Session log: glaztech DMARC override + syncro skill billing fix
- clients/glaztech/session-logs/2026-04-20-session.md: Exchange Online transport rule created to bypass DMARC for clearcutglass.com
- session-logs/2026-04-20-session.md: update with 12:55 work
- .claude/commands/syncro.md: fix billing workflow — comment endpoint silently drops time fields; use timer_entry endpoint instead

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
60
clients/glaztech/session-logs/2026-04-20-session.md
Normal file
@@ -0,0 +1,60 @@
|
||||
# Session Log — 2026-04-20 — Glaz-Tech Industries
|
||||
|
||||
## User
|
||||
- **User:** Mike Swanson (mike)
|
||||
- **Machine:** DESKTOP-0O8A1RL
|
||||
- **Role:** admin
|
||||
|
||||
## Session Summary
|
||||
|
||||
Set up Exchange Online DMARC bypass for inbound mail from clearcutglass.com → glaztech.com. Full remediation tool workflow: app consent, role assignment, transport rule creation via EXO REST API.
|
||||
|
||||
## Work Performed
|
||||
|
||||
### Problem
|
||||
Inbound mail from clearcutglass.com was being rejected at glaztech.com due to DMARC failure. Client needed a temporary override while clearcutglass.com fixes their email authentication.
|
||||
|
||||
### Solution
|
||||
Created Exchange Online transport rule via EXO REST API (InvokeCommand) to set SCL = -1 for all mail from clearcutglass.com, bypassing DMARC/spam filtering.
|
||||
|
||||
### Steps Taken
|
||||
|
||||
1. **App consent** — Exchange Operator app (b43e7342-5b4b-492f-890f-bb5a4f7f40e9) was not yet consented in glaztech.com tenant. Provided admin consent URL:
|
||||
`https://login.microsoftonline.com/82931e3c-de7a-4f74-87f7-fe714be1f160/adminconsent?client_id=b43e7342-5b4b-492f-890f-bb5a4f7f40e9`
|
||||
glaztech.com Global Admin completed consent.
|
||||
|
||||
2. **Role assignment** — After consent, EXO REST API still returned 403 because the SP needed Exchange Administrator role in the tenant directory (consent alone is not sufficient for EXO cmdlets). Verified SP was already assigned via screenshot from Entra portal (ComputerGuru Exchange Operator already listed as Exchange Administrator member).
|
||||
|
||||
3. **Transport rule created** — via `POST https://outlook.office365.com/adminapi/beta/{tenant}/InvokeCommand`:
|
||||
- Rule name: `TEMP - Allow DMARC fail from clearcutglass.com`
|
||||
- Condition: `SenderDomainIs = clearcutglass.com`
|
||||
- Action: `SetSCL = -1`
|
||||
- State: Enabled, Enforce mode
|
||||
- Rule GUID: `6b702a5c-02ad-46e5-a2e1-7cb70284bd5c`
|
||||
- Created: 2026-04-20 19:28 UTC
|
||||
|
||||
4. **Syncro ticket created** — #32176 "Exchange Online - DMARC override for clearcutglass.com", status Resolved.
|
||||
|
||||
### Follow-up Required
|
||||
Once clearcutglass.com fixes their SPF/DMARC configuration, remove the transport rule:
|
||||
- **Exchange Admin Center** → Mail flow → Rules → delete "TEMP - Allow DMARC fail from clearcutglass.com"
|
||||
- Or via API: `Remove-TransportRule -Identity "6b702a5c-02ad-46e5-a2e1-7cb70284bd5c"`
|
||||
|
||||
## Tenant Info
|
||||
|
||||
- **Domain:** glaztech.com
|
||||
- **Tenant ID:** 82931e3c-de7a-4f74-87f7-fe714be1f160
|
||||
- **Syncro customer ID:** 143932
|
||||
- **Syncro ticket:** #32176 (ID: 109216691)
|
||||
- **Contact:** Steve Eastman (Seastman@glaztech.com)
|
||||
|
||||
## Credentials Used
|
||||
|
||||
- Exchange Operator app: `b43e7342-5b4b-492f-890f-bb5a4f7f40e9` / vault: `msp-tools/computerguru-exchange-operator.sops.yaml`
|
||||
|
||||
## Issues Encountered
|
||||
|
||||
- **AADSTS7000229** on first token attempt — app not consented in tenant. Fixed via admin consent URL.
|
||||
- **403 after consent** — SP needed Exchange Administrator role in Entra directory (separate from API consent). Already assigned per Entra portal.
|
||||
- **curl null byte response** — EXO REST API returns compressed/binary response when no `Accept` header or `--compressed` flag used. Fixed by writing payload to temp file and checking raw bytes.
|
||||
- **PowerShell Graph module device code auth failure** — `DeviceCodeCredential authentication failed: Object reference not set to an instance of an object` — known bug with Microsoft.Graph 2.36.1 + WAM on Windows. Workaround: not needed since role was already assigned.
|
||||
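Review bot: In step 3, `Condition: SenderDomainIs = clearcutglass.com` combined with `Action: SetSCL = -1` keys the bypass on the sender domain alone, and that domain is currently failing DMARC, so any message claiming clearcutglass.com, spoofed or not, skips spam filtering while the rule is enabled. Consider narrowing the rule with a second predicate such as the partner's sending IPs (`SenderIpRanges`), and give the "TEMP" rule a hard end by setting `ExpiryDate` on it or by recording an owner and review date under "Follow-up Required", which currently has neither. Step 2 also leaves the 403 unexplained: the SP is described as already holding Exchange Administrator, so the log should state what actually cleared the error. Separately, confirm that the tenant ID, app ID, machine name and contact address are meant to live in a committed file.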
@@ -305,6 +305,33 @@ Added `feedback_python_windows.md` to `.claude/memory/`: use `py` not `python3`,
|
||||
|
||||
---
|
||||
|
||||
---
|
||||
|
||||
## Update: 12:55
|
||||
|
||||
### Glaztech — Exchange Online DMARC Override
|
||||
|
||||
- Consented Exchange Operator app in glaztech.com tenant (82931e3c-de7a-4f74-87f7-fe714be1f160)
|
||||
- Created transport rule "TEMP - Allow DMARC fail from clearcutglass.com" via EXO REST InvokeCommand
|
||||
- GUID: 6b702a5c-02ad-46e5-a2e1-7cb70284bd5c
|
||||
- Action: SetSCL = -1 for sender domain clearcutglass.com
|
||||
- Syncro ticket #32176 created for Glaz-Tech Industries (customer ID 143932)
|
||||
- Full detail: `clients/glaztech/session-logs/2026-04-20-session.md`
|
||||
|
||||
### Syncro Skill Fix
|
||||
|
||||
- Investigated why labor/time entries weren't being saved on tickets
|
||||
- Root cause: `POST /tickets/{id}/comment` silently ignores `product_id`, `minutes_spent`, `bill_time_now` (Syncro API bug)
|
||||
- Fix: use `POST /tickets/{id}/timer_entry` with `start_at`, `end_at`, `billable`, `product_id` — confirmed working
|
||||
- Updated `.claude/commands/syncro.md` with correct two-call pattern and WARNING on broken comment fields
|
||||
- New behavior rules: always ask for minutes + labor type before billing; always show comment preview before posting
|
||||
|
||||
### Memory Updates
|
||||
|
||||
- `feedback_syncro_billing.md` — ask for time + show preview before any Syncro billing action
|
||||
|
||||
---
|
||||
|
||||
## Key Infrastructure Reference
|
||||
|
||||
| Resource | Details |
|
||||
|
||||
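Review bot: The Glaztech bullets in the 12:55 update record the transport rule as created but omit that it is temporary and still needs to be removed, so a reader of this log alone will not see an open follow-up; add a bullet noting the pending removal and pointing at "Follow-up Required" in the client log. In the Syncro section, "confirmed working" for `POST /tickets/{id}/timer_entry` does not say how it was verified (which ticket, and what was checked afterwards); a one-line note would make the claim auditable. The "two-call pattern" is mentioned without naming the second call, which is worth spelling out here since the comment endpoint is described as silently dropping fields.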