First public release. The toolkit graduates from private development to community-facing v1.0.
Detect-and-remediate methodology for solo defenders running Microsoft 365 + Cloudflare in small organizations. Audits five domains in one command, produces a single ranked report, and ships ready-to-deploy remediation artifacts mapped to NIST CSF 2.0, NIST 800-53, ISO 27001, and MITRE ATT&CK.
Try it in 30 seconds
```powershell
git clone https://github.com/ibondarenko1/m365-security-operations
cd m365-security-operations
./examples/run-mock.ps1
```
Produces a complete sample report (58 findings across 5 domains) using bundled fixtures. No Azure access required.
What's in v1.0
5 audit scripts
- audit-sentinel.ps1 (workspace, daily quota, retention, onboarding, rules, Fusion, Activity Log, data connectors, workbooks, hunting queries, playbooks, watchlists, UEBA, threat intelligence)
- audit-defender-o365.ps1 (anti-phish impersonation, TenantAllowBlockList, DKIM, Strict Preset, ZAP, outbound thresholds, transport rules, attack simulation)
- audit-dns-posture.ps1 (MX, SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, CAA, DNSSEC, SPF lookup count, DMARC sub-policy, MX backup, DKIM key strength)
- audit-identity-posture.ps1 (CA policies, authorization policy, directory roles, sign-in logs, authentication methods, app consent, service principal credentials, named locations, cross-tenant access, sign-in risk, SSPR)
- audit-defender-cloud.ps1 (per-plan pricing tier, Secure Score, recommendations by severity, Defender for AI, continuous export to Sentinel)
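As an added illustration of the kind of check audit-dns-posture.ps1 runs for the SPF lookup count and DMARC sub-policy items above (example code written for these notes, not the toolkit's own implementation; the record values are constructed, and every include host except spf.protection.outlook.com is a placeholder), an offline evaluation that emits finding-shaped objects:

```powershell
# Added example, not the toolkit's code: evaluates constructed SPF/DMARC records offline,
# the way a DNS posture check would. Include hosts other than Microsoft's are placeholders.
$SpfRecord = 'v=spf1 include:spf.protection.outlook.com include:_spf.crm.example include:_spf.helpdesk.example ' +
    'include:_spf.newsletter.example include:_spf.ticketing.example include:_spf.payroll.example ' +
    'include:_spf.survey.example include:_spf.billing.example a mx ptr ~all'
$DmarcRecord = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100'

function Get-SpfLookupCount {
    param([string]$Record)
    # RFC 7208 4.6.4: include, a, mx, ptr, exists and redirect each cost a DNS lookup and the
    # evaluation is limited to 10. This counts the top-level record only; a real check
    # must also recurse into every include target.
    $count = 0
    foreach ($term in ($Record -split '\s+' | Select-Object -Skip 1)) {
        $t = $term -replace '^[+\-~?]', ''    # drop the qualifier prefix (e.g. ~all -> all)
        if ($t -match '^(include:|a(?:$|[:/])|mx(?:$|[:/])|ptr(?:$|:)|exists:|redirect=)') { $count++ }
    }
    return $count
}

function Get-DmarcTags {
    param([string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $tags
}

function Test-MailAuthPosture {
    param([string]$Spf, [string]$Dmarc)
    $findings = @()
    $lookups = Get-SpfLookupCount -Record $Spf
    if ($lookups -gt 10) {
        $findings += [pscustomobject]@{ Check = 'SPF lookup count'; Severity = 'High'; Detail = "$lookups lookup terms exceed the limit of 10; receivers return permerror" }
    }
    $tags = Get-DmarcTags -Record $Dmarc
    if ($tags['p'] -eq 'none') {
        $findings += [pscustomobject]@{ Check = 'DMARC policy'; Severity = 'Medium'; Detail = 'p=none only monitors; mail failing alignment is still delivered' }
    }
    $sp = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $tags['p'] }   # sp inherits p when absent
    if ($sp -eq 'none') {
        $findings += [pscustomobject]@{ Check = 'DMARC sub-policy'; Severity = 'Medium'; Detail = 'subdomain policy resolves to none; unprotected subdomains can be spoofed' }
    }
    return $findings
}

Test-MailAuthPosture -Spf $SpfRecord -Dmarc $DmarcRecord | Format-Table -AutoSize
```

With the constructed records this reports three findings: the SPF record's 11 lookup terms, the p=none policy, and the sub-policy that inherits none because no sp tag is present.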
24+ remediation artifacts
- 6 baseline Conditional Access policy JSONs (block legacy auth, MFA admins phishing-resistant, MFA all users, sign-in risk, user risk, compliant device for management portals) with deploy.ps1
- 5 MITRE-mapped Sentinel Scheduled Analytics Rule ARM templates
- 10 KQL hunting drill templates
- 3 Defender for O365 remediation PowerShell scripts (impersonation enrollment, allow-list bulk add, Strict Preset assignment)
- MTA-STS Cloudflare Worker + DNS deployment script
- Identity + DNS audit reusable functions
Infrastructure
- Schema-enforced finding output via lib/Finding.psm1 (SCHEMA.md v1.1)
- Mock mode via lib/MockClient.psm1 — drop-in mocks for Graph + ARM + DNS + EXO
- 16 sanitized fixtures in examples/fixtures/
- 114 Pester tests
- CI matrix on ubuntu-latest + windows-latest + macos-latest (PowerShell 7)
- Static checks: JSON validation + PSScriptAnalyzer + KQL header check + fixture sanity
Documentation
- README with mock-first quickstart
- 5 end-to-end deployment walkthroughs (docs/walkthroughs/)
- THREAT-MODEL.md — explicit scope statement (what it catches, what it doesn't)
- FAQ.md — 20+ operator questions
- 6 Architecture Decision Records (docs/adr/)
- CONTRIBUTING.md with PR checklist
- ROADMAP.md (public release plan)
- LICENSE (MIT)
Generate-Report polish
- Severity distribution ASCII histogram
- MITRE ATT&CK tactic coverage section
- Diff mode (`-CompareWith`)
Honest scope statement
The toolkit is opinionated for small-org cloud-only Microsoft 365 + Cloudflare. It does NOT cover:
- Multi-tenant MSP management (use CIPP)
- Federal compliance overlays (use CISA ScubaGear)
- On-premises Active Directory
- Endpoint detection at device level
- Data Loss Prevention / Microsoft Purview
- Penetration testing
- M365 backup posture
Concentration enables depth: 60+ checks across 5 domains rather than surface-level coverage of 20.
Distribution
See `examples/LAUNCH.md` for the post-v1.0 distribution checklist. Companion blog post at `examples/launch-post.md`.
Contributing
See `CONTRIBUTING.md`. Most-valuable contributions: false-positive recognition patterns + new check proposals per `SCHEMA.md`.
Next: v1.1+ (community-driven)
Per `ROADMAP.md`: expanding per-domain checks, documentation_url backfill on all P3+ findings, community-requested checks via GitHub Issues.
Total project investment to v1.0: 7 phases, ~24 incremental commits, 6 sub-releases (v0.1 → v0.6), 114 Pester tests, 58 mock-mode findings, ~70 framework-tagged checks across 5 domains.