Maester and UTCM Are Complementary Tools for Microsoft 365 Tenant Management

UTCM and Maester Serve Different Purposes

With the arrival (in preview) of Microsoft’s Unified Tenant Configuration Management (UTCM) solution, some have asked if any potential overlap exists between UTCM and the community-driven Maester project. The answer is no. Both projects do different things and can be considered complementary to each other. Let me explain why.

UTCM Attacks the Problem of Configuration Settings

Microsoft 365 is a complex system to manage. The different workloads do not share common approaches to configurations and tenant administrators must deal with anything from a system registry setting to control how individual clients work to Graph API requests to update settings like obfuscation for report data. The lack of consistency and coherence means that Microsoft 365 administration is challenging, especially when something “goes wrong” after working perfectly happily for months.

Unified Tenant Configuration Management (UTCM) is the start of a project to help tenant administrators detect changes to important configuration settings within Entra ID and the wider Microsoft 365 ecosystem. It’s only a start because UTCM cannot monitor everything. As explained in this article, UTCM has an inventory of approximately 300 workload resources that it can monitor to note when changes occur to specified properties. This change is called drift, and it’s the kind of thing that can cause a workload not to function as expected. The set of resource types and properties is defined in a schema that Microsoft is likely to expand over time to increase the usefulness of UTCM.

UTCM works by checking the current properties of a monitored resource against the value captured in a snapshot. Tenant administrators must decide what resources and properties to monitor, how they will detect change (by checking the configuration drift records generated by UTCM), and what they will do when a property changes. In addition, because UTCM doesn’t tell you who changed a setting, effort is required to track down the culprit using audit logs (if the action is audited).

Today, UTCM is unfinished in that it cannot advise when change happens or what should happen about the change. Microsoft has said that they will improve UTCM functionality (listen to this podcast with Nik Charlebois, Principal Program Manager for UTCM), but the most exciting part of UTCM is that its workings are exposed through Graph APIs. ISVs and individual tenants can therefore fill in the gaps left by Microsoft. Because the problem of configuration drift is so intense, I anticipate that we’ll hear a lot about extensions and enhancements for UTCM in the coming months.

Maester Features Security and Custom Tests

Maester is an open-source, community-driven platform for testing different aspects of a Microsoft 365 tenant against best practice. Rather than being driven through Graph APIs, Maester lets tenants add their own custom tests written in Pester, the PowerShell test framework. The tests can call Graph APIs to extract data about a workload. Being able to customize the test framework with your own tests is a very powerful capability.

Reporting a tenant’s current configuration against best practice (as determined by the community) helps tenants to maintain secure configurations. Many of the original Maester tests were written to test aspects of Entra ID like conditional access policies. With some extra effort, Maester tests can run against components like Exchange Online and Microsoft Teams and can execute in Azure Automation runbooks to ensure that assessments happen on a scheduled basis. Like UTCM, Maester doesn’t tell you who last updated a setting.

Reporting focuses on inconsistencies between the observed tenant configuration and best practice. It’s important to understand that failing a Maester test might be inconsequential if the setting being reported on is acceptable to your organization. For example, among the test failures Maester reported in a recent run (Figure 1) was “ORCA.240: Outlook is configured to display external tags for external emails,” a test belonging to the Microsoft Defender for Office 365 Recommended Configuration Analyzer (ORCA). The failure is because I disabled Outlook’s external email tagging option for some reason, probably because I can recognize external email.

Figure 1: Reviewing Maester test results for a Microsoft 365 tenant
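To illustrate the custom-test capability described above and the ORCA.240 setting just discussed, here is an added example of a Maester-style Pester test file. It is not code from the Maester project or from ORCA; it assumes the Maester module is loaded and a session is already connected (Connect-Maester, which signs in to Graph and Exchange Online), and the “CUSTOM.00x” test IDs, the “Contoso” tag and the chosen policy criteria are constructed for the example.

```powershell
# Custom Maester-style tests (added example, not part of the Maester project).
# Assumes: Maester module imported and Connect-Maester already run, so that
# Invoke-MtGraphRequest, Add-MtTestResultDetail and the Exchange Online cmdlets are available.
Describe "Contoso custom tests" -Tag "Custom", "Contoso" {

    It "CUSTOM.001: At least one enabled Conditional Access policy blocks legacy authentication" {
        # Pull every Conditional Access policy through Graph (v1.0 endpoint).
        $policies = Invoke-MtGraphRequest -RelativeUri "identity/conditionalAccess/policies"

        # A legacy-auth block: enabled, grant control "block", and scoped to the
        # legacy client app types (Exchange ActiveSync and "other" clients).
        $legacyBlock = @($policies | Where-Object {
            $_.state -eq "enabled" -and
            $_.grantControls.builtInControls -contains "block" -and
            $_.conditions.clientAppTypes -contains "exchangeActiveSync" -and
            $_.conditions.clientAppTypes -contains "other"
        })

        $passed = $legacyBlock.Count -gt 0
        $detail = if ($passed) {
            "Policies blocking legacy authentication: $($legacyBlock.displayName -join ', ')"
        } else {
            "No enabled Conditional Access policy blocks legacy authentication clients."
        }
        # Surface the evidence in the Maester report alongside the pass/fail result.
        Add-MtTestResultDetail -Result $detail
        $passed | Should -Be $true
    }

    It "CUSTOM.002: Outlook external email tagging is enabled (same setting ORCA.240 checks)" {
        # Exchange Online cmdlet; each returned object carries an Enabled flag.
        $external = @(Get-ExternalInOutlook)
        $enabled  = @($external | Where-Object { $_.Enabled }).Count -gt 0

        $detail = if ($enabled) {
            "External email tagging is enabled for: $($external.Identity -join ', ')"
        } else {
            "External email tagging is disabled; external senders are not marked in Outlook."
        }
        Add-MtTestResultDetail -Result $detail
        $enabled | Should -Be $true
    }
}
```

Save the file as Contoso.Tests.ps1 in the tests folder and run Invoke-Maester to have it appear in the report next to the built-in tests; if your organization has deliberately disabled external tagging, drop CUSTOM.002 rather than carrying a permanent failure.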

Maester can be integrated with GitHub and Azure DevOps to improve the effectiveness of its operations. When Maester detects inconsistencies, it can flag the problem through email, Teams, or Slack. For more details, see the Maester home page.

Two Very Useful Tools

Maester and UTCM are not competitors. Maester has community backing and draws upon industry standards like CISA and CIS in addition to Microsoft recommendations for the security configurations that its tests assess. Customization and reporting are the core strength of Maester.

On the other hand, UTCM is a Microsoft solution that will come with support when it’s generally available. UTCM doesn’t draw upon the same kind of material because it’s simply concerned about measuring configuration drift within individual tenants.

You could say that Maester helps you get your tenant’s configuration into a secure and supportable shape and UTCM then measures change that happens in that configuration. Of course, some of the drift might come from updated recommendations in Maester tests, but that just reflects the changing nature of the Microsoft 365 ecosystem. In either case, any Microsoft 365 tenant can benefit from these tools.
