Use Microsoft365DSC to keep your Power Platform tenant settings into sync

Since I have a Microsoft 365 background, I always like to keep in touch with that side of the Microsoft Clouds. Of course, Power Platform is my main focus nowadays, but I have still been keeping tabs on the M365 world.

One of the things I have been really interested in is Microsoft365DSC (M365DSC). A couple of years back it was called Office365DSC, and it has since been getting better and better. But first, let's talk about what it actually is.

M365DSC is an open-source project which Nik Charlebois started a couple of years back. DSC stands for desired state configuration. It solves a problem that a lot of companies have: when you have a lot of admins who administer your environment, how do you make sure the settings in all the different admin portals are the correct ones? This is a big problem for large enterprises, because sometimes one of the admins could change a setting and when you don’t notice that, it’s hard to find who actually changed that setting. The Microsoft 365 audit log entries have a retention of 90 days (E3 license) or 365 days (E5 license), so when it’s past the 90 or 365 days, it could mean that you won’t be able to find the log of who did it anymore.

The great thing about M365DSC is that you’re able to create a configuration that’s the single source of truth for everyone in the company and apply that to the tenant. You can also report on that, for instance, compare a configuration to a tenant and see what the differences are or create a report of what the settings are in that configuration.

I have been working at multiple enterprises over the years and I really see the need for this. A lot of companies don’t know this exists. Hopefully, some assets like the new M365DSC white paper will change that. This white paper shows you how to use M365DSC together with Azure DevOps. It’s a must-read for every admin that does something with M365.

PPTenantSettings Module

It’s possible to create your own module for M365DSC. That’s something I did a couple of weeks back for Power Platform tenant settings. This means you can now export the Power Platform tenant settings as a config via the following PowerShell script after you have followed the M365DSC installation guide.

$creds = Get-Credential
Export-M365DSCConfiguration -Credential $creds -ComponentsToExtract @(“PPTenantSettings”) -Path "C:\DSCExtracts\"

This could export something like the following configuration:

Configuration Example
{
  param(
    [Parameter(Mandatory = $true)]
    [PSCredential]
    $credsGlobalAdmin
  )
  Import-DscResource -ModuleName Microsoft365DSC

  node localhost
  {
    PPTenantSettings TenantSettings
    {
      IsSingleInstance                               = 'Yes'
      WalkMeOptOut                                   = $false
      DisableNPSCommentsReachout                     = $false
      DisableNewsletterSendout                       = $false
      DisableEnvironmentCreationByNonAdminUsers      = $true
      DisablePortalsCreationByNonAdminUsers          = $false
      DisableSurveyFeedback                          = $false
      DisableTrialEnvironmentCreationByNonAdminUsers = $false
      DisableCapacityAllocationByEnvironmentAdmins   = $true
      DisableSupportTicketsVisibleByAllUsers         = $false
      DisableDocsSearch                              = $false
      DisableCommunitySearch                         = $false
      DisableBingVideoSearch                         = $false
      DisableShareWithEveryone                       = $false
      EnableGuestsToMake                             = $false
      ShareWithColleaguesUserLimit                   = 10000
      GlobalAdminAccount                             = $GlobalAdminAccount
    }
  }
}

In a Twitter thread, I saw this week someone who suggested using the Set-TenantSettings cmdlet to turn off the survey feedback. In the above configuration, that would mean just switching DisableSurveyFeedback from $false to $true.

Now, this is a setting you can only change through PowerShell, but imagine that someone would change that without talking to other admins. The other admins could get confused by the change and change it back, but if you would put the configuration in source control (like what is explained in the M365DSC white paper) you can easily make sure that people need approval by other admins to apply a change. And if someone is out of the office for a while, they could catch up with all the changes immediately after their break.

Reporting

If you have two configurations, let's say one configuration with the proposed new config and one with the current configuration, you'll be able to create a delta report of it. To expand on the above example, let's assume we want to change the DisableSurveyFeedback setting to $true, that would mean our config would change to:

Configuration Example
{
  param(
    [Parameter(Mandatory = $true)]
    [PSCredential]
    $credsGlobalAdmin
  )
  Import-DscResource -ModuleName Microsoft365DSC

  node localhost
  {
    PPTenantSettings TenantSettings
    {
      IsSingleInstance                               = 'Yes'
      WalkMeOptOut                                   = $false
      DisableNPSCommentsReachout                     = $false
      DisableNewsletterSendout                       = $false
      DisableEnvironmentCreationByNonAdminUsers      = $true
      DisablePortalsCreationByNonAdminUsers          = $false
      DisableSurveyFeedback                          = $true
      DisableTrialEnvironmentCreationByNonAdminUsers = $false
      DisableCapacityAllocationByEnvironmentAdmins   = $true
      DisableSupportTicketsVisibleByAllUsers         = $false
      DisableDocsSearch                              = $false
      DisableCommunitySearch                         = $false
      DisableBingVideoSearch                         = $false
      DisableShareWithEveryone                       = $false
      EnableGuestsToMake                             = $false
      ShareWithColleaguesUserLimit                   = 10000
      GlobalAdminAccount                             = $GlobalAdminAccount
    }
  }
}

If I want to do a delta comparison between those two configurations, the only script I have to run is this:

New-M365DSCDeltaReport -Source 'C:\DSC\SourceConfig.ps1' -Destination 'C:\DSC\DestinationConfig.ps1' -OutputPath 'C:\Output\Delta.html'

In this case, the source is the configuration you want to apply, and the destination is the configuration that's active in the tenant now. The above cmdlet would give you an output like this:

This way you can easily see which resources are configured differently - and before you apply the configuration, you will know what value the destination has as well.

Conclusion

Microsoft365DSC is an amazing resource for Microsoft 365 already, but for the Power Platform, it's getting better and better! Apart from PPTenantSettings, there's also a module for Power Platform environments.

The PPTenantSettings module is only the start, but there is a big opportunity here for Power Platform admins. Imagine having a PPDlpPolicies module where you can configure your DLP Policies and keep these into sync. I believe this is a great step forward and hope you will try this out as well. And if you are already convinced after this, make sure to contribute if you have the time!