Day job
IT Director · Affinity Group
Oct 2022 – Present · Charlotte, NC · Hybrid
IT Director on paper, principal systems engineer in practice. I run a national food brokerage's hybrid Microsoft estate across ~1,100 employees and 80+ locations. The bulk of the work I'm most proud of is the engineering and automation below; the title comes with operational and strategy responsibilities I handle too, but they're not what I want to lead with.
Engineering and automation
claude-forge
AI-augmented IT operations platform I'm architecting and building. Python + Supabase Postgres + Azure Functions backbone. Pulls and caches data from Freshservice, AdminDroid, ScreenConnect, and Microsoft Graph, exposes a curated set of named, audited functions to the IT team via Cowork, and accepts webhook events to call the Claude API for auto-triage, reply drafts, asset enrichment, and duplicate detection.
Stage 1 (Freshservice analytics-export refresh plus per-ticket enrichment with conversations and custom fields) runs in production on Windows Task Scheduler at 9:05 AM weekdays. Stage 2 brings the Supabase migration, Azure Functions timer triggers, and the Cowork tech skill.
Conventions: stdlib-first Python, idempotent and resumable jobs, rate-limit aware, RLS on Supabase tables, secrets in Bitwarden delivered via env vars, never raw SQL or arbitrary tool access exposed to techs.
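The conventions above (idempotent and resumable jobs, rate-limit awareness, secrets only via environment variables) are illustrated by the following added example. It is not claude-forge code: the paginated ticket API is a constructed stand-in for Freshservice, and the `TICKET_API_KEY` variable name, the checkpoint file format and the file names are assumptions.

```python
"""Added example: a resumable, rate-limit-aware, idempotent export job (stdlib only).

The API client is a constructed stand-in, not the Freshservice API; file names,
the TICKET_API_KEY variable and the checkpoint format are assumptions.
"""
import json
import os
import tempfile
import time
from pathlib import Path


def api_key_from_env(env=os.environ, var="TICKET_API_KEY"):
    """Secrets arrive via the environment (injected by the secret manager at launch).
    The job refuses to start without one and never embeds a value. Name is an assumption."""
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to run without a secret from the environment")
    return key


class RateLimited(Exception):
    """What the client raises when the upstream answers 429 with a Retry-After hint."""

    def __init__(self, retry_after):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


class FakeTicketApi:
    """Constructed paginated API: serves pages from a dict and can inject a 429 or a crash."""

    def __init__(self, pages, rate_limit_on_call=None, crash_on_call=None):
        self.pages, self.calls = pages, 0
        self.rate_limit_on_call, self.crash_on_call = rate_limit_on_call, crash_on_call

    def fetch_page(self, page):
        self.calls += 1
        if self.calls == self.rate_limit_on_call:
            raise RateLimited(retry_after=0)
        if self.calls == self.crash_on_call:
            raise ConnectionError("simulated mid-run failure")
        return self.pages.get(page, [])


def _read_json(path, default):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else default


def _write_json_atomic(path, data):
    # Write to a temp file in the same directory, then rename: a crash mid-write can
    # never leave a half-written checkpoint or output file for the next run to trust.
    p = Path(path)
    fd, tmp = tempfile.mkstemp(dir=p.parent, prefix=p.name + ".")
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    os.replace(tmp, p)


def run_export(api, checkpoint_path, out_path, sleep=time.sleep, max_retries=5):
    """Fetch every page and store records keyed by id. Re-running after a crash resumes
    from the checkpoint, and re-fetching a page overwrites rather than duplicates."""
    page = _read_json(checkpoint_path, {"next_page": 1})["next_page"]
    records = _read_json(out_path, {})
    retries = 0
    while True:
        try:
            batch = api.fetch_page(page)
        except RateLimited as exc:
            retries += 1
            if retries > max_retries:
                raise
            sleep(exc.retry_after)  # honour the server's hint rather than hammering it
            continue
        retries = 0
        if not batch:
            break
        for rec in batch:
            records[str(rec["id"])] = rec  # JSON object keys are strings
        _write_json_atomic(out_path, records)  # commit the data first ...
        page += 1
        _write_json_atomic(checkpoint_path, {"next_page": page})  # ... then the checkpoint
    return records


def demo_crash_and_resume():
    """Constructed scenario: a 429 on the second call, a crash on the fourth, then a re-run."""
    work = Path(tempfile.mkdtemp())
    cp, out = work / "checkpoint.json", work / "tickets.json"
    pages = {1: [{"id": 1}, {"id": 2}], 2: [{"id": 3}], 3: [{"id": 4}]}
    first = FakeTicketApi(pages, rate_limit_on_call=2, crash_on_call=4)
    try:
        run_export(first, cp, out, sleep=lambda _s: None)
    except ConnectionError:
        pass  # the job died after pages 1 and 2 were committed
    second = FakeTicketApi(pages)
    records = run_export(second, cp, out, sleep=lambda _s: None)
    return first.calls, second.calls, sorted(records)


if __name__ == "__main__":
    print(demo_crash_and_resume())  # (4, 2, ['1', '2', '3', '4'])
```

The order of the two writes matters: data is committed before the checkpoint advances, so a crash between them costs one re-fetched page (harmless, because records are upserted by id) rather than a silently skipped one.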
Microsoft 365 PowerShell admin library (76 scripts)
Internal library used for monthly compliance reviews. Covers license auditing, mailbox sizing, external-forwarding detection, OneDrive usage, SharePoint external sharing, unified audit log search, room mailbox usage, MFA status, risky sign-in detection, guest user auditing, privileged role assignments, Conditional Access policy inventory, mail flow rules, Teams lifecycle, Defender for Endpoint device reporting, Identity Protection, Azure AD PIM, Cloud App Security, and many more. Every script is documented and parameterized for multi-tenant work.
Office 365 → Snowflake user sync
Snowflake-native Python stored procedure pulling filtered Entra ID users via Microsoft Graph (transitive group members) on a daily Snowflake Tasks schedule. Captures 15 extension attributes plus manager ID and display name, MERGE for incremental updates, soft-delete tracking for users removed from Entra ID. Eliminated the external server, Python environment, and credential management dependencies entirely. Outbound Graph calls wired through Snowflake Network Rules and EXTERNAL ACCESS INTEGRATION.
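The incremental MERGE plus soft-delete behaviour described above, as an added example that is not the project's stored procedure. It runs on sqlite3 so it works offline: SQLite's `ON CONFLICT ... DO UPDATE` stands in for Snowflake's `MERGE ... WHEN MATCHED / WHEN NOT MATCHED`. Column names, the single extension attribute and the sample users are constructed assumptions.

```python
"""Added example: daily identity sync with MERGE-style upsert and soft-delete.

sqlite3 stands in for Snowflake so the example runs offline. Column names,
the sample users and the extension attribute are constructed assumptions.
"""
import sqlite3
from datetime import datetime, timezone

DDL = """
CREATE TABLE IF NOT EXISTS entra_users (
    object_id    TEXT PRIMARY KEY,
    upn          TEXT NOT NULL,
    display_name TEXT,
    manager_id   TEXT,
    ext_attr1    TEXT,
    is_deleted   INTEGER NOT NULL DEFAULT 0,
    last_seen_at TEXT NOT NULL,
    deleted_at   TEXT
)
"""

# SQLite upsert; in Snowflake this is the MERGE with WHEN MATCHED / WHEN NOT MATCHED.
UPSERT = """
INSERT INTO entra_users
    (object_id, upn, display_name, manager_id, ext_attr1, is_deleted, last_seen_at, deleted_at)
VALUES (?, ?, ?, ?, ?, 0, ?, NULL)
ON CONFLICT(object_id) DO UPDATE SET
    upn = excluded.upn, display_name = excluded.display_name,
    manager_id = excluded.manager_id, ext_attr1 = excluded.ext_attr1,
    is_deleted = 0, last_seen_at = excluded.last_seen_at, deleted_at = NULL
"""


def new_connection():
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn


def sync_users(conn, snapshot, now=None):
    """Apply one Graph snapshot (list of user dicts) to the table.

    Present users are inserted or updated (and revived if previously soft-deleted);
    absent users are soft-deleted, never physically removed, so reporting keeps history.
    """
    if not snapshot:
        # An empty result usually means a broken token or filter, not a company with
        # no staff. Refuse rather than soft-delete every row on a bad day.
        raise ValueError("refusing to sync an empty snapshot")
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    incoming = {u["id"] for u in snapshot}
    existing = {row[0] for row in conn.execute("SELECT object_id FROM entra_users")}
    conn.executemany(UPSERT, [
        (u["id"], u["userPrincipalName"], u.get("displayName"), u.get("managerId"),
         u.get("extensionAttribute1"), stamp) for u in snapshot])
    placeholders = ",".join("?" * len(incoming))
    cur = conn.execute(
        f"UPDATE entra_users SET is_deleted = 1, deleted_at = ? "
        f"WHERE is_deleted = 0 AND object_id NOT IN ({placeholders})",
        (stamp, *incoming))
    conn.commit()
    return {"inserted": len(incoming - existing), "updated": len(incoming & existing),
            "soft_deleted": cur.rowcount}


def active_upns(conn):
    return [r[0] for r in conn.execute(
        "SELECT upn FROM entra_users WHERE is_deleted = 0 ORDER BY upn")]


def user_state(conn, object_id):
    row = conn.execute("SELECT display_name, is_deleted, deleted_at FROM entra_users "
                       "WHERE object_id = ?", (object_id,)).fetchone()
    return None if row is None else {"display_name": row[0], "is_deleted": bool(row[1]),
                                     "deleted_at": row[2]}


# Constructed sample snapshots (shape mirrors Graph user properties; values are made up)
DAY1 = [{"id": "a1", "userPrincipalName": "alice@example.com", "displayName": "Alice",
         "managerId": None, "extensionAttribute1": "Sales"},
        {"id": "b2", "userPrincipalName": "bob@example.com", "displayName": "Bob", "managerId": "a1"}]
DAY2 = [{"id": "a1", "userPrincipalName": "alice@example.com", "displayName": "Alice Smith",
         "managerId": None, "extensionAttribute1": "Sales"},
        {"id": "c3", "userPrincipalName": "carol@example.com", "displayName": "Carol", "managerId": "a1"}]

if __name__ == "__main__":
    conn = new_connection()
    print(sync_users(conn, DAY1))  # {'inserted': 2, 'updated': 0, 'soft_deleted': 0}
    print(sync_users(conn, DAY2))  # {'inserted': 1, 'updated': 1, 'soft_deleted': 1}
    print(active_upns(conn))       # ['alice@example.com', 'carol@example.com']
```

The empty-snapshot guard is the one check worth carrying into any real implementation: a Graph call that fails open with zero rows would otherwise mark the whole workforce as departed downstream.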
Affinity SMS Platform
Microsoft Forms + Power Automate + Microsoft Graph + Twilio with Teams approval routing. Audience targeting maps to dynamic Entra ID groups (All Employees, by region, by division). Twilio toll-free verified for A2P compliance, STOP and HELP handled via Twilio Advanced Opt-Out per CTIA standards. Per-blast cost ~$8 for 1,000 employees at toll-free SMS pricing. Public Terms & Conditions deployed alongside.
HPSCAT vendor data ingestion pipeline
PowerShell + Microsoft Graph pipeline that replaced manual monthly vendor reporting for 11 manufacturer vendors. Static-IP whitelisted from Grand Rapids and Charlotte office ranges (PowerShell rather than Power Automate because Power Automate's dynamic IPs can't be reliably whitelisted). Variants for single-vendor, multi-vendor, multi-day, and backfill runs.
AGIT Documentation pipeline
PowerShell discovery scripts query Microsoft Graph and write human-readable Markdown into a versioned SharePoint-hosted documentation site organized by domain (01_Microsoft_365, 02_Entra_ID, 11_Cloud_Config_Export, etc.). Re-running any script refreshes its section. CISA ScubaGear output (JSON + Markdown) integrated under 11_Cloud_Config_Export/ScubaGear/ for ongoing compliance posture visibility.
Security
- Conditional Access policies covering device compliance, location, risk-based sign-in, and per-application controls. Enterprise MFA with managed exception workflow and break-glass account procedures. Privileged Identity Management for just-in-time elevation with periodic access reviews.
- EMS E5 bundled onto the Office 365 E3 baseline (Dec 2025) unlocking Defender for Endpoint, Identity, and Cloud Apps; Azure AD Premium P2; full Conditional Access capabilities; PIM.
- CISA ScubaGear Microsoft 365 Secure Configuration Baseline assessments (Azure AD/Entra, Defender, Exchange Online, Power Platform, SharePoint, Teams) with results exported to the AGIT documentation pipeline.
- Authorized external pentests on three production properties (May 2026): 47 findings total, demonstrated unauthenticated RCE under written authorization, GCP service-account RSA private key exposure (exploitation confirmed), supply-chain attack chain identified.
- Unified Audit Log forensics for account compromise investigations, anomalous mail flow, and external sharing reviews.
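The kind of Unified Audit Log review mentioned in the last bullet, as an added example in Python rather than the PowerShell library above; it is not code from the page's author. The input is a constructed set of records in the shape of the `AuditData` JSON document that `Search-UnifiedAuditLog` returns, and the internal-domain list, users and addresses are made up. It flags mailbox rules or settings that forward outside the tenant (ranked higher when the rule also deletes the message) and anonymous or external sharing events.

```python
"""Added example: triage of exported Unified Audit Log records (stdlib only).

The records are constructed samples in the shape of the AuditData JSON document
returned by Search-UnifiedAuditLog; domains, users and addresses are made up.
"""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
MAILBOX_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
SHARING_OPS = {"AnonymousLinkCreated", "SharingInvitationCreated", "AddedToSecureLink"}


def _params(record):
    """Exchange cmdlet audit entries carry their arguments as a Name/Value list."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external_targets(value):
    """Split a forwarding parameter (may hold several ';'-separated targets) and keep
    the SMTP addresses outside the tenant. Directory object names (no '@') are skipped."""
    targets = []
    for raw in value.split(";"):
        addr = raw.strip().lower().removeprefix("smtp:")
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            targets.append(addr)
    return targets


def triage(auditdata_lines):
    """Return one finding per record that matters for a compromise or sharing review."""
    findings = []
    for line in auditdata_lines:
        rec = json.loads(line)
        op = rec.get("Operation", "")
        base = {"time": rec.get("CreationTime"), "user": rec.get("UserId"), "operation": op}
        if op in MAILBOX_OPS:
            params = _params(rec)
            targets = [t for k, v in params.items() if k in FORWARD_PARAMS
                       for t in _external_targets(v)]
            if targets:
                # A rule that forwards and also deletes hides the copy from the mailbox
                # owner, the classic post-compromise pattern, so rank it above a plain forward.
                deletes = params.get("DeleteMessage", "").lower() == "true"
                findings.append({**base, "type": "external_forwarding", "targets": targets,
                                 "rule": rec.get("ObjectId"),
                                 "severity": "high" if deletes else "medium"})
        elif op in SHARING_OPS:
            findings.append({**base, "type": "external_sharing", "object": rec.get("ObjectId"),
                             "severity": "high" if op == "AnonymousLinkCreated" else "low"})
    return findings


# Constructed sample export: one AuditData JSON document per line
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2025-01-10T13:02:11", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "ObjectId": "Invoices",
                "Parameters": [{"Name": "ForwardTo", "Value": "collector@outside.test"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-01-10T13:05:40", "Operation": "Set-Mailbox",
                "UserId": "bob@example.com", "ObjectId": "bob@example.com",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:bob.archive@example.com"}]}),
    json.dumps({"CreationTime": "2025-01-10T14:11:02", "Operation": "Set-InboxRule",
                "UserId": "carol@example.com", "ObjectId": "Vendors",
                "Parameters": [{"Name": "ForwardAsAttachmentTo",
                                "Value": "Carol Personal;carol@outside.test"}]}),
    json.dumps({"CreationTime": "2025-01-10T15:30:19", "Operation": "AnonymousLinkCreated",
                "UserId": "dave@example.com",
                "ObjectId": "https://tenant.sharepoint.com/sites/Finance/Q4.xlsx"}),
    json.dumps({"CreationTime": "2025-01-10T15:31:00", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.5"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDITDATA):
        print(f["severity"], f["type"], f["user"], f.get("targets") or f.get("object"))
```

Bob's forward to an internal archive mailbox produces no finding, which is the point of keeping the accepted-domain list accurate: the review should surface only what leaves the tenant.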
Data and analytics
- Microsoft Fabric F64 capacity replacing 100+ Power BI Pro licenses (Dec 2025 to early 2026). Dynamic Entra ID group-based access control and Row-Level Security across customer-facing datasets.
- External Fabric sharing for food manufacturer partners; Copilot integration for natural-language self-service analytics.
- Snowflake reporting environment with automated identity and licensing data feeds from Microsoft 365.
Infrastructure
- Hybrid Azure + Microsoft 365 across 80+ locations. Site-to-site VPN topology with consistent firewall rules and content filtering. Hybrid AD + Entra ID via AD Connect with dynamic groups driving SSO, licensing, distribution lists, and Fabric workspace access.
- Intune device management with automated enrollment, policy deployment, application packaging, and compliance policies.
- Cisco Meraki estate (MX, MR, MDM) across all sites from a single cloud dashboard.
- Microsoft Teams Phone via BCMOne consolidating regional PBX contracts.
M&A integration
Built the reusable cross-tenant migration toolkit: tenant discovery (Get-TenantDiscovery.ps1), mailbox and OneDrive migration (Movebot), SharePoint migration, device export (Export-LaptopProfile.ps1), mailbox access grants. Designed the cross-tenant coexistence patterns for the gap window before full cutover: mail flow connectors, shared address space, free/busy sharing, unified GAL.
Authored the AG IT M&A Integration Guide v2.0: 26 pages, three audience tracks, seven phased timelines, acquisition sizing table, decision matrix, due-diligence checklist, five appendices. The guide is itself a maintainable codebase, generated by a Node.js + docx document builder rather than a hand-edited Word doc.
Acquired-company marketing sites I shipped on Astro + Tailwind + Cloudflare Pages with R2 image hosting: Perishable Sales Inc., Sandh Food Service, Chesapeake North Group, Glenwyck.
Strategy and operations
Authored the State of IT: Infrastructure Modernization and Service Enhancement Plan (drafted mid-2024, presented early 2025). Documented current state, roadblocks, recommendations, and supporting reference analyses. The plan proposed MSP elimination ($136,318 estimated annual savings on licensing reseller markup), an internal IT staffing build-out, and an M365 E5 upgrade. The board approved a scaled-down version (Fabric F64 + EMS E5 add-on bundled onto the Office 365 E3 baseline) in December 2025.
Operate the ITIL framework on Freshservice. Maintain the ten-domain enterprise IT documentation framework (AD, GPO, Network, Servers, RDS, Apps, Security, Procedures, Troubleshooting, Standards). Allocate IT cost across regional P&Ls. Present updates at FLT (Forum Leadership Team).
Enterprise AI adoption
- Claude Enterprise rollout (2024–2025) with data classification, prompt-handling policy, retention, internal-tool integration, and prompt-engineering training for power users.
- GitHub Copilot Pro+ rollout with adoption tracking, repository-level enablement, and best-practice guidelines.
- Copilot Studio agents: ASE HR and Benefits Assistant (March 2025), Affinity Assistant, Affinity Group bot, plus agents covering cloud infrastructure provisioning, data pipeline orchestration, testing/QA, and code-to-documentation generation.
- Contributed IT input to the corporate AI Policy (March 2026).