sync: auto-sync from GURU-BEAST-ROG at 2026-07-09 13:39:12
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-09 13:39:12
This commit is contained in:
committed by
ClaudeTools Bot
parent
57c23fc8d7
commit
07268cd741
@@ -0,0 +1,120 @@
|
||||
# 2026-07-09 — Sif-oidak District: Dwayne Ortega user lookup + password reset (Winter, via Discord bot)
|
||||
|
||||
## User
|
||||
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
|
||||
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
|
||||
- **Role:** automation (acting on the requester's behalf)
|
||||
|
||||
## Session Summary
|
||||
|
||||
Winter asked (Discord #tech-department, thread 1524875038967468295) whether user
|
||||
"Dwaybe Ortega" (`dortega.sod@sifoidak.onmicrosoft.com`) exists in the Sif-oidak
|
||||
District tenant. The vault has no M365 admin creds for this client (only
|
||||
`clients/sif-oidak/laptops.sops.yaml`), so the lookup ran through the multi-tenant
|
||||
remediation-tool apps. Resolved tenant `sifoidak.onmicrosoft.com` to GUID
|
||||
`568eb763-3b95-4271-8443-530c74b1c6bb`, acquired an `investigator` (Graph read-only)
|
||||
token, and confirmed the user exists: display name **Dwayne Ortega** (Dwaybe was a
|
||||
typo), account enabled, Member type, cloud-only, created 2026-06-03, licensed with
|
||||
Microsoft 365 Apps for Business (O365_BUSINESS), no mailbox (`mail: null` — SKU has
|
||||
no Exchange plan).
|
||||
|
||||
Winter then requested a password reset to something simple. Ran
|
||||
`scripts/reset-password.sh` (tenant-admin tier). The direct PATCH 403'd because the
|
||||
target holds a directory admin role, so the script performed its JIT elevation
|
||||
(assigned Privileged Authentication Administrator to the Tenant Admin SP), and the
|
||||
reset succeeded. New password: `Roadrunner2026!` (permanent, forceChangePasswordNextSignIn=false).
|
||||
Password was communicated to Winter in the Discord thread; she distributes it.
|
||||
|
||||
The script's JIT cleanup FAILED (HTTP 400): Graph blocks a service principal from
|
||||
removing its own role assignment ("Removing self from Global Administrator built-in
|
||||
role is not allowed" on the roleAssignments endpoint; "no privilege to remove self"
|
||||
on the legacy directoryRoles endpoint). Remediated manually: used the Tenant Admin
|
||||
app (holds RoleManagement.ReadWrite.Directory) to grant Privileged Role
|
||||
Administrator to the **User Manager** SP, pulled a fresh user-manager token (deleted
|
||||
the cached JWT so the new `wids` claim was picked up), deleted the stuck PAA
|
||||
assignment with the User Manager token (HTTP 204), then revoked the temporary PRA
|
||||
grant with the Tenant Admin token (HTTP 204). Verified both SPs are back to standing
|
||||
roles only. Logged the script defect to `errorlog.md`.
|
||||
|
||||
Finally, Winter asked whether Sif has licenses available for this account. Tenant
|
||||
holds exactly one SKU: **O365_BUSINESS (Microsoft 365 Apps for Business), 11 total /
|
||||
11 consumed / 0 available**. Dwayne already consumes one seat. No mailbox-bearing
|
||||
SKUs exist in the tenant. Winter declined further action ("I updated notes. This is
|
||||
complete.") — no Syncro entry needed from this side.
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- Used multi-tenant remediation-tool apps instead of per-client creds — vault has no
|
||||
`clients/sif-oidak/m365*.sops.yaml`; the MSP app suite is consented in this tenant
|
||||
and worked at cert auth.
|
||||
- Password set WITHOUT force-change (script default) since Winter is handing it to
|
||||
the user directly; offered to flip it, not requested.
|
||||
- JIT-cleanup fix path: temp Privileged Role Administrator grant to a SECOND app
|
||||
(User Manager SP) rather than leaving PAA standing or requiring a human GA in the
|
||||
portal. Chosen because self-removal is the only blocked operation; a different
|
||||
principal removing it is allowed. Temp grant revoked immediately after.
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- `signInActivity` select on `GET /users/{upn}` returned 403
|
||||
`Authentication_MSGraphPermissionMissing` (needs AuditLog.Read.All, not held by
|
||||
investigator). Dropped the field.
|
||||
- `reset-password.sh` JIT de-elevation failed HTTP 400 — SP cannot remove its own
|
||||
role assignment. Fixed via temp PRA grant to User Manager SP (see summary). Logged
|
||||
to `errorlog.md` as a remediation-tool defect; script should delegate cleanup to a
|
||||
second SP or warn loudly.
|
||||
- Graph `$filter` with `or` across two `principalId`s on roleAssignments returned
|
||||
`Request_UnsupportedQuery` ("Multiple principalId in filter not supported") — split
|
||||
into two queries.
