I rebuilt my local M365 SOC Tool from PowerShell to a full Web App Now self-hostable with RBAC, SSO & much more

Hi everyone,

A while back I showed you my local Microsoft 365 SOC tool built in PowerShell. Back then it was limited to a single-user setup:
https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Well… I’ve been pulling all-nighters and completely rebuilt it from the ground up. It’s no longer PowerShell, it’s now a full JavaScript application and it’s absolutely fire.

You can see pictures in another Reddit post:
https://www.reddit.com/r/microsoft365/comments/1ulw3hz/i_rebuilt_my_local_m365_soc_tool_from_powershell/

You can now self-host it wherever you want:

  • On-prem
  • Azure
  • Any web server with at least 2 cores and 4 GB RAM

I’ll be releasing it in the next few days so you can host and test it yourselves.

What’s new & improved:

  • SSO support for additional users → no more manual logins
  • Full RBAC permission system
  • More RBAC roles coming: Analyst, Responder, Reader, Administrator
  • Azure Files Share integration for storing evidence and data
  • Significantly better performance
  • Security hardening
  • Fully automatic setup script that does the entire deployment for you

GCC / GCC-High compatibility is unfortunately not possible yet. I don’t have access to that environment and being based in Germany makes it pretty hard to get one.

If anyone has a GCC tenant they’d be willing to test with, I’d love to collaborate!

I’m planning to sink at least 35 hours into this project again this weekend.

If you have feature requests or ideas for what a proper M365 SOC tool should have, drop them in the comments. You guys know better than anyone what’s actually needed in the field.

Huge thanks to everyone who tested the earlier version:)

Can’t wait to get this into your hands.

reddit.com
u/Ok-Stretch-7850 — 3 days ago
▲ 76 r/DefenderATP+1 crossposts

I rebuilt my local M365 SOC Tool from PowerShell to a full Web App Now self-hostable with RBAC, SSO & much more

Hi everyone,

A while back I showed you my local Microsoft 365 SOC tool built in PowerShell. Back then it was limited to a single-user setup https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Well… I’ve been pulling all-nighters and completely rebuilt it from the ground up. It’s no longer PowerShell, it’s now a full JavaScript application and it’s absolutely fire.

You can now self-host it wherever you want:

  • On-prem
  • Azure
  • Any web server with at least 2 cores and 4 GB RAM

I’ll be releasing it in the next few days so you can host and test it yourselves.

What’s new & improved:

  • SSO support for additional users → no more manual logins
  • Full RBAC permission system
  • More RBAC roles coming: Analyst, Responder, Reader, Administrator
  • Azure Files Share integration for storing evidence and data
  • Significantly better performance
  • Security hardening
  • Fully automatic setup script that does the entire deployment for you

GCC / GCC-High compatibility is unfortunately not possible yet. I don’t have access to that environment and being based in Germany makes it pretty hard to get one.

If anyone has a GCC tenant they’d be willing to test with, I’d love to collaborate!

I’m planning to sink at least 35 hours into this project again this weekend.

If you have feature requests or ideas for what a proper M365 SOC tool should have, drop them in the comments. You guys know better than anyone what’s actually needed in the field.

Huge thanks to everyone who tested the earlier version:)

Can’t wait to get this into your hands.

u/Ok-Stretch-7850 — 3 days ago
▲ 13 r/Intune

M365 SoC Tool

Hey

Over the past few weeks I’ve built a tool I wanted to share with you.

It’s a SOC solution for Microsoft 365. It currently runs on a local PowerShell web server, but the plan is to make it fully self-hosted or deployable in Azure in the future.

What it does:

You enter a compromised user and the approximate compromise date, and the tool gives you:

  • All devices the user was logged into
  • Suspicious sign-ins
  • Mail traffic after the breach
  • Additional aggregated signals from multiple M365 data sources

The goal is to give you fast and clear visibility into a potential incident. Results can be exported or automatically sent via email.

More features are coming soon. I’m developing this after work in my spare time because I want to give something useful back to the community and make our jobs a bit easier (and a lot more secure).

