Microsoft 365 • Configuration as Code

Configuration-as-Code for Microsoft 365

Deploy baselines. Detect drift. Stay compliant. Manage M365 configurations across all your tenants with GitOps.

Deploy-Baseline-Enterprise, Run #247
Stages: Plan (2m 34s), Approval, Deploy

Configure-BaselineGroups
    45 group definitions loaded
    12 groups to create
    33 groups unchanged

Configure-ConditionalAccess
    30 policies loaded
    5 policies to create
    8 policies to update
    17 policies unchanged

Configure-Intune
    120 configurations loaded
    15 configs to create
    22 configs to update
    83 configs unchanged

Waiting for approval from Admins

Why OM365DO?

Built by MSPs, for MSPs. We solved the problems we faced managing hundreds of M365 tenants.

Groups First

Use {{GROUP:name}} templates in your configs. OM365DO resolves names to IDs at deployment, so one baseline works everywhere.

GitOps Native

Azure DevOps pipelines with WhatIf preview, approval gates, and full audit trail. Every change tracked in Git history.

Multi-Tenant Ready

One baseline repository, deployed to an unlimited number of tenants. Separate assignments per tenant, consistent configurations.

Detailed Feedback

Clear, actionable output for every policy. Know exactly what changed, what failed, and why. No more cryptic DSC errors.

GCC High Support

Full support for Government Cloud environments. Same workflows, same baselines, just point to the right cloud.

Separate Assignments

Policy configs and assignments in separate files. Change who gets a policy without touching the policy itself.

Daily Automated Backups

Every client's full M365 configuration is exported to Git each night. Full point-in-time restore from any date in history.

Per-Client Flexibility

A .baseline-ignore file in each tenant repo lets MSPs opt specific policies out per client without touching the shared baseline.

Resource Protection

Any M365 resource with OM365DO:IGNORE in its description is skipped. Clients can lock their own customizations from being overwritten.

No Local Tools Required

Everything runs in Azure DevOps cloud. MSP staff need only a browser and a text editor — no PowerShell, no modules, no local setup.

Auto Pipeline Self-Healing

When the MSP updates their pipeline template, all client pipelines automatically update on the next run — zero manual maintenance.

How It Works

Git-based configurations flow through Azure DevOps pipelines to your M365 tenants.

OM365DO Architecture — Azure DevOps repositories, pipeline workflow, and Microsoft 365 tenant deployment

WhatIf Preview

See exactly what will change before deploying. Review, approve, then apply with confidence.

Ready to Get Started?

Explore the full Modern Workplace baseline, or dive into the platform details to see how OM365DO works under the hood.