Examples of M365 DSC Blueprints #4731

Open
Alexprosp247 opened this issue Jun 4, 2024 · 5 comments

@Alexprosp247

I was wondering if there were any publicly accessible blueprints people use for assessing M365 Tenants or is it just a case of creating the blueprints from scratch? I followed the below video to get started with Blueprints which just covered some examples of Teams meeting policies; however, it would be nice to have examples for other workloads like Entra ID. Any guidance on this is much appreciated!

@andikrueger
Collaborator

Blueprints are very specific in a way as they could be seen as a recommendation on how to configure settings in M365. From a M365DSC perspective there is no such guidance.

For example:

Let's think of a blueprint for SharePoint and OneDrive enabling anonymous access to all files. This might not be in the interest of your organisation. The same would apply to any other possible combination.

It is best practice to create blueprints from scratch and align these with your recommendations in regards to governance principles.

@ricmestre
Contributor

@andikrueger One could still argue that you could, not necessarily should or must, provide default secure recommendations in blueprint form. MS already provides this information although in written form in articles scattered all over the place and you need to find each piece of information to create those policies. That is actually what we are doing, we create policies based on your recommendations, export them to get them in blueprint form and then our customers are free to use them as-is, adapt them or not use them at all depending on their requirements.

A good example of CA policies for zero-trust that are actually already in blueprint format can be found here https://github.com/microsoft/ConditionalAccessforZeroTrustResources/tree/main

@andikrueger
Collaborator

That is a fair point. There is plenty of information and recommendations within the documentation.

The main challenge would be to maintain the blueprints and make alignment to changing docs or the parameters that are available.

The CA policy blueprints and white-paper are maintained separately - and are a very good resource to understand this complex topic.

@Alexprosp247
Author

I realise this was a couple weeks old. I just assumed there would've been sample blueprints out there for different workloads that you could use and modify. But since then what I have been doing is, for example, creating a couple conditional access policies, exporting the config, renaming the file to be .m365 and then running the assert cmdlet. Not sure if that is the "right" way of doing things but it felt easier than just writing a blueprint from scratch.

@ricmestre
Contributor

@andikrueger Again, that is exactly what we do, my colleagues ensure that the policies are maintained and up-to-date with MS's recommendations and then I export them to blueprint every now and then to our main repo, usually on a weekly basis following M365DSC's own release cycle so that the parameters and their values work with the new release.

Of course it would be easier if those policies were already created in blueprint form and ready to use, and they would be no more than a recommendation that customers either follow or not, the same goes for the recommendations provided via articles.
