From 07268cd741ad1d42f4314503fe29d681be9661aa Mon Sep 17 00:00:00 2001 From: Winter Williams Date: Thu, 9 Jul 2026 13:39:58 -0700 Subject: [PATCH] sync: auto-sync from GURU-BEAST-ROG at 2026-07-09 13:39:12 Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-09 13:39:12 --- ...nter-dortega-user-lookup-password-reset.md | 120 ++++++++++++++++++ errorlog.md | 4 + 2 files changed, 124 insertions(+) create mode 100644 clients/sif-oidak/session-logs/2026-07/2026-07-09-winter-dortega-user-lookup-password-reset.md diff --git a/clients/sif-oidak/session-logs/2026-07/2026-07-09-winter-dortega-user-lookup-password-reset.md b/clients/sif-oidak/session-logs/2026-07/2026-07-09-winter-dortega-user-lookup-password-reset.md new file mode 100644 index 00000000..74b2bd0f --- /dev/null +++ b/clients/sif-oidak/session-logs/2026-07/2026-07-09-winter-dortega-user-lookup-password-reset.md @@ -0,0 +1,120 @@ +# 2026-07-09 — Sif-oidak District: Dwayne Ortega user lookup + password reset (Winter, via Discord bot) + +## User +- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG) +- **Requested by:** Winter Williams (@winterguru, via Discord) - tech +- **Role:** automation (acting on the requester's behalf) + +## Session Summary + +Winter asked (Discord #tech-department, thread 1524875038967468295) whether user +"Dwaybe Ortega" (`dortega.sod@sifoidak.onmicrosoft.com`) exists in the Sif-oidak +District tenant. The vault has no M365 admin creds for this client (only +`clients/sif-oidak/laptops.sops.yaml`), so the lookup ran through the multi-tenant +remediation-tool apps. Resolved tenant `sifoidak.onmicrosoft.com` to GUID +`568eb763-3b95-4271-8443-530c74b1c6bb`, acquired an `investigator` (Graph read-only) +token, and confirmed the user exists: display name **Dwayne Ortega** (Dwaybe was a +typo), account enabled, Member type, cloud-only, created 2026-06-03, licensed with +Microsoft 365 Apps for Business (O365_BUSINESS), no mailbox (`mail: null` — SKU has +no Exchange plan). + +Winter then requested a password reset to something simple. Ran +`scripts/reset-password.sh` (tenant-admin tier). The direct PATCH 403'd because the +target holds a directory admin role, so the script performed its JIT elevation +(assigned Privileged Authentication Administrator to the Tenant Admin SP), and the +reset succeeded. New password: `Roadrunner2026!` (permanent, forceChangePasswordNextSignIn=false). +Password was communicated to Winter in the Discord thread; she distributes it. + +The script's JIT cleanup FAILED (HTTP 400): Graph blocks a service principal from +removing its own role assignment ("Removing self from Global Administrator built-in +role is not allowed" on the roleAssignments endpoint; "no privilege to remove self" +on the legacy directoryRoles endpoint). Remediated manually: used the Tenant Admin +app (holds RoleManagement.ReadWrite.Directory) to grant Privileged Role +Administrator to the **User Manager** SP, pulled a fresh user-manager token (deleted +the cached JWT so the new `wids` claim was picked up), deleted the stuck PAA +assignment with the User Manager token (HTTP 204), then revoked the temporary PRA +grant with the Tenant Admin token (HTTP 204). Verified both SPs are back to standing +roles only. Logged the script defect to `errorlog.md`. + +Finally, Winter asked whether Sif has licenses available for this account. Tenant +holds exactly one SKU: **O365_BUSINESS (Microsoft 365 Apps for Business), 11 total / +11 consumed / 0 available**. Dwayne already consumes one seat. No mailbox-bearing +SKUs exist in the tenant. Winter declined further action ("I updated notes. This is +complete.") — no Syncro entry needed from this side. + +## Key Decisions + +- Used multi-tenant remediation-tool apps instead of per-client creds — vault has no + `clients/sif-oidak/m365*.sops.yaml`; the MSP app suite is consented in this tenant + and worked at cert auth. +- Password set WITHOUT force-change (script default) since Winter is handing it to + the user directly; offered to flip it, not requested. +- JIT-cleanup fix path: temp Privileged Role Administrator grant to a SECOND app + (User Manager SP) rather than leaving PAA standing or requiring a human GA in the + portal. Chosen because self-removal is the only blocked operation; a different + principal removing it is allowed. Temp grant revoked immediately after. + +## Problems Encountered + +- `signInActivity` select on `GET /users/{upn}` returned 403 + `Authentication_MSGraphPermissionMissing` (needs AuditLog.Read.All, not held by + investigator). Dropped the field. +- `reset-password.sh` JIT de-elevation failed HTTP 400 — SP cannot remove its own + role