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
- Sif-oidak tenant: password reset for `Dortega.sod@sifoidak.onmicrosoft.com`
|
||||
(user id `014c1df6-444b-4502-9239-15c3ff935887`).
|
||||
- Transient role assignments (all removed, verified):
|
||||
- PAA `7be44c8a-adaf-4e2a-84d6-ab2649e08a13` -> Tenant Admin SP `3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341` (assignment `ikzke6-tKk6E1qsmSeCKE7PwwTzAbMNNrIysDtlMU0E-1`) — created by script, removed manually.
|
||||
- PRA `e8611ab8-c189-46e8-94e1-60213ab1f814` -> User Manager SP `011b990a-c787-4af1-b4d5-606a5461f2e5` (assignment `uBph6InB6EaU4WAhOrH4FAqZGwGFx_FKtNVgalRh8uU-1`) — created + removed this session.
|
||||
- Repo: `errorlog.md` entry added (remediation-tool / reset-password JIT cleanup).
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- New password for `Dortega.sod@sifoidak.onmicrosoft.com`: `Roadrunner2026!`
|
||||
(permanent; user-facing, expected to be changed/managed by client — NOT vaulted as
|
||||
it is an end-user password handed to Winter).
|
||||
- Vault paths read: `msp-tools/computerguru-security-investigator.sops.yaml`,
|
||||
`msp-tools/computerguru-tenant-admin.sops.yaml`,
|
||||
`msp-tools/computerguru-user-manager.sops.yaml` (cert auth, via get-token.sh).
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- Tenant: Sif-oidak District — `sifoidak.onmicrosoft.com` = `568eb763-3b95-4271-8443-530c74b1c6bb`
|
||||
- Tenant Admin SP (this tenant): `3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341` — standing role: Conditional Access Administrator (`b1be1c3e-b65d-4f19-8427-f6fa0d97feb9`)
|
||||
- User Manager SP (this tenant): `011b990a-c787-4af1-b4d5-606a5461f2e5` — standing roles: Authentication Administrator (`c4e39bd9-1100-46d3-8c65-fb160da0071f`), User Administrator (`fe930be7-5e62-47db-91af-98c3a49a38b1`)
|
||||
- Licensing: O365_BUSINESS 11/11 consumed, 0 available; only SKU in tenant.
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
- `scripts/resolve-tenant.sh sifoidak.onmicrosoft.com` -> `568eb763-3b95-4271-8443-530c74b1c6bb`
|
||||
- `scripts/reset-password.sh sifoidak.onmicrosoft.com Dortega.sod@... '<pw>'` ->
|
||||
`[OK] password reset ... (via JIT Privileged Authentication Administrator)` +
|
||||
`[WARNING] failed to remove JIT role assignment ... (HTTP 400)`
|
||||
- Self-removal errors (both endpoints): `Request_BadRequest` "Removing self from
|
||||
Global Administrator built-in role is not allowed" / "no privilege to remove self
|
||||
from Privileged Authentication Administrator role".
|
||||
- Cleanup: POST roleAssignments (PRA->UM SP) 201; DELETE stuck PAA w/ fresh UM token
|
||||
204; DELETE PRA grant 204. NOTE: after granting a directory role to an SP, delete
|
||||
the cached JWT and re-acquire — app-only tokens carry roles in `wids` at issuance.
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
- remediation-tool `reset-password.sh` defect: JIT cleanup cannot self-remove.
|
||||
Suggested fix: perform cleanup via a second SP (User Manager w/ temp PRA) or emit
|
||||
explicit manual-fix instructions. Logged in `errorlog.md`.
|
||||
- If Dwayne needs a mailbox: client must buy a mailbox-bearing SKU (Business
|
||||
Basic/Standard) or free a seat — 0 licenses available.
|
||||
|
||||
## Reference Information
|
||||
|
||||
- Discord thread: 1524875038967468295 (#tech-department, Arizona Computer Guru)
|
||||
- Target user: `Dortega.sod@sifoidak.onmicrosoft.com` / id `014c1df6-444b-4502-9239-15c3ff935887`
|
||||
- Winter updated client notes herself; no Syncro ticket created this session.
|
||||
@@ -19,6 +19,10 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
|
||||
|
||||
<!-- Append entries below this line -->
|
||||
|
||||
2026-07-09 | GURU-BEAST-ROG | remediation-tool | reset-password.sh JIT cleanup failed: SP cannot remove its own PAA role assignment (Graph 400 self-removal block); required temp PRA grant to second SP to remove. Script should delegate cleanup to another SP or warn [ctx: tenant=sifoidak script=reset-password.sh]
|
||||
|
||||
2026-07-09 | GURU-BEAST-ROG | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=568eb763-3b95-4271-8443-530c74b1c6bb assignment=ikzke6-tKk6E1qsmSeCKE7PwwTzAbMNNrIysDtlMU0E-1 http=400]
|
||||
|
||||
2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter]
|
||||
|
||||
2026-07-09 | Howard-Home | bash/env | [friction] used $UID as a variable in a Bash tool script; UID is readonly in bash so the assignment failed and the downstream Graph calls silently ran with an empty id - use a non-reserved name (OBJ/USER_ID)
|
||||
|
||||
Reference in New Issue
Block a user