How are you keeping Entra External ID config consistent across multiple tenants?
Posted by antivocal@reddit | sysadmin | 14 comments
Managing a handful of Entra External ID tenants for different clients and keeping them consistent is kind of a mess; every tenant has drifted from the "standard" config in some small way and there's no clean way to see what's different or push a change across all of them.
Currently got some Graph API scripts and a folder of exported JSON I manually diff.
Is there anything better out there? Not looking for full IaC, just something that can tell me "here's what's different between these two tenants right now".
belkezo@reddit
We had the same drift problem across about 8 client tenants and ended up going with Netwrix 1Secure ITDR after trying to maintain it manually for way too long. The specific thing that sold us was the Entra External ID configuration recovery piece: it can actually snapshot and restore object configs across tenants, so when something drifts or someone makes a change you didn't sanction, you're not just seeing a diff, you can roll it back.
Myriade-de-Couilles@reddit
We’re using CIPP, it can monitor configuration drift
man__i__love__frogs@reddit
What exactly is 'drifting'? Is it customization or security things?
If it's security-related settings, look at using the new baseline security mode in the M365 admin center and just plan to check it on an annual basis.
certifiedsysadmin@reddit
https://www.reddit.com/r/entra/s/IODl8qdUlr
JohnnyAngel@reddit
I mean if you have a standard config, a powershell script that scans for that and reports deviation might be a thought.
antivocal@reddit (OP)
Yeh this is my initial thinking. Graph API does seem to have a good amount of coverage for what I need by the looks of it
VikingSolarium@reddit
Check out Maester, specifically built to monitor and manage Entra ID config.
JohnnyAngel@reddit
Out of curiosity, how many tenancies are we talking about?
antivocal@reddit (OP)
Just a couple atm but potentially more
JohnnyAngel@reddit
So since you already have Graph, I bashed out two scripts: a JSON to load up all the different tenancies, IDs, etc., and the PowerShell script calls that as a variable and, after authing, runs the script. That way you can search for things Graph can't. Little cleaner.
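One way to build the "what's different between these two tenants right now" check the thread keeps coming back to, as an added example that is not JohnnyAngel's scripts or any product's code: a PowerShell script that reads a tenant list from JSON, snapshots the same Graph objects from every tenant, and reports property-level differences against the first tenant as baseline. It assumes the Microsoft.Graph PowerShell SDK; tenants.json, the endpoint list and the ignore list are placeholders to adapt.

```powershell
# Added example, not the thread's scripts. Assumes Microsoft.Graph SDK (Connect-MgGraph,
# Invoke-MgGraphRequest) and a tenants.json that is an array of {"name": "...", "tenantId": "..."}.
# The first entry is treated as the baseline tenant; the endpoint list is a starting point.
$tenants   = Get-Content -Path .\tenants.json -Raw | ConvertFrom-Json
$endpoints = @{
    authorizationPolicy = '/v1.0/policies/authorizationPolicy'
    conditionalAccess   = '/v1.0/identity/conditionalAccess/policies'
}
# Properties that always differ per tenant and would only add noise to the diff.
$ignore = @('id', 'createdDateTime', 'modifiedDateTime', 'deletedDateTime', '@odata.context')

function Get-TenantSnapshot([string]$TenantId) {
    Connect-MgGraph -TenantId $TenantId -Scopes 'Policy.Read.All' -NoWelcome
    $snap = @{}
    foreach ($key in $endpoints.Keys) {
        $r = Invoke-MgGraphRequest -Method GET -Uri $endpoints[$key]   # returns a hashtable
        # Collections come back under 'value'; single objects (authorizationPolicy) do not.
        $items = if ($r.ContainsKey('value')) { $r.value } else { @($r) }
        foreach ($item in $items) {
            $name = if ($item.displayName) { $item.displayName } else { $key }
            $flat = @{}
            foreach ($p in $item.Keys) {
                if ($ignore -contains $p) { continue }
                # Serialise nested values so every property compares as a single string.
                $flat[$p] = ConvertTo-Json -InputObject $item[$p] -Depth 10 -Compress
            }
            $snap["$key/$name"] = $flat
        }
    }
    Disconnect-MgGraph | Out-Null
    return $snap
}

function Compare-Snapshot($Baseline, $Other, [string]$Label) {
    foreach ($obj in ($Baseline.Keys + $Other.Keys | Sort-Object -Unique)) {
        if (-not $Other.ContainsKey($obj))    { "[$Label] MISSING $obj"; continue }
        if (-not $Baseline.ContainsKey($obj)) { "[$Label] EXTRA   $obj"; continue }
        foreach ($p in ($Baseline[$obj].Keys + $Other[$obj].Keys | Sort-Object -Unique)) {
            if ($Baseline[$obj][$p] -ne $Other[$obj][$p]) {
                "[$Label] CHANGED $obj.$p : baseline=$($Baseline[$obj][$p]) other=$($Other[$obj][$p])"
            }
        }
    }
}

$baseline = Get-TenantSnapshot $tenants[0].tenantId
foreach ($t in $tenants | Select-Object -Skip 1) {
    Compare-Snapshot -Baseline $baseline -Other (Get-TenantSnapshot $t.tenantId) -Label $t.name
}
```

Each Connect-MgGraph call signs in to one tenant interactively; for unattended runs, swap in an app registration per tenant and note that anything the CHANGED lines flag in conditional access or the authorization policy is worth reviewing before it is "fixed" back to baseline.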
konikpk@reddit
Terraform
HotfixLover@reddit
Honestly, manual JSON diffing sounds like the exact kind of thing everyone starts with and then slowly grows to hate.
Turak64@reddit
Have you looked into M365 DSC?
HotdogFromIKEA@reddit
I agree with this. Also, just as a note, it's becoming Microsoft Tenant Configuration Manager. On another note, TCM doesn't have all the features of DCM yet, but it will eventually; it's also supported by MS, whereas DCM is supported by a community of MS engineers and other brains on the internet. Only mentioning this due to the stance your company may take with you using either.
Final note is that if you do configure DCM, there is documentation to walk you through converting your config (for DCM) to TCM.
If you are starting fresh and just want to essentially export or compare, then I would go TCM. It's what I'm doing currently, but I have to put a proposal doc together and get approval from the powers that be.