Version 0.1 is now live on GitHub.
I’d love your feedback, test results, improvement ideas, or bug reports. Feel free to comment here or open an issue in the repo.

→ GitHub Link: https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Thanks in advance, looking forward to your thoughts!

reddit.com
u/Ok-Stretch-7850 — 7 days ago

M365 SoC Tool

Hey

Over the past few weeks I’ve built a tool I wanted to share with you.

It’s a SOC solution for Microsoft 365. It currently runs on a local PowerShell web server, but the plan is to make it fully self-hosted or deployable in Azure in the future.

What it does:

You enter a compromised user and the approximate compromise date, and the tool gives you:

  • All devices the user was logged into
  • Suspicious sign-ins
  • Mail traffic after the breach
  • Additional aggregated signals from multiple M365 data sources

The goal is to give you fast and clear visibility into a potential incident. Results can be exported or automatically sent via email.

More features are coming soon. I’m developing this after work in my spare time because I want to give something useful back to the community and make our jobs a bit easier (and a lot more secure).

Version 0.1 is now live on GitHub.
I’d love your feedback, test results, improvement ideas, or bug reports. Feel free to comment here or open an issue in the repo.

→ GitHub Link: https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Thanks in advance, looking forward to your thoughts!

reddit.com
u/Ok-Stretch-7850 — 7 days ago

M365 SoC Tool

Hi

Over the past few weeks I’ve built a tool I wanted to share with you.

It’s a SOC solution for Microsoft 365. It currently runs on a local PowerShell web server, but the plan is to make it fully self-hosted or deployable in Azure in the future.

What it does:

You enter a compromised user and the approximate compromise date, and the tool gives you:

  • All devices the user was logged into
  • Suspicious sign-ins
  • Mail traffic after the breach
  • Additional aggregated signals from multiple M365 data sources

The goal is to give you fast and clear visibility into a potential incident. Results can be exported or automatically sent via email.

More features are coming soon. I’m developing this after work in my spare time because I want to give something useful back to the community and make our jobs a bit easier (and a lot more secure).

Version 0.1 is now live on GitHub.
I’d love your feedback, test results, improvement ideas, or bug reports. Feel free to comment here or open an issue in the repo.

→ GitHub Link: https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Thanks in advance, looking forward to your thoughts!

reddit.com
u/Ok-Stretch-7850 — 7 days ago

Free M365 SoC Tool just shipped for you

Hey r/cybersecurity

Over the past few weeks I’ve built a tool I wanted to share with you.

It’s a SOC solution for Microsoft 365. It currently runs on a local PowerShell web server, but the plan is to make it fully self-hosted or deployable in Azure in the future.

What it does:

You enter a compromised user and the approximate compromise date, and the tool gives you:

  • All devices the user was logged into
  • Suspicious sign-ins
  • Mail traffic after the breach
  • Additional aggregated signals from multiple M365 data sources

The goal is to give you fast and clear visibility into a potential incident. Results can be exported or automatically sent via email.

More features are coming soon. I’m developing this after work in my spare time because I want to give something useful back to the community and make our jobs a bit easier (and a lot more secure).

Version 0.1 is now live on GitHub.
I’d love your feedback, test results, improvement ideas, or bug reports. Feel free to comment here or open an issue in the repo.

GitHub Link: https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Thanks in advance, looking forward to your thoughts!

reddit.com
u/Ok-Stretch-7850 — 7 days ago
▲ 32 r/Intune+2 crossposts

Built a simple Edge Extension Inventory Script for Intune – Sharing it with you all :)

Hey everyone,

It’s the weekend, which finally gave me time to clean this up and share it.

Most of us have probably asked ourselves at some point: Do you actually know what Edge Extensions are being used in your environment?
In most cases the honest answer is: “Uhhh… no idea, never really thought about it.”

Manually checking is painful, and tools like Microsoft Vulnerability Management can get expensive quickly when you have many users.

