Summary: The document discusses configuring Office 365 tenant settings for a new company, Fabrikam, that is splitting off from Contoso.
It describes managing Office 365 configuration as code by storing settings in JSON files and releasing changes through environments using Azure DevOps pipelines.
Tests are run using Pester to validate that the Office 365 configuration matches the defined settings. Failures result in ServiceNow incident tickets.
3. @AlexMags
This talk
• Unconventional use of Release Pipelines
• Office 365 configuration as versioned code
• Releasing changes through environments to prod
• Testing Office 365 configuration compliance
• NIST CyberSecurity Framework
4. @AlexMags
MS-500 Microsoft 365 Security Administration
Scenario:
Contoso Group (CG) is a financial services organisation.
Contoso is splitting off its investment banking division as
a new company named Fabrikam Ltd.
Contoso Group has 70,000 users; Fabrikam has 7,000
users.
Objective:
Prepare new foundational IT services for Fabrikam to
operate independently of Contoso.
Adopt a cloud first approach.
5. @AlexMags
So much to configure!!!
• AAD tenant config
• AAD Privileged Identity Management
• AAD Conditional Access
• Office 365 Groups policies
• Exchange spam policies
• Exchange anti phish policies
• Exchange Malware filter policy
• Exchange safe attachments policies
• Exchange safe links policies
• Exchange org config
• Exchange Authentication policies
• Exchange DKIM and antispoofing
• Exchange role-based access
• Exchange Transport Rules
• Exchange connector TLS policies
• Exchange Data loss prevention policies
• Sensitive information types
• Office 365 audit log alerts
• Data Retention policies
• SharePoint tenant config
• SharePoint DLP policies
• SharePoint role-based access
• Teams messaging policies
• Teams meeting policies
• Teams client policies
• Teams federation
• Teams role-based access
• Etc….
15. @AlexMags
(Diagram: subscriptions, AAD identity, accounts and invoicing per environment)
Invoicing: EA Portal / Enterprise Agreement
Fabrikam IT:
  Lab domain: Azure Lab, O365 Lab (MPSA)
  Test domain: Azure Test, O365 Test (MPSA)
  Production domain: Azure Prod, O365 Production
  Further Azure subscriptions: Azure DevOps, Research Grid
Contoso IT: Production
34. @AlexMags
Testing with Pester
https://github.com/pester
Describe 'Notepad' {
    It 'Exists in Windows folder' {
        # Deliberately wrong file name, so the assertion fails and shows Pester's failure output
        'C:\Windows\NotAtAllPad.exe' | Should -Exist `
            -Because "law 57 of Windows builds"
    }
}
Describing Notepad
  [-] Exists in Windows folder 17ms
    Expected path 'C:\Windows\NotAtAllPad.exe' to exist,
    because law 57 of Windows builds, but it did not exist.
35. @AlexMags
Test tenant config compared to JSON
$TenantSettingsJson = Get-Content $genericJSONPath | ConvertFrom-Json
# Tenant details for the Describe title; assumes Connect-AzureAD has already run
$AADtenant = Get-AzureADTenantDetail
# -ErrorAction SilentlyContinue: if no policy exists this is $null, which the first test catches
$currentCompanyConfig = Get-AzureADMSGroupLifecyclePolicy -ErrorAction SilentlyContinue
# Note: the -Because parameter requires Pester module v4 or later
Describe "Office365 group lifecycle policy for $($AADtenant.DisplayName)" {
    It "Office 365 group lifecycle policy exists" {
        $currentCompanyConfig | Should -Not -BeNullOrEmpty `
            -Because "Office 365 group lifecycle policy ensures projects are closed down and data archived"
    }
    It "Office 365 Group lifetime" {
        $currentCompanyConfig.GroupLifetimeInDays | Should -Be $TenantSettingsJson.GroupLifetimeInDays `
            -Because "Unused o365 groups should be archived after $($TenantSettingsJson.GroupLifetimeInDays) days"
    }
    It "Office 365 group notification mails" {
        $currentCompanyConfig.AlternateNotificationEmails | Should -Be $TenantSettingsJson.AlternateNotificationEmails `
            -Because "$($TenantSettingsJson.AlternateNotificationEmails) should be notified of unused o365 groups"
    }
}
Read JSON, get current config
Assert that current config shouldn't be blank/unset
Assert that current config should match JSON
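The slide writes one It per setting by hand. The following is an added example, not code from the deck or from @AlexMags, that generalises the same pattern into a data-driven test: every property in the JSON file becomes its own test case, so adding a setting to the versioned JSON adds a compliance check without editing the test. The JSON text, the property names beyond the two on the slide, the fabrikam.example address and the stand-in "current config" object are all constructed here so the file runs offline without an Azure AD connection; the comment at the top shows where the real cmdlets go.

```powershell
# Added example (not from the deck): data-driven Pester compliance test.
# Runs offline against constructed data. In the pipeline replace the two
# constructed inputs with the live sources:
#   $TenantSettingsJson   = Get-Content $genericJSONPath | ConvertFrom-Json
#   $currentCompanyConfig = Get-AzureADMSGroupLifecyclePolicy -ErrorAction SilentlyContinue

# Constructed settings file; property names other than the first two are assumptions.
$tenantSettingsText = @'
{
  "GroupLifetimeInDays": 180,
  "AlternateNotificationEmails": "o365-group-owners@fabrikam.example",
  "ManagedGroupTypes": "All"
}
'@
$TenantSettingsJson = $tenantSettingsText | ConvertFrom-Json

# One hashtable per JSON property; Pester binds the keys to the It block's parameters.
# Built at script level because Pester v5 evaluates -TestCases during discovery.
$testCases = foreach ($property in $TenantSettingsJson.PSObject.Properties) {
    @{ Name = $property.Name; Expected = $property.Value }
}

Describe 'Office 365 group lifecycle policy (constructed tenant)' {
    BeforeAll {
        # Constructed stand-in for the live policy object (BeforeAll so it is visible
        # inside It under both Pester v4 and v5). GroupLifetimeInDays is set to 365 on
        # purpose so the run shows what drift from the JSON looks like.
        $currentCompanyConfig = [pscustomobject]@{
            GroupLifetimeInDays         = 365
            AlternateNotificationEmails = 'o365-group-owners@fabrikam.example'
            ManagedGroupTypes           = 'All'
        }
    }

    It 'Policy is configured at all' {
        $currentCompanyConfig | Should -Not -BeNullOrEmpty `
            -Because 'with no lifecycle policy, unused groups and their data are never expired'
    }

    # <Name> in the test title is expanded from each test case.
    It 'Setting <Name> matches the JSON' -TestCases $testCases {
        param($Name, $Expected)
        $currentCompanyConfig.$Name | Should -Be $Expected `
            -Because "the versioned JSON is the source of truth for $Name"
    }
}
```

Save it as something ending in .Tests.ps1 and run Invoke-Pester -Path on it. Because the JSON drives the test cases, the -Because text is the only part you still write per setting, and a setting that is in the JSON but absent from the live object fails as "$null should be ..." rather than silently passing.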
40. @AlexMags
Incident tickets in ServiceNow
• Email to special email address
• ServiceNow email flow rule based on TO: address
• Email becomes incident in correct assignment group
• Azure DevOps notification rule logic:
Only email on 1st failure after a success
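The two pieces of that path that have logic in them are the "first failure after a success" gate and the e-mail whose TO: address ServiceNow's flow rule keys on. The following is an added example, not code from the deck or from @AlexMags, that models both in PowerShell so the gating rule can be reasoned about before wiring it into a notification rule. The run history, the intake and sender addresses and the function names are constructed for illustration; nothing is sent.

```powershell
# Added example (not from the deck). Models the alerting path described on the slide:
#  1. raise an alert only on the first failure after a success, so a check that stays
#     red for a week does not open a new ServiceNow incident every scheduled run;
#  2. build the e-mail whose TO: address ServiceNow's flow rule routes to an assignment group.

function Get-RunsToAlert {
    # Walks run results oldest-first and returns the ids that should trigger an e-mail:
    # a failure whose previous run succeeded, or a failure with no earlier run at all.
    param([Parameter(Mandatory)][object[]]$Runs)
    $previous = 'Succeeded'          # treat the very first run as following a success
    foreach ($run in $Runs) {
        if ($run.Result -eq 'Failed' -and $previous -eq 'Succeeded') { $run.Id }
        $previous = $run.Result
    }
}

function New-IncidentMail {
    # Builds Send-MailMessage parameters for one failed run. The subject carries tenant
    # and stage so the operator sees scope; the TO: address is what ServiceNow matches on.
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$Stage,
        [Parameter(Mandatory)][string[]]$FailedTests,
        [string]$IntakeAddress = 'o365-config-drift@servicenow.fabrikam.example'  # hypothetical
    )
    @{
        To      = $IntakeAddress
        From    = 'azure-devops@fabrikam.example'                                  # hypothetical
        Subject = "[$Tenant/$Stage] Office 365 configuration compliance failed ($($FailedTests.Count) tests)"
        Body    = "Failed assertions:`n" + (($FailedTests | ForEach-Object { " - $_" }) -join "`n")
    }
}

# Constructed run history, oldest first: a pass, two consecutive failures, a fix, a new failure.
$history = @(
    [pscustomobject]@{ Id = 101; Result = 'Succeeded' }
    [pscustomobject]@{ Id = 102; Result = 'Failed' }
    [pscustomobject]@{ Id = 103; Result = 'Failed' }      # still red from the same drift
    [pscustomobject]@{ Id = 104; Result = 'Succeeded' }   # drift fixed
    [pscustomobject]@{ Id = 105; Result = 'Failed' }      # new drift
)
$runsToAlert = Get-RunsToAlert -Runs $history

$mail = New-IncidentMail -Tenant 'fabrikam.onmicrosoft.com' -Stage 'Production' -FailedTests @(
    'Office 365 Group lifetime',
    'Office 365 group notification mails'
)
$runsToAlert
$mail.Subject
# To actually send: Send-MailMessage @mail -SmtpServer smtp.fabrikam.example
```

For the constructed history Get-RunsToAlert yields 102 and 105: run 103 is suppressed because the previous run was already failing, and the success at 104 resets the gate so the next failure opens a fresh incident. That matches the intent of the slide's notification rule, and the same state check is what the rule has to express.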
42. @AlexMags
The good, the bad
• Requires frequent maintenance to keep up with
organisation changes
• Requires frequent maintenance to keep up with Microsoft
changes/new features
• Maintenance requires PowerShell & DevOps skills
43. @AlexMags
The good, the bad, the ugly
• Outsourced operations teams don’t have PowerShell
automation skills
“we’re administrators not developers!”
Background: infrastructure engineering teams in investment banking and asset management.
High availability, high security, regulatory compliance.
Came off an Office 365 deployment. Sprinkled DevOps on it.
On prem vs IaaS
Terraform: why you're here. WHAT it is
Terraform workflow HOW to use it
Demo
Terraform for Dev, Sec, and Ops
News
Warning: Fetish for excruciating PowerPoint transitions.
Green field. Whole stack. New domain. New tenant
All the configuration needs to be tracked, maintained
Office365 Security Portal
With the Graph API you can export this list of improvement actions and see whether any flipped from completed to not completed.
Most accessible intro to release pipelines. Esp OPS guys
When you’ve been configuring Conditional Access by hand, and locked yourself and the entire company out, you know it.
http://www.jklossner.com/humannature
EA (250 users minimum)
MPSA (points; number of users varies with E3 or E5)
LOGICALLY
Admins subject to CA policy
VSTS Packer
Vault for your project
Azure DevOps scheduler
The account provided gives the code context
Onmicrosoft.com
Additional approval required to deploy prod
PESTER
Config exported to JSON
Assert things that should be true and you want to know if they’re not