assignment. Fixed via temp PRA grant to User Manager SP (see summary). Logged + to `errorlog.md` as a remediation-tool defect; script should delegate cleanup to a + second SP or warn loudly. +- Graph `$filter` with `or` across two `principalId`s on roleAssignments returned + `Request_UnsupportedQuery` ("Multiple principalId in filter not supported") — split + into two queries. + +## Configuration Changes + +- Sif-oidak tenant: password reset for `Dortega.sod@sifoidak.onmicrosoft.com` + (user id `014c1df6-444b-4502-9239-15c3ff935887`). +- Transient role assignments (all removed, verified): + - PAA `7be44c8a-adaf-4e2a-84d6-ab2649e08a13` -> Tenant Admin SP `3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341` (assignment `ikzke6-tKk6E1qsmSeCKE7PwwTzAbMNNrIysDtlMU0E-1`) — created by script, removed manually. + - PRA `e8611ab8-c189-46e8-94e1-60213ab1f814` -> User Manager SP `011b990a-c787-4af1-b4d5-606a5461f2e5` (assignment `uBph6InB6EaU4WAhOrH4FAqZGwGFx_FKtNVgalRh8uU-1`) — created + removed this session. +- Repo: `errorlog.md` entry added (remediation-tool / reset-password JIT cleanup). + +## Credentials & Secrets + +- New password for `Dortega.sod@sifoidak.onmicrosoft.com`: `Roadrunner2026!` + (permanent; user-facing, expected to be changed/managed by client — NOT vaulted as + it is an end-user password handed to Winter). +- Vault paths read: `msp-tools/computerguru-security-investigator.sops.yaml`, + `msp-tools/computerguru-tenant-admin.sops.yaml`, + `msp-tools/computerguru-user-manager.sops.yaml` (cert auth, via get-token.sh). + +## Infrastructure & Servers + +- Tenant: Sif-oidak District — `sifoidak.onmicrosoft.com` = `568eb763-3b95-4271-8443-530c74b1c6bb` +- Tenant Admin SP (this tenant): `3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341` — standing role: Conditional Access Administrator (`b1be1c3e-b65d-4f19-8427-f6fa0d97feb9`) +- User Manager SP (this tenant): `011b990a-c787-4af1-b4d5-606a5461f2e5` — standing roles: Authentication Administrator (`c4e39bd9-1100-46d3-8c65-fb160da0071f`), User Administrator (`fe930be7-5e62-47db-91af-98c3a49a38b1`) +- Licensing: O365_BUSINESS 11/11 consumed, 0 available; only SKU in tenant. + +## Commands & Outputs + +- `scripts/resolve-tenant.sh sifoidak.onmicrosoft.com` -> `568eb763-3b95-4271-8443-530c74b1c6bb` +- `scripts/reset-password.sh sifoidak.onmicrosoft.com Dortega.sod@... ''` -> + `[OK] password reset ... (via JIT Privileged Authentication Administrator)` + + `[WARNING] failed to remove JIT role assignment ... (HTTP 400)` +- Self-removal errors (both endpoints): `Request_BadRequest` "Removing self from + Global Administrator built-in role is not allowed" / "no privilege to remove self + from Privileged Authentication Administrator role". +- Cleanup: POST roleAssignments (PRA->UM SP) 201; DELETE stuck PAA w/ fresh UM token + 204; DELETE PRA grant 204. NOTE: after granting a directory role to an SP, delete + the cached JWT and re-acquire — app-only tokens carry roles in `wids` at issuance. + +## Pending / Incomplete Tasks + +- remediation-tool `reset-password.sh` defect: JIT cleanup cannot self-remove. + Suggested fix: perform cleanup via a second SP (User Manager w/ temp PRA) or emit + explicit manual-fix instructions. Logged in `errorlog.md`. +- If Dwayne needs a mailbox: client must buy a mailbox-bearing SKU (Business + Basic/Standard) or free a seat — 0 licenses available. + +## Reference Information + +- Discord thread: 1524875038967468295 (#tech-department, Arizona Computer Guru) +- Target user: `Dortega.sod@sifoidak.onmicrosoft.com` / id `014c1df6-444b-4502-9239-15c3ff935887` +- Winter updated client notes herself; no Syncro ticket created this session. diff --git a/errorlog.md b/errorlog.md index 5084fcf6..6e030dcb 100644 --- a/errorlog.md +++ b/errorlog.md @@ -19,6 +19,10 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +2026-07-09 | GURU-BEAST-ROG | remediation-tool | reset-password.sh JIT cleanup failed: SP cannot remove its own PAA role assignment (Graph 400 self-removal block); required temp PRA grant to second SP to remove. Script should delegate cleanup to another SP or warn [ctx: tenant=sifoidak script=reset-password.sh] + +2026-07-09 | GURU-BEAST-ROG | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=568eb763-3b95-4271-8443-530c74b1c6bb assignment=ikzke6-tKk6E1qsmSeCKE7PwwTzAbMNNrIysDtlMU0E-1 http=400] + 2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter] 2026-07-09 | Howard-Home | bash/env | [friction] used $UID as a variable in a Bash tool script; UID is readonly in bash so the assignment failed and the downstream Graph calls silently ran with an empty id - use a non-reserved name (OBJ/USER_ID)