So I built a straightforward PowerShell script that solves exactly this:

Edge Extension Inventory

  • Automatically finds all installed Microsoft Edge extensions on the devices
  • Collects useful info (Name, Version, Extension ID, Profile, etc.)
  • Sends everything nicely into an Azure Log Analytics table
  • Designed to run perfectly as an Intune Remediation Script (system context, robust, always exits cleanly)

It’s deliberately kept simple, reliable, and production-ready.

The best part? It only costs you a Log Analytics Workspace which is extremely cheap compared to other solutions.

Full code, simple documentation and step-by-step Intune deployment guide are here:

👉 https://github.com/Mau2rice0/World-of-M365/tree/main/Security/Reporting/EdgeExtensions

Just drop in your Workspace ID + Shared Key, deploy it via Intune, and you’re done.

If you try it out or have ideas / feedback, let me know always happy to improve it!

#MicrosoftIntune #MicrosoftEdge #PowerShell #Azure #M365 #Intune #EndpointManagement

reddit.com
u/Ok-Stretch-7850 — 25 days ago
▲ 13 r/entra+1 crossposts

OpenEntraBaseline

Hello r/microsoft365

We already have the incredibly useful and truly helpful OpenIntuneBaseline so how about creating an OpenEntraBaseline as well?

The goal is to build a baseline aligned with the CIS Benchmark, enforcing security recommendations in a consistent and transparent way. This would allow us to harden new environments quickly or spin up secure test environments without starting from scratch every time.

And honestly, who could build this better than all of you? You work with these services every single day, you know every trick, every bug, every quirk.

So let’s combine our collective knowledge and create the OpenEntraBaseline together. Let’s merge the CIS Benchmark with our real‑world experience and deliver something valuable for all Microsoft admins out there. In the end, we all benefit from a stronger, shared foundation.

If you’re interested, drop a comment I appreciate every bit of help 😄

If enough people join in, I’ll set up a Discord channel and a Git repo so we can collaborate properly

reddit.com
u/Ok-Stretch-7850 — 2 months ago
▲ 99 r/entra+2 crossposts

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :)

It’s the weekend, which finally gives me time to finish things I’ve been building for way too long.
I’ve been working on this Azure Automation Runbook on and off for quite a while, and today I finally wrapped it up. Of course, I wanted to share it with you all.

In short:
The Runbook automatically identifies inactive Enterprise Apps (Service Principals) in your Entra tenant.
It checks the Microsoft Graph Beta sign‑in logs to see which tenant‑created apps had zero sign‑in activity in the last 30 days.
If inactive apps are found, it generates a clean HTML report and sends it via email.
If everything is healthy and no unused apps exist, it stays quiet, no unnecessary notifications 😉

As always, the full code is available in my GitHub repository, which I’ve linked below.

https://github.com/Mau2rice0/World-of-M365/tree/main/Entra/Reporting/UnusedEnterpriseAppsReport

If you have ideas, feedback, or want to see additional features, let me know, maybe that’ll be my next weekend project.

#Azure #M365 #Entra

reddit.com
u/Ok-Stretch-7850 — 2 months ago
▲ 18 r/AZURE+1 crossposts

Automated Microsoft 365 Service Health Reporting

Most of us have been there: users suddenly report issues with a Microsoft 365 service, and as an admin you’re left wondering whether the problem is on your side or if Microsoft is having an outage.

Checking the M365 Admin Center can help, but it takes time and many helpdesk staff don’t even have access to it.

To solve this, I created an Azure Automation Runbook that regularly checks the Microsoft 365 service health status and sends an email only when there’s an actual issue (degradation or outage).

Key benefits:

  • No personal admin access to the Microsoft 365 portal required
  • Notifications can go directly into your ticketing system
  • Issues are often detected before users notice them
  • A quick look at your inbox in the morning is enough
  • No unnecessary notifications only real incidents

The script is available in my Git repository:
https://github.com/Mau2rice0/ServiceHealthNotificationService/tree/main

If you’re interested, feel free to try it out and share your feedback.

#Microsoft365 #AzureAutomation #M365Admin #Helpdesk

reddit.com
u/Ok-Stretch-7850 — 2 months ago