microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
1.6k stars 499 forks

M365 DSC configuration - ApplyAndAutoCorrect is NOT really what it says #5079

Open subhashvinjamuri opened 1 month ago

subhashvinjamuri commented 1 month ago

We are trying to implement M365DSC to manage tenant configuration using a standard DevOps process (GitHub and a Jenkins pipeline). During this process, we defined resource configuration files in GitHub and update them via GitHub pull requests (PRs). Our Jenkins pipeline compiles them to .mof files and applies them to the tenant.

Example - the configuration contains:

- Resource1 - in PR1
- Resource1 and resource 2 - in PR2
- Resource1, resource 2 and Resource 3 - in PR3
- Resource1, resource 2, resource 3 and Resource 4 - in PR4

All works fine and good. But now, if I do a GitHub revert of a commit and want to bring the tenant state back to what it was at PR2 (from PR4), there the issue comes. When I revert to PR2, we get the config from PR2, and that gets forced on the tenant to have only resources 1 & 2 exist. However, the previously created resources, resource 3 & resource 4, still stay in the tenant. And even though DSC sees some extra resources (3 & 4) in the tenant, it does NOT delete them even though I apply DSC with tried the same with LCM config - ApplyAndAutoCorrect, no luck.

Please suggest how to proceed further

FabienTschanz commented 1 month ago

For a resource to be deleted, its state must be set to Ensure = Absent. Simply removing it from the configuration does not delete the resource from the tenant. It must be manually set to Absent, otherwise it will remain untouched.

subhashvinjamuri commented 1 month ago

Thanks, yes, that is observed (usage of Ensure). In this case, I am wondering - can we not use this GitHub revert feature while implementing with DevOps? The intention of using DSC is to make sure the configurations applied on the tenant are controlled and reviewed, and to track every change (possible). So if any resource is in the tenant but not in the configuration file, it can't be monitored / alerted / autocorrected?

FabienTschanz commented 1 month ago

The thing in DSC is: Would you like to manage resources that you do not have a configuration for? If yes, add them to the configuration. If not, leave them out. Applying a configuration for a specific state changes the resources, but the moment you remove them from the configuration, they become unmanaged. If you actually want to revert any changes, you must change the configuration to make it conform to what you expect to happen.

Terraform goes another way: You create resources, it will add them to a state, and once you remove them from the configuration, it will detect that they are still present in the state and do the cleanup for you. Since Microsoft365DSC does not check for a configuration change against the previous configuration, it won't clean up any resources that were previously created. So you have to clean them up either manually or by using Ensure = 'Absent'.

I am not too familiar with drift monitoring to be honest. That's something new for me as well, and I do need to educate myself more on that topic. So I am not going to stick my head too much out of the window, but from what I expect it to do is that it will only alert drifts in the resources that you have a configuration for. I don't expect it to alert you for changes in resources that you do not have a configuration for (how would it do that?).
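The gap discussed above can be caught in the pipeline before a revert is applied. The following is an added example, not part of the thread and not Microsoft365DSC code: it compares the `ResourceID` entries of the last applied MOF with those of the MOF about to be applied and lists the resources that would become unmanaged. The function names are hypothetical, the MOF text is constructed sample data using `AADGroup` as a stand-in resource type, and it assumes the pipeline keeps a copy of the previously applied .mof file.

```powershell
# Added example. Function names are hypothetical; the MOF text is constructed sample data.
function Get-MofResourceId {
    param([string]$MofText)
    # Each compiled resource instance carries a line: ResourceID = "[Type]Name";
    $pattern = 'ResourceID\s*=\s*"(?<Id>\[[^\]]+\][^"]+)"'
    foreach ($match in [regex]::Matches($MofText, $pattern)) {
        $match.Groups['Id'].Value
    }
}

function Get-OrphanedResource {
    param([string]$PreviousMof, [string]$TargetMof)
    $kept = @(Get-MofResourceId -MofText $TargetMof)
    # Declared in the last applied MOF, missing from the one about to be applied:
    # DSC stops managing these, and they stay in the tenant.
    Get-MofResourceId -MofText $PreviousMof | Where-Object { $_ -notin $kept }
}

# Constructed stand-ins for the MOF compiled at PR4 (applied) and at PR2 (revert target).
$pr4Mof = @'
instance of MSFT_AADGroup as $MSFT_AADGroup1ref { ResourceID = "[AADGroup]Resource1"; Ensure = "Present"; };
instance of MSFT_AADGroup as $MSFT_AADGroup2ref { ResourceID = "[AADGroup]Resource2"; Ensure = "Present"; };
instance of MSFT_AADGroup as $MSFT_AADGroup3ref { ResourceID = "[AADGroup]Resource3"; Ensure = "Present"; };
instance of MSFT_AADGroup as $MSFT_AADGroup4ref { ResourceID = "[AADGroup]Resource4"; Ensure = "Present"; };
'@
$pr2Mof = @'
instance of MSFT_AADGroup as $MSFT_AADGroup1ref { ResourceID = "[AADGroup]Resource1"; Ensure = "Present"; };
instance of MSFT_AADGroup as $MSFT_AADGroup2ref { ResourceID = "[AADGroup]Resource2"; Ensure = "Present"; };
'@

$orphans = @(Get-OrphanedResource -PreviousMof $pr4Mof -TargetMof $pr2Mof)
foreach ($id in $orphans) {
    Write-Warning "$id is dropped from the configuration but will remain in the tenant."
}
# A pipeline stage would stop here until each orphan is either re-declared with
# Ensure = 'Absent' or explicitly accepted as unmanaged.
"Orphaned by this revert: $($orphans -join ', ')"
```

With the sample data, the two resources introduced after PR2 are reported, which is the point at which a reviewer decides between an `Ensure = 'Absent'` entry and leaving them unmanaged.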

FabienTschanz commented 3 days ago

@subhashvinjamuri Any news on this? If the issue is resolved for you, do you mind closing it?