Walking through a 5-domain Microsoft 365 audit in 30 seconds

If you administer a small Microsoft 365 tenant, here's the question that probably stopped you somewhere between "I should check our security posture" and actually doing it:

Which tool?

Microsoft Secure Score gives recommendations but no remediation artifacts. CISA ScubaGear is excellent but federal-grade, overkill for a 20-person mid-market shop. M365DSC is configuration-as-code, which is great when you're a DSC shop and terrible when you're not. CIPP is purpose-built for MSPs managing many tenants, and solo defenders don't need that fan-out.

There was a gap: an opinionated audit-plus-remediation toolkit for a solo defender running M365 + Cloudflare in a small org. I built one. Tagged 1.0 today.

github.com/ibondarenko1/m365-security-operations