Michael Lawrence

IT Systems & Automation Engineer

I run IT solo for a 100+ employee HIPAA-regulated healthcare organization — and I automate everything that gets done twice. M365 · Entra ID · Windows Server · PowerShell · Power Platform · Docker.

The short version

Numbers first — the case studies below show how.

100+employees supported, solo, across multiple locations
65 → 120headcount growth absorbed with zero added IT staff
HIPAAregulated environment — GPO, MFA, least privilege by design
~45 minzero-touch machine builds, down from half a day of manual setup

Case studies

Real systems, running in production. Sanitized source and full write-ups on GitHub.

Onboarding errors eliminated

Identity automation: attributes in, access out

Manual account creation and hand-managed security groups don't survive 85% headcount growth — every typo became a day-one access problem.

  • One PowerShell command creates the account, stamps HR attributes, provisions the mailbox
  • Entra ID dynamic membership rules derive every security group from those attributes
  • Transfers are one attribute edit; offboarding drops all access instantly
ad-onboarding-automation · entra-dynamic-groups
HR intakename · dept · role New-Employee.ps1account + attributes Dynamic group rulesdept / role / location SharePoint · shares · apps · licenses
Evaluations run themselves

Power Platform: employee evaluation system

Annual evaluations lived on paper and memory — missed anniversaries, wrong forms, no audit trail.

  • Model-driven Power App on Dataverse; anniversary flows key off employeeHireDate in Entra
  • Role-based evaluation tracks driven by a mapping table HR edits — config as data, not code
  • Send / first-open / completion timestamps on every record; PDF export to HR
  • Packaged with environment variables so the whole solution redeploys to a new tenant from a settings file
powerapps-employee-evaluations
Entra IDemployeeHireDate Daily flowanniversary scan Dataverseeval records Model-driven approle-scoped forms notifications · escalations · PDF → HR audit trail: sent · opened · completed
A staging environment that didn't exist

Hyper-V lab: a Server 2025 domain that mirrors production

There's no test environment at work, and "try it in production" isn't a plan. So I built one on a host I assembled myself.

  • Two virtual switches on separate NICs — one for internet-facing VMs, one for an isolated lab segment, so the lab's DNS and PXE/DHCP can never collide with the home network
  • AD DS, authoritative internal DNS, DHCP with PXE options, file/print services, GPO — same OU structure and naming as production
  • RemoteApp publishing the clinical EMR over a certificate issued by an internal CA — no per-workstation client installs, plus a fallback access path
  • Catches GPO scoping errors, imaging task-sequence failures, and print-driver behavior before they reach real users
hyperv-ad-lab
Home gatewayinternet WAN-Switchpatching / updates LAN-Switchisolated · DNS · PXE DC — Server 2025AD DS · DNS · DHCP File / Printshares · GPO RDS — RemoteAppinternal CA cert self-built Hyper-V host · mirrors production OU structure
Recovered from real disk failure

Homelab: self-healing media infrastructure

10 Docker services, 9 drives, VPN-isolated downloads — then Windows dynamic disks failed and drive letters reshuffled under the whole stack.

  • Diagnosed it as a pointer problem, not data loss: 163 of ~210 "lost" titles recovered with zero re-downloads
  • Edited the Plex library DB directly when the API silently no-op'd; re-mounted and re-rooted every service
  • Health check every 30 min now auto-restarts containers and watches VPN, queues, and drive mounts
  • Dedup tooling freed ~379 GB; a Letterboxd→Plex sync keeps the library matching my watchlist, hands-free
homelab-media-stack (incl. the full disaster-recovery write-up)
Overseerrrequests Radarr · Sonarr+ Prowlarr indexers gluetun VPN containerqBittorrent inside — kill-switch 9 NTFS drivesper-drive mounts Plex · Jellyfin+ Tautulli stats health checkevery 30 minauto-restartVPN + queue+ drive watch
Security awareness, measured

In-house phishing simulation program

Awareness training needs evidence, and commercial phishing-sim platforms are overkill for a 100-person org.

  • Power Automate flows randomly target rolling cohorts with tracked simulation emails
  • Clicks and reports-to-IT logged to SharePoint — report rate is the culture metric
  • Department rollups for leadership; individual results drive follow-up training
  • Zero licensing cost — built entirely on tooling the org already owned
powerautomate-phishing-sim
Scheduled flowcampaign kickoff Random targetsexcl. recent cohorts Lure emailtracked link SharePoint campaign logclick rate ↓ · report rate ↑ leadership dashboard · targeted training

Stack

Daily drivers, in production.

Microsoft 365Entra IDActive Directory Exchange OnlineWindows ServerHyper-V IntunePowerShellPower Apps Power AutomateDataverseMDT GPOSharePointDocker RDS / RemoteAppAD Certificate ServicesPXE / WDS n8nTCP/IP · DNS · DHCP · VPNDuo MFA

About

I'm the sole IT operation for a HIPAA-regulated healthcare organization in New Jersey — escalation support, identity, infrastructure, security, and everything between, across multiple locations. The through-line in my work: if a process gets done twice, it gets automated — and the automation gets documented, monitored, and made repeatable.

B.A. in Information Technology & Informatics, Rutgers University. Rutgers Cybersecurity Boot Camp (300 hrs), Security Pro certified. Currently studying for the CCNA.

Off hours I run the labs above on hardware I built myself, write n8n pipelines, and keep a Letterboxd watchlist long enough to need its own automation.