In March this year, the Digital Transformation Agency (DTA) released the Protected Utility Blueprint, which supports building a Microsoft 365 environment that meets the requirements of PROTECTED level status under the Federal Government Protective Security Policy Framework.
The Protected Utility program delivers a secure, modern desktop, based on Microsoft Office 365. It will bring together best-in-class productivity tools and facilitate cross-agency collaboration.
The majority of the technologies, controls and processes that support certifying the Microsoft public cloud to PROTECTED level are implemented in the Azure Availability Zones (data centres); this includes all Azure Availability Zones in Australia. Further configuration is, however, required within M365 itself in order to meet PROTECTED status. The DTA's Protected Utility Blueprint details all of that required configuration.
The DTA M365 Protected Utility Configuration as Code Project
M365 Protected Utility Configuration as Code - Github Repo
The objective of this project is to take DevOps Infrastructure as Code principles and apply them to M365. In a DevOps context, Infrastructure as Code is used to express the build and configuration of cloud services programmatically. Deploying cloud services from Infrastructure as Code makes the deployment fully automated, repeatable and rapid.
In Azure DevOps, Infrastructure as Code is implemented with Azure Resource Manager (ARM) templates, which are JSON-based.
In M365, the equivalent of Infrastructure as Code is Configuration as Code. This is due to M365 being SaaS and not IaaS. Windows PowerShell Desired State Configuration does the heavy lifting.
The utility that leverages configuration as code is called Microsoft 365 Desired State Configuration.
The project sets out to build a complete PROTECTED M365 deployment on a Microsoft 365 E5 licence base, as per the Protected Utility Blueprints. Microsoft 365 Desired State Configuration would then be used to capture the tenant configuration and convert it into a Desired State Configuration Blueprint.
Microsoft 365 Desired State Configuration could then be used to apply the Desired State Configuration Blueprint to fully configure M365 in line with the DTA Protected Utility Blueprint. The objective is to automate the replication of an M365 Protected Utility Tenant. This will ensure an automated, consistent, and repeatable deployment, with a considerable reduction in time and labor.
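The capture-then-apply round trip described above, as an added PowerShell example (this is not code from the DTA Blueprint or from the project repository). It assumes the Microsoft365DSC module is installed from the PowerShell Gallery, that the credential used has administrative rights in the tenant, and that the export path, file name, configuration name and policy display name are placeholders of my own choosing; the resource and property names follow the Microsoft365DSC documentation and should be checked against the module version you install, as they change between releases.

```powershell
# Added example, not part of the DTA Blueprint or the project repo.
# Assumptions: Microsoft365DSC installed; $cred is a tenant administrator;
# paths, names and the policy values below are constructed placeholders.

Install-Module -Name Microsoft365DSC -Scope CurrentUser -Force
Update-M365DSCDependencies   # pulls the Graph/Exchange/SharePoint modules the resources rely on

$cred = Get-Credential -Message 'M365 tenant administrator'

# 1. Capture the current state of selected workloads from the reference tenant.
#    The export is itself a DSC configuration (.ps1) that can be reviewed and version-controlled.
Export-M365DSCConfiguration -Components @('AADConditionalAccessPolicy', 'AADNamedLocationPolicy') `
    -Credential $cred `
    -Path 'C:\M365DSC\Export' `
    -FileName 'ProtectedUtilityExport.ps1'

# 2. A hand-authored baseline showing the shape of what the export produces.
#    One illustrative control: require MFA for all users on all cloud apps.
Configuration ProtectedUtilityBaseline {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $Credential
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost {
        # 'Ensure = Present' makes DSC create the policy if missing or correct it if it drifted.
        AADConditionalAccessPolicy 'CA-Require-MFA-All-Users' {
            DisplayName          = 'PLACEHOLDER - Require MFA for all users'   # constructed value
            State                = 'enabledForReportingButNotEnforced'        # report-only first; set 'enabled' after review
            IncludeUsers         = @('All')
            IncludeApplications  = @('All')
            ClientAppTypes       = @('all')
            BuiltInControls      = @('mfa')
            GrantControlOperator = 'OR'
            Ensure               = 'Present'
            Credential           = $Credential
        }
    }
}

# DSC refuses to compile a credential into a MOF unless told how to protect it.
# PSDscAllowPlainTextPassword is acceptable only on a disposable build box;
# use the CertificateFile / Thumbprint option for anything that is kept.
$configData = @{
    AllNodes = @(
        @{ NodeName = 'localhost'; PSDscAllowPlainTextPassword = $true }
    )
}

# 3. Compile to a MOF, check the target tenant for drift, then apply.
ProtectedUtilityBaseline -Credential $cred -ConfigurationData $configData -OutputPath 'C:\M365DSC\Baseline'
Test-DscConfiguration  -Path 'C:\M365DSC\Baseline' -Verbose   # True means the tenant already matches
Start-DscConfiguration -Path 'C:\M365DSC\Baseline' -Wait -Verbose -Force
```

Running step 3 against a second tenant is what turns the exported configuration into a repeatable deployment: the MOF is the record of intended state, Test-DscConfiguration reports drift from it, and Start-DscConfiguration corrects that drift, so the same file both builds a new tenant and audits an existing one.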
The project has just commenced as a special interest of mine and is a proof of concept.
Any feedback or comments are appreciated.