Portfolio Complete — v1.0 Last updated: June 2026 — 11 operational phases · 30+ scripts
Microsoft 365 Security Operations Lab

Enterprise IT Security Operations Toolkit

A repeatable Microsoft 365 governance and security operations lab — Entra ID, Intune, Defender, Exchange Online, Conditional Access, and Microsoft Purview — built across eleven phases with executed PowerShell, exported reports, and screenshot evidence rather than manual portal review.

Portfolio Case Summary

Situation
Microsoft 365 administrators often need to review tenant health, identity exposure, endpoint posture, mail flow security, app permissions, and investigation evidence across several portals.
Task
Build a repeatable lab toolkit that collects security and governance evidence with PowerShell instead of relying only on manual portal review.
Action
Implemented Microsoft Graph, Exchange Online, Entra ID, Intune, Defender, Conditional Access, Purview, and reporting workflows across eleven operational phases.
Result
Produced scripts, CSV/TXT reports, screenshots, and dashboard views that demonstrate Microsoft 365 administration, security review, and incident triage readiness.

What This Proves

Microsoft 365 administration
Tenant health, users, groups, licenses, roles, Exchange Online, and report generation
Entra ID / identity governance
MFA method review, risky users, guest users, admin roles, PIM-related review, OAuth grants
Conditional Access
Policy inventory, report-only validation, compliant-device requirements, web-only access controls
Intune / endpoint administration
Company Portal enrollment, managed-device inventory, ownership, and compliance-state evidence
PowerShell automation
30+ scripts using Microsoft Graph and Exchange Online modules
Security operations
Secure Score tracking, high-risk permission review, sign-in evidence, and initial triage package
Microsoft Purview
DLP design and simulation, Compliance Manager review, Insider Risk policy planning, sensitivity labels, and retention labels
Documentation discipline
Phase READMEs, screenshots, sample reports, GitHub Pages site, and evidence map

Real Lab Results

MetricValue
Total users audited28
Enabled accounts27
Licensed accounts21
Active directory roles11
Microsoft Secure Score (retained snapshot)146.26 / 204 (71.7%)
Groups audited10
App registrations audited1
Service principals inventoried241
High-risk OAuth grants detected3
Mailboxes audited23
Report types generated25+
Scripts in toolkit30+

Multi-Phase Platform Architecture

Platform Architecture

Enterprise Environment (M365 E3/E5 Lab)
Microsoft 365 / Entra ID / Intune / Microsoft Defender / Exchange Online / Purview
Microsoft Graph + Security APIs
PowerShell Automation Layer (30+ scripts)
Governance & Risk Classification Logic
↙ ↘
Identity + Endpoint Security Operations        License + Access Governance Reporting
↓                                           ↓
CSV / TXT Reports                      HTML Dashboards & Visualization
GitHub Security Operations Lab Evidence

Key Design Decisions & Lessons Learned

Stage before enforcing
Conditional Access and DLP controls were reviewed in report-only or simulation modes where supported, to reduce rollout risk.
Separate inventory from compliance
Entra device registration is not the same as Intune managed-device compliance; the reporting script queries Intune managed devices directly.
Registration ≠ enforcement
Registered MFA methods indicate authentication readiness, but do not by themselves prove that a Conditional Access policy enforced MFA for every sign-in.
Evidence limits
A Compliance Manager score, healthy policy status, or empty alert list is a point-in-time posture signal — not proof of regulatory compliance or incident-free operations.
Destructive automation, designed carefully
Offboarding actions support -WhatIf, confirmation, and protected-group safeguards before any tenant change occurs.

Quick Start

# Clone the repository
git clone https://github.com/rahatislamanik-spec/Enterprise-IT-Security-Operations-Toolkit.git
cd Enterprise-IT-Security-Operations-Toolkit

# Phase 1 — Tenant health report
./scripts/m365-reports/tenant-health.ps1

# Phase 5 — Exchange mail flow audit
./phase-5-exchange-online-mail-flow-audit/scripts/exchange-mail-flow-audit.ps1

# Phase 7 — App registration audit
./phase-7-entra-app-registration-audit/scripts/entra-app-registration-audit.ps1

# Phase 8 — Initial security triage
./phase-8-m365-incident-response-security-triage/scripts/invoke-m365-incident-response.ps1

Portfolio Ecosystem

01 — Network Foundation
DNS · Connectivity · Network Diagnostics
02 — User Lifecycle
Onboarding · Offboarding · M365 Automation
03 — Identity & Security
Enterprise IT Security Operations Toolkit (this project)
Entra ID · Intune · Defender · Zero Trust
04 — M365 Operations
Exchange · Teams · SharePoint · Purview

Lab Environment Disclaimer

This toolkit was developed in isolated Microsoft 365 E3 and E5 lab tenants created exclusively for security operations simulation, governance workflow testing, automation engineering, and portfolio demonstration. Reports and screenshots are preserved as public lab evidence to show reporting format, audit logic, and operational workflow. Public exports use pseudonymized names, domains, addresses, and identifiers where needed. They are not production customer records or confidential organizational data.