{"slug": "walking-through-a-5-domain-microsoft-365-audit-in-30-seconds", "title": "Walking through a 5-domain Microsoft 365 audit in 30 seconds", "summary": "The article describes a new open-source PowerShell toolkit designed for solo administrators of small Microsoft 365 tenants, addressing the gap between overly complex enterprise tools and insufficient security recommendations. The tool performs a single-command audit across five security domains, producing a ranked report with findings mapped to major frameworks like NIST and ISO 27001, and provides ready-to-deploy remediation artifacts. It is specifically opinionated for small, cloud-only organizations using M365 and Cloudflare, and is available on GitHub under an MIT license.", "body_md": "If you administer a small Microsoft 365 tenant, here's the question that probably stopped you somewhere between \"I should check our security posture\" and actually doing it:\n\n**Which tool?**\n\nMicrosoft Secure Score gives recommendations but no remediation artifacts. CISA ScubaGear is excellent but federal-grade, overkill for a 20-person mid-market shop. M365DSC is configuration-as-code, which is great when you're a DSC shop and terrible when you're not. CIPP is purpose-built for MSPs managing many tenants, and solo defenders don't need that fan-out.\n\nThere was a gap: an opinionated audit-plus-remediation toolkit for a solo defender running M365 + Cloudflare in a small org. I built one. 
Tagged 1.0 today.\n\n[github.com/ibondarenko1/m365-security-operations](https://github.com/ibondarenko1/m365-security-operations)\n\n## What it actually does\n\nOne PowerShell command sweeps five domains, produces a single markdown report ranking findings P1/P2/P3, and links every gap to a ready-to-deploy remediation artifact:\n\n| Domain | Audit | Remediation |\n|---|---|---|\n| Sentinel detection engineering | Workspace state, daily quota, retention, Sentinel onboarding, analytics rules, Fusion, Activity Log diagnostic, data connectors, workbooks, hunting queries, automation playbooks, watchlists, UEBA, threat intelligence | 5 MITRE-mapped ARM templates + 10 KQL hunting drills |\n| Defender for Office 365 | Anti-phish impersonation, anti-spam, anti-malware, Safe Attachments, Safe Links, Tenant Allow/Block List, DKIM, ZAP, outbound thresholds, transport rules, Attack Simulation Training | Exchange Online PowerShell remediation scripts |\n| DNS + email authentication | MX, SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, NS, Autodiscover, CAA, DNSSEC, SPF lookup count, DMARC sub-policy | Cloudflare Worker + DNS deployment script for MTA-STS + TLS-RPT |\n| Identity hardening | Conditional Access policies, authorization policy, directory roles, sign-in logs, authentication methods, app consent, service principal credentials, named locations, cross-tenant access, sign-in risk, SSPR | 6 baseline Conditional Access policy JSONs ready for Graph PUT |\n| Defender for Cloud | Per-plan pricing tier, Secure Score, recommendations by severity, AI plane, continuous export to Sentinel | Plan-tier upgrade methodology + walkthrough |\n\nEvery finding is tagged with framework controls: NIST CSF 2.0, NIST SP 800-53, NIST SP 800-63B, ISO 27001:2022, MITRE ATT&CK, Microsoft Cloud Security Benchmark, RFC references.\n\n## Try it in 30 seconds\n\n```\ngit clone https://github.com/ibondarenko1/m365-security-operations\ncd m365-security-operations\n./examples/run-mock.ps1\n```\n\nThat runs the 
full audit against bundled sanitized fixtures and produces a complete sample report (58 findings across 5 domains). No Azure access required. Open `reports/<latest-timestamp>/report.md` to see exactly what the tool produces.\n\nWhen you're ready to run against your tenant:\n\n```\naz login --tenant <your-tenant-id>\n./run-audit.ps1 -TenantId <id> -SubscriptionId <id> -Domain <yourdomain> -WorkspaceName <ws> -ResourceGroup <rg>\n```\n\n## Why opinionated scope matters\n\nThis toolkit explicitly does NOT cover:\n\n- Multi-tenant MSP management (use CIPP)\n- Federal compliance overlays (use ScubaGear)\n- On-premises Active Directory (use Defender for Identity)\n- Endpoint detection at device level (use Defender for Endpoint native)\n- Data Loss Prevention (use Microsoft Purview)\n\nThe toolkit is opinionated for **small-org cloud-only M365 + Cloudflare**. Concentration enables depth: each domain has 15-25 checks, not the surface-level 5 a broader-scope tool can maintain.\n\n## Architecture you can actually contribute to\n\n- Schema-first: every audit script emits findings conforming to `SCHEMA.md`, enforced by `lib/Finding.psm1`\n- Mock mode: `lib/MockClient.psm1` provides drop-in mocks for Graph + ARM + DNS + EXO. Contributors iterate on audit logic without burning real-tenant quota; 114 Pester tests run in CI on Windows + Linux + Mac\n- 6 Architecture Decision Records document the design rationale\n- 5 walkthroughs cover end-to-end deployment of the remediation artifacts\n\n## What's next\n\nv1.0 is the public-release baseline. Roadmap continues with v1.1-v1.5 expanding per-domain checks, adding documentation_url to every finding (currently P1/P2 only), and surfacing community-contributed checks.\n\nIf you administer M365 in a small org, give it a try and open issues for what you'd like to see next.\n\n[github.com/ibondarenko1/m365-security-operations](https://github.com/ibondarenko1/m365-security-operations)\n\n*MIT licensed. 
Methodology, schema, fixtures, walkthroughs, ADRs, Pester tests, and CI matrix all in the repo.*", "url": "https://wpnews.pro/news/walking-through-a-5-domain-microsoft-365-audit-in-30-seconds", "canonical_source": "https://dev.to/ibondarenko1/walking-through-a-5-domain-microsoft-365-audit-in-30-seconds-1bp", "published_at": "2026-05-23 22:05:28+00:00", "updated_at": "2026-05-23 22:33:40.746614+00:00", "lang": "en", "topics": ["cybersecurity", "open-source", "developer-tools", "cloud-computing"], "entities": ["Microsoft 365", "CISA ScubaGear", "M365DSC", "CIPP", "Cloudflare", "NIST CSF 2.0", "NIST SP 800-53", "ISO 27001:2022"], "alternates": {"html": "https://wpnews.pro/news/walking-through-a-5-domain-microsoft-365-audit-in-30-seconds", "markdown": "https://wpnews.pro/news/walking-through-a-5-domain-microsoft-365-audit-in-30-seconds.md", "text": "https://wpnews.pro/news/walking-through-a-5-domain-microsoft-365-audit-in-30-seconds.txt", "jsonld": "https://wpnews.pro/news/walking-through-a-5-domain-microsoft-365-audit-in-30-seconds.jsonld"}}