I rebuilt my local M365 SOC Tool from PowerShell to a full Web App Now self-hostable with RBAC, SSO & much more
This is a self-hostable Microsoft 365 SOC (Security Operations Center) tool, rebuilt from a single-user PowerShell console into a full web application with RBAC, SSO for additional users, Azure Files Share storage for evidence and better performance. It is built for rapid investigation of and response to Microsoft 365 account compromises: it collects and correlates evidence from Microsoft Graph, produces timelines and risk scores, maps findings to MITRE ATT&CK, and supports containment actions that each require explicit confirmation. It is intended for personal or internal company use and requires an enterprise app registration holding specific Microsoft Graph permissions. The post is a release announcement; no vulnerabilities or exploits in the tool are reported.
AI Analysis
Technical Summary
The tool is a SOC console for Microsoft 365 compromise response, rebuilt as a JavaScript web app from an earlier PowerShell version. Earlier descriptions of the tool have it binding only to localhost so that credentials and client secrets stay on the analyst's machine and are cleared on exit; the rebuilt version, according to the post, can instead be self-hosted on-prem, in Azure or on any web server with at least 2 cores and 4 GB RAM, with SSO for additional users. It collects evidence from Microsoft Graph APIs, correlates it into timelines and risk scores, and supports containment actions such as session revocation and password resets. The rebuild adds security hardening, an RBAC permission system (Analyst, Responder, Reader and Administrator roles are planned), Azure Files Share integration for evidence storage and a setup script that performs the whole deployment. GCC and GCC-High tenants are not supported yet. The tool is not a cloud service, and no known exploits or vulnerabilities have been reported against it.
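The correlation step described above, as an added example rather than code from the tool itself: a small JavaScript routine that takes Microsoft Graph sign-in records and inbox rules for one user, orders them into a timeline, scores the combination and tags each finding with a MITRE ATT&CK technique. Graph field names (`status.errorCode`, `riskLevelDuringSignIn`, `location.countryOrRegion`, `messageRule.actions.forwardTo`) are real; the sample records, the point weights and the `correlateUser` function are constructed for this illustration.

```javascript
// Added example, not code from the M365 SOC tool itself: correlate Microsoft
// Graph evidence for one user into a timeline, a 0-100 risk score and MITRE
// ATT&CK technique tags. Field names follow Graph's auditLogs/signIns and
// users/{id}/mailFolders/inbox/messageRules resources; the records and the
// point weights are constructed for this example.

const TECHNIQUES = {
  spray:   { id: "T1110.003", name: "Brute Force: Password Spraying" },
  cloud:   { id: "T1078.004", name: "Valid Accounts: Cloud Accounts" },
  forward: { id: "T1114.003", name: "Email Collection: Email Forwarding Rule" },
};

// Graph reports a successful sign-in as status.errorCode 0; 50126 is a bad password.
const isSuccess = (s) => Boolean(s.status) && s.status.errorCode === 0;

// Every address a messageRule forwards or redirects mail to, lower-cased.
function ruleTargets(rule) {
  const a = rule.actions || {};
  return [...(a.forwardTo || []), ...(a.forwardAsAttachmentTo || []), ...(a.redirectTo || [])]
    .map((r) => r.emailAddress.address.toLowerCase());
}

function correlateUser(signIns, messageRules, { baselineCountries, tenantDomain, failureThreshold = 5 }) {
  const timeline = [...signIns].sort((a, b) => a.createdDateTime.localeCompare(b.createdDateTime));
  const findings = [];
  const techniques = new Map();
  let score = 0;
  const flag = (points, text, tech) => {
    score += points;
    findings.push(text);
    if (tech) techniques.set(tech.id, tech);
  };

  // 1. A burst of failures followed by a success from the same IP: guessing that worked.
  let failures = 0;
  let lastFailureIp = null;
  for (const e of timeline) {
    if (!isSuccess(e)) { failures += 1; lastFailureIp = e.ipAddress; continue; }
    if (failures >= failureThreshold && e.ipAddress === lastFailureIp) {
      flag(25, `${failures} failed sign-ins then success from ${e.ipAddress} at ${e.createdDateTime}`, TECHNIQUES.spray);
    }
    failures = 0;
  }

  const successes = timeline.filter(isSuccess);

  // 2. Successful sign-ins that Entra ID Protection itself rated medium or high risk.
  for (const e of successes) {
    if (e.riskLevelDuringSignIn === "medium" || e.riskLevelDuringSignIn === "high") {
      flag(20, `${e.riskLevelDuringSignIn}-risk successful sign-in from ${e.ipAddress} (${e.appDisplayName})`, TECHNIQUES.cloud);
    }
  }

  // 3. Success from a country the user has no history in.
  const newCountries = new Set(
    successes.map((e) => e.location && e.location.countryOrRegion).filter((c) => c && !baselineCountries.includes(c)),
  );
  for (const c of newCountries) flag(15, `successful sign-in from non-baseline country ${c}`, TECHNIQUES.cloud);

  // 4. Enabled inbox rules that ship mail outside the tenant, or that hide it by deleting.
  for (const r of messageRules) {
    if (!r.isEnabled) continue;
    const external = ruleTargets(r).filter((t) => !t.endsWith(`@${tenantDomain.toLowerCase()}`));
    if (external.length > 0) flag(30, `rule "${r.displayName}" forwards mail to ${external.join(", ")}`, TECHNIQUES.forward);
    if (r.actions && r.actions.delete === true) flag(10, `rule "${r.displayName}" deletes matching mail`, null);
  }

  score = Math.min(100, score);
  const severity = score >= 70 ? "critical" : score >= 40 ? "high" : score >= 20 ? "medium" : "low";
  return { score, severity, findings, techniques: [...techniques.values()], timeline };
}

// Constructed sample evidence: a DE-based user, a password-guessing burst from a
// foreign IP that eventually succeeds, then an external forwarding rule on the mailbox.
const signIn = (t, ip, country, errorCode, risk = "none") => ({
  createdDateTime: t, userPrincipalName: "alice@contoso.example", ipAddress: ip,
  appDisplayName: "Office 365 Exchange Online", status: { errorCode },
  location: { countryOrRegion: country }, riskLevelDuringSignIn: risk,
});
const SAMPLE_SIGNINS = [
  signIn("2026-02-06T07:55:00Z", "198.51.100.5", "DE", 0),
  signIn("2026-02-07T02:10:00Z", "203.0.113.10", "NG", 50126),
  signIn("2026-02-07T02:10:20Z", "203.0.113.10", "NG", 50126),
  signIn("2026-02-07T02:10:40Z", "203.0.113.10", "NG", 50126),
  signIn("2026-02-07T02:11:00Z", "203.0.113.10", "NG", 50126),
  signIn("2026-02-07T02:11:20Z", "203.0.113.10", "NG", 50126),
  signIn("2026-02-07T02:12:00Z", "203.0.113.10", "NG", 0, "high"),
];
const SAMPLE_RULES = [
  { displayName: "Archive newsletters", isEnabled: true, actions: { moveToFolder: "archive" } },
  { displayName: ".", isEnabled: true,
    actions: { forwardTo: [{ emailAddress: { address: "collector@attacker.example" } }], markAsRead: true } },
];

const report = correlateUser(SAMPLE_SIGNINS, SAMPLE_RULES, { baselineCountries: ["DE"], tenantDomain: "contoso.example" });
console.log(JSON.stringify({ score: report.score, severity: report.severity, findings: report.findings }, null, 2));
```

The weights are deliberately additive and capped so that one strong indicator (an external forwarding rule) is enough to reach "high" on its own, while the classic chain of guessing, risky sign-in and new country lands in "critical". In a real console the baseline countries would come from the user's own sign-in history over the preceding weeks, not from a hard-coded list.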
Potential Impact
There is no indication of a security vulnerability or exploit associated with this tool; it is a defensive tool meant to aid incident response for Microsoft 365 compromises. The practical risk lies in the deployment itself: the app registration it uses holds Graph permissions sufficient to read tenant evidence, revoke sessions and reset passwords, so a self-hosted instance, its client secret and its administrator accounts are a high-value target inside the tenant, and an over-privileged or mistyped response action can lock out the wrong user. None of this is a reported flaw in the tool; it is the consequence of what an incident-response console has to be allowed to do.
Mitigation Recommendations
No patching is required, as this is a tool announcement rather than a vulnerability. Deploy it the way the author's usage and security notes describe: keep the client secret on the host that runs the console and nowhere else, grant the app registration only the Graph permissions the tool actually needs, expose the web app only to the analyst network or behind the SSO you enable, give each analyst the least RBAC role that fits their job, and keep the explicit confirmation step for every active response action (session revocation, password reset). GCC and GCC-High tenants are not supported yet, so do not point the tool at them.
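The confirmation requirement for active response actions, shown as an added example that is not the tool's own code: a `containUser` function (hypothetical name) that refuses to act unless the analyst retypes the target's UPN, then disables the account and revokes its sessions through the real Microsoft Graph v1.0 endpoints, writing an audit entry per step. The token and the `fetch` implementation are injected so the function can be exercised offline with a stand-in.

```javascript
// Added example, not the tool's own code: a containment action gated on an
// explicit typed confirmation, calling Microsoft Graph v1.0 and leaving an
// audit record of each step. Token and fetch implementation are injected so
// the function can be exercised offline with a stand-in fetch.

const GRAPH = "https://graph.microsoft.com/v1.0";

class ContainmentRefused extends Error {}

// user: { id, userPrincipalName } as returned by GET /users/{id}.
async function containUser(user, { token, confirmation, fetchImpl = fetch, audit = [] }) {
  // The analyst must retype the UPN; a bare "yes" button is too easy to click on the wrong row.
  if (confirmation !== user.userPrincipalName) {
    throw new ContainmentRefused(`confirmation "${confirmation}" does not match ${user.userPrincipalName}`);
  }
  const headers = { Authorization: `Bearer ${token}`, "Content-Type": "application/json" };
  const steps = [
    // Block new sign-ins first: revoking sessions alone lets an attacker who still
    // holds the password simply sign in again.
    { name: "disable-account", method: "PATCH", url: `${GRAPH}/users/${user.id}`, body: { accountEnabled: false } },
    // Invalidate refresh tokens and browser sessions. Access tokens already issued stay
    // valid until they expire (about an hour by default), so watch for activity in that window.
    { name: "revoke-sessions", method: "POST", url: `${GRAPH}/users/${user.id}/revokeSignInSessions` },
  ];
  for (const step of steps) {
    const res = await fetchImpl(step.url, {
      method: step.method, headers, body: step.body ? JSON.stringify(step.body) : undefined,
    });
    audit.push({ at: new Date().toISOString(), user: user.userPrincipalName, action: step.name, status: res.status });
    // Stop on the first failure but keep the audit entry so the partial state is visible.
    if (!res.ok) throw new Error(`${step.name} failed with HTTP ${res.status}`);
  }
  return audit;
}

// Stand-in fetch so the example runs offline; a real run passes no fetchImpl and a
// Graph token for the app registration (the token value below is a placeholder).
const demoFetch = async (url, init) => { console.log(`${init.method} ${url}`); return { ok: true, status: 204 }; };
containUser(
  { id: "00000000-0000-0000-0000-000000000001", userPrincipalName: "alice@contoso.example" },
  { token: "<token>", confirmation: "alice@contoso.example", fetchImpl: demoFetch },
).then((audit) => console.log(audit));
```

The least-privilege application permissions for these two calls are `User.EnableDisableAccount.All` and `User.RevokeSessions.All`; granting `User.ReadWrite.All` or `Directory.ReadWrite.All` instead works but hands the console far more than it needs. Disabling a user who holds an admin role additionally requires the calling identity to hold an appropriate admin role, which is a further argument for keeping the console's own permissions narrow.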
Reddit Discussion
Hi everyone,
A while back I showed you my local Microsoft 365 SOC tool built in PowerShell. Back then it was limited to a single-user setup:
https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console
Well… I’ve been pulling all-nighters and completely rebuilt it from the ground up. It’s no longer PowerShell, it’s now a full JavaScript application and it’s absolutely fire.
You can see pictures in another Reddit post:
https://www.reddit.com/r/microsoft365/comments/1ulw3hz/i_rebuilt_my_local_m365_soc_tool_from_powershell/
You can now self-host it wherever you want:
- On-prem
- Azure
- Any web server with at least 2 cores and 4 GB RAM
I’ll be releasing it in the next few days so you can host and test it yourselves.
What’s new & improved:
- SSO support for additional users → no more manual logins
- Full RBAC permission system
- More RBAC roles coming: Analyst, Responder, Reader, Administrator
- Azure Files Share integration for storing evidence and data
- Significantly better performance
- Security hardening
- Fully automatic setup script that does the entire deployment for you
GCC / GCC-High compatibility is unfortunately not possible yet. I don’t have access to that environment and being based in Germany makes it pretty hard to get one.
If anyone has a GCC tenant they’d be willing to test with, I’d love to collaborate!
I’m planning to sink at least 35 hours into this project again this weekend.
If you have feature requests or ideas for what a proper M365 SOC tool should have, drop them in the comments. You guys know better than anyone what’s actually needed in the field.
Huge thanks to everyone who tested the earlier version :)
Can’t wait to get this into your hands.
Technical Details
- Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a46e45e27e9c7971936205b
Added to database: 07/02/2026, 22:21:18 UTC
Last enriched: 07/02/2026, 22:21:23 UTC
Last updated: 07/03/2026, 00:21:10 UTC