Multi-customer · multi-tenant · open-source under MIT.

Quick Start · Features · Compliance · Documentation · Contributing · Discussions
Most MSP M365 tooling is read-only dashboards or pre-AI scripting platforms. Aegis is built differently: every workflow an MSP runs against Microsoft 365 (drift detection, anomaly response, policy generation, compliance evidence) has AI woven through it, with safety controls and audit trails designed to survive a security review rather than bypass one.

Designed for the operator running 5–500 customers who needs leverage, not just visibility.
| Principle | What it means |
|---|---|
| Multi-tenant by default | Customer-aware data model from day one. Every query is scoped; nothing leaks between customers. |
| AI throughout | 24+ AI workflows backed by real Graph data. Anomaly detection, policy generation, drift narration, compliance reasoning. |
| Audit-ready | 6 compliance frameworks (HIPAA, SOC 2, CMMC, NIST 800-53, ISO 27001, PCI DSS). Downloadable audit packages with PDF cover and per-control snapshots. |
| White-label portal | Customer-facing read-only portal at `<slug>.<your-host>` or their own `portal.acme.com`, branded per customer. |
| Pluggable | PSA integrations (HaloPSA, Autotask, ConnectWise, ServiceNow, Jira). Marketplace for policy templates and AI workflows. |
| Safe by design | Every new table ships with RLS policies. Customer-owned data never leaves your Supabase project. BYOK supported for every AI provider. |
```bash
git clone https://github.com/<your-fork>/aegis.git
cd aegis
npm install
cp .env.example .env   # fill in your Supabase URL + publishable key
npm run dev            # → http://localhost:8080
```

Then deploy the backend (migrations + edge functions) in one command:

```bash
# Windows
.\scripts\deploy-aegis.ps1

# macOS / Linux / WSL
./scripts/deploy-aegis.sh
```

See the full deployment runbook for DNS / SSL / cron setup.
```mermaid
flowchart LR
  subgraph M365[Microsoft 365 tenants]
    Graph[Microsoft Graph API]
    MDE[Defender for Endpoint API]
  end
  subgraph Aegis[Aegis platform]
    UI["MSP UI (React + Tailwind)"]
    Portal["Customer Portal<br/>(branded, read-only)"]
    Edge["Supabase Edge Functions<br/>(Deno)"]
    DB[("Supabase Postgres<br/>+ RLS + pg_cron")]
  end
  subgraph External[External services]
    AI[OpenAI-compatible<br/>AI Gateway]
    PSA[PSA: HaloPSA · Autotask<br/>ConnectWise · ServiceNow · Jira]
    Email[Resend / SMTP]
  end
  UI <--> DB
  Portal <--> DB
  UI --> Edge
  Portal --> Edge
  Edge --> Graph
  Edge --> MDE
  Edge --> AI
  Edge --> PSA
  Edge --> Email
  DB <-..-> Edge
```
- Frontend is a single React SPA. MSP routes get full Tenant + Branding context; portal routes (`/portal/*` or custom hosts) are isolated and read-only.
- Edge functions (Deno) handle Graph calls, AI orchestration, scheduled jobs, and webhook fan-out. Every function enforces auth + ownership.
- Postgres with Row-Level Security on every table; `pg_cron` triggers scheduled compliance + DUDE runs.
- Bring your own AI: point `AI_GATEWAY_URL` at any OpenAI-compatible endpoint (OpenAI, Azure OpenAI, OpenRouter, your own proxy). Or use BYOK per-feature for direct Anthropic / Google / Mistral / Groq.
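The "auth + ownership" gate every edge function runs before touching tenant data, as an added example that is not Aegis project code. The token lookup (`SESSIONS`) and the tenant-to-MSP ownership map (`TENANT_OWNER`) are constructed in-memory stand-ins for Supabase Auth and the customers/tenants tables; in the real stack the same scoping is enforced a second time by RLS when the function queries Postgres with the caller's JWT. The choice to answer foreign and unknown tenants identically (404) is this example's, not necessarily the project's.

```typescript
// Added example (not Aegis code): auth + ownership check for an edge function.

type Session = { userId: string; mspId: string };

// Constructed stand-in for `supabase.auth.getUser(jwt)`: opaque token -> session.
const SESSIONS: Record<string, Session> = {
  "tok-alice": { userId: "u-alice", mspId: "msp-1" },
  "tok-bob":   { userId: "u-bob",   mspId: "msp-2" },
};

// Constructed stand-in for the customers/tenants tables: tenant -> owning MSP.
const TENANT_OWNER: Record<string, string> = {
  "tenant-acme":   "msp-1",
  "tenant-globex": "msp-2",
};

type EdgeRequest = { headers: Record<string, string>; tenantId: string };
type EdgeResponse = { status: number; body: string };

// Accept only a well-formed "Bearer <token>" header and map it to a session.
function sessionFromHeader(headers: Record<string, string>): Session | null {
  const auth = headers["authorization"] ?? headers["Authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m) return null;
  return SESSIONS[m[1]] ?? null;
}

function handleTenantRequest(req: EdgeRequest): EdgeResponse {
  // 1. Authentication: no valid session, no further processing.
  const session = sessionFromHeader(req.headers);
  if (!session) return { status: 401, body: "missing or invalid bearer token" };

  // 2. Ownership: the tenant must belong to the caller's MSP. Unknown and
  //    foreign tenants get the same answer so the endpoint does not reveal
  //    which tenant ids exist in other MSPs' books.
  const owner = TENANT_OWNER[req.tenantId];
  if (owner === undefined || owner !== session.mspId) {
    return { status: 404, body: "tenant not found" };
  }

  // 3. Only now would the function call Graph / read tenant rows.
  return { status: 200, body: `ok: ${session.userId} may read ${req.tenantId}` };
}

console.log(handleTenantRequest({ headers: { authorization: "Bearer tok-alice" }, tenantId: "tenant-globex" }));
```

The order matters: authentication before ownership, and ownership before any Graph or database call, so a missing check cannot be masked by a later one.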
### Governance & Configuration

- Tenant Health: connection health, API status, license usage across every connected tenant
- Resource Explorer: browse and select M365 resources across 11 categories (Intune, Conditional Access, Entra ID, Exchange, SharePoint, Teams, etc.)
- Export Configuration: tenant settings exported to JSON / Terraform / Bicep / PowerShell
- Import & Restore: restore configurations from previous exports or migrate between tenants
- Policy Templates: reusable policy definitions for consistent deployments across customers
- Customer Management: group multiple tenants under MSP customers; org chart, contacts, PSA ticket links
### Intune & Device Management

- Intune Manager: centralized device, app, policy, and configuration management across tenants
- DUDE Sync: Dynamic User & Device Enumeration. Auto-tag Defender devices and sync user-group → device-group membership with transitive resolution, blast-radius limiter, prefix allowlists, dry-run-by-default, scheduled execution, and AU user sync. Concept inspired by Daniel Petri's DUDE-Manager (MIT).
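The planning step of a user-group → device-group sync with the four safety rails listed above (transitive resolution, prefix allowlist, blast-radius limiter, dry-run by default), as an added example; it is neither Aegis nor DUDE-Manager code. The directory data (`SAMPLE`, `MAPPINGS`) is constructed, nested groups are marked with a `g:` prefix for brevity, and the "apply" step mutates the in-memory directory where the real feature would issue Graph group-membership calls.

```typescript
// Added example (not Aegis / DUDE-Manager code): plan a device-group sync safely.

type Directory = {
  groupMembers: Record<string, string[]>;        // group -> direct members ("g:" = nested group)
  userDevices: Record<string, string[]>;         // user -> devices they own
  deviceGroupMembers: Record<string, string[]>;  // device group -> current device members
};
type Mapping = { userGroup: string; deviceGroup: string };
type Change = { group: string; device: string };
type Plan = {
  adds: Change[]; removes: Change[];
  skippedGroups: string[];   // mappings rejected by the prefix allowlist
  applied: boolean;          // false on dry run or when the limiter trips
  reason: string;
};

// Transitive membership: every user reachable through nested groups, cycle-safe.
function resolveUsers(dir: Directory, group: string, seen: Set<string> = new Set()): Set<string> {
  const users = new Set<string>();
  if (seen.has(group)) return users;
  seen.add(group);
  for (const m of dir.groupMembers[group] ?? []) {
    if (m.startsWith("g:")) resolveUsers(dir, m.slice(2), seen).forEach((u) => users.add(u));
    else users.add(m);
  }
  return users;
}

function planSync(dir: Directory, mappings: Mapping[],
                  opts: { allowPrefixes: string[]; maxChanges: number; dryRun?: boolean }): Plan {
  const dryRun = opts.dryRun ?? true;   // dry run unless the operator explicitly opts in
  const plan: Plan = { adds: [], removes: [], skippedGroups: [], applied: false, reason: "" };

  for (const { userGroup, deviceGroup } of mappings) {
    // Prefix allowlist: only device groups the operator has named may ever be written.
    if (!opts.allowPrefixes.some((p) => deviceGroup.startsWith(p))) {
      plan.skippedGroups.push(deviceGroup);
      continue;
    }
    const wanted = new Set<string>();
    resolveUsers(dir, userGroup).forEach((u) => {
      for (const d of dir.userDevices[u] ?? []) wanted.add(d);
    });
    const current = new Set(dir.deviceGroupMembers[deviceGroup] ?? []);
    wanted.forEach((d) => { if (!current.has(d)) plan.adds.push({ group: deviceGroup, device: d }); });
    current.forEach((d) => { if (!wanted.has(d)) plan.removes.push({ group: deviceGroup, device: d }); });
  }

  // Blast-radius limiter: a mapping mistake that would rewrite hundreds of
  // memberships is refused outright instead of being applied.
  const total = plan.adds.length + plan.removes.length;
  if (total > opts.maxChanges) {
    plan.reason = `blast radius: ${total} changes exceed limit ${opts.maxChanges}`;
  } else if (dryRun) {
    plan.reason = `dry run: ${total} changes planned, nothing written`;
  } else {
    applyPlan(dir, plan);   // real run: Graph add/remove calls would go here
    plan.applied = true;
    plan.reason = `applied ${total} changes`;
  }
  return plan;
}

function applyPlan(dir: Directory, plan: Plan): void {
  for (const { group, device } of plan.adds) {
    if (!dir.deviceGroupMembers[group]) dir.deviceGroupMembers[group] = [];
    dir.deviceGroupMembers[group].push(device);
  }
  for (const { group, device } of plan.removes) {
    dir.deviceGroupMembers[group] = (dir.deviceGroupMembers[group] ?? []).filter((d) => d !== device);
  }
}

// Constructed sample directory: Sales contains a nested EMEA group.
const SAMPLE: Directory = {
  groupMembers: { "Sales": ["alice", "g:Sales-EMEA"], "Sales-EMEA": ["bob"], "Finance": ["carol"] },
  userDevices: { alice: ["dev-a1"], bob: ["dev-b1", "dev-b2"], carol: ["dev-c1"] },
  deviceGroupMembers: { "DUDE-Sales-Devices": ["dev-b1", "dev-old"], "Finance-Devices": [] },
};
const MAPPINGS: Mapping[] = [
  { userGroup: "Sales", deviceGroup: "DUDE-Sales-Devices" },
  { userGroup: "Finance", deviceGroup: "Finance-Devices" },   // not under the allowed prefix
];
function freshSample(): Directory { return JSON.parse(JSON.stringify(SAMPLE)); }

console.log(planSync(freshSample(), MAPPINGS, { allowPrefixes: ["DUDE-"], maxChanges: 10 }));
```

With the sample data the plan is two adds (`dev-a1`, `dev-b2`) and one remove (`dev-old`) for the allowed group, while `Finance-Devices` is skipped; lowering `maxChanges` below three turns the same plan into a refusal.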
### Threat Intelligence & Forensics

- MISP Browser: local threat intel browser with curated ATT&CK techniques, IOCs, threat actor profiles, OSINT feeds
- Hawk Forensics: incident forensics workflow leveraging Microsoft Hawk
- Email Security: outbound + inbound posture monitoring, transport rule audit
- Reference Catalog: 38 ATT&CK Techniques · 20 Galaxy Clusters · 14 OSINT Feeds · 4 Taxonomies built in
### AI Workflows (24+)

| Workflow | What it does |
|---|---|
| Tenant Analyzer | Natural-language Q&A across tenant configurations |
| AI Query | Cross-tenant natural-language search |
| AI Chat | Conversational interface to your tenant data |
| Cross-Tenant Insights | Patterns and anomalies across the customer book |
| Policy Generator | Generate Conditional Access, Intune compliance, configuration policies from prompts |
| Remediation Scripts | PowerShell / Graph remediation for detected issues |
| Change Impact | Predict downstream impact of proposed policy changes |
| Anomaly Detection | Sign-in, config-change, and permission-grant anomalies |
| Incident Responder | Guided incident response with Graph-based evidence collection |
| User Risk Profiler | Risk-score users from sign-in behavior, app consent, group membership |
| Drift Detection + Drift Explainer | Detect and narrate configuration drift in plain English |
| Security Predictor / Benchmark | Predict incidents and benchmark against industry baselines |
| Compliance Advisor | Map findings to control requirements |
| License Optimizer | Spot underutilized SKUs |
| Cost Predictor | Forecast license + Copilot consumption |
| Migration Planner | Plan tenant-to-tenant migrations |
| Copilot Readiness Advisor | Score and remediate readiness for Copilot rollout |
| Executive Reports | One-click stakeholder-facing summaries |
Multi-LLM provider support: bring-your-own-key for OpenAI · Anthropic · Google · Azure OpenAI · OpenRouter · Groq · Mistral · Perplexity · plus a built-in OpenAI-compatible gateway.
### Customer Portal (white-label)

- Subdomain routing: `<customer-slug>.<your-base-host>`
- Custom domain: `portal.acme.com` with DNS verification
- Branded shell: logo, primary/accent colors, support contacts per customer
- Read-only views: secure score, drift findings, anomaly history (RLS-scoped to that customer's tenants only)
- Email-based portal user invites: magic link redirected at the customer's portal sign-in
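Host-header resolution for the two portal routes above (subdomain under the base host, or a verified custom domain), as an added example that is not Aegis code. The customer records (`CUSTOMERS`) are constructed and the base host `aegis.io` is the one used as an example for `VITE_PORTAL_BASE_HOST`; the normalisation rules and the refusal to route nested subdomains or unverified custom domains are this example's design choices. The point a reviewer cares about is that the Host header is attacker-controlled input: it is normalised and matched exactly, never used as a substring or forwarded unchecked.

```typescript
// Added example (not Aegis code): map an incoming Host header to a portal customer.

type PortalCustomer = { id: string; slug: string; customDomain?: string; domainVerified: boolean };

// Constructed customer records: one verified custom domain, one pending, one none.
const CUSTOMERS: PortalCustomer[] = [
  { id: "c-acme",    slug: "acme",    customDomain: "portal.acme.com",       domainVerified: true },
  { id: "c-globex",  slug: "globex",  customDomain: "portal.globex.example", domainVerified: false },
  { id: "c-initech", slug: "initech", domainVerified: false },
];

type Resolution =
  | { kind: "subdomain" | "custom"; customerId: string }
  | { kind: "none"; reason: string };

// Normalise the Host header: lower-case, strip port and trailing dot, and
// accept only DNS label characters so odd input never reaches the matchers.
function normaliseHost(raw: string): string | null {
  const host = raw.trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
  return /^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/.test(host) ? host : null;
}

function resolvePortalHost(rawHost: string, baseHost: string, customers: PortalCustomer[]): Resolution {
  const host = normaliseHost(rawHost);
  if (!host) return { kind: "none", reason: "malformed host" };
  const base = baseHost.toLowerCase();

  // The bare base host is the MSP app itself, not a customer portal.
  if (host === base) return { kind: "none", reason: "base host is not a portal" };

  // Subdomain route: exactly one label in front of the base host.
  if (host.endsWith("." + base)) {
    const slug = host.slice(0, host.length - base.length - 1);
    if (slug.includes(".")) return { kind: "none", reason: "nested subdomain not routed" };
    const c = customers.find((x) => x.slug === slug);
    return c ? { kind: "subdomain", customerId: c.id } : { kind: "none", reason: "unknown slug" };
  }

  // Custom-domain route: exact match AND DNS verification completed, so a
  // customer cannot claim a hostname they do not control.
  const c = customers.find((x) => x.customDomain === host);
  if (!c) return { kind: "none", reason: "unknown host" };
  if (!c.domainVerified) return { kind: "none", reason: "custom domain not verified" };
  return { kind: "custom", customerId: c.id };
}

console.log(resolvePortalHost("ACME.aegis.io:443", "aegis.io", CUSTOMERS));
```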
### Marketplace + Plugin SDK

- Policy Templates Marketplace: publish + install community-shared policy templates with star ratings and install counts
- Plugin SDK: author AI workflows as `{prompt template, input schema, optional tenant-context flag}`. Run, share publicly, install someone else's into your library
Six frameworks, ~46 controls, all backed by the same evaluator code that runs against live tenant configuration.
| Framework | Version | Controls | Evaluators |
|---|---|---|---|
| HIPAA Security Rule | 45 CFR 164 | 5 | ✅ Auto |
| SOC 2 Trust Services Criteria | 2017 (rev. 2022) | 6 | ✅ Auto |
| CMMC Level 2 | v2.0 | 9 | ✅ Auto |
| NIST SP 800-53 | Rev. 5 (Moderate) | 11 | ✅ Auto |
| ISO/IEC 27001 Annex A | 2022 | 8 | ✅ Auto |
| PCI DSS | v4.0 (M365 subset) | 8 | ✅ Auto |
Each run produces a downloadable ZIP:

```text
acme_2026-04-29_evidence_package.zip
├── cover.pdf            # auditor-facing summary, color-coded control table
├── manifest.json        # machine-readable run metadata
├── narratives.md        # (optional) AI-generated plain-English explanations of failed controls
└── controls/
    ├── 164.312(d).json  # per-control raw snapshot (the actual evidence)
    └── …
```
Schedule recurring collection per (framework, target tenants, cadence). pg_cron pings the runner every 15 min.
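How a control evaluator turns live tenant configuration into the `manifest.json` and `controls/<id>.json` files of the package above, as an added example that is not the project's evaluator code. The tenant configuration shape (`TenantConfig`), the two HIPAA evaluators and the way they map a setting to a control (`164.312(d)` checked as "an enabled Conditional Access policy requires MFA for all users", `164.312(a)(1)` checked as "legacy authentication blocked") are illustrative constructions, not the project's control logic; the package file name follows the format shown on the page.

```typescript
// Added example (not Aegis code): evaluators -> per-control snapshots + manifest.

type CaPolicy = { name: string; state: "enabled" | "disabled"; grantMfa: boolean; targetsAllUsers: boolean };
type TenantConfig = { tenantId: string; conditionalAccess: CaPolicy[]; legacyAuthBlocked: boolean };

type ControlResult = {
  controlId: string;
  framework: string;
  status: "pass" | "fail";
  evidence: unknown;   // raw snapshot the auditor sees in controls/<id>.json
  summary: string;
};
type Evaluator = { controlId: string; framework: string; evaluate: (cfg: TenantConfig) => ControlResult };

const HIPAA = "HIPAA Security Rule";

// One evaluator per control; the setting-to-control mapping here is illustrative.
const evaluators: Evaluator[] = [
  {
    controlId: "164.312(d)", framework: HIPAA,   // person or entity authentication
    evaluate(cfg) {
      const mfa = cfg.conditionalAccess.filter((p) => p.state === "enabled" && p.grantMfa && p.targetsAllUsers);
      return {
        controlId: "164.312(d)", framework: HIPAA,
        status: mfa.length > 0 ? "pass" : "fail",
        evidence: { conditionalAccess: cfg.conditionalAccess },   // keep the raw input, not just the verdict
        summary: mfa.length > 0
          ? `MFA enforced for all users by: ${mfa.map((p) => p.name).join(", ")}`
          : "no enabled Conditional Access policy requires MFA for all users",
      };
    },
  },
  {
    controlId: "164.312(a)(1)", framework: HIPAA,   // access control
    evaluate(cfg) {
      return {
        controlId: "164.312(a)(1)", framework: HIPAA,
        status: cfg.legacyAuthBlocked ? "pass" : "fail",
        evidence: { legacyAuthBlocked: cfg.legacyAuthBlocked },
        summary: cfg.legacyAuthBlocked
          ? "legacy authentication protocols are blocked tenant-wide"
          : "legacy authentication is still permitted",
      };
    },
  },
];

type EvidencePackage = { files: Record<string, string> };   // path inside the ZIP -> content

// Run every evaluator registered for a framework and lay out the package files.
function runFramework(framework: string, cfg: TenantConfig, ranAt: Date): EvidencePackage {
  const results = evaluators.filter((e) => e.framework === framework).map((e) => e.evaluate(cfg));
  const files: Record<string, string> = {};
  for (const r of results) files[`controls/${r.controlId}.json`] = JSON.stringify(r, null, 2);
  files["manifest.json"] = JSON.stringify({
    framework,
    tenantId: cfg.tenantId,
    ranAt: ranAt.toISOString(),
    controls: results.map((r) => ({ id: r.controlId, status: r.status })),
    passed: results.filter((r) => r.status === "pass").length,
    failed: results.filter((r) => r.status === "fail").length,
  }, null, 2);
  return { files };
}

// <customer>_<YYYY-MM-DD>_evidence_package.zip, as shown in the listing above.
function packageName(customerSlug: string, ranAt: Date): string {
  return `${customerSlug}_${ranAt.toISOString().slice(0, 10)}_evidence_package.zip`;
}

// Constructed tenant configuration.
const SAMPLE_CONFIG: TenantConfig = {
  tenantId: "tenant-acme",
  conditionalAccess: [
    { name: "Require MFA for all users", state: "enabled", grantMfa: true, targetsAllUsers: true },
    { name: "Require MFA for admins only", state: "enabled", grantMfa: true, targetsAllUsers: false },
  ],
  legacyAuthBlocked: true,
};

console.log(packageName("acme", new Date("2026-04-29T10:00:00Z")));
console.log(runFramework(HIPAA, SAMPLE_CONFIG, new Date("2026-04-29T10:00:00Z")).files["manifest.json"]);
```

Storing the raw configuration snapshot in `evidence` (rather than only the pass/fail verdict) is what makes the per-control JSON usable as evidence: an auditor can re-derive the verdict from it, and a later run can be diffed against it.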
| Layer | Technology |
|---|---|
| Frontend | React 18 Β· TypeScript Β· Vite Β· Tailwind CSS Β· shadcn/ui Β· TanStack React Query |
| Backend | Supabase (Auth Β· PostgreSQL Β· Edge Functions Β· pg_cron) |
| M365 | Microsoft Graph API Β· Defender for Endpoint API |
| AI | Multi-provider via OpenAI-compatible gateway Β· BYOK for direct provider access |
| PSA | HaloPSA Β· Autotask Β· ConnectWise Β· ServiceNow Β· Jira |
| Email | Resend (configurable) |
| Threat intel | MISP-format ingestion |
| Variable | Description |
|---|---|
| `VITE_SUPABASE_URL` | Your Supabase project URL |
| `VITE_SUPABASE_PUBLISHABLE_KEY` | The anon / publishable key |
| `VITE_SUPABASE_PROJECT_ID` | Project ref (diagnostics only) |
| `VITE_PORTAL_BASE_HOST` | Optional: base host for subdomain portal routing (e.g. `aegis.io`) |

| Variable | Description |
|---|---|
| `AI_GATEWAY_API_KEY` | API key for the AI gateway |
| `AI_GATEWAY_URL` | OpenAI-compatible chat-completions endpoint |
| `RESEND_API_KEY` | Optional: outbound notification emails |
| `CUSTOM_DOMAIN_CNAME_TARGET` | Optional: for customer-owned portal domains |
| `CUSTOM_DOMAIN_A_TARGETS` | Optional: apex-domain fallback |
Per-provider keys (`OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, etc.) are optional fallbacks; users can also supply their own via the in-app provider settings (BYOK).
- ✅ White-label per-MSP branding
- ✅ Webhook → ServiceNow / Jira / ConnectWise / HaloPSA / Autotask on detected anomalies
- ✅ Customer-facing read-only portal (subdomain + custom-domain routing, branded per customer, email-invite flow)
- ✅ Automated HIPAA / SOC 2 / CMMC / NIST 800-53 / ISO 27001 / PCI DSS evidence collection
- ✅ Downloadable audit packages with PDF cover + AI-generated narratives + per-control JSON
- ✅ Public marketplace for shared Policy Templates with ratings
- ✅ Plugin SDK for community-contributed AI workflows
- ✅ DUDE Sync: full parity with Daniel Petri's DUDE-Manager (prefix allowlists, dry-run-by-default, MDE tagging, scheduled execution, AU user sync)
- Slack / Teams app surfaces for the customer portal
- More evaluator coverage per existing framework (e.g. tenant-wide MFA, smart lockout)
- Threat-intel correlation: when an anomaly fires, surface matching MISP indicators
- Multi-region deployment guide
- Self-hosted Supabase deployment guide
- More PSA providers (Kaseya BMS, SuperOps, Atera)
Have an idea? Open an issue or start a Discussion.
Contributions welcome; see CONTRIBUTING.md for development setup, coding conventions, the PR process, and "how to add a compliance evaluator" / "how to publish a marketplace plugin" recipes.
Looking for an entry point? Issues labelled good first issue and help wanted are sized for first-time contributors.
For security issues, don't open a public issue; see SECURITY.md.
```text
aegis/
├── src/
│   ├── components/
│   │   ├── ai/              # AI provider settings, AI chat, prompt templates
│   │   ├── compliance/      # Compliance schedule UI
│   │   ├── customers/       # MSP-side customer management + branding + portal users
│   │   ├── layout/          # Sidebar, app shell
│   │   ├── portal/          # Customer-facing portal components
│   │   └── views/           # Top-level page components keyed by tab id
│   ├── contexts/            # TenantContext · BrandingContext · PortalHostContext
│   ├── hooks/               # Custom hooks (usePageTitle, useTenant, useResourceSelection, …)
│   ├── lib/                 # Database wrappers, Graph helpers, package generators
│   ├── pages/               # Top-level routes
│   └── types/               # Shared TypeScript types
├── supabase/
│   ├── migrations/          # Postgres migrations (timestamp-prefixed)
│   ├── functions/           # 30+ Deno edge functions
│   └── config.toml          # Supabase project config
├── scripts/
│   ├── deploy-aegis.ps1     # One-shot deploy (Windows)
│   ├── deploy-aegis.sh      # One-shot deploy (macOS / Linux)
│   └── post-deploy.sql      # SQL to run after deploy (cron jobs, data migrations)
├── docs/
│   └── screenshots/         # Capture targets
├── .github/                 # CI · issue templates · PR template
├── HANDOFF.md               # Full deployment runbook (35+ items)
├── CHANGELOG.md             # Keep a Changelog format, SemVer-ish pre-1.0
├── RELEASING.md             # Release process
├── SECURITY.md              # Security policy + disclosure
└── CONTRIBUTING.md          # Development setup, conventions, PR flow
```
- Daniel Petri's DUDE-Manager: the canonical PowerShell + WPF reference for Dynamic User & Device Enumeration. Aegis's port mirrors the design (transitive membership, blast-radius limiter, prefix allowlists, AU + Defender automation) on a Supabase + React stack.
- The Microsoft Graph and Defender for Endpoint API teams for surfacing the underlying capabilities Aegis orchestrates.
- The MISP Project for the threat-intelligence taxonomies seeded in our reference catalog.
- The shadcn/ui, Tailwind, Supabase, and Deno maintainers; we stand on a lot of OSS.

MIT © 2026 Aegis contributors

