
I rebuilt my local M365 SOC Tool from PowerShell to a full Web App Now self-hostable with RBAC, SSO & much more

Medium
Tags: Security-tool, cybersecurity, reddit
Published: 07/02/2026 (07/02/2026, 22:09:54 UTC)
Source: Reddit Cybersecurity

Description

This is a self-hostable Microsoft 365 SOC (Security Operations Center) tool rebuilt from a PowerShell script into a full web application with enhanced features such as RBAC, SSO, and improved performance. It is designed to run locally, binding only to localhost, and facilitates rapid investigation and response to Microsoft 365 account compromises. The tool collects and correlates evidence from Microsoft Graph, provides risk scoring, MITRE ATT&CK mapping, and supports containment actions with explicit user confirmation. It is intended for personal or internal company use and requires enterprise app registration with specific Microsoft Graph permissions. No vulnerabilities or exploits are reported in this tool.

Reddit Discussion

r/cybersecurity·posted by u/Ok-Stretch-7850

Hi everyone,

A while back I showed you my local Microsoft 365 SOC tool built in PowerShell. Back then it was limited to a single-user setup:
https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Well… I’ve been pulling all-nighters and completely rebuilt it from the ground up. It’s no longer PowerShell, it’s now a full JavaScript application and it’s absolutely fire.

You can see pictures in another Reddit post:
https://www.reddit.com/r/microsoft365/comments/1ulw3hz/i_rebuilt_my_local_m365_soc_tool_from_powershell/

You can now self-host it wherever you want:

  • On-prem
  • Azure
  • Any web server with at least 2 cores and 4 GB RAM

I’ll be releasing it in the next few days so you can host and test it yourselves.

What’s new & improved:

  • SSO support for additional users → no more manual logins
  • Full RBAC permission system
  • More RBAC roles coming: Analyst, Responder, Reader, Administrator
  • Azure Files Share integration for storing evidence and data
  • Significantly better performance
  • Security hardening
  • Fully automatic setup script that does the entire deployment for you

GCC / GCC-High compatibility is unfortunately not possible yet. I don’t have access to that environment and being based in Germany makes it pretty hard to get one.

If anyone has a GCC tenant they’d be willing to test with, I’d love to collaborate!

I’m planning to sink at least 35 hours into this project again this weekend.

If you have feature requests or ideas for what a proper M365 SOC tool should have, drop them in the comments. You guys know better than anyone what’s actually needed in the field.

Huge thanks to everyone who tested the earlier version :)

Can’t wait to get this into your hands.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 22:21:23 UTC

Technical Analysis

The tool is a local SOC console for Microsoft 365 compromise response, rebuilt as a JavaScript web app from an earlier PowerShell version. It runs a local web server bound to localhost, ensuring credentials and client secrets remain on the local machine and are cleared on exit. It collects comprehensive evidence from Microsoft Graph APIs, correlates data into timelines and risk scores, and supports containment actions such as session revocation and password resets. The tool includes security hardening, RBAC with multiple roles, SSO support, and automatic setup scripts. It is not a cloud service and no known exploits or vulnerabilities have been reported. The tool is provided for internal use only, with no indication of inherent security flaws.

Potential Impact

There is no indication of a security vulnerability or exploit associated with this tool. It is a defensive security tool intended to aid incident response for Microsoft 365 compromises. No adverse impact or exploitation risk is described.

Mitigation Recommendations

No mitigation or patching is required as this is not a vulnerability or threat. Users should follow the author's usage instructions and security notes, including running the tool locally, ensuring client secrets remain local, and confirming all active response actions explicitly. Since no vulnerabilities are reported, no additional security actions are necessary.


Technical Details

Source Type: reddit
Subreddit: cybersecurity
Reddit Score: 0
Discussion Level: minimal
Content Source: reddit_link_post
Post Type: link
Domain: null
Newsworthiness Assessment: {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 6a46e45e27e9c7971936205b

Added to database: 07/02/2026, 22:21:18 UTC

Last enriched: 07/02/2026, 22:21:23 UTC

Last updated: 07/03/2026, 00:21:10 UTC

Views: 4
