Building a DevOps Pipeline for Microsoft 365 Tenant Configuration

By Tech Ents Team · February 14, 2025

The Configuration Drift Problem

Without infrastructure-as-code, Microsoft 365 tenant configurations drift over time. Someone enables a sharing policy "temporarily." An admin changes a conditional access policy without documentation. Six months later, no one knows what the intended baseline was, and auditing the current state is a manual, error-prone process.

Microsoft365DSC: Infrastructure as Code for M365

Microsoft365DSC is a PowerShell Desired State Configuration resource module that covers virtually every aspect of Microsoft 365 configuration: Exchange Online, SharePoint, Teams, Intune, Azure AD, and more. A DSC configuration file describes the desired state, and the module can both export the current state (as a baseline) and enforce the desired state (idempotently).

AADConditionalAccessPolicy MFA-AllUsers
{
    DisplayName             = "Require MFA for All Users"
    State                   = "enabled"
    IncludeUsers            = @("All")
    GrantControlOperator    = "OR"
    BuiltInControls         = @("mfa")
    Ensure                  = "Present"
    Credential              = $Creds
}

The Pipeline Architecture

A typical M365 DevOps pipeline:

  1. Repository: DSC configuration files stored in Azure DevOps Repos or GitHub.
  2. Pull Request workflow: Configuration changes go through PR review before merging. A peer review gate for tenant changes is a significant security improvement over direct admin portal access.
  3. CI pipeline: On PR, run Microsoft365DSC in test mode: it connects to the tenant and reports what would change, without making any changes.
  4. CD pipeline: On merge to main, apply the configuration to the tenant. Target dev/test tenants first, production after approval gate.

Drift Detection

Run a scheduled pipeline (nightly or weekly) that compares the live tenant state against the DSC baseline and raises an alert if drift is detected. This catches manual changes made outside the pipeline and creates an audit trail.
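
One way to implement the read-only check used by both the CI step and the scheduled drift job, as an added example that is not code from the original post. It assumes a hypothetical TenantBaseline.ps1 that defines a configuration named TenantBaseline for Node localhost and authenticates with a certificate-based app registration (so no password is written into the compiled MOF), and a Windows agent running elevated Windows PowerShell 5.1 with Microsoft365DSC installed.

```powershell
# Added example: drift gate for a CI or scheduled pipeline job.
# Hypothetical names: TenantBaseline.ps1, the TenantBaseline configuration,
# and the drift-report.json output file.
param(
    [string]$ConfigScript = (Join-Path $PSScriptRoot 'TenantBaseline.ps1'),
    [string]$OutputPath   = (Join-Path $PSScriptRoot 'mof')
)

$ErrorActionPreference = 'Stop'

# Compile the reviewed baseline from source control into a MOF document.
. $ConfigScript
$mof = TenantBaseline -OutputPath $OutputPath |
    Where-Object Name -eq 'localhost.mof'
if (-not $mof) { throw "No localhost.mof produced by $ConfigScript" }

# Compare the live tenant with the baseline. Only each resource's test
# logic runs here; nothing in the tenant is modified.
$result = Test-DscConfiguration -ReferenceConfiguration $mof.FullName

if ($result.InDesiredState) {
    Write-Output 'Tenant matches the baseline.'
    exit 0
}

# One line per drifted resource for the job log, plus a JSON artifact
# that the pipeline can retain as the audit trail.
$drifted = $result.ResourcesNotInDesiredState | Where-Object { $_ }
foreach ($r in $drifted) {
    Write-Warning ("Drift: {0} (resource type {1})" -f $r.ResourceId, $r.ResourceName)
}
$drifted |
    Select-Object ResourceId, ResourceName, InDesiredState |
    ConvertTo-Json |
    Set-Content (Join-Path $OutputPath 'drift-report.json')

# A non-zero exit code fails the job so the pipeline's alerting fires.
exit 1
```

In the PR pipeline the same non-zero exit shows reviewers which resources the merge would change; in the nightly job it flags changes made outside the pipeline.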

Getting Started

The migration path for an existing, manually-managed tenant starts with exporting the current configuration as a DSC baseline using Export-M365DSCConfiguration. Store that export in source control, then migrate new changes to the pipeline workflow. You do not need to boil the ocean; start with the highest-risk configuration areas: conditional access policies, external sharing settings, and Teams governance policies.
