the process with more of a friendly front-end user experience, definitely check out Simeon Cloud. I was able to set up a trial very easily and had one of their engineers walk me through the entire portal.
