Enterprise-grade deployment automation for Maester - Microsoft 365 Security Test Automation
Author: Adrian Johnson adrian207@gmail.com
The Maester Deployment Framework provides production-ready, multi-platform deployment solutions for automated Microsoft 365 security testing using Maester. This framework enables continuous security monitoring, compliance validation, and automated reporting across your Microsoft 365 tenant.
- Enterprise Deployments: vSphere (Tanzu/RKE2/Vanilla K8s), AKS, EKS, GKE
- Serverless Options: Azure Functions, AWS Lambda, Google Cloud Functions
- Containerized: Docker Compose for rapid deployment
- Zero-Trust Security: Workload Identity Federation (no secrets!)
- Comprehensive Compliance: NIST 800-53, CIS, ISO 27001, HIPAA, PCI-DSS, SOC 2, CMMC
- Multi-Channel Notifications: Email, Microsoft Teams, Slack, Webhooks
- Hybrid Storage: Embedded web server + Cloud backup
- Auto-Updates: Periodic updates for Maester and test definitions
- Microsoft 365 tenant with appropriate permissions
- Azure AD App Registration (for authentication)
- One of:
  - vSphere 7.0+ cluster
  - Kubernetes cluster (any distribution)
  - Azure/AWS/GCP account (for serverless)
  - Docker + Docker Compose
```bash
# Clone the repository
git clone https://github.com/your-org/maester-deployment.git
cd maester-deployment

# Configure environment
cp .env.example .env
# Edit .env with your Azure AD credentials

# Deploy
docker-compose up -d

# Access web UI
open http://localhost:8080
```

For production deployments, see our Deployment Guides.
| Platform | Complexity | Setup Time | Best For | Guide |
|---|---|---|---|---|
| Docker Compose | ⭐ Low | ~30 min | Testing, Small Orgs | Guide |
| Azure Functions | ⭐⭐ Medium | ~1 hour | Cloud-First, Cost-Sensitive | Guide |
| vSphere Tanzu | ⭐⭐⭐ High | ~4 hours | Enterprise, On-Premise | Guide |
| Azure AKS | ⭐⭐ Medium | ~2 hours | Azure-Native | Guide |
| AWS EKS | ⭐⭐ Medium | ~2 hours | AWS-Native | Guide |
| GCP GKE | ⭐⭐ Medium | ~2 hours | GCP-Native | Guide |
```
┌─────────────────────────────────────────────────────────────┐
│                     Maester Deployment                      │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐     │
│  │   Maester    │──▶│    Report    │──▶│ Notification │     │
│  │    Runner    │   │    Server    │   │     Hub      │     │
│  └──────┬───────┘   └──────┬───────┘   └──────┬───────┘     │
│         │                  │                  │             │
│         ▼                  ▼                  ▼             │
│  ┌─────────────────────────────────────────────────────┐    │
│  │          Microsoft Graph API (M365 Tenant)          │    │
│  └─────────────────────────────────────────────────────┘    │
│                                                             │
│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐     │
│  │  Compliance  │   │    Cloud     │   │  Monitoring  │     │
│  │    Mapper    │   │   Storage    │   │   & Alerts   │     │
│  └──────────────┘   └──────────────┘   └──────────────┘     │
└─────────────────────────────────────────────────────────────┘
```
For detailed architecture, see ARCHITECTURE.md.
- ✅ 40+ EIDSCA Tests: Pre-configured Entra ID Security Config Analyzer tests
- ✅ Conditional Access: Policy validation and What-If analysis
- ✅ Custom Tests: PowerShell-based Pester tests
- ✅ Continuous Monitoring: Scheduled test execution
- ✅ Regression Testing: Validate changes before deployment

- ✅ Multi-Framework Support: NIST 800-53, CIS, ISO 27001, HIPAA, PCI-DSS, SOC 2, CMMC
- ✅ Automated Mapping: Tests mapped to compliance controls
- ✅ Evidence Collection: Automated audit-ready evidence packages
- ✅ Gap Analysis: Identify compliance gaps and remediation steps
- ✅ Trend Analysis: Historical compliance score tracking

- ✅ Email: HTML-formatted reports with embedded charts
- ✅ Microsoft Teams: Adaptive Cards with interactive actions
- ✅ Slack: Rich message blocks with threaded updates
- ✅ Webhooks: Custom integrations (PagerDuty, ServiceNow, etc.)
- ✅ Smart Routing: Severity-based notification channels

- ✅ Embedded Web Server: Real-time report viewing with search
- ✅ Cloud Backup: Azure Blob, AWS S3, Google Cloud Storage
- ✅ REST API: Programmatic access to test results
- ✅ Multi-Format Export: HTML, PDF, Excel, JSON, CSV

- ✅ Workload Identity Federation: No secrets in configuration
- ✅ Managed Identities: Azure/AWS/GCP native authentication
- ✅ Least Privilege: Minimal Microsoft Graph permissions
- ✅ Audit Logging: Complete activity tracking
- ✅ Encryption: At-rest and in-transit encryption
The framework includes comprehensive mappings for:
| Framework | Controls | Coverage | Evidence |
|---|---|---|---|
| NIST 800-53 Rev 5 | 1,194 | 342 applicable | ✅ Automated |
| CIS Microsoft 365 | 150+ | Full | ✅ Automated |
| ISO 27001:2022 | 93 (Annex A) | Full | ✅ Automated |
| HIPAA Security Rule | 45 | Full | ✅ Automated |
| PCI-DSS v4.0 | 12 requirements | Applicable | ✅ Automated |
| SOC 2 Type II | 5 Trust Services | Full | ✅ Automated |
| CMMC 2.0 | Level 1-3 | Full | ✅ Automated |
See Compliance Documentation for detailed mappings.
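As an added example (not code from the maester-deployment project), the Python below shows how the compliance mapping and severity-based smart routing described above fit together: each test result is mapped to framework controls, every framework gets a score and a gap list, and failed tests are routed to channels by severity. The test ids, control ids, channel names and record shapes are constructed for illustration and are not Maester's real output schema.

```python
"""Map Maester results to compliance controls and route failures by severity.
Added example, not part of the maester-deployment project; result and mapping
shapes are assumed for illustration, not Maester's real schema."""
from collections import defaultdict

# Constructed sample: one Maester-style result per test (assumed shape).
SAMPLE_RESULTS = [
    {"id": "EIDSCA.AP01", "result": "Passed", "severity": "High"},
    {"id": "EIDSCA.AP04", "result": "Failed", "severity": "High"},
    {"id": "CA.001", "result": "Failed", "severity": "Medium"},
    {"id": "MFA.001", "result": "Passed", "severity": "Low"},
]
# Constructed mapping: test id -> (framework, control) pairs it provides evidence for.
SAMPLE_MAPPING = {
    "EIDSCA.AP01": [("NIST 800-53", "AC-2"), ("CIS M365", "1.1.1")],
    "EIDSCA.AP04": [("NIST 800-53", "AC-6"), ("CIS M365", "1.1.3")],
    "CA.001": [("NIST 800-53", "IA-2"), ("CIS M365", "5.2.2")],
    "MFA.001": [("NIST 800-53", "IA-2")],
}
# Severity-based channel routing (assumed channel names, not the project's config).
ROUTING = {"High": ["teams", "pagerduty"], "Medium": ["teams"], "Low": ["email"]}

def control_status(results, mapping):
    """{framework: {control: passed}}; a control passes only if every test
    mapped to it passed, so a single failing test is enough to open a gap."""
    status = defaultdict(dict)
    for r in results:
        passed = r["result"] == "Passed"
        for framework, control in mapping.get(r["id"], []):
            status[framework][control] = status[framework].get(control, True) and passed
    return dict(status)

def compliance_score(status):
    """Percentage of passing controls per framework, rounded to one decimal."""
    return {fw: round(100 * sum(c.values()) / len(c), 1) for fw, c in status.items()}

def gaps(status):
    """Failing controls per framework, sorted, for the remediation report."""
    return {fw: sorted(k for k, ok in c.items() if not ok) for fw, c in status.items()}

def route_failures(results, routing):
    """{channel: [failed test ids]} chosen by each test's severity; unknown
    severities fall back to email so no failure is silently dropped."""
    out = defaultdict(list)
    for r in results:
        if r["result"] != "Passed":
            for channel in routing.get(r["severity"], ["email"]):
                out[channel].append(r["id"])
    return dict(out)
```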
```
maester-deployment/
├── docs/                    # Documentation
│   ├── deployment-guides/   # Platform-specific guides
│   ├── architecture/        # Architecture documentation
│   ├── compliance/          # Compliance framework docs
│   └── operations/          # Operations guides
├── docker/                  # Docker images
│   ├── maester-runner/      # Test runner container
│   ├── report-server/       # Web UI and API
│   ├── notification-hub/    # Notification orchestrator
│   └── compliance-mapper/   # Compliance engine
├── terraform/               # Infrastructure as Code
│   ├── modules/             # Reusable modules
│   └── environments/        # Environment configs
├── kubernetes/              # Kubernetes manifests
│   ├── base/                # Base resources
│   ├── overlays/            # Kustomize overlays
│   └── helm/                # Helm charts
├── serverless/              # Serverless deployments
│   ├── azure-functions/     # Azure Functions
│   ├── aws-lambda/          # AWS Lambda
│   └── gcp-functions/       # Google Cloud Functions
├── compliance/              # Compliance mappings
│   └── frameworks/          # Framework definitions
├── tests/                   # Custom Maester tests
│   ├── examples/            # Example tests
│   └── templates/           # Test templates
└── scripts/                 # Utility scripts
    ├── setup/               # Setup automation
    └── maintenance/         # Maintenance scripts
```
```bash
# Azure AD Authentication
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id

# Test Configuration
TEST_SCHEDULE="0 2 * * *"        # Daily at 2 AM
TEST_TAGS="EIDSCA,CA,MFA"        # Test categories
REPORT_RETENTION_DAYS=90

# Notifications
NOTIFICATION_EMAIL=security@company.com
TEAMS_WEBHOOK_URL=https://...
SLACK_WEBHOOK_URL=https://...

# Storage
CLOUD_STORAGE_PROVIDER=azure     # azure|aws|gcp
STORAGE_ACCOUNT_NAME=maesterreports
```

See Configuration Guide for full reference.
- Docker Compose
- vSphere Tanzu
- vSphere Vanilla Kubernetes
- Azure Functions (Serverless)
- AWS Lambda (Serverless)
- Azure AKS
- AWS EKS
- Google GKE
- Configuration Reference
- Monitoring & Alerting
- Backup & Recovery
- Troubleshooting
- Updates & Maintenance
We welcome contributions! Please see our Contributing Guide for details.
```bash
# Clone repository
git clone https://github.com/your-org/maester-deployment.git
cd maester-deployment

# Install development dependencies
./scripts/setup/dev-setup.sh

# Run tests
./scripts/test/run-tests.sh
```

- ✅ Core deployment framework
- ✅ vSphere support (Tanzu/Vanilla/RKE2)
- ✅ Kubernetes deployments
- ✅ Serverless options (Azure/AWS/GCP)
- ✅ Compliance framework mappings
- ✅ Multi-channel notifications
- ⬜ Production hardening
- ⬜ Performance optimizations
- ⬜ Extended testing coverage
- ⬜ Enhanced documentation
- ⬜ Community feedback integration
- ⬜ Multi-tenant support
- ⬜ Advanced dashboards
- ⬜ Automated remediation workflows
- ⬜ GitOps integration (ArgoCD/Flux)
- ⬜ Cost optimization recommendations
See ROADMAP.md for detailed planning.
| Metric | Target | Typical |
|---|---|---|
| Test Execution Time | < 10 min | 5-7 min |
| Report Generation | < 2 min | 30-60 sec |
| API Response Time | < 500ms | 100-200ms |
| Cold Start (Serverless) | < 30 sec | 5-15 sec |
| Concurrent Users | 50+ | N/A |
- Infrastructure: Existing server/VM
- Monthly Cost: $0 incremental
- Infrastructure: Existing vSphere investment
- VMs: ~144 vCPU, ~224GB RAM total
- Storage: ~500GB
- Monthly Cost: $0 incremental + $20-50 cloud backup
- Azure Functions: ~$10-30/month
- Container Apps: ~$20-40/month (scale to zero)
- Storage: ~$5-20/month
- Total: $35-90/month
- Lambda: ~$10-25/month
- Fargate: ~$25-45/month
- S3: ~$5-15/month
- Total: $40-85/month
Please report security vulnerabilities to security@your-domain.com. Do not create public GitHub issues for security vulnerabilities.
- ✅ Use Workload Identity Federation (no secrets)
- ✅ Enable encryption at rest and in transit
- ✅ Implement least privilege access
- ✅ Regular security updates
- ✅ Audit logging enabled
- ✅ Network isolation
See SECURITY.md for detailed security practices.
This project is licensed under the MIT License - see the LICENSE file for details.
- Maester Team for the excellent security testing framework
- Microsoft Graph for comprehensive APIs
- Pester for PowerShell testing framework
- Community contributors and testers
For enterprise support, training, and custom development:
- Email: support@your-domain.com
- Website: https://your-domain.com
Current Status: Pre-Release (v0.9.0)
Stability: Beta
Production Ready: Use with caution, testing recommended
Built with ❤️ for secure Microsoft 365 environments