kayasax/EasyTCM
πŸ›‘οΈ EasyTCM

Stop Microsoft 365 tenant drift before it becomes a breach.



Someone changes a Conditional Access policy. A transport rule gets modified. An auth method is disabled. You don't know until something breaks — or fails an audit.

Microsoft's new TCM APIs monitor your tenant configuration server-side every 6 hours across Entra, Exchange, Intune, Teams, and Security & Compliance.

EasyTCM makes them accessible through 3 simple commands.

🚀 Three Commands. That's It.

Install-Module EasyTCM

# 1. Setup (one time — guided wizard handles everything)
Start-TCMMonitoring

# 2. Check for drift (daily)
Show-TCMDrift

# 3. After approved changes, accept the new state
Update-TCMBaseline

What Each Command Does

Start-TCMMonitoring — Guided wizard: connects to Graph, creates the TCM service principal, snapshots your tenant, builds a security-focused baseline, creates a monitor. Zero to monitoring in one run.

Show-TCMDrift — Your daily command:

Show-TCMDrift                    # quick console summary
Show-TCMDrift -Report            # HTML dashboard with admin portal links
Show-TCMDrift -Maester           # pipe results into Maester test framework
Show-TCMDrift -CompareBaseline   # also catch new/deleted resources

Update-TCMBaseline — After you verify drift is from approved changes, rebaseline with one command. Shows current drift for review, takes a fresh snapshot, updates the monitor.


📸 See It In Action

Console drift check:

πŸ” Checking for configuration drift...

  ⚠️  3 active drift(s) detected!

  conditionalaccesspolicy (2):
    β€’ Block Legacy Auth β€” 1 changed property
      state: enabled β†’ disabled
    β€’ Require MFA for Admins β€” 1 changed property
      excludeUsers: [] β†’ ["breakglass@contoso.com"]

  namedlocation (1):
    β€’ Corporate Network β€” 1 changed property
      ipRanges: ["10.0.0.0/8"] β†’ ["10.0.0.0/8","192.168.0.0/16"]

Maester integration — drift as failed tests in your existing report:

Screenshot: Maester detecting TCM drift across 4 workloads with property-level detail


πŸ›οΈ CISA SCuBA Baseline Templates

Scope your TCM monitor to only the resource types that matter for CISA compliance. When a CISA-relevant config changes, you'll know within 6 hours.

# Create a CISA-scoped monitor in one pipeline
New-TCMSnapshot -Wait | ConvertTo-TCMBaseline -Template CISA-SCuBA-Entra -DisplayName 'CISA Entra' | New-TCMMonitor

# Or combine all three workloads
$snap = New-TCMSnapshot -Workload Entra, Exchange, Teams -Wait
ConvertTo-TCMBaseline -SnapshotContent $snap -Template CISA-SCuBA-Entra, CISA-SCuBA-Exchange, CISA-SCuBA-Teams

EasyTCM watches the config. Maester/ScubaGear checks the rules. Use Show-TCMDrift -Maester to pipe TCM drift into Maester's test framework for unified reporting.

Three built-in templates cover 41 CISA SCuBA controls across 23 TCM resource types:

CISA-SCuBA-Entra — 18 controls, 6 resource types

| Control | Severity | BOD 25-01 | What TCM Monitors |
|---|---|---|---|
| MS.AAD.1.1v1 | SHALL | ✅ | CA policy blocking legacy auth |
| MS.AAD.2.1v1 | SHALL | ✅ | CA policy blocking high-risk users |
| MS.AAD.2.3v1 | SHALL | ✅ | CA policy blocking high-risk sign-ins |
| MS.AAD.3.1v1 | SHALL | ✅ | CA policy enforcing phishing-resistant MFA |
| MS.AAD.3.2v1 | SHALL | ✅ | CA policy enforcing alternative MFA |
| MS.AAD.3.3v2 | SHALL | ✅ | Authenticator login context (auth method policy) |
| MS.AAD.3.4v1 | SHALL | ✅ | Auth Methods migration state (auth method policy) |
| MS.AAD.3.5v2 | SHALL | ✅ | SMS/Voice/Email OTP disabled (auth method policy) |
| MS.AAD.3.6v1 | SHALL | ✅ | CA policy for privileged role MFA |
| MS.AAD.3.7v1 | SHOULD | | CA policy requiring managed devices |
| MS.AAD.3.8v1 | SHOULD | | CA policy for MFA registration device requirement |
| MS.AAD.3.9v1 | SHOULD | | CA policy blocking device code flow |
| MS.AAD.5.1v1 | SHALL | ✅ | App registration restriction (authorization policy) |
| MS.AAD.5.2v1 | SHALL | ✅ | App consent restriction (authorization policy) |
| MS.AAD.5.3v1 | SHALL | ✅ | Admin consent workflow (authorization policy) |
| MS.AAD.8.1v1 | SHOULD | | Guest directory access (authorization policy) |
| MS.AAD.8.2v1 | SHOULD | | Guest invitation policy (cross-tenant access) |
| MS.AAD.8.3v1 | SHOULD | | Guest domain restrictions (cross-tenant access) |

Resource types: conditionalaccesspolicy, authenticationmethodpolicy, authorizationpolicy, crosstenantaccesspolicy, crosstenantaccesspolicyconfigurationpartner, namedlocationpolicy

CISA-SCuBA-Exchange — 14 controls, 12 resource types

| Control | Severity | BOD 25-01 | What TCM Monitors |
|---|---|---|---|
| MS.EXO.1.1v2 | SHALL | ✅ | Auto-forwarding (outbound spam filter) |
| MS.EXO.3.1v1 | SHOULD | | DKIM signing config |
| MS.EXO.5.1v1 | SHALL | ✅ | SMTP AUTH (organization config) |
| MS.EXO.6.1v1 | SHALL | ✅ | Contact folder sharing (organization config) |
| MS.EXO.6.2v1 | SHALL | ✅ | Calendar sharing (organization config) |
| MS.EXO.7.1v1 | SHALL | ✅ | External sender warnings (transport rules) |
| MS.EXO.11.1v1 | SHOULD | | Impersonation protection (anti-phish policy) |
| MS.EXO.11.3v1 | SHOULD | | Mailbox Intelligence (anti-phish policy) |
| MS.EXO.12.1v1 | SHOULD | | IP allow lists (content filter policy) |
| MS.EXO.12.2v1 | SHOULD | | Safe lists (content filter policy) |
| MS.EXO.13.1v1 | SHALL | ✅ | Mailbox auditing (organization config) |
| MS.EXO.14.3v1 | SHALL | | Allowed domains in anti-spam |
| MS.EXO.15.1v1 | SHOULD | | Safe Links URL scanning |
| MS.EXO.15.2v1 | SHOULD | | Safe Attachments malware scanning |

Resource types: antiphishpolicy, antiphishrule, hostedcontentfilterpolicy, hostedoutboundspamfilterpolicy, safeattachmentpolicy, safelinkspolicy, transportrule, dkimsigningconfig, organizationconfig, malwarefilterrule, inboundconnector, outboundconnector

CISA-SCuBA-Teams — 9 controls, 5 resource types

| Control | Severity | BOD 25-01 | What TCM Monitors |
|---|---|---|---|
| MS.TEAMS.1.1v1 | SHALL | ✅ | External access per-domain (federation config) |
| MS.TEAMS.1.2v1 | SHALL | ✅ | Authorized domains only (federation config) |
| MS.TEAMS.1.3v1 | SHALL | ✅ | Unmanaged user contact (federation config) |
| MS.TEAMS.1.4v1 | SHOULD | | Skype interop (federation config) |
| MS.TEAMS.2.1v1 | SHALL | ✅ | Anonymous meeting join (meeting policy) |
| MS.TEAMS.2.2v1 | SHOULD | | Anonymous auto-admit (meeting config) |
| MS.TEAMS.2.3v1 | SHOULD | | External participant control (meeting policy) |
| MS.TEAMS.4.1v1 | SHOULD | | App permission policy |
| MS.TEAMS.6.1v1 | SHOULD | | Security reporting (messaging policy) |

Resource types: federationconfiguration, meetingpolicy, messagingpolicy, apppermissionpolicy, meetingconfiguration


✏️ Interactive Monitor Editor

Need to add or remove resource types from your monitor? No need to rebuild from scratch:

# Visual editor — opens in your browser
Edit-TCMMonitor

# Or inspect what you're monitoring
Show-TCMMonitor -Browser

Screenshot: Edit-TCMMonitor interactive HTML editor showing resource type checkboxes, profile presets, severity badges, and quota estimate

Use preset buttons (SecurityCritical / Recommended / Full) or select resource types with checkboxes, then click Copy PowerShell Command and paste. EasyTCM handles the snapshot, baseline merge, and monitor update.

# Non-interactive — scripted updates
Edit-TCMMonitor -ResourceTypes @('microsoft.entra.conditionalaccesspolicy','microsoft.entra.authenticationmethodpolicy')

# Expand coverage with a CISA template — no rebaselining needed
Add-TCMMonitorType -Template CISA-SCuBA-Exchange

📦 Install

Install-Module EasyTCM -Scope CurrentUser

| Requirement | Details |
|---|---|
| PowerShell | 5.1+ or 7.0+ |
| Graph module | Microsoft.Graph.Authentication (auto-installed) |
| Permissions | Global Admin for initial setup, then ConfigurationMonitoring.ReadWrite.All |

📖 Learn More

📖 Full Documentation — The complete story: problem → solution → Maester → automation
Maester Integration — Why & how to combine TCM + Maester for unified security reporting
Continuous Monitoring & Automation — Daily checks → rebaselining → Task Scheduler / Azure Automation / GitHub Actions
GitHub Actions Workflows — Ready-to-use Maester + TCM drift detection workflows — setup guide
Getting Started (Advanced) — Step-by-step guide with granular control over each cmdlet
Changelog — Version history

βš™οΈ GitHub Actions

Two ready-to-use workflow templates live in templates/workflows/:

| Workflow | What it does |
|---|---|
| maester.yml | Vanilla Maester — 400+ daily M365 security checks, HTML report artifact |
| maester-tcm.yml | Maester + TCM — security checks AND drift detection in one report |

# Add to your repo — that's it.
# Runs daily at 06:00 UTC and on manual trigger.
on:
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch:

Drift = failing Pester test = workflow failure = free alerting via GitHub notifications.

See the full setup guide for app registration, permissions, OIDC vs client-secret auth, and troubleshooting.
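A scheduled drift gate for the automation described above (Task Scheduler, Azure Automation or a GitHub Actions `pwsh` step), added here as an example and not part of EasyTCM. It uses only cmdlets listed on this page plus Connect-MgGraph from Microsoft.Graph.Authentication; it assumes app-only certificate auth, that Test-TCMConnection returns $false when not ready, and that Get-TCMDrift returns one object per drift with Workload and ResourceType properties (assumed property names).

```powershell
# Added example (not part of EasyTCM): fail the run when unreviewed drift exists.
# Assumptions: app-only certificate auth; Get-TCMDrift objects expose Workload and
# ResourceType (assumed names); Test-TCMConnection returns $false when not ready.
param(
    [string]$TenantId = $env:TCM_TENANT_ID,
    [string]$ClientId = $env:TCM_CLIENT_ID,
    [string]$CertificateThumbprint = $env:TCM_CERT_THUMBPRINT,
    # Workloads whose drift blocks the run; drift elsewhere is reported only.
    [string[]]$BlockingWorkloads = @('Entra', 'Exchange')
)
$ErrorActionPreference = 'Stop'
Import-Module EasyTCM

# Certificate-based app-only sign-in: no long-lived client secret in the runner.
# The app needs ConfigurationMonitoring.ReadWrite.All (see the setup guide).
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome
if (-not (Test-TCMConnection)) { throw 'TCM is not ready for this identity.' }

# Property-level drift against the monitor baseline ...
$drifts = @(Get-TCMDrift)
# ... plus resources created or deleted since the baseline was taken.
$outsideBaseline = @(Compare-TCMBaseline)

if ($drifts.Count -eq 0 -and $outsideBaseline.Count -eq 0) {
    Write-Host 'No drift detected.'
    exit 0
}

# Summarise per workload so the notification is readable at a glance.
$drifts | Group-Object Workload | ForEach-Object {
    Write-Host ('{0}: {1} drift(s)' -f $_.Name, $_.Count)
    $_.Group | ForEach-Object { Write-Host ('  - {0}' -f $_.ResourceType) }
}
Write-Host ('{0} resource(s) outside the baseline' -f $outsideBaseline.Count)

# Keep the HTML evidence for the reviewer who decides on Update-TCMBaseline.
Export-TCMDriftReport

$blocking = @($drifts | Where-Object { $BlockingWorkloads -contains $_.Workload })
# Non-zero exit = failed job / failed scheduled task = alert, no extra plumbing.
if ($blocking.Count -gt 0 -or $outsideBaseline.Count -gt 0) { exit 1 }
exit 0
```

Run it only after the reviewer has rebaselined approved changes with Update-TCMBaseline; otherwise every cycle re-alerts on drift that is already known.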


🔧 All 24 Cmdlets


Easy Buttons (v0.3.0+)

| Cmdlet | Description |
|---|---|
| Start-TCMMonitoring | Guided wizard: connect → setup → snapshot → baseline → monitor |
| Show-TCMDrift | Daily drift check: console, -Report HTML, -Maester tests |
| Update-TCMBaseline | Rebaseline after approved changes |
| Register-TCMSchedule | One-command setup for automated drift monitoring with Teams notifications |

Setup

| Cmdlet | Description |
|---|---|
| Initialize-TCM | Register TCM service principal, grant permissions |
| Test-TCMConnection | Verify authentication and TCM readiness |

Snapshots

| Cmdlet | Description |
|---|---|
| New-TCMSnapshot | Snapshot tenant config with workload shortcuts + -Wait |
| Get-TCMSnapshot | Retrieve snapshots with optional -IncludeContent |
| Remove-TCMSnapshot | Delete a snapshot job |
| ConvertTo-TCMBaseline | Snapshot → baseline with profiles or -Template compliance filtering |

Monitors

| Cmdlet | Description |
|---|---|
| New-TCMMonitor | Create a monitor with quota-aware warnings |
| Get-TCMMonitor | List monitors with baseline summary |
| Update-TCMMonitor | Update baseline (⚠️ deletes existing drifts) |
| Remove-TCMMonitor | Delete a monitor |
| Add-TCMMonitorType | Expand monitor coverage with templates — no full rebaseline needed |

Monitor UX (v0.5.0+)

| Cmdlet | Description |
|---|---|
| Show-TCMMonitor | Inspect monitored types: console, -Detailed, or -Browser HTML view |
| Edit-TCMMonitor | Interactive HTML editor or -ResourceTypes for scripted updates |

Drift & Reporting

| Cmdlet | Description |
|---|---|
| Get-TCMDrift | Enriched drifts with workload classification |
| Get-TCMMonitoringResult | Monitor cycle status and timing |
| Export-TCMDriftReport | HTML dashboard with admin portal deep links |
| Compare-TCMBaseline | Detect new/deleted resources not in baseline |
| Get-TCMQuota | Real-time quota dashboard |

Maester Bridge

| Cmdlet | Description |
|---|---|
| Sync-TCMDriftToMaester | Generate Maester-compatible drift test suites |

🌐 Coverage

6 workloads, 62 resource types: Entra (CA policies, auth methods, named locations) · Exchange (transport rules, anti-phishing, DKIM) · Intune (device config) · Teams (meeting/messaging policies, federation) · Security & Compliance (DLP, retention, sensitivity labels)

Compliance templates: 3 CISA SCuBA baselines (Entra, Exchange, Teams) scope your monitors to security-relevant resource types. See templates/.


🤝 Contributing

git clone https://github.com/kayasax/EasyTCM.git
cd EasyTCM; Import-Module ./EasyTCM/EasyTCM.psd1; Invoke-Pester ./tests/

See CONTRIBUTING.md for guidelines.


Built with ❤️ for the Microsoft 365 Administrator Community
By the creator of EasyPIM

About

Simplify Microsoft 365 Tenant Configuration Management (TCM) APIs - The EasyPIM approach for tenant-wide configuration monitoring, drift detection, and remediation