Built by security engineers, for security engineers. Production-grade PowerShell tools
that complement the Griffin31 posture-management platform.
Microsoft 365 and Entra ID are the modern enterprise's front door — and the most frequent target. Built-in tooling doesn't cover every corner: stale devices, over-permissioned apps, expiring credentials, Conditional Access blind spots, SPF misconfigurations, SharePoint oversharing, Exchange permission sprawl.
The ToolKit is a focused set of production-grade scripts — each one solves a single real problem we hit in the field. No installers, no cloud back-end, no telemetry. Download, run, review the output.
Used internally at Griffin31 against real customer tenants, published here for the community.
Every tool follows the same principles — one problem, one tool; safe by default (read-only, destructive actions require typed confirmation); honest output (no inflated scores, no marketing numbers).
[Screenshot: CA-Policy-Analyzer HTML report (anonymized)]
Each tool produces either an interactive HTML report, a formatted Excel workbook, or a console audit.
| If you want to… | Use | Output |
|---|---|---|
| Audit your Conditional Access policies + posture score | CA-Policy-Analyzer ★ | HTML report |
| Keep break-glass accounts excluded from every CA policy, always | CA-BreakGlass-Enforcer | Azure Logic App |
| Prepare for the May 2026 CA enforcement change | CA-Update-AffectedApps | Excel risk report |
| Find sites, OneDrives, Teams with public sharing or missing labels | SharePoint-Sites-Audit ★ | HTML report |
| Hunt OAuth abuse, infostealers, or token theft in M365 | Threat-Hunting | KQL / IoCs / detection rules |
| Clean up stale devices | Entra-StaleDevices-Cleanup | Excel + actions |
| Clean up unused app registrations | Entra-StaleApps-Cleanup | Excel + actions |
| Catch expiring app credentials before they break production | Entra-AppCredentials-Audit | Excel |
| Scope Exchange Online app permissions to specific mailboxes | EXO-AppPermissions-Manager | Interactive |
| Sort, dedupe, and clean up buckets in a Microsoft Planner plan | Planner-Plan-Organizer | Interactive |
| Validate an SPF record against the 10-lookup RFC limit | SPF-Lookup-Validator | Console |
★ = flagship tool with rich HTML report
CA-Policy-Analyzer ★ · CA posture score, gaps, and insights
Exports your full CA configuration, scores every policy 0-100, flags tenant-wide gaps against Microsoft's 2026 best practices — including the May 2026 enforcement change — and produces a self-contained HTML report with posture score, priority-sorted insights, and per-policy drill-down.
Conditional Access · Entra ID · Posture · Zero Trust
CA-Update-AffectedApps · Prepare for Microsoft's May 2026 CA change
Identifies tenant apps using basic OIDC scopes, cross-references sign-in logs for MFA status, and generates an Excel risk report so you can remediate before the change breaks authentication.
Conditional Access · App Assessment · MFA
CA-BreakGlass-Enforcer · Keep emergency accounts out of every CA policy, always
Azure Consumption Logic App that runs every 30 minutes, iterates every Conditional Access policy, and idempotently adds two break-glass account IDs to the excludeUsers list. Managed Service Identity auth (no stored credentials), least-privilege Graph scope, If-Match PATCH to avoid overwriting concurrent admin edits.
Conditional Access · Break-Glass · Azure Logic Apps · MSI
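The Logic App above is not reproduced here; what follows is an added PowerShell equivalent of the same loop (read every policy, add only the missing IDs, write with `If-Match`), written for this page rather than taken from the ToolKit. It assumes the Microsoft.Graph module, a delegated session holding `Policy.Read.All` and `Policy.ReadWrite.ConditionalAccess`, that the policy endpoint returns an ETag (which is what the Logic App's `If-Match` PATCH relies on), and two placeholder object IDs.

```powershell
# Added example (not the ToolKit's Logic App): idempotent break-glass exclusion with an ETag-guarded PATCH.
# Assumptions: Microsoft.Graph module; Policy.Read.All + Policy.ReadWrite.ConditionalAccess;
# the two object IDs below are placeholders for your own break-glass accounts.
#Requires -Modules Microsoft.Graph.Authentication

$BreakGlassIds = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: break-glass account 1 (object ID)
    '00000000-0000-0000-0000-000000000002'    # placeholder: break-glass account 2 (object ID)
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome
$base = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Collect every policy, following @odata.nextLink in case the tenant has enough policies to page.
$policies = @()
$next = $base
while ($next) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject
    $policies += $page.value
    $next = $page.'@odata.nextLink'
}

foreach ($policy in $policies) {
    $excluded = @($policy.conditions.users.excludeUsers)
    $missing  = @($BreakGlassIds | Where-Object { $_ -notin $excluded })
    if ($missing.Count -eq 0) {
        Write-Host "OK       $($policy.displayName)"
        continue                                   # idempotent: no write when nothing is missing
    }

    # Re-read this one policy immediately before writing and keep its ETag, so the PATCH is
    # refused (412 Precondition Failed) if another admin changed the policy in the meantime.
    # Assumption: the endpoint returns an ETag header for the policy.
    $resp    = Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)" -OutputType HttpResponseMessage
    $etag    = $resp.Headers.ETag.Tag
    $current = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult() | ConvertFrom-Json

    # Send the whole users block back, not just excludeUsers, so nothing else in it is dropped.
    $users = $current.conditions.users
    $users.excludeUsers = @(@($users.excludeUsers) + $missing | Select-Object -Unique)
    $body = @{ conditions = @{ users = $users } } | ConvertTo-Json -Depth 10

    $headers = @{}
    if ($etag) { $headers['If-Match'] = $etag }
    else       { Write-Warning "no ETag returned for $($policy.displayName); writing unconditionally" }

    try {
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($policy.id)" -Headers $headers `
            -Body $body -ContentType 'application/json' | Out-Null
        Write-Host "UPDATED  $($policy.displayName): excluded $($missing -join ', ')"
    } catch {
        # A 412 here means someone edited the policy between the GET and the PATCH; the next run retries.
        Write-Warning "SKIPPED  $($policy.displayName): $($_.Exception.Message)"
    }
}
```

Run it with `-WhatIf`-style caution the first time by commenting out the PATCH and reading the `UPDATED` lines; a 412 on a later run is the guard working, not a bug, and the next pass will pick the policy up again.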
Entra-AppCredentials-Audit · Catch expiring app credentials
Scans every app registration, flags expired and soon-to-expire certificates and client secrets, resolves owners, and optionally removes expired credentials. Excel report with direct links into the Entra portal.
Entra ID · App Registrations · Credential Hygiene
Entra-StaleApps-Cleanup · Clean up unused app registrations
Every tenant accumulates unused app registrations — each one a credential exposure and a permission-abuse risk. Queries the Graph sign-in activity report, flags apps idle past your threshold, and lets you disable or delete them safely.
Entra ID · App Registrations · Cleanup
Entra-StaleDevices-Cleanup · Audit, disable, or delete stale devices
Finds devices that haven't signed in for X days, filters by OS and ownership, shows a full audit with MDM info, then gives you the decision — export only, disable, or delete.
Entra ID · Device Management · Compliance
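The three cleanup tools above (app credentials, stale apps, stale devices) share one shape: query Graph, build a report, preview, then act only after a typed confirmation. The following is an added example in that shape for the credential case, written for this page and not taken from the ToolKit. It assumes the Microsoft.Graph module, `Application.Read.All` for the audit and `Application.ReadWrite.All` only when `-RemoveExpired` is used; the output file name and the `DELETE` confirmation word are choices made here.

```powershell
# Added example (not the ToolKit's Entra-AppCredentials-Audit): flag expired / soon-to-expire
# secrets and certificates on every app registration, resolve owners, optionally remove expired secrets.
# Assumptions: Microsoft.Graph module; Application.Read.All (audit) or Application.ReadWrite.All (removal).
#Requires -Modules Microsoft.Graph.Applications
param(
    [int]$DaysAhead = 30,       # report credentials expiring within this many days
    [switch]$RemoveExpired      # opt in to the destructive step; still needs a typed confirmation
)

$scopes = if ($RemoveExpired) { 'Application.ReadWrite.All' } else { 'Application.Read.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$now      = [DateTime]::UtcNow
$deadline = $now.AddDays($DaysAhead)

$findings = foreach ($app in Get-MgApplication -All -Property id,appId,displayName,passwordCredentials,keyCredentials) {
    # Normalise both credential types into one list so the same date check applies to each.
    $creds = @(
        foreach ($p in $app.PasswordCredentials) { [PSCustomObject]@{ Type = 'Secret';      KeyId = $p.KeyId; End = $p.EndDateTime } }
        foreach ($k in $app.KeyCredentials)      { [PSCustomObject]@{ Type = 'Certificate'; KeyId = $k.KeyId; End = $k.EndDateTime } }
    )
    $atRisk = @($creds | Where-Object { $_.End -and $_.End -le $deadline })
    if ($atRisk.Count -eq 0) { continue }

    # Only resolve owners for apps that actually have a finding (one extra call per flagged app).
    $owners = (Get-MgApplicationOwner -ApplicationId $app.Id -ErrorAction SilentlyContinue |
               ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'

    foreach ($c in $atRisk) {
        [PSCustomObject]@{
            App      = $app.DisplayName
            AppId    = $app.AppId
            ObjectId = $app.Id
            Owners   = $owners
            Type     = $c.Type
            KeyId    = $c.KeyId
            Expires  = $c.End.ToUniversalTime().ToString('yyyy-MM-dd')
            State    = if ($c.End -lt $now) { 'EXPIRED' } else { 'EXPIRING' }
        }
    }
}

$findings | Sort-Object Expires | Format-Table App, Type, State, Expires, Owners -AutoSize
$findings | Export-Csv -Path ./app-credentials-audit.csv -NoTypeInformation   # opens cleanly in Excel

if ($RemoveExpired) {
    # Certificates are left alone here: removing a keyCredential means rewriting the whole list.
    $targets = @($findings | Where-Object { $_.State -eq 'EXPIRED' -and $_.Type -eq 'Secret' })
    if ($targets.Count -eq 0) { Write-Host 'No expired secrets to remove.'; return }

    $targets | Format-Table App, KeyId, Expires -AutoSize                     # preview before acting
    $answer = Read-Host "Type DELETE to remove the $($targets.Count) expired secret(s) listed above"
    if ($answer -cne 'DELETE') { Write-Host 'Aborted, nothing changed.'; return }

    foreach ($t in $targets) {
        Remove-MgApplicationPassword -ApplicationId $t.ObjectId -KeyId $t.KeyId
        Write-Host "Removed secret $($t.KeyId) from $($t.App)"
    }
}
```

Note that an expired secret is harmless to remove but an expiring one is not: the report is the signal to rotate, and rotation (add new, deploy, then remove old) is deliberately left to a human.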
SharePoint-Sites-Audit ★ · Find the risky sites, OneDrives, groups, teams
Iterates every site, OneDrive, M365 group, and Team. Runs 14 per-entity security checks — public sharing, excessive external users, inactive sites, missing sensitivity labels — and produces an HTML report with per-entity scores and drill-down findings.
SharePoint · OneDrive · Teams · Sensitivity Labels
EXO-AppPermissions-Manager · Exchange Online app-to-mailbox scoping
Creates management scopes, assigns roles, and verifies configuration in one flow. Supports all 13 Exchange application roles and every mailbox type.
Exchange Online · RBAC · Mailbox Scoping
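The scope-then-assign-then-verify flow described above maps onto three Exchange Online cmdlets. The following is an added example written for this page, not the ToolKit's script; it assumes the ExchangeOnlineManagement v3 module, a role that can manage RBAC (Exchange Administrator or equivalent), and placeholder values for the app ID, the service principal object ID, the scope name and the test mailbox.

```powershell
# Added example (not the ToolKit's EXO-AppPermissions-Manager): limit an app's Mail.Read to one
# set of mailboxes with Exchange Online "RBAC for Applications", then verify the result.
# Assumptions: ExchangeOnlineManagement v3; all IDs and addresses below are placeholders.
#Requires -Modules ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string]$AppId,       # application (client) ID of the app registration
    [Parameter(Mandatory)] [string]$SpObjectId,  # object ID of the service principal in Entra ID (not the app registration)
    [string]$ScopeName   = 'Finance-Mailboxes',
    [string]$Role        = 'Application Mail.Read',
    [string]$TestMailbox = 'finance-shared@contoso.test'
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Make the service principal known to Exchange Online (skip if it already is).
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName "App $AppId" | Out-Null
}

# 2. Define the mailbox set with a recipient filter; here every mailbox tagged CustomAttribute1 = Finance.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "CustomAttribute1 -eq 'Finance'" | Out-Null
}

# 3. Bind the application role to the app, limited to that scope. The explicit -Name makes a
#    second run fail loudly instead of silently creating a duplicate assignment.
New-ManagementRoleAssignment -Name "$ScopeName-$($Role -replace ' ','-')" `
    -App $AppId -Role $Role -CustomResourceScope $ScopeName | Out-Null

# 4. Verify: InScope should be True for a Finance mailbox and False for any other mailbox you test.
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $TestMailbox |
    Format-Table RoleName, GrantedPermissions, AllowedResourceScope, ScopeType, InScope -AutoSize
```

Two caveats a practitioner will want: the scope only narrows what Exchange grants through this assignment, so an app that still holds an admin-consented tenant-wide Graph `Mail.Read` application permission is not narrowed by it (remove that permission or use an application access policy for it); and the recipient filter is evaluated by Exchange, so a mailbox tagged later is picked up automatically, which is exactly what you want and also what you must audit.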
Planner-Plan-Organizer · Sort, dedupe, and clean up Planner buckets
Interactive organizer for any Microsoft Planner plan — sort buckets A-Z, merge duplicates, delete empty or stale buckets, and export a local JSON backup. Every destructive action previews first and requires a typed confirmation.
Planner · M365 Groups · Cleanup
SPF-Lookup-Validator · RFC 7208-compliant SPF chain analysis
Recursively walks your entire SPF include chain, counts the real DNS lookup total against the 10-lookup limit, and catches misconfigurations before they break email delivery.
SPF · Email Security · DNS
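The counting rule the validator applies is in RFC 7208 §4.6.4: the `include`, `a`, `mx`, `ptr` and `exists` mechanisms and the `redirect` modifier each cost one DNS lookup, `ip4`, `ip6`, `all` and `exp` cost none, the total over the whole include/redirect chain may not exceed 10, and at most 2 of those lookups may return nothing (void lookups). The function below is an added example of that walk, written for this page rather than taken from the ToolKit's SPF-Lookup-Validator. DNS is abstracted behind a `$Resolver` scriptblock so the constructed zone (invented names and records, deliberately over the limit) runs offline; the `Resolve-DnsName` resolver at the end is the Windows-only live variant.

```powershell
# Added example (not the ToolKit's SPF-Lookup-Validator): count RFC 7208 s4.6.4 DNS lookups across
# an SPF include/redirect chain, detecting loops, missing records and void lookups.
# Assumptions: the zone data below is constructed for illustration; the live resolver needs Windows' DnsClient.
function Get-SpfLookupCount {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [scriptblock]$Resolver,   # takes a name, returns its v=spf1 TXT string or $null
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    )
    $r = [ordered]@{ Lookups = 0; VoidLookups = 0; Warnings = @(); Errors = @() }

    if (-not $Visited.Add($Domain)) {                       # seen before on this chain: include/redirect loop
        $r.Errors += "include/redirect loop at $Domain"
        return [PSCustomObject]$r
    }
    $record = & $Resolver $Domain
    if (-not $record) {                                     # the lookup was spent but returned nothing
        $r.VoidLookups = 1
        $r.Errors += "no SPF record at $Domain"
        return [PSCustomObject]$r
    }
    if ($record -notmatch '^v=spf1(\s|$)') {
        $r.Errors += "TXT at $Domain is not an SPF record"
        return [PSCustomObject]$r
    }

    foreach ($term in ($record.Trim() -split '\s+' | Select-Object -Skip 1)) {
        $bare = $term -replace '^[+\-~?]', ''               # the qualifier does not change the count
        switch -Regex ($bare) {
            '^(include:|redirect=)(.+)$' {                  # both recurse and both cost a lookup
                $target = $Matches[2]
                $r.Lookups++
                $sub = Get-SpfLookupCount -Domain $target -Resolver $Resolver -Visited $Visited
                $r.Lookups += $sub.Lookups; $r.VoidLookups += $sub.VoidLookups
                $r.Warnings += $sub.Warnings; $r.Errors += $sub.Errors
                break
            }
            '^(a|mx)(:[^/]+)?(/[\d/]+)?$' { $r.Lookups++; break }   # a, a:host, mx/24, a:host/24//64 ...
            '^exists:.+$'                 { $r.Lookups++; break }
            '^ptr(:.+)?$'                 { $r.Lookups++; $r.Warnings += "ptr mechanism at $Domain (deprecated)"; break }
            '^(ip4|ip6):.+$'              { break }         # literal networks: no lookup
            '^all$'                       { break }
            '^exp=.+$'                    { break }         # explanation modifier is not counted
            default                       { $r.Errors += "unrecognised term '$term' at $Domain" }
        }
    }
    return [PSCustomObject]$r
}

function Test-SpfRecord {
    param([Parameter(Mandatory)] [string]$Domain, [Parameter(Mandatory)] [scriptblock]$Resolver)
    $r = Get-SpfLookupCount -Domain $Domain -Resolver $Resolver
    [PSCustomObject]@{
        Domain      = $Domain
        Lookups     = $r.Lookups
        Limit       = 10
        VoidLookups = $r.VoidLookups
        Pass        = ($r.Lookups -le 10 -and $r.VoidLookups -le 2 -and $r.Errors.Count -eq 0)
        Warnings    = $r.Warnings -join '; '
        Errors      = $r.Errors -join '; '
    }
}

# Constructed zone (invented names) exercising mx, nested includes, ptr, a void include and a redirect loop.
$zone = @{
    'example.test'      = 'v=spf1 mx include:_spf.mailer.test include:_spf.crm.test -all'
    '_spf.mailer.test'  = 'v=spf1 ip4:203.0.113.0/24 include:_spf2.mailer.test ~all'
    '_spf2.mailer.test' = 'v=spf1 a:relay.mailer.test ip4:198.51.100.0/24 -all'
    '_spf.crm.test'     = 'v=spf1 include:_spf.crm-eu.test include:_spf.crm-us.test -all'
    '_spf.crm-eu.test'  = 'v=spf1 a mx ptr include:missing.test -all'
    '_spf.crm-us.test'  = 'v=spf1 exists:%{i}.check.crm-us.test redirect=_spf.crm.test'
}
$offlineResolver = { param($name) $zone[$name] }.GetNewClosure()
Test-SpfRecord -Domain 'example.test' -Resolver $offlineResolver | Format-List

# Live variant (Windows, DnsClient module): pick the TXT record that starts with v=spf1.
$liveResolver = {
    param($name)
    Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' } |
        Select-Object -First 1
}
# Test-SpfRecord -Domain 'yourdomain.example' -Resolver $liveResolver | Format-List
```

The counter deliberately keeps counting after a loop or a missing record rather than stopping, because a receiver that hits `permerror` on one branch still tells you how far over the limit the rest of the chain is. Check `Warnings` as well as `Pass`: `ptr` is within the limit but is the mechanism most receivers advise removing.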
Threat-Hunting · KQL queries, IoCs, and detection rules for M365 / Entra ID / Defender XDR / Sentinel
Curated library of 44 KQL hunt queries spanning OAuth abuse, identity attacks, data exfiltration, persistence, endpoint infostealers, and token theft — each tied to a documented incident (Vercel/Context.ai, Storm-2477 Lumma, Storm-2372 device code, Scattered Spider, NOBELIUM). Plus 5 IOC categories from CISA advisories + abuse.ch + Microsoft Threat Intel, and 15 production-ready detection rules (13 Sentinel YAML + 2 Defender XDR custom detections). Every artifact self-contained with inline metadata, MITRE ATT&CK mapping, tuning, and source attribution.
KQL · Sentinel · Defender XDR · Advanced Hunting · MITRE ATT&CK · IoCs
```bash
# Clone the repository
git clone https://github.com/griffin31-lab/Griffin31-ToolKit.git
cd Griffin31-ToolKit

# Pick a tool, open its folder, follow its README
cd CA-Policy-Analyzer
pwsh ./CA-Manager.ps1
```

Every tool is self-contained. Most tools require:
- PowerShell 7.x — install guide
- Microsoft.Graph module — auto-installs on first run
- Delegated admin permissions — each tool's README lists exact scopes
No Griffin31 account needed. No telemetry. No network calls beyond the Microsoft service each tool targets (Microsoft Graph, or Exchange Online PowerShell for EXO-AppPermissions-Manager) and, for SPF-Lookup-Validator, DNS.
- One problem, one tool — Every script solves a single real, high-frequency problem. No frameworks you don't need.
- Safe by default — Read-only by default. Destructive actions require explicit confirmation (often two-stage).
- Honest output — Reports show what the tool can and cannot determine. No inflated scores, no marketing numbers.
- Self-contained — Copy the folder, run it, delete it. No global state, no installers.
- Cross-platform where possible — PowerShell 7 on Windows and macOS. We note when a tool is Windows-only.
Found a vulnerability? Please follow our security policy — responsible disclosure to security@griffin31.ai. We respond within 48 hours.
All tools are scanned for supply-chain risks and reviewed against OWASP and Microsoft Graph least-privilege guidance before release. CDN dependencies in generated HTML reports are pinned with SRI hashes.
We welcome contributions — bug fixes, new tools, documentation improvements.
- Issues — open a ticket for bugs and feature requests
- Discussions — join the conversation
- Contribution guide — see CONTRIBUTING.md
- Code of conduct — see CODE_OF_CONDUCT.md
Griffin31 is building the security posture management platform for Microsoft 365 — continuous monitoring, prioritized recommendations, and automated remediation for Entra ID, Exchange Online, SharePoint, Teams, and Intune.
The ToolKit is the free, open-source foundation of the same analysis engines that power our commercial product.