ASD's Blueprint for Secure Cloud

Automated Deployment

Overview

Files and instructions for the automated deployment of Blueprint configurations are provided per-service on each of the corresponding Configuration pages. Please refer to the relevant Configuration page for each service for more detailed guidance on automated deployment.

Service              Deployment Mechanism(s)         Deployment coverage
Entra ID             Desired State Configuration     Partial
Microsoft 365        N/A                             None
Microsoft Intune     Desired State Configuration     Partial
Microsoft Defender   Desired State Configuration     Partial
Microsoft Purview    Desired State Configuration     Partial
Exchange Online      Desired State Configuration     Partial
SharePoint Online    Desired State Configuration     Partial
Microsoft Teams      Desired State Configuration     Full
Power Platform       N/A                             None

Deployment Mechanisms

Microsoft 365 Desired State Configuration (M365DSC)

M365DSC is a configuration as code tool developed by Microsoft to automate the configuration of Microsoft 365 tenancies. It is the primary tool used to automate the deployment of the configuration guidance in the Blueprint.

Prerequisites

To deploy Microsoft365DSC configuration, the following prerequisites are required:

  • Microsoft365DSC PowerShell Module with dependencies installed. Instructions can be found here.
  • PowerShell 5.1 with WinRM set up. Refer to WinRM Setup.
  • Understanding of PowerShell Desired State Configuration and Microsoft 365 Administration. Refer to Microsoft365DSC Prerequisites.
  • DSC file for the targeted M365 service.
  • A Configuration Data file. This file must be placed in the same directory as the DSC file.

Configuration Data File

Configuration Data (.psd1)
Note: download the linked .txt file and rename it to .psd1.

DSC File

The DSC files are located in the top-level Configuration pages of each service, as linked in the table above.

To deploy the configuration in each of the DSC files, the relevant .ps1 file must first be converted to a Managed Object Format (MOF) file. Before doing this, a service principal must be set up for M365DSC to use.

Creating the service principal

M365DSC provides a command to automate the creation of a service principal. Before this command can be used, the following components are required:

  • Credentials of an existing account on the tenancy with the permissions to create a service principal and grant admin consent to the required API permissions.
$creds = Get-Credential # Credentials of existing account

Update-M365DSCAzureAdApplication -ApplicationName 'M365DSC' -Type Certificate -CreateSelfSignedCertificate -CertificatePath .\M365DSC.cer -Permissions @( @{Api='Graph';PermissionName='Organization.Read.All'} ) -Credential $creds

This will create the service principal with a basic read permission along with a certificate to be used for authentication. The certificate with the private key will be stored in the current user's personal certificate store. Because the DSC Local Configuration Manager runs as the local SYSTEM account, it cannot read the current user's store: for PowerShell DSC to use this certificate, it must be imported with the private key into the local machine's personal certificate store.

Determine required permissions

The service principal will require specific Microsoft API permissions to access and update the existing tenancy configuration. A list of required permissions can be generated with the following PowerShell command:

Get-M365DSCCompiledPermissionList -ResourceNameList [List of components to be modified] -PermissionType Application -AccessType Update

A list of components can easily be generated using the M365DSC Export Web UI. Before the service principal can be used, admin consent must be granted for the API permissions requested. Refer to Microsoft app-only access guidance.

More information on permissions can be found on the M365DSC Authentication and Permissions page.

Updating the Configuration Data

The NonNodeData section of the ConfigurationData.psd1 file must be populated with the relevant details.

Deploying the Configuration

To convert the DSC file into a MOF file, run the .ps1 file in an elevated PowerShell window.

Once the MOF has been generated, run the following command to deploy the configuration.

Start-DSCConfiguration -Path [Path to folder where MOF is located] -Wait -Verbose -Force

M365DSC will then deploy the configuration to the tenancy. This may take some time.

After the configuration has finished deploying, run the following commands to stop the M365DSC process.

Stop-DSCConfiguration -Force
Remove-DSCConfigurationDocument -Stage Current

This will stop M365DSC from monitoring for configuration drift and re-applying the MOF on the LCM's consistency schedule.
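The steps above (move the certificate to the machine store, check permissions, compile the MOF, apply it, then stop the LCM) in one script, as an added example that is not part of the Blueprint. The DSC file path, MOF folder and resource names are assumptions; the .\M365DSC.cer path is the one exported by the Update-M365DSCAzureAdApplication command above.

```powershell
# Added example (not from the Blueprint). Assumes the service principal and
# .\M365DSC.cer were created with Update-M365DSCAzureAdApplication as shown above.
$ErrorActionPreference = 'Stop'
$DscFile   = '.\Teams.ps1'   # assumption: Blueprint DSC file for one service
$MofFolder = '.\Teams'       # assumption: folder the .ps1 compiles its MOF into
$Resources = @('TeamsClientConfiguration', 'TeamsMeetingPolicy')  # assumption

# 1. Locate the private-key certificate by the thumbprint of the exported public
#    .cer, so the wrong certificate is never imported into the machine store.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path '.\M365DSC.cer').Path
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $public.Thumbprint -and $_.HasPrivateKey }
if (-not $cert) { throw "No private key for thumbprint $($public.Thumbprint) in CurrentUser\My" }

# 2. Copy it to LocalMachine\My, where the LCM (running as SYSTEM) can read it.
if (-not (Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint)) {
    $pfxPassword = Read-Host -AsSecureString -Prompt 'Temporary PFX password'
    $pfx = Join-Path $env:TEMP 'M365DSC.pfx'
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword | Out-Null
    Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My `
        -Password $pfxPassword | Out-Null
    Remove-Item $pfx -Force   # do not leave the private key on disk
}

# 3. Show the application permissions the resources need; compare against what
#    admin consent has actually been granted before deploying.
Get-M365DSCCompiledPermissionList -ResourceNameList $Resources `
    -PermissionType Application -AccessType Update | Format-List

# 4. Compile the DSC file into a MOF (run from an elevated session), then apply it.
& $DscFile
if (-not (Get-ChildItem -Path $MofFolder -Filter '*.mof')) { throw "No MOF produced in $MofFolder" }
Start-DscConfiguration -Path $MofFolder -Wait -Verbose -Force

# 5. Record which resources failed (these need manual configuration), then stop
#    the LCM so it does not keep re-applying the MOF to the tenancy.
$status = Get-DscConfigurationStatus
"Run status: $($status.Status); not in desired state: $($status.ResourcesNotInDesiredState.Count)"
$status.ResourcesNotInDesiredState | Select-Object ResourceId, Error
Stop-DscConfiguration -Force
Remove-DscConfigurationDocument -Stage Current
```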

Troubleshooting
Version of M365DSC specified in DSC file is outdated

In the DSC file, change the version parameter in the Import-DscResource command to the version currently installed.

Errors during DSC deployment and/or missing settings

If any settings fail to deploy automatically via Microsoft365DSC, they will require manual configuration.

If significant or recurring errors are encountered, please feel free to contact us using the details in the banner at the foot of this page.

Security & Governance

  • None identified

Design

  • None identified

Configuration

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra